Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jun 18, 20071/26 Security Policies and Middleware in OSG Gabriele Garzoglio Security Policies and Middleware in OSG June 18, 2007 JRA1 All Hands Meeting.

Published byGervase Nelson Modified over 8 years ago

Similar presentations

Presentation on theme: "Jun 18, 20071/26 Security Policies and Middleware in OSG Gabriele Garzoglio Security Policies and Middleware in OSG June 18, 2007 JRA1 All Hands Meeting."— Presentation transcript:

1 Jun 18, 20071/26 Security Policies and Middleware in OSG Gabriele Garzoglio Security Policies and Middleware in OSG June 18, 2007 JRA1 All Hands Meeting Gabriele Garzoglio Computing Division, Fermilab

2 Jun 18, 20072/26 Security Policies and Middleware in OSG Gabriele Garzoglio Overview OSG Security –courtesy Don Petravick Access Control and Privileges Auditing –courtesy Tanya Levshina

3 Jun 18, 20073/26 Security Policies and Middleware in OSG Gabriele Garzoglio OSG Security OSG Proposal: “We propose to build a cyber- infrastructure that can grow to provide thousands of users effective access to 100,000 CPUs, 10s of PB of storage, located at hundreds of sites and interconnected by multiple 10Gb/s network links.” Technical Basis: –Service-based access to compute and storage services. –A software stack used by experiments to manage their users and their jobs. –The environment interoperates with other similar grid environments LCG, Teragrid, et al.

4 Jun 18, 20074/26 Security Policies and Middleware in OSG Gabriele Garzoglio OSG Capacity Targets In 2008 we estimate: 53 MSI2K = 26,000 CPUs; 74 MSI2K = 37,000 CPUs;

5 Jun 18, 20075/26 Security Policies and Middleware in OSG Gabriele Garzoglio Me, My Friends, the Grid

6 Jun 18, 20076/26 Security Policies and Middleware in OSG Gabriele Garzoglio Grid Security The goal of grid security is establish trust that computing organized along these lines will have appropriate integrity, availability, and confidentiality. OSG cannot bear the security responsibilities of sites or VO’s. Therefore, initially, inter-entity security is conceptually a set of pair-wise agreements. –We have more than a few autonomous parties –Not a small task.

7 Jun 18, 20077/26 Security Policies and Middleware in OSG Gabriele Garzoglio Illustrative example

8 Jun 18, 20078/26 Security Policies and Middleware in OSG Gabriele Garzoglio Operational Grid Security Based on NIST model – Controls based on risk, rooted in policy. –Risk = f(vulnerability, threat) –Goal: Achieve acceptable risk Recall -- context is open science. –Means: Controls Management (what did we decide?) Operational (we count on behaviors) Technical (stuff done in HW/SW)

9 Jun 18, 20079/26 Security Policies and Middleware in OSG Gabriele Garzoglio Some Specifics OSG security seeks to compliment, not replace site and VO security organizations. –Recall Roadmap: O(10 4 ) parties. Now: O(10 3 ) Make the security discussion scalable by standardizing the many elements of the discussion. –Foster a secure software stack for grid services. –Foster communications –Know what’s going on from the perspective of the whole grid

10 Jun 18, 200710/26 Security Policies and Middleware in OSG Gabriele Garzoglio Scaling Make the discussion standard. –Think of the market in mortgages Many standard terms Model security policies –JSPG: sites, VOs, users. –IGTF: Identity providers. –TBD: Service providers (likely JSPG) Software providers.

11 Jun 18, 200711/26 Security Policies and Middleware in OSG Gabriele Garzoglio Overview OSG Security –courtesy Don Petravick  Access Control and Privileges Auditing –Courtesy Tanya Levshina

12 Jun 18, 200712/26 Security Policies and Middleware in OSG Gabriele Garzoglio VO Services Project Charter The project provides an infrastructure to manage user registration and implement fine-grained authorization to access rights on computing and storage resources. Authorization is linked to identities and extended attributes. Mapping is dynamic and supports pool accounts. Enforcement of access rights is implemented using UID/GID pairs. The infrastructure aims at reducing administrative overhead. Authorization service is central at the site. The project is responsible for the development and maintenance of the infrastructure and for assisting with the deployment and support on the OSG.

