Presentation is loading. Please wait.

Presentation is loading. Please wait.

Grid Security Update David Kelsey (RAL) HEPiX, LBNL 28 Oct 2009.

Published byReynold Hutchinson Modified over 8 years ago

Similar presentations

Presentation on theme: "Grid Security Update David Kelsey (RAL) HEPiX, LBNL 28 Oct 2009."— Presentation transcript:

1 Grid Security Update David Kelsey (RAL) HEPiX, LBNL 28 Oct 2009

2 Overview Grid Security Update Progress during the last year (since last HEPiX talk) Operational security (OSCT) Vulnerability handling (GSVG) Security policies (JSPG) Identity management and trust (IGTF) Thanks to colleagues for material (Romain Wartel - OSCT, Linda Cornwall - GSVG, David Groep - IGTF) Nothing on technical issues – see talk by M. Litmaath on WLCG Security (Thursday) 28 Oct 09HEPiX, Kelsey2

3 OPERATIONAL SECURITY… 28 Oct 09HEPiX, Kelsey3

4 OSCT Tasks Security Incident Response Concentrate on this today OSCT also works on Security Service Challenges Security Training Security Monitoring But no more on those today 28 Oct 09HEPiX, Kelsey4

5 EGEE Security Incidents 28 Oct 09HEPiX, Kelsey5

6 Incidents Common attack: Stolen SSH account(s) or Web application (known) vulnerability Escalate as root CVE-2009-2692, CVE-2009-2698, etc. Deploy rootkit or further malware Several incidents avoidable if sites were up-to-date with security patches Grid management supported recent suspension of unpatched sites 28 Oct 09HEPiX, Kelsey6

7 Incidents(2) Updated incident response procedure Redesigned to include feedback and metrics from security service challenges Specific details and contact points added Templates for initial reporting and final report Coordination process within the OSCT described https://edms.cern.ch/file/867454/2/EGEE_Incident_Resp onse_Procedure.pdf http://cern.ch/osct/incident-reporting.html 28 Oct 09HEPiX, Kelsey7

8 Peers Collaboration with the NRENs Significant progress since last year Many more contacts established between the ROCs and their NRENs BoF at TERENA Network Conference 09 Collaboration plan agreed, implementation in progress As far as we can go, the rest is in the hands of each ROC/NREN 28 Oct 09HEPiX, Kelsey8

9 Peers (2) Collaboration with peer grids Creation of GRID-SEC "A coordinated response to cross-grid security incidents“ http://cern.ch/grid-sec/ Framework to share incident-related information Rather extensive coverage of the academic community Already been handling 2 cross-grid security incidents Incidents affecting sites belonging to different grids 28 Oct 09HEPiX, Kelsey9

10 VULNERABILITIES … 28 Oct 09HEPiX, Kelsey10

11 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 GSVG Issue handling summary Grid Security Vulnerability Group Aim is to find and fix vulnerabilities in the middleware –And avoid security incidents Anyone may report an issue –By e-mailing to grid-vulnerability-report@cern.ch orgrid-vulnerability-report@cern.ch –By entering in the GSVG savannah https://savannah.cern.ch/projects/grid-vul/ https://savannah.cern.ch/projects/grid-vul/  Note that bugs are private so cannot be read except by members of this savannah project The Risk Assessment Team (RAT) investigates the issue, if valid carries out a Risk Assessment Advisories issued – see http://www.gridpp.ac.uk/gsvg/advisories/

12 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 Some numbers (Sept 2009) 174 Issues submitted since started in 2005 –(28 submitted in last 12 months) –For those fully risk assessed (since current strategy started mid 2006) 1EC, 19 High, 21 Moderate, 39 Low 111 closed –64 closed as fixed, 16 invalid, 5 duplicates, 10 OSCT informed, 5 software no longer in use, 11 more general concerns adequately addressed 63 open –17 awaiting TD, 15 disclosed, most of the rest either very low risk or more general concerns rather than specific vulnerabilities –Situation with open issues not awaiting TD described in document at https://edms.cern.ch/document/1011173/1https://edms.cern.ch/document/1011173/1 Vulnerability and Risk management 12

13 SECURITY POLICIES … 28 Oct 09HEPiX, Kelsey13

14 21 Sep 2009Kelsey, Security Policy Security Policy Site & VO Policies Certification Authorities Traceability and Logging Security Incident Response Accounting Data Privacy Pilot Jobs and VO Portals Grid & VO AUPs JSPG Security Policies

