National Center for Supercomputing Applications University of Illinois at Urbana-Champaign Developing a Comprehensive GENI Cyber Security Program Adam Slagell GEC 7, Duke & RENCI March 17, 2010
What is a “comprehensive security program”? About operational security & incident response Not GENI software stack, authN/Z mechanisms, etc Not writing code, but developing processes & policies Describes mechanisms for prevention & detection of security incidents Including roles for different parties Focuses on collaborative, cross-organizational efforts Has plans to react to incidents What do all the stakeholders do? Many roles, with different responsibilities. Materials and processes to disseminate plans
How do we develop our security program? Understand assets, threats & risks Perform risk analysis Develop security policy architecture Includes high-level policies, standards, guidelines, procedures and agreements More about social processes than technology specific Develop security architectures Monitoring tools for incident response Configuration guidelines and standards Especially for centrally located or shared assets Education, Training, & Compliance Not clear this early what that means for GENI Need to understand roles and responsibilities first
Performing a risk assessment Identify assets and their value Very qualitative Identify threats & vulnerabilities Determine probability and impact of threats Select countermeasures Limited options here: policies, hardening guidelines, collaborative monitoring tools
Developing security policies Many types of policies Agreements: with researchers, aggregates, universities, partners, etc Policies about monitoring, processes for IR, organizational roles and responsibilities Best practices for researchers, aggregate security, updates We can’t wait for risk assessment first! Spiral 3 coming! Need a interim policies, Vic discussed some of the content Base off of lessons learned in OSG, PlanetLab, etc
Developing security architectures Most assets not owned centrally by GENI System is going to evolve organically, less amenable to top- down approach What can we define? IDS, tools for collaboration, logging & monitoring infrastructure Maybe are aggregates connected, and how do we provide isolation How are centralized resources hardened (e.g., CA’s, clearing houses) Not clear what may be centrally controlled by GMOC We can provide guidelines in any case
Where are we now? NCSA started work after GEC 6 Caveat: 1/3 FTE total We created incident response use cases Long list of potential things a GENI IR team may encounter E.g., Request from LE, experiment used for attack, etc Welcome feedback, go to our wiki page Stakeholder and asset identification Qualitative values of assets Tangible and intangible First, first draft; needs feedback!
We need you! We cannot evaluate criticality of assets in isolation Need input on the methodology Need input from all stakeholders on actual assed values Are we complete? Some assets may be obsolete as they will no longer exist May be new things since we read docs May just not be creative enough Feedback is vital before we start evaluating impact of threats.
Timeline for feedback Asset Valuation and Risk Assessment report v. 0.1 When: Now Where: on our project wiki space Asset Valuation and Risk Assessment report v. 0.2 Added some threats, incorporated feedback When: May 1, 2010 Asset Valuation and Risk Assessment report v. 0.3 Risk analysis of partial list of threats, incorporated feedback When: June, 2010 Interim Operational Security Plan 0.1 When: during the month after & during GEC 8
A modest proposal Observations There are a LOT of GENI documents There are lots of versions of each They are spread out everywhere Some people don’t even upload them to the GENI wiki Security and operations need to think holistically I spend an inordinate amount of time searching for new docs People in OMIS likely interested in similar docs Proposal Utilize the list more. Send a note with link and summary when you create a new doc (or make major revisions)