Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE is a project funded by the European Union under contract IST-2003-508833 EGEE Security Åke Edlund Security Head EU IST-FP6 Concertation, 17 th September.

Published byDamon Bell Modified over 8 years ago

Similar presentations

Presentation on theme: "EGEE is a project funded by the European Union under contract IST-2003-508833 EGEE Security Åke Edlund Security Head EU IST-FP6 Concertation, 17 th September."— Presentation transcript:

1 EGEE is a project funded by the European Union under contract IST-2003-508833 EGEE Security Åke Edlund Security Head EU IST-FP6 Concertation, 17 th September 2004 www.eu-egee.org

2 EU IST-FP6 Concertation, 17 th September 2004 - 2 Contents EGEE security plans Identified problems/challenges Some words on Trust EUGridPMA

3 EU IST-FP6 Concertation, 17 th September 2004 - 3 EGEE security plans (1/2) Security Requirements - Horizontal activity, managed through central groups  Lesson learned: reused and updated requirements from earlier projects  Collecting (continuous process) the requirements from the activities - Middleware, Sites, Applications.  Share the requirements with other grid activities and get feedback, e.g. in the US  Prioritization set in the security groups, with representatives from all involved activities.  Defining what security modules to deliver when. Product - leverage on the biomed requirements  To keep the industry focus we put extra effort, from day one, in supporting biomed applications, being a security demanding application. Middleware - Security is not an add-on, has to be there from start  From start, and ‘all over the place’: All JRA3 members are also part of the Middleware development.  Active in the architecture and design of the middleware Middleware, JRA1 Security, JRA3

4 EU IST-FP6 Concertation, 17 th September 2004 - 4 EGEE security plans (2/2) Security Architecture - Modular, Agnostic, Standard, Interoperable  Modular – add new modules later  Agnostic – modules will evolve  Standard – start with transport-level security but intend to move to WS-Security when it matures  Interoperable - at least for AuthN & AuthZ  Applied to Web-services hosted in containers and applications (Apache Axis & Tomcat) as additional modules Worldwide solution - Involve non-European partners at an early stage  Bob Cowles (SLAC, OSG) and Dane Skow (Fermilab, OSG) members of the MWSG  Establish contact through hands-on activities. Example: EGEE and OSG to define common operational security procedures, by contributing to/working out common documents, mostly by reusing OSG work already in place.

5 EU IST-FP6 Concertation, 17 th September 2004 - 5 Identified problems/challenges IssueCurrent solution Get focus on SecurityActive security work from start, security groups, driving/guiding documents Get involvement from GGF, OSG,..Middleware Security Group (MWSG) Avoid gaps in the security work Security Architect for the MW, Security Head overall responsible Lagging standardization work, e.g. Writing initial recommendations OGSA (Open Grid Services Architecture)for reengineering focusing on ordinary WS now, OGSA later Coordinating operational sec workJoint Security Group (JSG, SA1), guided by JRA3 documents (created together with SA1, OSG)

6 EU IST-FP6 Concertation, 17 th September 2004 - 6 Global security architecture (1/4) ServiceDescriptionTime frame Logging and AuditingEnsures monitoring of system activities, and accountability in case of a security event Now AuthenticationCredential storage ensures proper security of (user-held) credentials Now Proxy certificates enable single sign-on TLS, GSI, WS-Security and possibly other X.509 based transport or message-level security protocols ensure integrity, authenticity and (optionally) confidentiality Now EU GridPMA establishes a common set of trust anchor for the authentication infrastructure Now Pseudonymity services addresses anonymity and privacy concerns Mid-term Overview of the security architecture services.

7 EU IST-FP6 Concertation, 17 th September 2004 - 7 Global security architecture (2/4) ServiceDescriptionTime frame AuthorizationAttribute authorities enable VO managed access control Policy assertion services enable the consolidation and central administration of common policy Authorization framework enables for local collection, arbitration, customisation and reasoning of policies from different administrative domains, as well as integration with service containers and legacy services Now Future Now DelegationAllows for an entity (user or resource) to empower another entity (local or remote) with the necessary permissions to act on its behalf Now Overview of the security architecture services.