15 21 Sep 2009Kelsey, Security Policy Recent JSPG work Five recently approved and adopted policies Virtual Organisation Registration Security Policy https://edms.cern.ch/document/573348/8 Virtual Organisation Membership Management Policy https://edms.cern.ch/document/428034/3 Grid Policy on the Handling of User-Level Job Accounting Data https://edms.cern.ch/document/855382/5 VO Portal Policy https://edms.cern.ch/document/972973/6 Security Incident Response Policy https://edms.cern.ch/document/428035/7

16 Ongoing revisions Site Registration Security Policy http://www.jspg.org/wiki/Site_Registration_Security_Policy –Remove EGEE-specific procedures –Use same simple style as the VO Registration Security Policy Grid AUP http://www.jspg.org/wiki/Grid_Acceptable_Use_Policy –Some Grids use it but have modified our text –Some infrastructures do not have VOs –Revise to include these modifications 21 Sep 2009Kelsey, Security Policy

17 New policy framework for EGI A framework to enable interoperation of collaborating Grids –managing cross-Grid operational security risks Identify policy components help trust building between Grids Not imposing a single policy for all Other components are either too EGEE-specific or are operational rather than related to security – separate them Each Grid will have security policies consisting of the framework components and their own Grid-specific components 21 Sep 2009Kelsey, Security Policy

18 Policy Components 21 Sep 2009 Infrastructure Includes Incident Response Vulnerability Handling Patching Data protection Registration etc Users Includes AUP Traceability VO Management Data protection Incident response Data protection Registration etc Providers Includes Traceability Incident Response Access control Registration etc

19 Security Policy Framework 21 Sep 2009 InfrastructureUsersProviders Incident Response Traceability Data Protection 123 456 789 Policy Components (numbered) at matrix intersections etc etc etc

20 IDENTITY MANAGEMENT AND TRUST… 28 Oct 09HEPiX, Kelsey20

21 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 IGTF Developments International Grid Trust Federation –EUGridPMA, TAGPMA, APGridPMA Federation Certification Authorities Robot certificates and naming Private key protection 21 HEPiX, Kelsey

22 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 Federated Authentication IGTF created a global X.509 PKI trust fabric This currently serves a few x 10,000 users The identity vetting processes and CA operations are expensive –Can we improve this? Now show what is happening in Europe Similar activities have also started in the USA –NCSA CIlogon project  Using US InCommon federation

23 Towards more Federated Authorities in Europe and the TERENA eScience (Personal) CA David Groep

24 Federated Authorities in Europe and the TERENA TCS CAs - 24 David Groep – davidg@eugridpma.org Grids, Eduroam, Federations  Different terms, same issues  How to provide access only the ‘proper’ people?  Most of whom you’ve never met and will never meet  Across organisations and countries  Traceable and consistent over many years  Core issue is trust

25 Federated Authorities in Europe and the TERENA TCS CAs - 25 David Groep – davidg@eugridpma.org Refresher: Federations grid structure was not too much different!  A common Authentication and Authorization Infrastructure  Allow access to common resources with a single credential

26 Federated Authorities in Europe and the TERENA TCS CAs - 26 David Groep – davidg@eugridpma.org With thanks to Licia Florio, TERENA A highly successful confederation!

27 Federated Authorities in Europe and the TERENA TCS CAs - 27 David Groep – davidg@eugridpma.org Beyond the network  Research community requirements go beyond network access  Increasing dynamics in the education system  Students can access courses in other faculties  Students take some course units abroad (Bologna)  On-line courses are more common  Users want to access the same services no matter where they are  Grid: example of access to distributed resources  More institutions dealing with the same users means:  Multiple registration of users  Overhead to manage guest users  Increased possibility of error in managing the users’ records With thanks to Licia Florio, TERENA

28 Federated Authorities in Europe and the TERENA TCS CAs - 28 David Groep – davidg@eugridpma.org Grid & Federations - a logical combination  Many of the e-Infrastructure users have a federated account anyway  Could give users grid certificates within 5 minutes without any further hassle, if the trust level matches  Allows users to ’try’ the grid  Allows for scaling the number of grid users significantly  Comparable issues and trust levels  Federation assurance levels are going up, as more diverse services participate in the federation  User account management of IdPs is improving rapidly … far more rapidly than grid credential management …

29 Federated Authorities in Europe and the TERENA TCS CAs - 29 David Groep – davidg@eugridpma.org Federated CAs: there already!  SWITCH  Accredited 2007 under SLCS  Shib-only federation, dedicated software development  Leverages nice, tightly-controlled SWITCHaai federation  DFN SLCS  Accredited 2008 as SLCS  TERENA eScience Personal CA (formerly NetherNordic SLCS/MICS)  Under accreditation today  Multi-technology federation, SAML2 based  Heterogeneous federations, with web access being the only common element

