Mine Altunay July 30, 2007 Security and Privacy in OSG.


1 Security and Privacy in OSG
Mine Altunay, July 30, 2007

2 Who am I?
07/30/2007 OSG Site Admins Technical Meeting, July 2007: Mine Altunay
Recently joined OSG Security Team
Ramping up to be full time OSG Security
Working through the OSG Security Plan
Helping develop any new items for the Security Plan in Year 2

3 Security Controls
Security Control: safeguards prescribed for an information system to protect the integrity, confidentiality and availability of the system and its information
–Management Controls (policies)
–Operational Controls (things that people do)
–Technical Controls (things that machines do)
The OSG Security Plan defines, implements and executes these controls

4 Security Plans
Two types of security plans:
–Core OSG: assets under complete control of OSG (e.g., the middleware software cache). OSG is responsible for the security of these systems
–Facilities, VOs and software providers that are “part” of OSG. OSG can create examples and templates of security plans that can be incorporated into site and VO plans. Sites and VOs are responsible for the security of these

5 What does this mean for a site admin?
You are responsible for the security of your own site
You should:
–understand the usage scenarios
–analyze the risks
–implement and execute security controls

6 Site Resources
[Figure: the site’s resources, Data Storage 1, Data Storage 2, Site Database, Site Web Services, WN Cluster 1 and WN Cluster 2, divided into those accessible to the VO and those NOT accessible to the VO]
A fictitious site access policy: for each resource, only allow authorized users AND deny any requests from black-listed users

7
Site grants access to the VO.
VO delegates the access privilege to its trusted members.
VO manages its members’ access rights:
–different access rights to different VO members
–e.g. grouping of users based on tasks, or on roles played in an experiment

8 A simple usage scenario
[Figure: Researcher A from University X, which is a member of the VO, submits a grid job; the job passes through the VO Infra. & Services to the Site and its VO-accessible Site Resources (Data Storage 1, WN Cluster 1). Labels: VO trusts Researcher; Site trusts VO; Site allows access by Researcher]
Three separate security domains:
–Univ., VO and Site
Two trust relationships
Researcher accesses the Site’s resources due to the trust between the VO and the Site.

9
[Figure: Researcher A from Uni. X and Researcher B from Uni. Y. In the VO: Group1: Uni. X, Role: Researcher, Privileges: execute, read-write; Group2: Uni. Y, Role: Researcher, Privileges: execute, read-write. Site resources: WN, Group 1’s Data, Group 2’s Data]
VO determines member privileges over Site resources
Site enforces VO assigned permissions

10
[Figure: VO Policy and Site Policy combine into the Enforced Policy over the Site’s Resources that are accessible to the VO (Data Storage 1, WN Cluster 1)]

11
[Figure: Researcher A from Group 1 submits grid job 1 through the VO Infra. & Services to the Site WN; the job attempts unauthorized access to Group 2’s Data, which belongs to Researcher B from Group 2]
Enforced Policy outcome: Researcher A cannot modify Researcher B’s data (due to VO policy)

12
[Figure: the same flow; Researcher B from Group 2, whose DN name is blacklisted, attempts access to the Site (unauthorized access)]
Enforced Policy outcome: Researcher B denied access due to Site policy
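The two outcomes on slides 11 and 12 follow from layering the VO policy (who holds which privilege on which data) under the site policy (which resources are open to the VO, and which DNs are blacklisted). The model below is an added illustration, not code from the slides or from OSG: the DNs, group and role names, resource names and the policy contents are constructed, and the evaluation order (site checks first, then VO) is a design choice of this example.

```python
"""Model of the VO/site policy layering: the VO assigns privileges per
(group, role), the site keeps its own access policy (VO-accessible resources
plus a DN blacklist), and the enforced decision requires both to permit.
Added illustration, not OSG code; all names and policies are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    dn: str          # certificate subject of the requester
    group: str       # VO group carried in the proxy
    role: str        # VO role carried in the proxy
    resource: str    # site resource being touched
    action: str      # "execute", "read" or "write"


@dataclass
class VOPolicy:
    # (group, role) -> {resource: set of permitted actions}
    grants: dict

    def permits(self, r: Request) -> bool:
        allowed = self.grants.get((r.group, r.role), {})
        return r.action in allowed.get(r.resource, set())


@dataclass
class SitePolicy:
    vo_accessible: set                           # resources opened to the VO
    blacklist: set = field(default_factory=set)  # DNs the site denies outright

    def permits(self, r: Request) -> bool:
        return r.resource in self.vo_accessible and r.dn not in self.blacklist


def enforce(vo: VOPolicy, site: SitePolicy, r: Request) -> tuple:
    """Returns (decision, reason). The site owns the resource, so its policy
    is evaluated first; a blacklisted DN never reaches VO evaluation."""
    if r.dn in site.blacklist:
        return (False, "denied by site policy: DN blacklisted")
    if r.resource not in site.vo_accessible:
        return (False, "denied by site policy: resource not accessible to VO")
    if not vo.permits(r):
        return (False, "denied by VO policy: no privilege for this group/role")
    return (True, "allowed: site and VO policies both permit")


# Constructed sample policies mirroring the slides
VO = VOPolicy(grants={
    ("group1", "Researcher"): {"wn-cluster-1": {"execute"},
                               "group1-data": {"read", "write"}},
    ("group2", "Researcher"): {"wn-cluster-1": {"execute"},
                               "group2-data": {"read", "write"}},
})
SITE = SitePolicy(vo_accessible={"wn-cluster-1", "group1-data", "group2-data"},
                  blacklist={"/DC=org/DC=example/CN=Researcher B"})

RESEARCHER_A = "/DC=org/DC=example/CN=Researcher A"
RESEARCHER_B = "/DC=org/DC=example/CN=Researcher B"


def scenario_slide_11():
    # Researcher A (Group 1) tries to modify Group 2's data
    return enforce(VO, SITE, Request(RESEARCHER_A, "group1", "Researcher",
                                     "group2-data", "write"))


def scenario_slide_12():
    # Researcher B is blacklisted at the site, even though the VO grants access
    return enforce(VO, SITE, Request(RESEARCHER_B, "group2", "Researcher",
                                     "group2-data", "read"))


def scenario_allowed():
    # Researcher A writing her own group's data: both policies permit
    return enforce(VO, SITE, Request(RESEARCHER_A, "group1", "Researcher",
                                     "group1-data", "write"))


def scenario_site_closed():
    # The site database was never opened to the VO, whatever the VO grants
    return enforce(VO, SITE, Request(RESEARCHER_A, "group1", "Researcher",
                                     "site-database", "read"))


if __name__ == "__main__":
    for name in ("scenario_slide_11", "scenario_slide_12",
                 "scenario_allowed", "scenario_site_closed"):
        print(name, globals()[name]())
```

The reason string records which layer denied the request; in a real deployment that distinction is what tells the admin whether to talk to the VO (privilege assignment) or look at the site's own blacklist and resource list.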

13
[Figure: authorization architecture at a Grid Site]
–VO Management Services: VOMS and VOMRS. Users register with VOMRS, which synchronizes with VOMS; the site’s GUMS synchronizes with VOMS
–User: holds a certificate, runs get-voms-proxy to obtain a VOMS Extended proxy, and submits the request with the voms-proxy
–CE: the Gatekeeper, via Prima/SAML callouts (C), sends DN, FQAN to the Sitewide Services (GUMS returns a user name; SAZ answers “Is authorized? yes/no”); the Job Manager runs the job
–SE: SRM with gPlazma, via the Prima/SAML Client (Java), sends DN, FQAN to the Storage Auth Service and receives a Storage priv set
–Legend: Privilege Project Module

14
[Figure: pilot job flow without gLExec. The Gatekeeper, via Prima/SAML callouts (C), asks GUMS to map the Pilot DN to a Pilot UID; the Job Manager places the pilot in the Pilot User queue; on the WN the pilot, running as Pilot UID, requests a User job (User DN) and runs it under the Pilot UID]
User job and Pilot job run in the same user account → modifications between jobs
Site does not auth/authz the user → only auth/authz pilot job

15
[Figure: the same pilot job flow with gLExec on the WN. The Gatekeeper and GUMS map the Pilot DN to the Pilot UID as before; on the WN, gLExec maps the User DN to a User UID, and the User job runs under the User UID rather than the Pilot UID]
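Slides 14 and 15 differ in one step on the worker node: whether the user's job inherits the pilot's account or is mapped to its own account after the site has authorized the user's own identity. The simulation below is an added illustration, not code from the slides, OSG, GUMS or gLExec; the mapping rules, DNs, FQAN prefixes and local account names are constructed, and the GUMS stand-in is a simplified prefix match rather than any real GUMS configuration.

```python
"""Simplified model of the two pilot-job flows: the gatekeeper authorizes
only the pilot; on the worker node the user's job either inherits the pilot's
account (no gLExec) or is mapped to its own account after the site authorizes
the user's proxy (gLExec). Added illustration, not OSG/GUMS/gLExec code;
mapping rules, DNs and FQANs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proxy:
    dn: str       # subject DN of the certificate
    fqan: str     # VOMS attribute carried in the proxy


class MappingService:
    """Stand-in for GUMS: maps (DN, FQAN) to a site-local account."""

    def __init__(self, rules, blacklist=()):
        self.rules = rules            # list of (fqan_prefix, local_account)
        self.blacklist = set(blacklist)

    def map_user(self, proxy: Proxy):
        if proxy.dn in self.blacklist:
            return None
        for prefix, account in self.rules:
            if proxy.fqan.startswith(prefix):
                return account
        return None   # unmapped identities are not authorized


@dataclass
class JobRecord:
    job: str
    submitted_by: str       # DN of whoever submitted the job
    ran_as: str             # local account the job executed under
    site_authorized: bool   # did the site itself check this identity?


def run_pilot_flow(gums: MappingService, pilot: Proxy, user_jobs, use_glexec: bool):
    """Returns the JobRecords produced, or None if the pilot itself is rejected."""
    pilot_account = gums.map_user(pilot)   # gatekeeper callout: authz the pilot only
    if pilot_account is None:
        return None
    records = [JobRecord("pilot", pilot.dn, pilot_account, True)]
    for name, user_proxy in user_jobs:
        if not use_glexec:
            # slide 14: the user job inherits the pilot UID; the site never sees the user
            records.append(JobRecord(name, user_proxy.dn, pilot_account, False))
            continue
        # slide 15: gLExec presents the user's proxy to the site before switching
        user_account = gums.map_user(user_proxy)
        if user_account is None:
            continue   # user not authorized at this site: the job is not run
        records.append(JobRecord(name, user_proxy.dn, user_account, True))
    return records


# Constructed site configuration
GUMS = MappingService(
    rules=[("/vo/Role=pilot", "vopilot"),
           ("/vo/group1", "vogroup1"),
           ("/vo/group2", "vogroup2")],
    blacklist={"/DC=org/DC=example/CN=Researcher B"},
)
PILOT = Proxy("/DC=org/DC=example/CN=pilot-factory", "/vo/Role=pilot")
USER_JOBS = [
    ("job-A", Proxy("/DC=org/DC=example/CN=Researcher A", "/vo/group1/Role=Researcher")),
    ("job-B", Proxy("/DC=org/DC=example/CN=Researcher B", "/vo/group2/Role=Researcher")),
]


def without_glexec():
    return run_pilot_flow(GUMS, PILOT, USER_JOBS, use_glexec=False)


def with_glexec():
    return run_pilot_flow(GUMS, PILOT, USER_JOBS, use_glexec=True)


def accounts_shared(records) -> bool:
    """True when more than one job ran under the same local account."""
    accounts = [r.ran_as for r in records]
    return len(accounts) != len(set(accounts))


if __name__ == "__main__":
    for label, recs in (("without gLExec", without_glexec()), ("with gLExec", with_glexec())):
        print(label, [(r.job, r.ran_as, r.site_authorized) for r in recs])
```

Without gLExec every record runs as the pilot account and no user job is marked as site-authorized, which is the accountability and isolation gap the slide describes; with gLExec the blacklisted researcher's job is never started and the remaining job runs under its own account.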

16 What does this mean for a site admin? Incident Response
Researcher A launches an attack against the Site
Site discovers the attack
Site analyzes the attack, temporarily blacklists Researcher A (if it can trace it)
Site should:
–Call GOC at 1 317-278-9699, or submit a trouble ticket
–Email security@opensciencegrid.org
–Or email security-discuss-L@opensciencegrid.org

17
–Inform the VO security contact
–Site trusts the VO, not individual members
–VO finds which member has the privilege: logs and mapping repository (VOMRS)
–VO determines culpability and takes measures over Researcher A’s privileges
OSG has controls only over core OSG assets and staff
–VO is responsible for its users’ behavior
–OSG may bar a VO if the VO violates OSG policies

18 Sites are responsible for
Building and maintaining a trust relationship with the VO
Determining which resources are accessible to VO members and in which capacity
Reaching an agreement with the VO over the usage of the resources
–privileges associated with roles (e.g. r/w privilege over a data location by a VO member)
Enforcing VO assigned privileges and the site’s access policies
Keeping in sync with VO policy (e.g. VOMRS), maintaining service availability for access

19
–Keeping access logs of VO users and maintaining audits
–Informing the VO Security contact about security incidents
–Complying with grid operational controls:
  Keeping up to date with CA certificates (IGTF updates) and Certificate Revocation Lists
  Using the latest configuration for grid distributed software

