Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Published byEustace Norris Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL."— Presentation transcript:

1 Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL

2 Overview A VERY long time since I gave a Security Update –Much to talk about (this will be rushed!) IGTF news –SHA2 etc Revised Security Policies –Service Operations –AUP Security for Collaborating Infrastructures (SCI) Security operations 12 Jun 20132Security - D Kelsey

3 IGTF news I attend EUGridPMA and TAGPMA meetings –Representing WLCG as a “Relying Party” Many recent developments –But today just report on some! TAGPMA meeting 6-7 May 2013 EUGridPMA meeting 13-15 May 2013 Thanks to David Groep for the following slides –Shown to the EGI OMB Summary of EUGridPMA meeting at: https://www.eugridpma.org/meetings/2013-05/eugridpma-kyiv-summary-20130515.txt https://www.eugridpma.org/meetings/2013-05/eugridpma-kyiv-summary-20130515.txt 12 Jun 2013Security - D Kelsey3

4 www.egi.eu EGI-InSPIRE RI-261323 SHA-2 time line agreed Now –CA certificates in the IGTF distribution and CRLs at official distribution points should use SHA-1 –CAs should issue SHA-1 end entity certificates by default –CAs may issue SHA-2 (SHA-256 or SHA-512) end entity certificates on request. CAs may publish SHA-2 (SHA-256 or SHA-512) CRLs at alternate distribution point URLs 1 st October 2013 –CAs should begin to phase out issuance of SHA-1 end entity certificates –CAs should issue SHA-2 (SHA-256 or SHA-512) end entity certificates by default 1 st April 2014 –New CA certificates should use SHA-2 (SHA-512) –Existing intermediate CA certificates should be re-issued using SHA-2 (SHA-512) –Existing root CA certificates may continue to use SHA-1 1 st October 2014 –CAs may begin to publish SHA-2 (SHA-256 or SHA-512) CRLs at their official distribution points. 1 st December 2014 (‘sunset date’) –All issued SHA-1 end entity certificates should be expired or revoked. In case of new SHA-1 vulnerabilities, the above schedule may be revised. 2013-05-28 IGTF Summary OMB May 2013

5 www.egi.eu EGI-InSPIRE RI-261323 SHA-2 readiness For SHA-2 there are still a few CAs not ready a few can do either SHA-2 OR SHA-1 but not both –so they need to wait for software to be SHA-2-ready and then change everything at once A select few can do SHA-2 but their time line is not driven solely by us (i.e. some commercials) –Their time line is driven by the largest customer base –All can do SHA-2 already – some do on request (since non-grid customers do request SHA-2-only PKIs) –it is because of these that RPs have to be ready, because when directives come from CABF they will change, and do it quite irrespective of our time table! Keep in mind issues for HSMs (robot tokens) 2013-05-28 IGTF Summary OMB May 2013

6 www.egi.eu EGI-InSPIRE RI-261323 Other work items IPv6 deployment http://www.particle.cz/farm/admin/IPv6EuGridPMACrlChecker/ http://www.particle.cz/farm/admin/IPv6EuGridPMACrlChecker/ –expect RPs with v6-only systems to setup 6-to-4 NAT/proxy IGTF ‘Test Suite’ for software providers Guidelines on operation trusted credential stores (draft) http://wiki.eugridpma.org/Main/CredStoreOperationsGuideline –matches with the Private Key Protection guidelines –guidance for MyProxy setups, portals, credential mngt systems –intended to be ‘good advice’ for RPs – things to consider Progress on move towards differentiated ID assurance http://wiki.eugridpma.org/Main/IOTASecuredInfraAP –provides only unique opaque identifier: no identity, no tracability –needs tuning of LoA with our RPs, current version may be too much XSEDE and does not even work yet for PRACE-T1s… 2013-05-28 IGTF Summary OMB May 2013

7 IGTF IOTA profile Input TAGPMA, CI Logon Basic, and UK SARoNGS RP requirements from XSEDE and PRACE New authentication profile –Identifier-Only Trust Assurance –Persistent unique identifiers –Light-weight identity vetting Appropriate in cases where VO does robust ID vetting, e.g. LHC VOs 12 Jun 2013Security - D Kelsey7

8 IOTA (2) If a commonName is included –it must contain either an opaque unique identifier –or a name chosen by the requestor and obtained from (a list proposed by) the IdP on which the issuer will enforce uniqueness Full details at http://wiki.eugridpma.org/Main/IOTASecuredInfraAP 12 Jun 2013Security - D Kelsey8

9 Revised Security Policies EGI Security Policy Group Old Grid Site Operations Security Policy –Replaced by Service Operations Security Policy As it is not just sites who run services –And a recent new bullet on the policy requirement for deployment of Security Emergency Suspension https://documents.egi.eu/document/1475 You must implement automated procedures to download the security emergency suspension lists defined centrally by Security Operations and should take appropriate actions based on these lists, to be effective within the specified time period. 12 Jun 2013Security - D Kelsey9

