OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch October 16, 2012.


WLCG Management Board

Background
The Open Science Grid (OSG) relies on a public key infrastructure (PKI) built around an OSG Certificate Authority (CA) to support its operations. The OSG PKI is operated by two parties:
- The OSG itself operates a network of trusted agents (registration authorities and grid admins) who vet certificate requests, and a web front-end, the OSG Information Management (OIM) System, that provides users with interfaces for PKI functions.
- DigiCert, a private company, operates the CA that, at the direction of OSG and within the bounds of policy, issues certificates.

Goals and Scope
- Create a Recovery Plans document that presents a recovery plan for PKI failure scenarios.
- Not a risk analysis: it does not attempt to analyze whether or not a PKI failure is something that the OSG should prepare for.
- Analyzes the options for a recovery plan and recommends a broad course of action.
- Describes all the steps necessary to bring the OSG PKI back to its normal functional state.
- Focuses on the new OSG PKI, not the DOEGrids CA, although most of the discussion is valid for the DOEGrids CA as well.

OSG PKI Failure Cases
Two failure types: compromise and loss of service.
- Back-End CA Compromise
- OSG Information Management (OIM) Front-End Compromise
- Back-End CA Loss of Availability
- OSG OIM Front-End Loss of Availability

Recovery Plans
A recovery plan for each failure type is presented in the document available at docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1121. The plan:
- Is a workflow of specific steps that should be taken in the aftermath of a failure to restore the PKI to normal, e.g., forming the incident response team, revoking compromised certs, issuing replacement certs, community communications, and so on.
- Considers slight variations in a failure type depending on the level of severity (e.g., all RA Agents compromised vs. only some compromised) and incorporates conditional branches into the workflow.

Recovery Plans
- Each step is accompanied by specific timelines, estimating how long the plan execution would take.
- Each step has a clear owner responsible for performing the activities in the event of a failure.
Due to time limitations and the complexity of each plan, I will not present them here. Please contact me and Von Welch should you have any questions or feedback.