30 Federated Authorities in Europe and the TERENA TCS CAs - 30 David Groep – davidg@eugridpma.org New: TERENA ‘eScience’ TCSes  Initial partners: FEIDE, SURFfederatie, HAKA, WAYF, Swamid, CESNET TERENA  Trans-national, cross-federation service  But not (yet) confederated  How many SLCS/MICS CAs does Europe need ?  Consolidate operational PKI skills in one place  Better sustainability, in line with the European trend

31 Federated Authorities in Europe and the TERENA TCS CAs - 31 David Groep – davidg@eugridpma.org

32 Federated Authorities in Europe and the TERENA TCS CAs - 32 David Groep – davidg@eugridpma.org

33 Federated Authorities in Europe and the TERENA TCS CAs - 33 David Groep – davidg@eugridpma.org In ‘personal CA’, not necessarily aware of grid applications

34 Federated Authorities in Europe and the TERENA TCS CAs - 34 David Groep – davidg@eugridpma.org Federated CAs (SLCS and MICS) in 2010

35 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 Robots & naming “Non-human automated clients that perform automated tasks without human intervention on behalf of named human individuals” –E.g. monitoring clients, some types of Grid portals The draft IGTF Guideline for Robots can be found at https://grid.ie/eugridpma/wiki/GuidelineOnRobots One common name component of the subject distinguished name (in the certificate) –must start with the string “Robot”, immediately followed by the COLON character or a SLASH –And followed by a string describing the function of the robot The natural person responsible for the automated client must also be identified by an appropriate representation of their name in the CN

36 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 Robot naming (2) The CERN CA has proposed for robot certs –to drop the requirement for a person’s name  Frequent change of staff and/or duties  Privacy issues –substitute with a responsive e-mail address of the group responsible for the robot certificate  And add an Endorser’s personID *Lots* of discussion on this at recent IGTF meetings –So far the IGTF is not willing to drop the requirement for an actual responsible person to be named

37 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 Robot – hardware tokens USB secure hardware tokens – private key can never be extracted (unencrypted) Initial risk analysis –hardware tokens to protect Robot keys –does not fundamentally improve security cf software tokens –If the hardware tokens remain activated for long time periods and if the relying parties accept 'proxy' certificates for delegation Different groups in the IGTF will now proceed with a more in-depth analysis of the security issues It is likely, but not certain, that future versions of the Guideline on Robots may relax the requirement to use hardware tokens

38 Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 Private key protection A new "Guideline on Private Key Protection“ –https://www.eugridpma.org/guidelines/pkp/https://www.eugridpma.org/guidelines/pkp/ –Draft at this stage Generation and storage of user private keys on –shared file systems –remote user interface systems (codifying current practice) Generation and storage of private keys *for end users* –on well secured and managed portals –without the user ever having to hold the private key Enabling national Credential Stores/MyProxy Services –run for many users and on behalf of many portals –subject to some specific security restrictions

39 SUMMARY … 28 Oct 09HEPiX, Kelsey39

40 Summary Good progress during last year –In all security areas Handling of security incidents and vulnerabilities continues to improve Policies are moving forward into EGI era Identity management is changing to tackle ease of use and scaling issues 28 Oct 09HEPiX, Kelsey40

41 Questions? 28 Oct 09HEPiX, Kelsey41

Download ppt "Grid Security Update David Kelsey (RAL) HEPiX, LBNL 28 Oct 2009."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.

Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.
Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.

Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
INFSO-RI-508833 Enabling Grids for E-sciencE Incident Response Policies and Procedures Carlos Fuentes

INFSO-RI Enabling Grids for E-sciencE Incident Response Policies and Procedures Carlos Fuentes
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Security Policy Group EGI Technical Forum Sep 2010 David Kelsey.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Security Policy Group EGI Technical Forum Sep 2010 David Kelsey.
The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688

The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.
GRID middleware and security, the missing bits David Kelsey TAC, Malaga 8 Jun 2009.

GRID middleware and security, the missing bits David Kelsey TAC, Malaga 8 Jun 2009.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerability Handling and.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid Security Vulnerability Handling and.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.

JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.
Security Area in GridPP2 4 Mar 2004 Security Area in GridPP2 “Proforma-2 posts” overview Deliverables – Local Access – Local Usage.

Security Area in GridPP2 4 Mar 2004 Security Area in GridPP2 “Proforma-2 posts” overview Deliverables – Local Access – Local Usage.

Similar presentations

Ads by Google