DTI Mission – 29 June 2004 - 1 LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

Presentation transcript:

LCG Security
Ian Neilson, LCG Security Officer, Grid Deployment Group, CERN

LCG Security environment
The players, all connected through the Grid:
Users: personal data, roles, usage patterns, …
VOs: experiment data, access patterns, membership, …
Sites: resources, availability, accountability, …

The Risks
Top risks from the Security Risk Analysis, each paired with the property of the Grid that makes it attractive:
Launch attacks on other sites: large distributed farms of machines
Illegal or inappropriate distribution or sharing of data: massive distributed storage capacity
Disruption by exploit of security holes: complex, heterogeneous and dynamic environment
Damage caused by viruses, worms etc.: highly connected and novel infrastructure

Policy – the LCG Security Group
Security & Availability Policy, supported by:
Usage Rules
Certification Authorities
Audit Requirements
GOC Guides
Incident Response
User Registration
Application Development & Network Admin Guide

Authentication Infrastructure
Users and services own long-lived (1 yr) credentials: digital certificates (X.509 PKI).
European Grid Policy Management Authority: "… is a body to establish requirements and best practices for grid identity providers to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources. …" Covers EU (+ USA + Asia).
Jobs are submitted with Grid Proxy Certificates:
Short-lived (<24 hr) credential which "travels" with the job
Delegation allows a service to act on behalf of the user
Proxy renewal service for long-running & queued jobs
Some issues:
Do trust mechanisms scale up?
"On-line" certification authorities & certificate stores: Kerberized CA, Virtual SmartCard
Limited delegation

Authorization Infrastructure
User registers: accepts the Usage Rules, provides personal/contact data, requests to join a VO.
VO managers add the user to the VO servers: certificate identity (DN) captured.
User submits jobs: creates a short-lived proxy using the long-lived certificate; the proxy "travels" with the job.
Resources authorize access:
Check certificate validity (trusted CAs and revocation lists)
Check user authorization (downloaded from Registration/VO servers)
Map certificate DN to a local account
Run the job
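The resource-side decision chain on this slide, written out as an added example that is not code from the presentation or from LCG middleware. It is a simplified model: the CA set, revocation list, VO membership table and DN-to-account map are constructed dicts standing in for the real trust anchors, CRLs and VO server downloads, and the proxy is recognised by its subject extending the user DN with an extra CN (an assumption about proxy naming), bounded to the <24 hr lifetime the previous slide gives.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed trust data for the example; not any real site's configuration.
MAX_PROXY_LIFETIME = timedelta(hours=24)                      # "short-lived (<24hr)" proxy
TRUSTED_CAS = {"/C=XX/O=ExampleGrid/CN=Example CA"}          # hypothetical CA
REVOKED = {("/C=XX/O=ExampleGrid/CN=Example CA", 42)}         # (issuer, serial) from its CRL
VO_MEMBERS = {"xyz": {"/C=XX/O=ExampleGrid/OU=Site/CN=Alice Example"}}  # from VO server
GRIDMAP = {"/C=XX/O=ExampleGrid/OU=Site/CN=Alice Example": "xyz001"}    # DN -> local account

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime

def authorize(user_cert, proxy, vo, now):
    # 1. certificate validity: trusted CA, not revoked, inside its lifetime
    if user_cert.issuer not in TRUSTED_CAS:
        return False, "issuer not a trusted CA"
    if (user_cert.issuer, user_cert.serial) in REVOKED:
        return False, "certificate revoked"
    if not user_cert.not_before <= now <= user_cert.not_after:
        return False, "certificate not valid at this time"
    # 2. proxy validity: issued by the user's cert, DN extended, short-lived, never outliving the user cert
    if proxy.issuer != user_cert.subject or not proxy.subject.startswith(user_cert.subject + "/CN="):
        return False, "proxy not derived from user certificate"
    if not proxy.not_before <= now <= proxy.not_after:
        return False, "proxy expired"
    if proxy.not_after - proxy.not_before > MAX_PROXY_LIFETIME or proxy.not_after > user_cert.not_after:
        return False, "proxy lifetime too long"
    # 3. user authorization: membership data downloaded from the VO server
    if user_cert.subject not in VO_MEMBERS.get(vo, set()):
        return False, f"not a member of VO {vo}"
    # 4. map the DN to a local account (the static mapping later slides call out as unscalable)
    account = GRIDMAP.get(user_cert.subject)
    if account is None:
        return False, "no local account mapped for DN"
    return True, account

def demo():
    now = datetime(2004, 6, 29, 12, 0, tzinfo=timezone.utc)
    alice = Cert("/C=XX/O=ExampleGrid/OU=Site/CN=Alice Example", "/C=XX/O=ExampleGrid/CN=Example CA",
                 7, now - timedelta(days=100), now + timedelta(days=265))
    proxy = Cert(alice.subject + "/CN=proxy", alice.subject, 1, now - timedelta(hours=1), now + timedelta(hours=11))
    stale = Cert(alice.subject + "/CN=proxy", alice.subject, 2, now - timedelta(days=3), now + timedelta(days=4))
    return authorize(alice, proxy, "xyz", now), authorize(alice, stale, "xyz", now), authorize(alice, proxy, "abc", now)
```

demo() returns an accepted job mapped to the local account, a rejection for a proxy whose lifetime exceeds the 24 hr bound, and a rejection for a VO the user is not a member of.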

User Registration (2003-4)
Diagram: the user holds a certificate issued by a CA; site and resource authorization rely on the CA certificates and the Usage Rules. The registration flow via lcg-registrar.cern.ch:
1. User to registrar: "I agree to the Usage Rules, please register me, my VO is XYZ"
2. Confirm
3. User details passed to the XYZ VO Manager
4. Register
5. Notify
6. User details passed to Site Authz / Resource Authz
Then: submit job?

User Registration (?)
Some issues:
Static user mappings will not scale up
Multiple VO membership
Complex authorization & policy handling
VO manager needs to validate user data: how?
Solutions:
VO Management Service with attribute proxy certificates: groups and roles, not just static user mapping; attributes bound to the proxy certificate and signed by the VO service
Credential mapping and authorization: flexible policy intersection and mapping tools
Integrate with organizational databases, but … what about exceptions? (the 2-week summer student)
What about other VO models: lightweight, deployment, testing
Diagram labels: XYZ VO Manager, Certificate, Roles

Audit & Incident Response
Audit Requirements: mandate retention of logs by sites.
Incident Response:
Security contact data gathered when a site registers
Establish communication channels (mail lists maintained by the Deployment Team):
List of CSIRT lists – channel for reporting
Security contacts at site – channel for discussion & resolution
Escalation path
2004 Security Service Challenges: check that the data is there and complete, and that communications are open.

Security Collaboration
Projects share resources & have close links. Need for inter-grid global security collaboration?
Common accepted Usage Rules?
Common authentication and authorization requirements?
Common incident response channels?
LCG – EGEE – OSG – ?
The LCG Security Group is now the Joint Security Group (JSG) for LCG & EGEE:
Provides requirements for middleware development
Some members from OSG already in the JSG

LCG Security
Thank you.