Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) WLCG GDB, CERN 10 Jul 2013.

Published byLogan Brooks Modified over 8 years ago

Similar presentations

Presentation on theme: "A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) WLCG GDB, CERN 10 Jul 2013."— Presentation transcript:

1 A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) WLCG GDB, CERN 10 Jul 2013

2 And many thanks to ISGC2013 co- authors and other collaborators K. Chadwick (FNAL) I. Gaines (FNAL) D. Groep (Nikhef) U. Kaila (CSC) C. Kanellopoulos (GRNET) J. Marsteller (PSC) R. Niederberger (FZ-Juelich) V. Ribaillier (IDRIS) R. Wartel (CERN) W. Weisz (University of Vienna) J. Wolfrat (SURFsara) 10/07/13SCI at WLCG GDB2

3 Outline What is Trust and why do we need it? Early days of cooperation in security policy Why is this good for WLCG? Building a new Trust Framework – Security for Collaborating Infrastructures (SCI) The SCI document Assessment versus SCI requirements Future plans 10/07/133SCI at WLCG GDB

4 Trust? 10/07/134SCI at WLCG GDB

5 Trust? Definition of trust (oxforddictionaries.com) Noun – firm belief in the reliability, truth, or ability of someone or something My view: reliability, even more predictability, is important for IT operations 10/07/13SCI at WLCG GDB5

6 Why do we need Trust? Management of IT security – Management of risk – balanced with availability of services Risk analysis Security Plan to mitigate and manage the risks Security Plan includes various “Controls” – Technical – Operational – Management Security Policy is part of Management Controls Agreed policy framework – part of building trust 10/07/13SCI at WLCG GDB6

7 Talking about Controls… 10/07/13SCI at WLCG GDB7

8 Early days of Grid Security Policy Joint (WLCG/EGEE) Security Policy Group In 2005 – EGEE, OSG, WLCG agreed a common version of the Grid Acceptable Use Policy Accepted by all users during registration with a VO – And used by many other (Grid) Infrastructures Today EGI and WLCG in general continue to use the same Security Policies But often not easy to agree on identical policy words 10/07/13SCI at WLCG GDB8

9 Building a new Trust Framework There are several large-scale production Distributed Computing Infrastructures – Grids, Clouds, HPC, HTC, … Each includes resources, services, users, policies and procedures Subject to many common security threats – Common technologies – Common users (spreading infections) Essential to share information and work together on security operations 10/07/13SCI at WLCG GDB9

10 10/07/13SCI at WLCG GDB10 And now to SCI …

11 Security for Collaborating Infrastructures (SCI) A collaborative activity of information security officers from large-scale infrastructures – EGI, OSG, PRACE, EUDAT, CHAIN, WLCG, XSEDE, … Developed out of EGEE – started end of 2011 WLCG is an obvious use-cases – EGI, OSG, NDGF,… We are developing a Trust framework – Enable interoperation (security teams) – Manage cross-infrastructure security risks – Develop policy standards Especially where not able to share identical security policies 10/07/13SCI at WLCG GDB11

12 WLCG? Today, WLCG participates in development of and adopts EGI security policies OSG often only endorses these for WLCG sites In future we could move up a level – No longer demand identical words – security policies, if covered by SCI standards, could be sufficient 10/07/13SCI at WLCG GDB12

13 SCI Document V1 of the SCI document was submitted to ISGC 2013 proceedings (under review) SCI has met since then – new version under way Older public draft (V0.95) at http://www.eugridpma.org/sci/ http://www.eugridpma.org/sci/ The document defines a series of numbered requirements in 6 areas – Each infrastructure should address these – Part of promoting trust between us all 10/07/13SCI at WLCG GDB13

14 SCI: areas addressed Operational Security Incident Response Traceability Participant Responsibilities – Individual users – Collections of users – Resource providers, service operators Legal issues and Management procedures Protection and processing of Personal Data/Personally Identifiable Information 10/07/13SCI at WLCG GDB14

15 SCI example – Incident Response Imperative that an infrastructure has an organised approach to addressing and managing events that threaten the security of resources, data and overall project integrity. Each infrastructure must have: [IR1] Security contact information for all service providers, resource providers and communities together with expected response times for critical situations. [IR2] A formal Incident Response procedure, which must address roles and responsibilities, identification and assessment of … (text continues) And continues … 10/07/13SCI at WLCG GDB15

16 SCI Assessment To evaluate extent to which requirements are met, we recommend Infrastructures to assess the maturity of their implementations According to following levels – Level 0: Function/feature not implemented – Level 1: Function/feature exists, is operationally implemented but not documented – Level 2: … and comprehensively documented – Level 3: … and reviewed by independent external body 10/07/13SCI at WLCG GDB16

17 Example of assessment form 10/07/13SCI at WLCG GDB17

18 Future plans Updated Version of document – In a few weeks At that point each of the authors will approach their infrastructure for comments, corrections, additions Will send to WLCG GDB and MB Have started self-assessments – These will continue The document is useful for plans for the coming year – Which policy documents are missing/incomplete? 10/07/13SCI at WLCG GDB18

19 Further info Security for Collaborating Infrastructures http://www.eugridpma.org/sci/ SCI meetings https://indico.cern.ch/categoryDisplay.py?categId=68 10/07/1319SCI at WLCG GDB

20 10/07/13SCI at WLCG GDB20 Questions?

Download ppt "A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) WLCG GDB, CERN 10 Jul 2013."

Similar presentations

GGF16, Athens AuthZ Interoperability Here and Now Workshop, 16 Feb 2006.

GGF16, Athens AuthZ Interoperability Here and Now Workshop, 16 Feb 2006.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain.

9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain.
Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.

Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Security Policy Group Summary EGI TF David Kelsey 6/28/2015 1.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Security Policy Group Summary EGI TF David Kelsey 6/28/
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Security Policy Group EGI Technical Forum Sep 2010 David Kelsey.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Security Policy Group EGI Technical Forum Sep 2010 David Kelsey.
David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.

David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.

Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
WLCG Security: A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) CHEP2013, Amsterdam 17 Oct 2013.

WLCG Security: A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) CHEP2013, Amsterdam 17 Oct 2013.
Security Policy Update LCG GDB Prague, 4 Apr 2007 David Kelsey CCLRC/RAL

Security Policy Update LCG GDB Prague, 4 Apr 2007 David Kelsey CCLRC/RAL
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Grid Middleware Tutorial / Grid Technologies IntroSlide 1 /14 Grid Technologies Intro Ivan Degtyarenko ivan.degtyarenko dog csc dot fi CSC – The Finnish.

Grid Middleware Tutorial / Grid Technologies IntroSlide 1 /14 Grid Technologies Intro Ivan Degtyarenko ivan.degtyarenko dog csc dot fi CSC – The Finnish.

Similar presentations

Ads by Google