8 EU IST-FP6 Concertation, 17 th September 2004 - 8 Global security architecture (3/4) Overview of the security architecture services. ServiceDescriptionTime frame Data key managementEnables long-term distributed storage of data for applications with privacy or confidentiality concerns Mid-term SandboxingIsolates a resource from the local site infrastructure hosting the resource, mitigating attacks and malicious/wrongful use Mid-term Site proxyEnables applications to communicate despite heterogenous and non-transparent network access Mid-term

9 EU IST-FP6 Concertation, 17 th September 2004 - 9 Global security architecture (4/4) RequirementFulfilledSolution/Technology/ServiceTime frame Single sign-onYesProxy certificates and a global authentication infrastructure Now User PrivacyPartiallyPseudonymity servicesMid-term Data PrivacyPartiallyEncrypted data storageMid-term Audit abilityPartiallyMeaningful log informationNow AccountabilityYesAll system interactions can be traced back to a user Now VO managed access controlYesVOMSNow Support for legacy and non- WS based software components YesModular authentication and authorization software suitable for integration Now Timely revocation delaysYesGradual transition from CRL based revocation to OCSP based revocation Mid-term Non-homogenous network accessYesSite ProxyFuture High-level requirements and how the architecture address them

10 EU IST-FP6 Concertation, 17 th September 2004 - 10 Status - EGEE Security - Global Security Architecture - Security requirements - Incident response capability PM4PM5PM6 MWSG3 August 25 JRA1 All-hands meeting June 28-30 Security requirement doc MJRA3.1 (PM3) completed Recurrent tasks: - JRA1 design team, integration, testing - EUGridPMA, QAG - Software maintenance and development Taxonomy document on Incident handling and Security operational procedures; definition of a common Grid incident format. (PM6+) In cooperation with JSG and OSG Phase1 OGSA doc MJRA3.3 (PM4) completed DJRA3.1 Security Architecture doc (PM5) delivery date: Sept. 17 Software maintenance and development PM5: SOAP over HTTPS 80% PM6: Delegation 45%, AuthZ framework 70%, Mutual AuthZ 10%, VOMS admin & parser (ongoing) PM7: Message level security 70% PM9: Resource access control 10%, Grid enhancements for OpenSSL Started PM11: Site Proxy for GRID cluster Started September 13

11 EU IST-FP6 Concertation, 17 th September 2004 - 11 Some words on Trust(1/2) The authentication model for EGEE is based on the concept of trusted third parties (TTPs): entities that are not related to any relying party except through a trust relationship. Underlying the trust relationship is the digital signature of the TTP, based on standard asymmetric cryptography. The TTP will bind the cryptographic key pair to one or more identifiers that represent the entity. Although theoretically a single TTP could service the entire community, in practice a mesh of TTPs exists. One can thus define a set of resources, users and services that agree to use a common set of TTPs for authentication. Such a common authentication domain does not imply common rights of access or constitute an “infrastructure” of sorts. In the context of the EGEE project, it is assumed that a common set of TTPs exists. It is not assumed that all entities accept all TTPs: This introduces an additional failure mode that higher-level services should cover for.

12 EU IST-FP6 Concertation, 17 th September 2004 - 12 Some words on Trust (2/2) For the EGEE project, management of the common authentication domain based on TTPs is delegated to the EUGridPMA and the LCG/SA1 Joint Security Group

13 EU IST-FP6 Concertation, 17 th September 2004 - 13 EGEE Authentication Scope CA coordination is an activity of EGEE JRA3 establish a CA trust domain for EGEE coordination of existing national initiatives Milestone in PM3, reached as of April 1 st : the EUGridPMA … and even with a much larger community appeal

14 EU IST-FP6 Concertation, 17 th September 2004 - 14 The EUGridPMA European Grid Authentication Policy Management Authority for e-Science Coordinates authentication for people and services for European and related Grid projects EGEE, DEISA, SEEGRID, LCG, … ‘PMA’ manages authentication guidelines policy Trust domain for research and academic purposes

