Presentation is loading. Please wait.

Presentation is loading. Please wait.

WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.

Published byBranden Smith Modified over 9 years ago

Similar presentations

Presentation on theme: "WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015."— Presentation transcript:

1 WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015

2 Working Group History October 2014 call for volunteers to do practical work – investigating cloud traceability gaps – Testing possible solutions Face to face meeting at CERN February 10 th – 18 participants - Many sites and all main LHC VOs represented – Gathered ideas/concerns – 5 initial areas of interest identified

3 The problem Security incidents in our infrastructure are an operational reality 70+ in WLCG since 2006 When incidents occur, we need to contain them and limit their impact. This preserves our reputation & ensures resources are being used for the purposes intended. In order to do this we must be able to answer some questions about any problematic activity: – Who did What, When did they do it, and Where Well established model, backed up by policy & best practice to allow us (more or less) to know these things in grid context. Increasing use of cloud platforms & virtualisation mean we must reavaluate, monitor & log some different things, and validate that our measures are effective.

4 Many ideas Condensed to 4 areas for ‘immediate’ investigation

5 Areas for further investigation Just use syslog – Logging from inside VMs – Exploit the high degree of trust between sites and Vos within WLCG – Evaluate merits of using job features vs. contextualisation to pass syslog configuration info Quarantining VMs – Ability to keep VM images for forensics Hypervisor & network flow logging – Can depend on the externally observable behaviour – Have until now neglected netflow VO Logging – Gap analysis

6 In addition Giving sites root access – Exploit VO trust in sites to support incident response Agreed this can just happen, does not need further work Policy evolution – There will be policy changes – Should track work and evolve policy as appropriate – No immediate action

7 Practical steps - Logging Should primarily depend on, and increase logging of, externally observable behaviour – Hypervisor & Cloud management framework – Network activity & flows This may depend upon (expensive) hardware Ability to cross checking/aggregate from multiple sources increasingly important Tools for storing, aggregating & searching increasingly important Within WLCG images are well controlled by VOs – This allows a greater degree of trust – User and superuser roles are well separated. – Therefore we should also use syslog from within VMs Potential for changes to VO workflow logging in order to better support traceability

8 Action: Syslog Investigate providing remote syslog service for running VMs – Also frameworks for managing & searching high volumes of logs – RAL, Glasgow, CERN, Brunel, INFN – Manchester will provide a syslog server that the VMs can report to. – Investigate creating VM images that can be configured to use site syslog – Compare machine/job features and site contextualisations Manchester: Initial work on using machinefeatures to pass local syslog server information Prototype cernvm image supporting contextualisation of syslog At RAL, getting some logs, ironing out problems.

9 Action: Hypervisor & Netflow logging Survey experience of sites that do have hardware supporting flow monitoring – Nikhef, CERN, IN2P3 Investigate network flow monitoring on hypervisors – Some possible approaches – need to test especially for any performance impact Formalise recommendations for logging instantiation etc. of VMs Initial contacts made

10 Forensic examination of VM images is one specific benefit of virtualisation – Easy in some cloud management frameworks Built in to Stratuslab – Has a cost in storage – RAL, IN2P3 & Glasgow to investigate At RAL virtualised WNs already quarantined (managed by Condor). Investigating building this in to storage service. Action: Quarantining VMs

11 Action: VO Logging In order to ensure traceability & ability to map users to processes on VMs may need enhancement of (already substantial) VO workflow logging Will advance this with traceability service challenges Awaiting progress in other areas

12 Summary A productive meeting A set of clear actions Some progress in last month Scope for more participants – contact Ian Collier

13 Questions & Links Questions? Links Meeting notes: https://twiki.cern.ch/twiki/bin/view/LCG/20150210PreGDB https://twiki.cern.ch/twiki/bin/view/LCG/20150210PreGDB Egroup: project-lcg-gdb-traceability-tf@cern.ch (need a CERN account to join on your own)

Download ppt "WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015."

