1. INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Joint Security Policy Group David Kelsey, CCLRC/RAL, UK d.p.kelsey@rl.ac.uk 3 rd EGEE Project Conference, Athens, 19 Apr 2005

2. Enabling Grids for E-sciencE INFSO-RI-508833 JSPG at EGEE-3 2 Overview What is JSPG? Recent activities Future plans Advert for Thursday’s session

3. Enabling Grids for E-sciencE INFSO-RI-508833 JSPG at EGEE-3 3 History LCG Security Group was created in early 2003 Mandate To advise and make recommendations to the Grid Deployment Manager and LCG GDB on all matters related to Security –Policies are agreed and adopted by GDB for LCG To produce and maintain –Policies and procedures on Registration, Authentication, Authorization and Security Where necessary recommend the creation of focussed task-forces made-up of appropriate experts –E.g. Task force on LCG User Registration

4. Enabling Grids for E-sciencE INFSO-RI-508833 JSPG at EGEE-3 4 JSPG Following EGEE-1 in Cork: scope of group extended –To include EGEE SA1 Site Security Group Joint Security Policy Group (JSPG) –“Joint” means EGEE and LCG –Strong participation by USA Open Science Grid –“Policy” - responsibile for policy and procedures An activity of EGEE SA1 –Discusses all documents with ROC Managers –Participation of site managers/security officers Strong links to JRA3 and EGEE Middleware Security Group (and JRA1) New “task force” (since EGEE-2 meeting) –SA1 Operational Security Coordination Team (OSCT)  See next presentation by Ian Neilson

5. Enabling Grids for E-sciencE INFSO-RI-508833 JSPG at EGEE-3 5 JSPG membership Application representatives/VO managers –Discussions with VO managers as/when required Site Security Officers –Bob Cowles (SLAC), Denise Heagerty (CERN), Dane Skow (FNAL) Site/Resource Managers/Security Contacts –Dave Kelsey (RAL) – Chair –Miguel Cardenas Montes (Spain) –Romain Wartel (UK/I ROC) Security middleware experts/developers –Joni Hahkala (JRA3), David Groep (JRA3), Andrew McNab (GridPP), Yuri Demchenko (JRA3) CERN Deployment team –Maria Dimou, Ian Neilson (Security Officer) Several others on mail list and active in the past

6. Enabling Grids for E-sciencE INFSO-RI-508833 JSPG at EGEE-3 6 JSPG Meetings, Web etc Meetings - Agenda, presentations, minutes etc http://agenda.cern.ch/displayLevel.php?fid=68 JSPG Web site http://proj-lcg-security.web.cern.ch/ Membership of the JSPG mail list is closed, BUT –Requests to join stating reasons to D Kelsey –Volunteers to work with us are always welcome! Policy documents at http://cern.ch/proj-lcg-security/documents.html

7. Enabling Grids for E-sciencE INFSO-RI-508833 JSPG at EGEE-3 7 EGEE/LCG Policy Security & Availability Policy Usage Rules Certification Authorities Audit Requirements Incident Response User Registration & VO Management Application Development & Network Admin Guide picture from Ian Neilson VO AUP

8. Enabling Grids for E-sciencE INFSO-RI-508833 JSPG at EGEE-3 8 Recent activities Site Registration Policy & Procedure –Presented in Den Haag –Finalised and agreed (Mar 2005) User Acceptable Use Policy –Aim for simpler, more general text –Short, so users may well read it! –Accepted by User during registration with a VO  And bound by VO AUP –First (early) draft exists VO Security Policy –VO Registration requirements –VO Community responsibilities –VO Acceptable Use Policy –Draft document – for approval in May/June 2005 Operational Security –Incident Response (based on OSG work) –See OSCT talk

9. Enabling Grids for E-sciencE INFSO-RI-508833 JSPG at EGEE-3 9 Recent activities (2) Security Vulnerabilities –EGEE resources are a potential target –Security problems (may) exist in middleware (design and implementation), in deployment and in use of the middleware by the applications –Limited activity in this area to date –Work started (UK GridPP) to collect problems  In a secure problem-tracking database  feedback to developers, deployers & applications –JRA3 also working in this area  Models for threat analysis and vulnerabilities –Aim is to improve the security of the Grid  Timely fixes and patches will be required

10. Enabling Grids for E-sciencE INFSO-RI-508833 JSPG at EGEE-3 10 Future plans for JSPG All Security Policy documents need revision –next 6 months –To make them more general  Some documents are still “LCG” based –Working closely with OSG for common policy  Wherever possible –Approval of top-level Security Policy  by project as a whole (PMB?) –Continue to work with eIRG and NA5 We will revisit the LCG Risk Analysis and Risk Management –Better understand the threats and risks –Help prioritise efforts on mitigating the risks –Linked to work on Security Vulnerabilities

11. Enabling Grids for E-sciencE INFSO-RI-508833 JSPG at EGEE-3 11 JSPG sessions this week OSCT (Ian Neilson) –Thursday 14:30 to 16:00 –Operational Security issues JSPG –Thursday 16:30 to 18:00 –Update on Policy and Procedures (DPK)  AUP & VO Security Policy –Security Vulnerability – Identification and Reduction (Linda Cornwall, JRA1 & GridPP UK) –Models for Threats and Vulnerabilities (Yuri Demchenko, UvA, JRA3) ALL WELCOME (not closed meetings) –Of interest to SA1, JRA1, JRA3, MWSG, …

12. Enabling Grids for E-sciencE INFSO-RI-508833 JSPG at EGEE-3 12 Recent documents Site Registration Policy & Procedure –https://edms.cern.ch/document/503198/https://edms.cern.ch/document/503198/ Virtual Organisation Security Policy –https://edms.cern.ch/document/ 573348/https://edms.cern.ch/document/ 573348/