
1 EGI Security Policy Group
EGI Technical Forum, Sep 2010
David Kelsey
EGI-InSPIRE RI-261323

2 Agenda
- EGI Security Policy – history and status
- Security Policy Group (SPG) – Terms of Reference and procedures
- SPG plans for next 12 months
16/9/2010 Kelsey/Security Policy Group 2

3 Status and history
- The current EGI Security Policy is available on the SPG wiki
- Policies from the Joint (EGEE/WLCG) Security Policy Group have been imported into new EGI templates
  – No change to wording
  – Except for titles of and links to documents
- Adopted by EGI (from 1st May 2010)

4 Joint Security Policy Group (JSPG)
(slide reused from 7 Mar 2010, Kelsey, Security Policy)
- This started as a WLCG activity in 2003
- In 2004, EGEE phase 1 started
  – JSPG remit expanded to cover both projects
  – Strong participation by OSG, NDGF, …
- Revised mandate (2008)
  – prepares and maintains security policies for its primary stakeholders (EGEE and WLCG)
  – also able to provide policy advice on any security matter
- Policies approved and adopted by Grid management
- Now ended – EGI SPG continues the work

5 Policy Interoperability
- All about building TRUST
- Wherever possible, JSPG aimed to
  – prepare simple and general policies
  – applicable to the primary stakeholders, but
  – also of use to other Grid infrastructures (NGIs etc)
- The adoption of common policies by multiple Grids eases the problems of interoperability (and scaling)
- Users, VOs and Sites all accept the same policies during their (single) registration (with Grid or VO)
- Other participants then know that their actions are already bound by the policies
  – No need for additional negotiation, registration or agreement

6 JSPG Security Policies
[Diagram: the top-level Security Policy with its sub-policies – Site & VO Policies; Certification Authorities; Traceability and Logging; Security Incident Response; Accounting Data Privacy; Pilot Jobs and VO Portals; Grid & VO AUPs]

7 Security policies
- Top-level Grid Security Policy: Grid Security Policy
- For all Users: Grid Acceptable Use Policy
- For all Sites:
  – Grid Site Operations Policy
  – Site Registration Security Policy

8 Security policies (2)
- For all VOs:
  – VO Operations Policy
  – Virtual Organisation Registration Security Policy
  – Virtual Organisation Membership Management Policy
  – VO Portal Policy

9 Security policies (3)
- Other policies for all Grid participants:
  – Traceability and Logging Policy
  – Security Incident Response Policy
  – Approval of Certificate Authorities
  – Policy on Grid Pilot Jobs
  – Grid Policy on the Handling of User-Level Job Accounting Data
- Glossary of terms used in JSPG policy documents: Security Policy Glossary of Terms

10 SPG Terms of Reference and Procedures

11 Terms of Reference
- Draft SPG Terms of Reference have been produced
- See ...
- Discuss today
- Comments and suggestions are welcome

12 Terms of Ref (2)
- SPG Purpose and Responsibilities
- Develop and maintain Security Policy
  – For use by EGI and NGIs
  – Defines expected behaviour of NGIs, Sites, Users and others
  – To facilitate the operation of a secure and trustworthy DCI
- May also provide policy advice on any security matter related to operations

13 Terms of Ref (3)
- Where possible SPG should prepare simple and general policies
  – Of use to other Grids and DCIs (global)
  – Adoption of common policies eases interoperability
- SPG does not formally approve policy
  – Executive Board (and Council?)
  – And management bodies of NGIs
- Topics for consideration can be specified either by EGI management or SPG
- SPG may create focused sub-groups

14 Terms of Ref (4)
- SPG Membership
- Each NGI and EIRO member is entitled to appoint one voting member
- In addition, SPG should aim to include expertise in its deliberations from other stakeholders
  – Site security officers, Site sys admins, operations experts, middleware experts, VRCs, other DCIs...
  – These are determined by Chair in consultation with EGI management

15 Terms of Ref (5)
- SPG Chair
  – Defined Global task of EGI-InSPIRE
- SPG Secretary
  – Appointed by SPG
- Communications
  – All members belong to the SPG-discuss mail list
  – SPG wiki...