13 Jun 18, 200713/26 Security Policies and Middleware in OSG Gabriele Garzoglio Stakeholders Stakeholders giving requirements: US CMS and US ATLAS. Joint Project of Fermilab, BNL, PPDG, Virginia Tech, UCSD, OSG since 2003 Different institutions are responsible for the maintenance of different components Core software distributed via VDT

14 Jun 18, 200714/26 Security Policies and Middleware in OSG Gabriele Garzoglio VO Services Architecture GUMS server maintains identity / attribute mapping for all the gateways at a site gPlazma server enhances UID/GID mapping with service-specific parameters (e.g. root path for SE). SAZ checks black/white lists Periodically, GUMS synchronizes with VOMS users/groups User identity and attributes are maintained in VOMS through VOMRS Users interact with VOMS to get attribute-enhanced credentials Gateway software (CE and SE) performs –identity mapping call-out through the PRIMA module –access control call-out through the SAZ module

15 Jun 18, 200715/26 Security Policies and Middleware in OSG Gabriele Garzoglio Deployment on OSG The authorization system (GUMS) has been deployed at O(10) sites –US CMS T2 centers and T1 at FNAL –US ATLAS T2 centers and T1 at BNL –FermiGrid (includes SAZ) et al. US CMS, US ATLAS, and DZero have defined roles that are implemented using VOMS. Sites configure GUMS (PDP) to implement local identity mapping

16 Jun 18, 200716/26 Security Policies and Middleware in OSG Gabriele Garzoglio Closing Project Phase II Deliverable of Phase II are due in the time scale of OSG V0.8.0 release (Aug 07): Document current use of credential attributes GUMS v1.2 LIGO Authentication Requirements gLExec deployment for CDF/CMS –Being packaged in VDT. gPlazma –Deployment underway. Further development and maintenance part of dCache project. –Storage role/access requirements part of Phase III VOMRS 1.3. Part of VDT release 1.6.1 in May 2006. –CERN (01/07), Fermilab (04/07), APAC (11/06)

17 Jun 18, 200717/26 Security Policies and Middleware in OSG Gabriele Garzoglio Goals for Phase III ? (1) Interface/integrate/migrate OSG AuthZ components more into emerging standards. Set path for less effort in the future Prepare for use of new AuthN mechanisms (ie Shiboleth). VOMRS –Interface to Shib; Use more standard workflow engine, persistency, UI technology Accounting integration : Interface roles GRAM-Auditing and Gratia

18 Jun 18, 200718/26 Security Policies and Middleware in OSG Gabriele Garzoglio Goals for Phase III ? (2) Support finer-grain access to Storage –SRM/dCache does not manage privileges directly via X509 credential attributes. UID, GID, Root Path, … mappings are required. –Stakeholders are interested in supporting combinations of read / write accesses to files / directories by VO, VO groups, and group roles. Improve software stack validation and regression tests across releases. Ongoing OSG - EGEE AuthZ interoperability. Already started: –Globus develops the common library (based on XACML2/SAML2): prototype version in collaboration w/ IBM on Apr 07. –Understanding and feeding back OSG and EGEE requirements: implementation of some key features estimated for July 07 –Holding regular meetings (Oct 06, Feb 07, Mar 07, Apr 07, Jun 07)

19 Jun 18, 200719/26 Security Policies and Middleware in OSG Gabriele Garzoglio What about Policy ? Currently no mechanism to define VO authorization policies and apply them consistently across sites. –SBIR Phase I grant approved –GPBox ? More maintainable authentication management by implementing certificate validation service site-centralized.

20 Jun 18, 200720/26 Security Policies and Middleware in OSG Gabriele Garzoglio Overview OSG Security –courtesy Don Petravick Access Control and Privileges  Auditing –Courtesy Tanya Levshina

21 Jun 18, 200721/26 Security Policies and Middleware in OSG Gabriele Garzoglio Project Motivations The nature of the Grid cyberspace security vulnerabilities provides a motivation for creation of centralized service for real-time automated security assessment and forensic analysis. The usage patterns across the Grid may reveal adverse intentions while similar behavior may seem legitimate to any particular grid site or VO specific service. Use Cases: –should be able to determine if a specific, presumed to be stolen credential has been used to access Grid Sites or VO services –find out if there was an attempt to enter a site or service by scanning

22 Jun 18, 200722/26 Security Policies and Middleware in OSG Gabriele Garzoglio Project Goals Provide a global level auditing service to the OSG Community. The global auditing service is necessary to assess the overall security condition of the OSG across OSG sites and VO’s specific services. Offer a real-time automated security assessment and forensic analysis tools that will satisfy the security requirements of OSG Staff, VO’s, and sites participating in the OSG. Provide flexible query interfaces needed to ad hoc security investigations at the grid level. Interface OSG Information Management Project in order to notify the appropriate officials in case of discovery of unusual or suspicious gird usage. Complement the existing site security processes and help drive further development of auditing collection software used by Grid Sites. Focus on integration and analysis of the, possibly diverse and multiple-format, information.