10 Service Operations Security Policy (2) Other changes: –addresses end of security support for software … software patches, updates or configuration changes required for security or end of security support … –removes the IPR statement (covered elsewhere) –addresses the retirement of a service Upon retirement of a service, the obligations specified in clauses 1, 2, 5 and 6 shall not lapse for the retention period specified in the Traceability and Logging Policy Has been adopted by EGI from 1 st June 2013 I propose that WLCG adopts this revised policy –At an upcoming WLCG MB meeting 12 Jun 2013Security - D Kelsey10

11 Revision to Grid AUP EGI Council decided to require its users to acknowledge support and resources used –And requested change to the User AUP EGI SPG considered –Not easy as Users usually register with VOs not sites or infrastructures https://documents.egi.eu/document/1779 This is one document where common wording between all VOs, communities etc is very useful! The following new wording has been added –Next page 12 Jun 2013Security - D Kelsey11

12 New AUP(2) Acknowledgement of support or of your use of the resources or services provided to you by Infrastructure Providers, Infrastructure Organisations and/or Resource Centres may be required by the body or bodies granting you access. You shall comply with all such requirements by adding the specified citations or acknowledgements to all published papers, preprints, conference papers and talks and any other published material, whether or not these are subject to copyright. Additional procedures are required to specify what acknowledgements are required and by whom 12 Jun 2013Security - D Kelsey12

13 Security for Collaborating Infrastructures A collaborative activity of information security officers from large-scale infrastructures –EGI, OSG, PRACE, EUDAT, CHAIN, WLCG, XSEDE, … Developed out of EGEE and WLCG We are developing a Trust framework –Enable interoperation (security teams) –Manage cross-infrastructure security risks –Develop policy standards –Especially where not able to share identical security policies 12 Jun 2013Security - D Kelsey13

14 SCI (2) A draft version (V0.95) may be found at http://www.eugridpma.org/sci/ http://www.eugridpma.org/sci/ The document defines a series of numbered requirements in 6 areas –Each infrastructure should address these –Part of promoting trust between us all Version 1 has been produced –And is being tidied No time to look at details today But this is a useful way of building trust within WLCG –And for identifying areas that need more work Once V1 is finalised we will share with GDB and MB 12 Jun 2013Security - D Kelsey14

15 Security Operations You are all very aware that WLCG uses resources from several computing infrastructures: –EGI, OSG, NDGF/NeIC, … Today security operations in WLCG relies on strong collaboration between –Romain Wartel as WLCG Security Officer –CERN security team –The CSIRTs from EGI and NGIs, OSG, NDGF/NeIC In recent weeks there has been much activity by the EGI CSIRT monitoring and handling the vulnerability CVE-2013-2094 –Several people have been very busy for some weeks! EGI CSIRT is now accredited by TF-CSIRT/Trusted Introducer 12 Jun 2013Security - D Kelsey15

16 Security Operations after end of EGI-InSPIRE? The study made by EGI as to which global tasks need to continue beyond May 2014 identified “Security”, including a strengthened core expert incident response team as of “critical” importance As we move into an ever-changing world –Agile computing, Clouds, Virtualisation etc –Security risks and threats will change –Competent security teams will be needed! We confidently expect EGI.eu sustainable funding for this important activity to continue –And we may be able to bid for additional funds E.g. Horizon 2020 I don’t currently see any plan B for WLCG and its members to take over the funding of this 12 Jun 2013Security - D Kelsey16

17 Discussion? 12 Jun 2013Security - D Kelsey17

Download ppt "Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.

Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Security Policy Group Summary EGI TF David Kelsey 6/28/2015 1.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Security Policy Group Summary EGI TF David Kelsey 6/28/
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.

OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.

LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Updates from the EUGridPMA David Groep, July 16 st, 2007.

Updates from the EUGridPMA David Groep, July 16 st, 2007.
Identity Management in Open Science Grid Identity Management in Open Science Grid Challenges, Needs, and Future Directions Mine Altunay OSG Security Officer.

Identity Management in Open Science Grid Identity Management in Open Science Grid Challenges, Needs, and Future Directions Mine Altunay OSG Security Officer.
WLCG Security: A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) CHEP2013, Amsterdam 17 Oct 2013.

WLCG Security: A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) CHEP2013, Amsterdam 17 Oct 2013.
EUGridPMA Status, current trends and some technical topics March 2013 Boulder, CO, USA David Groep, Nikhef & EUGridPMA.

EUGridPMA Status, current trends and some technical topics March 2013 Boulder, CO, USA David Groep, Nikhef & EUGridPMA.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Security Policy Update LCG GDB Prague, 4 Apr 2007 David Kelsey CCLRC/RAL

Security Policy Update LCG GDB Prague, 4 Apr 2007 David Kelsey CCLRC/RAL

Similar presentations

Ads by Google