
DOEGrids Audit Report. Michael Helm, Networking for the Future of Science, Energy Sciences Network, Lawrence Berkeley National Laboratory, 10 May 2009.



2. A little background … (EUGridPMA, May 2008)
- Signed up for audit in Sep 2007
- Audit of various features Nov-Dec 2007
  – Certificate issuance
  – Log files: census and management
  – NIST 800-53
  – “Peer review” style committee, focused on early version of IGTF Audit Framework
- Initial Report, Amsterdam, Jan 2008
- Final Audit Report, Aug 2008
- RFC 3647 translation
- “Completed” Audit response

3. Audit Report Details
- Audit Report Executive Summary: principal matters of interest to auditors; includes significant recommendations
- “Findings”: defect list – discussed in Amsterdam
- ESnet response: proposed plan for issues found in audit
- Other sections: includes auditors’ spreadsheets and comments

4. Audit Report Executive Summary
- Comments
  – Need to deal with ID verification better
  – Need for RAs to maintain identification records
- Recommendations
  – Update CPS format to RFC 3647
  – Consider offering a MICS-type CA
  – Update/revamp DOEGrids PMA
  – Continuity of operations
  – RA responsibilities
  – NIST 800-53
  – Various ID & authentication-specific

5. Audit Findings
Broken into 2 classes:
  – Significant deviations – topics with obvious seriousness, where either the documentation was missing or the CA operations didn’t conform to standards
  – Minor deviations – essentially minor documentation errors and omissions

6. Review of Audit Response
- ID Verification (initial) was resolved at Amsterdam -> resulted in TTP 1SCP
- ID re-verification remains an open issue
- RA record retention – under discussion
- COO -> see the “CA cloning” slides
- Restructuring CPS to RFC 3647 – done – v 3.0
- Updated CPS according to Audit Log – done – v 3.1
- DOEGrids PMA revived
- Strategic planning remains a future goal

7. DOEGrids CPS Transition
- DOEGrids CPS v 2.10
  – Effectively implemented at Apr 2008 TAGPMA at NERSC
  – Added ESnet RA & Philips RA
- DOEGrids CPS v 3.0
  – Translation of v 2.10 -> RFC 3647 framework
- DOEGrids CPS v 3.1
  – Implementation of DOEGrids Audit – Finally!

8. DOEGrids CPS 3.1
- Going thru DOEGrids PMA approval process
- Approved by ESnet management
- Better reflects the reality of how we must operate the CA & its services
- Some controversial areas:
  – We reserve the right to make changes….
  – Who has the right to cause a certificate to be revoked (or other CA operation)?
  – Privacy & confidentiality (NONE)

9. Outstanding Issues
These issues become the next work program after DOEGrids CPS 3.1 acceptance
- Identity re-verification
  – This is a difficult community issue
  – The tools to support this are in development
  – We are currently studying the demographics & plan to have a program for re-verifying ancient subscribers in place by October
- RA responsibilities & duties
  – Community interest
- GCP/GFD 125 compliance
  – Working on gradual adoption – another community relations issue
- Federation CA
  – Has to be identified as a customer requirement
- More CPS restructuring
  – Remove RA Disclosure appendices, put in DOEGrids PMA domain
  – Remove dynamic content and link
  – Cross-linking with NIST 800-53-based security and practice documentation
  – Fix various anachronisms discovered

10. Other Auditing Activities
- NIST 800-53 framework – ongoing
- ESnet PKI CSPP – working on publishing
- Configuration Review – ongoing
- ESnet Security Peer Review
- OSG risk assessments
- Automated re-issuance
  – 2 changes caused a lot of trouble:
    Migration from iPlanet CMS to Red Hat CS using old configurations
    Trust in other CAs
  – Examined every automatically issued certificate (renewals, certain kinds of RA agent functions) since Jul 2007
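Two of the review tasks in slides 9 and 10 (pulling every automatically issued certificate since a cut-off date for manual inspection, and finding "ancient subscribers" whose identity verification is old enough to need re-verification) reduce to passes over the CA's issuance records. The following is an added example, not code from this presentation or from the DOEGrids/ESnet CA tooling; it assumes a hypothetical pipe-separated issuance log with a per-certificate "identity verified" date, and the constructed sample records, the mechanism names `renewal` and `ra-agent`, and the two-year threshold are all illustrative choices.

```python
"""Audit helper for two review tasks:
(1) list every automatically issued certificate (renewals, RA-agent
    issuances) on or after a cut-off date, for manual review;
(2) find subscribers whose most recent identity verification is older
    than a re-verification threshold.

Added example with a hypothetical record layout; it is not the
DOEGrids CA's actual log format."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable

# Issuance mechanisms treated as "automatic" (assumption for this example).
AUTOMATIC_MECHANISMS = {"renewal", "ra-agent"}


@dataclass(frozen=True)
class Issuance:
    serial: str
    subject: str
    issued: date
    mechanism: str        # "manual", "renewal" or "ra-agent"
    id_verified: date     # date an RA last verified the subscriber's identity


def parse_log(lines: Iterable[str]) -> list[Issuance]:
    """Parse 'serial|subject|YYYY-MM-DD|mechanism|YYYY-MM-DD' lines (constructed format)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        serial, subject, issued, mechanism, verified = line.split("|")
        records.append(Issuance(serial, subject, date.fromisoformat(issued),
                                mechanism, date.fromisoformat(verified)))
    return records


def automatic_issuances_since(records: list[Issuance], cutoff: date) -> list[Issuance]:
    """Every certificate issued without a human RA decision on or after cutoff, oldest first."""
    return sorted((r for r in records
                   if r.mechanism in AUTOMATIC_MECHANISMS and r.issued >= cutoff),
                  key=lambda r: r.issued)


def reverification_candidates(records: list[Issuance], as_of: date,
                              max_age_days: int) -> dict[str, date]:
    """Subjects whose latest identity verification is older than max_age_days.

    The most recent verification per subject is used, so a subscriber who was
    re-verified for a later certificate is not flagged because of an old one."""
    latest: dict[str, date] = {}
    for r in records:
        if r.subject not in latest or r.id_verified > latest[r.subject]:
            latest[r.subject] = r.id_verified
    threshold = as_of - timedelta(days=max_age_days)
    return {subj: d for subj, d in latest.items() if d < threshold}


# Constructed sample log (not real DOEGrids data).
SAMPLE_LOG = """\
# serial|subject|issued|mechanism|id_verified
0x1001|CN=alice/OU=People|2006-03-02|manual|2006-03-02
0x1002|CN=alice/OU=People|2007-03-01|renewal|2006-03-02
0x1003|CN=alice/OU=People|2008-02-28|renewal|2006-03-02
0x1004|CN=bob/OU=People|2007-09-15|manual|2007-09-15
0x1005|CN=host/gw.example.org|2007-08-20|ra-agent|2005-11-10
0x1006|CN=carol/OU=People|2004-05-05|manual|2004-05-05
0x1007|CN=carol/OU=People|2008-04-01|manual|2008-04-01
"""


def run_report(as_of: date = date(2008, 5, 1)):
    """Run both passes over the sample log; returns (automatic issuances, stale subjects)."""
    records = parse_log(SAMPLE_LOG.splitlines())
    auto = automatic_issuances_since(records, date(2007, 7, 1))
    stale = reverification_candidates(records, as_of, max_age_days=365 * 2)
    return auto, stale


if __name__ == "__main__":
    auto, stale = run_report()
    print("Automatically issued since 2007-07-01:")
    for r in auto:
        print(f"  {r.serial} {r.subject} {r.issued} ({r.mechanism})")
    print("Subscribers needing identity re-verification:")
    for subj, d in stale.items():
        print(f"  {subj} (last verified {d})")
```

On the sample data the first pass returns the RA-agent host certificate and alice's 2008 renewal (her 2007 renewal predates the cut-off), and the second flags alice and the host subject, whose latest verification dates fall before the two-year threshold; carol is not flagged because her 2008 certificate carries a fresh verification. Keying the re-verification pass on the subject's latest verification rather than on each certificate is what keeps renewal-heavy subscribers from being counted once per renewed certificate.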

11. Document Links
We shall now pass lovingly over these documents as time permits….
- DOEGrids Audit Report
  – http://www.doegrids.org/Docs/DOEGridsInternalAudit2007Report.doc
- Log of work done on audit
  – http://www.doegrids.org/Docs/Audit2007-Response.doc
- Poll:
  – http://doodle.com/r5cnvskcftf534nz
- DOEGrids CPS 3.1
  – http://www.doegrids.org/Docs/DOEGrids-3.1.doc