16 ToR (6) SPG Meetings
- As often as the work requires
- At least twice per year
  – Once during Technical Forum
- Face to face or phone/video
  – Face to face at least once per year
- To define future plans and discuss policy
- Editorial sub-groups created as required to work on policy documents
  – Leader of this to decide how this meets

17 ToR (7) Decision making
- Wherever possible via clear consensus
- Voting only when consensus not possible
  – Or if two voting members call for a vote
- Vote only valid if quorum present
  – 50% of the voting members
  – Vote by email if quorum not present
- SPG may (if majority agrees) refer matters to EGI Director for decision

18 ToR (8) SPG Outputs
- The security policy documents
- Reports on activities in EGI-InSPIRE quarterly reports
- Report to wider community at EGI Technical Forum
- Reports from editorial sub-groups to main SPG at least quarterly

19 ToR (9) Amendments
- SPG can amend ToR by consensus
- Amendments to be approved by the Executive Board
- SPG will review its ToR and procedures annually

20 ToR – Issues raised so far
- Internal (EGI only) vs External (other DCI)
  – discuss vs EGI-InSPIRE (answer:
- Take names out of document (yes)
- Allow for deputies (seems good idea)
- “Appointed by” vs “Not representing”
  – “Nominated by”? (sounds good)
- What is an EIRO? (add to definitions)
  – European Intergovernmental Research Organisation

21 SPG Procedures
- To produce a new/revised policy (MS209)
- Tasks:
  – Write internal draft (editorial team)
  – Discuss within SPG
  – Prepare updated external draft
  – Consult stakeholders
  – Prepare updated final call draft
  – SPG agrees version for approval
  – Policy approval

22 Editorial team
- Sub-set of SPG members
- Responsible for producing all drafts (internal, external, final call)
- Leader and at least 2 other SPG members
  – Important to include appropriate expertise
  – Can/should include members from other DCIs, other experts, ...
- Can meet face to face or discuss by phone, email, video etc (their choice)

23 Document database
- All drafts of policy documents will be public
  – Stored in EGI document database
- Document discussion to be stored on SPG wiki (again, public access)
- The whole process should be open
- All are encouraged to comment

24 Consultation
- Important to consult widely and take all feedback into account
- SPG will distribute external draft for comment to:
  – SPG itself (members to distribute on)
  – EGI-CSIRT
  – VRC contacts
  – NGI contacts (NGI distributes to Sites) – or should we distribute to all Security Contacts?
  – All EGI Boards

25 Consultation (2)
- Final call draft
  – Sent to all EGI boards
  – Also sent to Executive Board
  – And everyone else again? Or just those who commented before?
- Approval by EB should not (hopefully!) raise more comments

26 Timetable
- JSPG learned that the development of common, simple policy takes time!
- Each time we send a document for comment we need to allow at least 2 weeks (more?)

27 Details of voting process
- At face to face (or phone/video)
  – Voting members only
  – Chair does not vote (except for tie)
  – Voting is public
- Quorum
  – At least 50% of voting members must be present
  – If not, must do by email
- Email vote
  – Vote sent to Secretary (following request on mail list)
  – 2 week deadline

28 Anything else?
- Some people have already been nominated or have volunteered
- Others – please contact me
  – david.kelsey at
- Other issues for ToR/procedures?

29 SPG Tasks for Year 1

30 Immediate work
- Firm up SPG membership
- Populate mail list
- Complete ToR and MS209 procedures
- Both will be sent to the mail list for final comment

31 Work for year 1
- To date there have been no requests from EGI management for SPG to study particular policy issues
  – Except for some comments from EB
- My thoughts follow
  – Discuss today
  – Suggestions very welcome

32 Policy issues from EB
- Comments received during EB review
  – Definition of Pseudonymous Web User not clear (in VO Portal Policy)
  – Top-Level policy uses a different approach to references from other documents
  – Some use RFC 2119 “MUST”, “SHOULD” etc, some do not

33 Document revision
- The oldest document is the top-level main Security Policy
- I think we should start with that
  – Avoid overlap with policy sub-documents
  – Make applicable to new EGI/NGI world
  – And of use to other DCIs
  – Review style of references (inline or not?)
- An important review
  – Sets approach for all our future work

34 VM Endorsement
- There is a particle physics (HEPiX) working group on Virtualisation
- This has produced a draft security policy on the Endorsement of Trusted Virtual Machine Images
- Should we discuss this for use by general communities?

35 Policy framework
- During the last year of JSPG
- Discussed the development of a policy framework for collaborating Grids
- A way of defining policy standards required for trustworthy interoperation
  – Not policy words
  – List of policy components that must be addressed
- We should do more on this
  – Good way of interacting with many DCIs
  – I suggest we start with Security Incident Response

36 Other areas of weakness
- Clear definition of responsibility and liability
- Treatment of data protection, data privacy
- What can we do to improve policies for VRCs?
- Others?

37 Discussion
