LCG Security
Ian Neilson, LCG Security Officer, Grid Deployment Group, CERN
DTI Mission, 29 June 2004 (presentation transcript)

Slide 2: LCG Security environment
The players (diagram: Users, VOs and Sites arranged around the Grid):
Users: personal data, roles, usage patterns, ...
VOs: experiment data, access patterns, membership, ...
Sites: resources, availability, accountability, ...

Slide 3: The Risks
Top risks from the Security Risk Analysis (http://proj-lcg-security.web.cern.ch/proj-lcg-security/RiskAnalysis/risk.html), each paired with the property of the infrastructure that makes it serious:
Launch attacks on other sites: large distributed farms of machines
Illegal or inappropriate distribution or sharing of data: massive distributed storage capacity
Disruption by exploit of security holes: complex, heterogeneous and dynamic environment
Damage caused by viruses, worms etc.: highly connected and novel infrastructure

Slide 4: Policy – the LCG Security Group
Policy documents, all at http://cern.ch/proj-lcg-security/documents.html:
Security & Availability Policy
Usage Rules
Certification Authorities
Audit Requirements
GOC Guides
Incident Response
User Registration
Application Development & Network Admin Guide

Slide 5: Authentication Infrastructure
Users and services own long-lived (1 year) credentials: digital certificates (X.509 PKI).
The European Grid Policy Management Authority (www.eugridpma.org) "... is a body to establish requirements and best practices for grid identity providers to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources. ..." It covers the EU (+ USA + Asia).
Jobs are submitted with Grid proxy certificates:
A short-lived (<24 hr) credential which "travels" with the job
Delegation allows a service to act on behalf of the user
A proxy renewal service serves long-running and queued jobs
Some issues:
Do the trust mechanisms scale up?
"On-line" certification authorities and certificate stores: Kerberized CA, virtual smart card
Limited delegation

Slide 6: Authorization Infrastructure
User registers: accepts the Usage Rules, provides personal/contact data, requests to join a VO.
VO managers add the user to the VO servers: the certificate identity (DN) is captured.
User submits jobs: creates a short-lived proxy using the long-lived certificate; the proxy "travels" with the job.
Resources authorize access: check certificate validity (trusted CAs and revocation lists); check user authorization (downloaded from the registration/VO servers); map the certificate DN to a local account; run the job.
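Slides 5 and 6 describe proxy issuance and the checks a resource makes before it runs a job. The following Go program is an added example written for this page, not code from LCG, Globus or any grid middleware. It builds a constructed PKI (a toy CA standing in for an accredited grid CA, and a one-year user certificate with an invented DN), issues an RFC 3820-style proxy signed with the user's own long-lived key, and then performs the resource-side checks: the user certificate chains to a trusted CA, nothing in the chain is revoked (a serial-number set stands in for the CA's CRL), the proxy signature verifies under the user's key, the proxy subject is the issuer subject plus exactly one CN, and the proxy is inside its validity period, under the 24-hour site limit (an assumed policy value) and not outliving the user credential. Go's standard chain builder refuses a non-CA issuer, so the proxy signature is checked directly against the user's public key, which is what a proxy-aware verifier does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"reflect"
	"time"
)

const maxProxyLife = 24 * time.Hour // site limit; slide 5 says "<24hr" (assumed policy value)
var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// issue signs tmpl under parent with the parent's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// rdn decodes a DER Name that x509.ParseCertificate has already validated.
func rdn(raw []byte) (seq pkix.RDNSequence) {
	must(asn1.Unmarshal(raw, &seq))
	return seq
}

// BuildPKI: a constructed CA (stand-in for an accredited grid CA) and a one-year user certificate.
func BuildPKI() (user *x509.Certificate, userKey *ecdsa.PrivateKey, roots *x509.CertPool) {
	now, caKey := time.Now(), newKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Grid CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	userKey = newKey()
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), BasicConstraintsValid: true,
		Subject:   pkix.Name{Country: []string{"CH"}, Organization: []string{"CERN"}, CommonName: "Grid User"}, // invented DN
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	user = issue(userTmpl, ca, &userKey.PublicKey, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return user, userKey, roots
}

// NewProxy builds an RFC 3820-style proxy (user subject plus one CN, signed with the user's long-lived key); the fresh proxy key is what travels with the job.
func NewProxy(user *x509.Certificate, userKey *ecdsa.PrivateKey, life time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	subj := append(rdn(user.RawSubject), pkix.RelativeDistinguishedNameSET{{Type: oidCN, Value: "proxy"}})
	now, key := time.Now(), newKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), RawSubject: must(asn1.Marshal(subj)),
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(life), KeyUsage: x509.KeyUsageDigitalSignature}
	return issue(tmpl, user, &key.PublicKey, userKey), key
}

// VerifyProxy is the resource-side check of slide 6: trusted-CA chain, revocation (revoked stands in for the CA's CRL, keyed by serial), then the proxy rules.
func VerifyProxy(proxy, user *x509.Certificate, roots *x509.CertPool, revoked map[string]bool, now time.Time) error {
	chains, err := user.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("user certificate: %w", err)
	}
	for _, c := range chains[0] {
		if revoked[c.SerialNumber.String()] {
			return fmt.Errorf("%q is revoked", c.Subject.CommonName)
		}
	}
	// Go's chain builder rejects a non-CA issuer (RFC 5280), so the proxy signature is checked directly against the user's key.
	if err := user.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return fmt.Errorf("proxy signature: %w", err)
	}
	subj, iss := rdn(proxy.RawSubject), rdn(proxy.RawIssuer)
	n := len(subj)
	if n != len(iss)+1 || !reflect.DeepEqual(subj[:n-1], iss) || len(subj[n-1]) != 1 || !subj[n-1][0].Type.Equal(oidCN) {
		return fmt.Errorf("proxy subject is not the issuer subject plus one CN")
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) ||
		proxy.NotAfter.Sub(proxy.NotBefore) > maxProxyLife || proxy.NotAfter.After(user.NotAfter) {
		return fmt.Errorf("proxy validity %s..%s is expired, too long, or outlives the user credential", proxy.NotBefore, proxy.NotAfter)
	}
	return nil
}

func main() {
	user, key, roots := BuildPKI()
	short, _ := NewProxy(user, key, 12*time.Hour)
	fmt.Println("12h proxy:", VerifyProxy(short, user, roots, nil, time.Now()))
}
```

A 12-hour proxy passes; a 7-day proxy, a proxy checked after its NotAfter, or a proxy whose user certificate serial appears in the revoked set is rejected, which is the behaviour a site would want before mapping the DN to a local account.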

Slide 7: User Registration (2003-4)
Flow between the user, lcg-registrar.cern.ch, the VOs and the XYZ VO manager:
1. "I agree to the Usage Rules, please register me, my VO is XYZ"
2. Confirm email
3. User details
4. Register
5. Notify
6. User details
(Diagram residue: site authorization and resource authorization on the GRID, the user's certificate from the CA, the Usage Rules, and the question "submit job?")

Slide 8: User Registration (? 2004 - )
Some issues:
Static user mappings will not scale up
Multiple VO membership
Complex authorization and policy handling
The VO manager needs to validate user data: how?
Solutions:
VO Management Service with attribute proxy certificates: groups and roles, not just static user mapping; attributes bound to the proxy certificate and signed by the VO service
Credential mapping and authorization: flexible policy intersection and mapping tools
Integrate with organizational databases, but ... what about exceptions? (the 2-week summer student); what about other VO models: lightweight, deployment, testing
(Diagram residue: XYZ VO Manager, certificate, roles)
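Slide 8 contrasts the static DN-to-account mapping of slide 6 with accounts chosen from VO-signed attributes carried in the proxy. The Go program below is an added example, not code from LCG middleware or any VO service, with constructed mapfiles: a grid-mapfile-style table (quoted DN, then local account), a groupmapfile-style table keyed by VOMS FQAN ("/vo/group/Role=...") and a simplified pool-account scheme in which a leading "." marks a prefix from which accounts are leased. FQAN normalisation (stripping "/Role=NULL/Capability=NULL"), the first-matching-FQAN rule and the pool naming are simplified assumptions for the example. It shows one DN that belongs to two VOs landing in the same account under static mapping but in role-specific accounts under attribute mapping, and a lease table that keeps a DN on one pool account so site logs still resolve to a person.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed mapfiles (not from any LCG site): quoted DN or VOMS FQAN, then the local account; a leading "." marks a pool prefix.
const gridMapfile = `
# static DN -> account (grid-mapfile)
"/C=CH/O=CERN/CN=Grid User" atlas001
`
const groupMapfile = `
# VO attribute (FQAN) -> account; the proxy's first matching FQAN wins
"/atlas/Role=production" atlasprd
"/atlas" .atlas
"/cms/Role=production" cmsprd
"/cms" .cms
`

// parseMap reads `"quoted key" account` lines, skipping blanks and comments.
func parseMap(text string) (map[string]string, error) {
	m := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '#' {
			continue
		}
		end := strings.IndexByte(line[1:], '"')
		acct := strings.Fields(line[2+end:]) // end >= -1, so this slice cannot panic
		if line[0] != '"' || end < 0 || len(acct) != 1 {
			return nil, fmt.Errorf("malformed entry %q", line)
		}
		m[line[1:1+end]] = acct[0]
	}
	return m, nil
}

// normalizeFQAN drops the empty role/capability VOMS appends, so "/atlas/Role=NULL/Capability=NULL" matches "/atlas".
func normalizeFQAN(f string) string {
	return strings.TrimSuffix(strings.TrimSuffix(f, "/Capability=NULL"), "/Role=NULL")
}

// Pool leases prefix001.. to DNs and keeps each DN on its account, so retained site logs (slide 9) still resolve a pool account to one person.
type Pool struct {
	Size   int
	leases map[string]string // prefix+"|"+dn -> account
	used   map[string]bool
}

func (p *Pool) Lease(prefix, dn string) (string, error) {
	if p.leases == nil {
		p.leases, p.used = map[string]string{}, map[string]bool{}
	}
	if a, ok := p.leases[prefix+"|"+dn]; ok {
		return a, nil
	}
	for i := 1; i <= p.Size; i++ {
		if a := fmt.Sprintf("%s%03d", prefix, i); !p.used[a] {
			p.used[a], p.leases[prefix+"|"+dn] = true, a
			return a, nil
		}
	}
	return "", fmt.Errorf("pool %q exhausted", prefix)
}

func (p *Pool) resolve(acct, dn string) (string, error) {
	if strings.HasPrefix(acct, ".") {
		return p.Lease(acct[1:], dn)
	}
	return acct, nil
}

// MapStatic is the slide-6 scheme: the certificate DN alone picks the account.
func MapStatic(gridmap map[string]string, pool *Pool, dn string) (string, error) {
	if acct, ok := gridmap[dn]; ok {
		return pool.resolve(acct, dn)
	}
	return "", fmt.Errorf("DN %q not in grid-mapfile", dn)
}

// MapAttributes is the slide-8 scheme: the VO-signed FQANs carried in the proxy pick the account, primary (first-listed) FQAN first.
func MapAttributes(groupmap map[string]string, pool *Pool, dn string, fqans []string) (string, error) {
	for _, f := range fqans {
		if acct, ok := groupmap[normalizeFQAN(f)]; ok {
			return pool.resolve(acct, dn)
		}
	}
	return "", fmt.Errorf("no FQAN of %q matches the groupmapfile", dn)
}

func main() {
	gm, _ := parseMap(gridMapfile) // the constants above are well-formed
	grm, _ := parseMap(groupMapfile)
	pool, dn := &Pool{Size: 3}, "/C=CH/O=CERN/CN=Grid User"
	fmt.Println(MapStatic(gm, pool, dn)) // atlas001, whichever VO the job is for
	fmt.Println(MapAttributes(grm, pool, dn, []string{"/atlas/Role=production/Capability=NULL", "/atlas"}))
	fmt.Println(MapAttributes(grm, pool, dn, []string{"/cms/Role=NULL/Capability=NULL"}))
}
```

Under static mapping the DN always yields atlas001, so CMS work from the same person runs as an ATLAS account; under attribute mapping the production role yields atlasprd and CMS membership yields a leased cms pool account, and a second request from the same DN reuses that lease.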

Slide 9: Audit & Incident Response
Audit Requirements: mandates retention of logs by sites.
Incident Response:
Security contact data gathered when a site registers
Establish communication channels; mail lists maintained by the Deployment Team:
  List of CSIRT lists: channel for reporting
  Security contacts at site: channel for discussion and resolution
Escalation path
2004 Security Service Challenges: check that the data is there and complete, and that communications are open.

Slide 10: Security Collaboration
Projects share resources and have close links. Need for inter-grid global security collaboration?
Common accepted Usage Rules?
Common authentication and authorization requirements?
Common incident response channels?
LCG – EGEE – OSG – ?
The LCG Security Group is now the Joint Security Group (JSG) for LCG and EGEE; it provides requirements for middleware development. Some members from OSG are already in the JSG.

Slide 11: LCG Security
Thank you.

