Presentation is loading. Please wait.

Presentation is loading. Please wait.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014.

Published byBlake Doyle Modified over 8 years ago

Similar presentations

Presentation on theme: "OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014."— Presentation transcript:

1 OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014

2 Key Initiatives CILogon Basic CA is now IGTF accredited – Under the new IGTF profile – Included in the new IGTF release. – Included in our standard IGTF distribution as an accredited CA

3 Key Initiative: OSG IdM Roadmap Two questions from Lothar triggered our work. Presented the roadmap in detail on 4/2/2014 meeting. – What would happen to OSG stakeholders if we stop to provide certificates? – Can we get certificates somewhere other than DigiCert? – We created a short-term roadmap, OSG-doc- 1185, answering these questions in detail. Please read the document for details.

4 IDM Roadmap Can we get certificates somewhere else? Yes: – CILogon Net HSM service – Commercial Retail CAs – InCommon Certificate Service – Operating our own Backend CA – Operating our intermediate CA

5 IDM Roadmap CILogon Net HSM is the best option. We note the concern about future funding commitments. – Same set of services we get from DigiCert with minimal changes to Frontend – Started a prototype. Instantiating a new HSM service instance for OSG. Will use the same OIM invocation methods. No changes to the command line clients. If CILogon NET HSM option does not work, then we want to try to set up our own HSM service. If our own HSM does not work out, we should continue with DigiCert CA.

6 IDM Roadmap We completed a working prototype. Demonstrated that it works and changes are easily manageable. API changes at OIM-side Wrote a MOU between XSEDE and OSG and waiting to hear back form seniro mgmt. When we receive the approval, we will proceed.

7 Key initiatives OSG IdP that can onboard OSG members to OSG Connect seamlessly is completed. – Transitioning the service to GOC – IdP authenticates OSG users with their certificates, then sends a notification to OSGConnect. The OSG user does not have authenticate twice. – We stopped our plans on building an IdP that authenticates users with their uname/psswd. Objected at the staff retreat.

8 Change Management Process with DigiCert Had a few operational problems with PKI – Unprocessed Revocations. Found out revocation requests have not processed because a final step in approval was not performed. Learned that we should have tested CRLs once the revocations performed. – CRL download problem. Caused by trying to remediate the unprocessed revocations. GOC wanted to distribute CRLs faster but requested to change configuration variables that does not impact the distribution speed. Caused a OSG-wide CRL download problem. – Service names inclusion in renewed certificates. Discovered a minor problem with service prefix not included in certificate DN for renewals. – Testing infrastructure. Learned that DigiCert applies some changes to its production CA; we have no way of testing end-end before they move to rpoduction

9 These issues demonstrate that – We still have not fully understood DigiCert’s operational details – Have not nailed down a change management process – Seemingly innocent change requests can cause trouble. PKI is complex and fragile at the same time. Operations and Security teams got together and created a change management request process. – Always seek approval from security and operations teams before making a change request. – Consider consequences of a change from many angles. – Keep track in a ticketing system. Document the request and the steps taken. – Define a process for emergencies. Do our best to minimize the number of emergency releases. Since they will not be tested thoroughly. – We will test the process with the upcoming SHA-2 change

10 Operational security Busy 3 months Heartbleed, bitcoin mining, dcache vulnerability Dcache vulnerability, sent announcement to sites. Heartbleed. – More challenging. – Private keys, passwords, confidential material may become exposed if an attacker finds a vulnerable server – We asked all sites to patch ASAP. – We decided not to renew worker node certificates immediately. – No username/passwords to renew – For gatekeepers, we suggested renewing when is not burdensome for the site admin.

11 Operational Security Bitcoin Mining – Had some publicized incidents on CIOMagazine, bitcoin miners on NSF supercomputer, harvard university, and in EGI. – Sent out an announcement to VO admins. First line of defense is to educate the VO managers and ask them to spread the message. – Do not view bitcoin mining as a “malicious” activity, does not threat our security. But waste of computer resources. – More worried about increasing incident causing a hysteria in DOE leading to widespread bans in distributed computing environment.

12 Operational Security Bitcoin Mining– Actions to take – Will follow up with VO managers one-one. This is the most important action item for us. – Working with XSEDE security team. Will participate into closed-doors security meeting at XSEDE – Distribute information for sites who has IDS systems – OSG VO implemented warning messages when users first log in. – OSGConnect plans on having the same warning messages.

13 Operational Security Central banning tool – WLCG has been asking about an automated banning server that can push banned user list to sites automatically – Brian has implemented an additional feature in GUMS that it can retrieve ban list form Argus server. – OSG security decided not to run a central banning service because Most of our sites do not require end user certificates therefore they cannot ban a user based on the user’s dn Many of our users (non-LHC) do not use a certificate to submit Having a central banning tool has ony marginal value for a few OSG sites, CMS mainly

14 Operational security We considered whether having the banning feature at the VO-side is more meaningful. – Ban the user automatically at glideinwms submit node. – Decided this is not useful either. – During an incident, it is the VO who tracks the malicious user and identifies his/her identity. So the banning happens at the VO’s speed. – Sharing the malicious user name across the Vos may be useful but few users have multiple VO memberships and furthermore users name may be different from VO to VO. So we cannot automatically find and ban a user in a different VO. We no longer have a grid-wide unique identifier for each user. – So the banning service is no longer very useful for OSG

15 Future work Security controls. Started already. Scott has already completed GOC’s assessment. Thanks. Document the new risk model for OSG with the certificate-free jobs. – Ssh access to submit nodes, as opposed to certificate-based access to resources. – Weakest link is the submit node now.

Download ppt "OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014."

Similar presentations

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012.

OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Jan 2010 Current OSG Efforts and Status, Grid Deployment Board, Jan 12 th 2010 OSG has weekly Operations and Production Meetings including US ATLAS and.

Jan 2010 Current OSG Efforts and Status, Grid Deployment Board, Jan 12 th 2010 OSG has weekly Operations and Production Meetings including US ATLAS and.
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Key Accomplishments and Work Plans OSG Security Team July 11, 2012.

Key Accomplishments and Work Plans OSG Security Team July 11, 2012.
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 SAN Certificate in Unity Connection Presenter Name: Bhawna Goel.

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 SAN Certificate in Unity Connection Presenter Name: Bhawna Goel.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.
Key Project Drivers - FY11 Ruth Pordes, June 15th 2010.

Key Project Drivers - FY11 Ruth Pordes, June 15th 2010.
OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.

OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.

OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.
OSG Security Review Mine Altunay June 19, 2008. June 19, 2008 2 Security Overview Current Initiatives  Incident response procedure – top priority (WBS.

OSG Security Review Mine Altunay June 19, June 19, Security Overview Current Initiatives  Incident response procedure – top priority (WBS.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.
OSG Security Program Review OSG Security Team M. Altunay, FNAL, OSG Security Officer, D. Olson LBNL, Ron Cudzewicz FNAL J. Basney NCSA, Anand Padmanabhan.

OSG Security Program Review OSG Security Team M. Altunay, FNAL, OSG Security Officer, D. Olson LBNL, Ron Cudzewicz FNAL J. Basney NCSA, Anand Padmanabhan.

Similar presentations

Ads by Google