Presentation is loading. Please wait.

Presentation is loading. Please wait.

LCG Security Status and Issues

Published byRandall Moore Modified over 6 years ago

Similar presentations

Presentation on theme: "LCG Security Status and Issues"— Presentation transcript:

1 LCG Security Status and Issues
Ian Neilson Grid Deployment Group CERN LHCC 15 November,

2 LCG Security Status and Issues
Overview Security Policy Joint Security Policy Group Authentication & Authorization Infrastructure International Grid Trust Federation LHC Experiment Virtual Organisations Operational Security Operational Security Coordination Team Incident Response Planning Security Monitoring Tools Security Service Challenges plus some related activities LHCC 15 November,

3 Security Policy Joint Security Policy Group
LCG & EGEE with strong input from OSG Policy Set - Security & Availability Policy Usage Rules Certification Authorities Audit Requirements Incident Response User Registration & VO Management Application Development & Network Admin Guide VO Security LHCC 15 November,

4 Security Policy Policy Revision In Progress/Completed
Grid Acceptable Use common, general and simple AUP for all VO members using many Grid infrastructures EGEE, OSG, SEE-GRID, DEISA, national Grids… VO Security responsibilities for VO managers and members VO AUP to tie members to Grid AUP accepted at registration Incident Handling and Response defines basic communications paths defines requirements (MUSTs) for IR reporting response protection of data analysis not to replace or interfere with local response plans LHCC 15 November,

5 Security Policy Issues Can generic ‘simple’ policies be binding?
can they protect across legislative domains? Release of accounting data some site policies restrict release of per-user data legal implications of EU directives on privacy needed to properly manage and account to VOs More policy updates needed but revision process is slow top-level security and availability policy new policy for Data Handling/Protection needed Depth of policy review and discussion varies Risk Analysis should be repeated LHCC 15 November,

6 Authentication Infrastructure
IGTF – International Grid Trust Federation LCG currently accepts certificates from EUGridPMA CAs plus FNAL Kerberized CA IGFT officially formed at GGF15 3 regional PMAs: Europe, Asia Pacific, Americas addresses scalability issues felt by EUGridPMA separate the management of authentication profiles EUGridPMA: ‘classic’ CA TAGPMA: Short-lived Credential Generation Services brings FNAL KCA under an IGTF profile in future for myproxy and Shibboleth based services For LCG – “relying parties” what service is expected beyond credential issuing? revocation processing CA world is still “settling down”, will it stabilize? move from grid sites to NRENS LHCC 15 November,

7 Authorization Infrastructure
LHC Experiment Virtual Organisations VO Management service now deployed in beta at CERN VOMRS registration interface – good collaboration with FNAL Managed CERN Oracle service DB All 4 LHC experiments Back-end tied to CERN HR database view (ORGDB) allows use of existing exp. registration relies on membership lifecycle maintenance! but VO manager retains control e.g. LHCC 15 November,

8 Authorization Infrastructure
VOMS+VOMRS gives managed VO group+role flexibility BUT grid service authorization now based on simple group/role only authorization workshop discussed near-term requirements – SC4 VO Management and Authorization Services Critical service but has been hard to deploy HR interface Oracle support gLite packaging Limited experience in real operation Debug Performance LHCC 15 November,

9 Operational Security Coordination Team
OSCT membership = EGEE ROC security contacts What it is not: Not focused on middleware security architecture Not focused on vulnerabilities Vulnerabilities Group formed and operational Focus on Incident Response Coordination Assume it’s broken, how do we respond? Planning and Tracking Focus on ‘Best Practice’ Advice Monitoring Analysis Coordinators for each EGEE ROC plus OSG LCG Tier 1 + Taipei LHCC 15 November,

10 Operational Security Coordination Team
Incident Response Monitoring Tools Security Service Challenge Policy HANDBOOK Procedures Resources Reference Playbook Infrastructure Agents Deployment SSC1 - Job Trace SSC2 - Storage Audit Infrastructure LHCC 15 November,

11 Operational Security Coordination Team
Incident Response issues Contact management Use of site registration process and GOCDB Shift from site-based to regional/grid coordination Operational role for OSCT Live incident Lack of real incident experience incidents WILL happen and they WILL be disruptive OSCT can plan BUT cannot anticipate all eventualities Lack of dedicated resources Should be provided by EGEE-II NREN CSIRTS – overlap of IR activities understanding how/when/if to use Security Service Challenges Lessons from SSC1 Plan for SSC2 (storage) and beyond LHCC 15 November,

12 LCG Security Status and Issues
Related activities Optical Private Network Security Working group formed by GDB Disaster Recovery Planning Recent presentations at HEPiX and EGEE-4 ISSeG Proposed EU-funded project on Integrated Site Security for Grids CERN/Openlab lead LHCC 15 November,

13 Thank You LHCC 15 November,

Download ppt "LCG Security Status and Issues"

Similar presentations

Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.

Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Operational Security OSCT JSPG March 2006 Ian Neilson, CERN.

INFSO-RI Enabling Grids for E-sciencE Operational Security OSCT JSPG March 2006 Ian Neilson, CERN.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
RomeWorkshop on eInfrastructures 9 December 2003 - 1 LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.

RomeWorkshop on eInfrastructures 9 December LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.
Operational Security Working Group Topics Incident Handling Process –OSG Document Review & Comments:

Operational Security Working Group Topics Incident Handling Process –OSG Document Review & Comments:
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
EGEE ARM-2 – 5 Oct 2004 - 1 LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.

EGEE ARM-2 – 5 Oct LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Enabling Grids for E-sciencE www.eu-egee.org EGEE III Security Training and Dissemination Mingchao Ma, STFC – RAL, UK OSCT Barcelona 2009.

Enabling Grids for E-sciencE EGEE III Security Training and Dissemination Mingchao Ma, STFC – RAL, UK OSCT Barcelona 2009.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
LCG and HEPiX Ian Bird LCG Project - CERN HEPiX - FNAL 25-Oct-2002.

LCG and HEPiX Ian Bird LCG Project - CERN HEPiX - FNAL 25-Oct-2002.
GGF12 – 20 Sept 2004 - 1 LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.

GGF12 – 20 Sept LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.
LCG/EGEE Security Update HEPiX, Fall 2004 BNL, 18 October 2004 David Kelsey CCLRC/RAL, UK

LCG/EGEE Security Update HEPiX, Fall 2004 BNL, 18 October 2004 David Kelsey CCLRC/RAL, UK
Deployment Issues David Kelsey GridPP13, Durham 5 Jul 2005

Deployment Issues David Kelsey GridPP13, Durham 5 Jul 2005
Security Update Mingchao Ma HEPSYSMAN - Security 1 st July 2009.

Security Update Mingchao Ma HEPSYSMAN - Security 1 st July 2009.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
TERENA TF-EMC2 Workshop David Groep, 2004.11.04

TERENA TF-EMC2 Workshop David Groep,

Similar presentations

Ads by Google