Similar presentations

Cloud Computing at the RAL Tier 1 Ian Collier STFC RAL Tier 1 GridPP 30, Glasgow, 26th March 2013.

Cloud Computing at the RAL Tier 1 Ian Collier STFC RAL Tier 1 GridPP 30, Glasgow, 26th March 2013.
Tier-1 Evolution and Futures GridPP 29, Oxford Ian Collier September 27 th 2012.

Tier-1 Evolution and Futures GridPP 29, Oxford Ian Collier September 27 th 2012.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
HEPiX Virtualisation Working Group Status, July 9 th 2010

HEPiX Virtualisation Working Group Status, July 9 th 2010
Cloud & Virtualisation Update at the RAL Tier 1 Ian Collier Andrew Lahiff STFC RAL Tier 1 HEPiX, Lincoln, NEBRASKA, 17 th October 2014.

Cloud & Virtualisation Update at the RAL Tier 1 Ian Collier Andrew Lahiff STFC RAL Tier 1 HEPiX, Lincoln, NEBRASKA, 17 th October 2014.
Integrating Network and Transfer Metrics to Optimize Transfer Efficiency and Experiment Workflows Shawn McKee, Marian Babik for the WLCG Network and Transfer.

Integrating Network and Transfer Metrics to Optimize Transfer Efficiency and Experiment Workflows Shawn McKee, Marian Babik for the WLCG Network and Transfer.
5205 – IT Service Delivery and Support

5205 – IT Service Delivery and Support
Tier-1 experience with provisioning virtualised worker nodes on demand Andrew Lahiff, Ian Collier STFC Rutherford Appleton Laboratory, Harwell Oxford,

Tier-1 experience with provisioning virtualised worker nodes on demand Andrew Lahiff, Ian Collier STFC Rutherford Appleton Laboratory, Harwell Oxford,
Sergey Belov, Tatiana Goloskokova, Vladimir Korenkov, Nikolay Kutovskiy, Danila Oleynik, Artem Petrosyan, Roman Semenov, Alexander Uzhinskiy LIT JINR The.

Sergey Belov, Tatiana Goloskokova, Vladimir Korenkov, Nikolay Kutovskiy, Danila Oleynik, Artem Petrosyan, Roman Semenov, Alexander Uzhinskiy LIT JINR The.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Virtualisation Cloud Computing at the RAL Tier 1 Ian Collier STFC RAL Tier 1 HEPiX, Bologna, 18 th April 2013.

Virtualisation Cloud Computing at the RAL Tier 1 Ian Collier STFC RAL Tier 1 HEPiX, Bologna, 18 th April 2013.
Auditing Cloud Administrators Using Information Flow Tracking Afshar David ACM Scalable Trusted Computing.

Auditing Cloud Administrators Using Information Flow Tracking Afshar David ACM Scalable Trusted Computing.
David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.

David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.
Cloud Use Cases, Required Standards, and Roadmaps Excerpts From Cloud Computing Use Cases White Paper

Cloud Use Cases, Required Standards, and Roadmaps Excerpts From Cloud Computing Use Cases White Paper
The HEPiX IPv6 Working Group David Kelsey EGI TF, Prague 18 Sep 2012.

The HEPiX IPv6 Working Group David Kelsey EGI TF, Prague 18 Sep 2012.
LAN Switching and Wireless – Chapter 1 Vilina Hutter, Instructor

LAN Switching and Wireless – Chapter 1 Vilina Hutter, Instructor
WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.

WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Virtualisation & Cloud Computing at RAL Ian Collier- RAL Tier 1 HEPiX Prague 25 April 2012.

Virtualisation & Cloud Computing at RAL Ian Collier- RAL Tier 1 HEPiX Prague 25 April 2012.
Virtualised Worker Nodes Where are we? What next? Tony Cass GDB 2012 12/12/12.

Virtualised Worker Nodes Where are we? What next? Tony Cass GDB /12/12.

Similar presentations

Ads by Google