15 EU IST-FP6 Concertation, 17 th September 2004 - 15 Certificate Authority Coordination Evolved from the CA Coordination Group in DataGrid, CrossGrid, LCG, … collection of national or regional CAs  better identity vetting  national legislation all meet or exceed minimum requirements  identity checking (in-person, photo-ID)  physical security (off-line signing key, storage)  naming (unique certificate names)  revocation (updated lists, retrieval) Clearly defined accreditation procedure

16 EU IST-FP6 Concertation, 17 th September 2004 - 16 Where to go for a certificate? Everyone (almost) in Europe has a national CA (April data)  Green: CA Accredited  Yellow: being discussed Other Accredited CAs:  DoEGrids (US)  GridCanada  ASCCG (Taiwan)  ArmeSFO (Armenia)  CERN  Russia (HEP)  FNAL Service CA (US)  Israel  Pakistan

17 EU IST-FP6 Concertation, 17 th September 2004 - 17 The Catch-All CAs For those left out of the rain in EGEE  CNRS “catch-all”  coverage for all EGEE partners  you should agree on a local Registration Authority For the South-East European Region  regional catch-all is being established (SEE-GRID) For LCG physicists world-wide  DoeGrids CA (ESnet)  Registration Authorities through SA1

18 EU IST-FP6 Concertation, 17 th September 2004 - 18 A European Authentication Solution Common services to all European eInfrastructure  EUGridPMA: All EU Grid infrastructure FP6 programmes CAs also cover inter-organisational national projects  TERENA TACAR provides more than Grid CAs: e.g. NREN CAs for access to wireless networks root of trust for any other Authentication and Authorisation Infrastructure (AAI’s) library access, scientific journals, etc. EUGridPMA collaborates in gridpma.org  International Grid Federation (IGF) with US & AP  en route to a federation covering the world

Download ppt "EGEE is a project funded by the European Union under contract IST-2003-508833 EGEE Security Åke Edlund Security Head EU IST-FP6 Concertation, 17 th September."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security (JRA3) Åke Edlund, JRA3 Manager, KTH David Groep, EUGridPMA chair, NIKHEF EGEE 1.

INFSO-RI Enabling Grids for E-sciencE Security (JRA3) Åke Edlund, JRA3 Manager, KTH David Groep, EUGridPMA chair, NIKHEF EGEE 1.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Grid Security in EGEE/LCG ISGC 2005, Taipei, Taiwan 29 April 2005 David Kelsey CCLRC/RAL, UK

Grid Security in EGEE/LCG ISGC 2005, Taipei, Taiwan 29 April 2005 David Kelsey CCLRC/RAL, UK
Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
The EU Grid PMA David Kelsey CCLRC/RAL 16 April 2004, Dublin

The EU Grid PMA David Kelsey CCLRC/RAL 16 April 2004, Dublin
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE-III Program of Work Erwin Laure EGEE-II / EGEE-III Transition Meeting CERN,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE-III Program of Work Erwin Laure EGEE-II / EGEE-III Transition Meeting CERN,
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
GGF12 – 20 Sept 2004 - 1 LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.

GGF12 – 20 Sept LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.

Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.
LCG/EGEE Security Update HEPiX, Fall 2004 BNL, 18 October 2004 David Kelsey CCLRC/RAL, UK

LCG/EGEE Security Update HEPiX, Fall 2004 BNL, 18 October 2004 David Kelsey CCLRC/RAL, UK
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
TERENA TF-EMC2 Workshop David Groep, 2004.11.04

TERENA TF-EMC2 Workshop David Groep,
Updates from the EUGridPMA David Groep, July 16 st, 2007.

Updates from the EUGridPMA David Groep, July 16 st, 2007.
EGEE is proposed as a project funded by the European Union under contract IST-2003-508833 EU eInfrastructure project initiatives FP6-EGEE Fabrizio Gagliardi.

EGEE is proposed as a project funded by the European Union under contract IST EU eInfrastructure project initiatives FP6-EGEE Fabrizio Gagliardi.
EGEE is a project funded by the European Union under contract IST-2003-508833 Common Security Components Olle Mulmo JRA3 JRA1 all-hands meeting, June 29.

EGEE is a project funded by the European Union under contract IST Common Security Components Olle Mulmo JRA3 JRA1 all-hands meeting, June 29.

Similar presentations

Ads by Google