23 Jun 18, 200723/26 Security Policies and Middleware in OSG Gabriele Garzoglio Grid Site with Log Search Service CE SE Grid application VO Spec application Syslog-ng Log Search Service OSG Central Facility Auditing Service Auditing Service Client Syslog-ng Log Search Service SE VO Spec application Grid application Syslog-ng CE Grid Site without Log Search Service Catch-All Log Search Service Host Central Repository Security Officer Site Central Log Monitoring Host Auditing Project Architecture VO Resource Site VO Services Host Gratia probes Gratia probes Gratia probes VO Spec application Syslog-ng site cluster host application log repository auditing data repository flow of data request flow of data storage Legend

24 Jun 18, 200724/26 Security Policies and Middleware in OSG Gabriele Garzoglio Auditing Project Context Diagram Auditing Service Active Storage Grid operation environment Gratia’s probes Auditing probes Globus Datagram Auditing Data Management MS Grid Configuration AAA Data Log Storage Query Executor Automaton Grid Security team Incident respondent Security assessor Suspected vulnerability Suspected incident OSG Security Information Service

25 Jun 18, 200725/26 Security Policies and Middleware in OSG Gabriele Garzoglio Project Deliverables Provide a review of the of auditing projects within OSG, EGEE, CEDPS Troubleshooting project, and Globus Auditing (started) Provide a evaluation summary the auditing tools currently in use and/or available through Open Source (started) Provide the evaluation summary of usability of the raw data collected by Gratia’s probes for auditing post- mortem analysis (started) Determine the information model for service log files, investigate log format transformations and log analysis capabilities Achieve community consensus on the proposal and encourage community collaboration on this project Provide high level design of Auditing Service (started)

26 Jun 18, 200726/26 Security Policies and Middleware in OSG Gabriele Garzoglio Conclusion Security work in OSG is currently tackling both Policy and Middleware Policy work focuses on Management, Operation, and Technical controls to mitigate risk Middleware projects address User Registration, Access Authorization, Accounting (Gratia), and Auditing We want to collaborate with our European partners to achieve interoperations and share ideas

Download ppt "Jun 18, 20071/26 Security Policies and Middleware in OSG Gabriele Garzoglio Security Policies and Middleware in OSG June 18, 2007 JRA1 All Hands Meeting."

Similar presentations

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain.

9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain.
 Contributing >30% of throughput to ATLAS and CMS in Worldwide LHC Computing Grid  Reliant on production and advanced networking from ESNET, LHCNET and.

 Contributing >30% of throughput to ATLAS and CMS in Worldwide LHC Computing Grid  Reliant on production and advanced networking from ESNET, LHCNET and.
CMS Applications Towards Requirements for Data Processing and Analysis on the Open Science Grid Greg Graham FNAL CD/CMS for OSG Deployment 16-Dec-2004.

CMS Applications Towards Requirements for Data Processing and Analysis on the Open Science Grid Greg Graham FNAL CD/CMS for OSG Deployment 16-Dec-2004.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.

Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.
Open Science Ruth Pordes Fermilab, July 17th 2006 What is OSG Where Networking fits Middleware Security Networking & OSG Outline.

Open Science Ruth Pordes Fermilab, July 17th 2006 What is OSG Where Networking fits Middleware Security Networking & OSG Outline.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG www.opensciencegrid.org International.

Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
OSG Security Review Mine Altunay June 19, 2008. June 19, 2008 2 Security Overview Current Initiatives  Incident response procedure – top priority (WBS.

OSG Security Review Mine Altunay June 19, June 19, Security Overview Current Initiatives  Incident response procedure – top priority (WBS.
OSG Operations and Interoperations Rob Quick Open Science Grid Operations Center - Indiana University EGEE Operations Meeting Stockholm, Sweden - 14 June.

OSG Operations and Interoperations Rob Quick Open Science Grid Operations Center - Indiana University EGEE Operations Meeting Stockholm, Sweden - 14 June.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia NERSC Division, Lawrence Berkeley Lab Open Source Grid.

Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia NERSC Division, Lawrence Berkeley Lab Open Source Grid.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Similar presentations

Ads by Google