Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona...
Security Policy: From EGEE to EGI
David Kelsey (STFC-RAL)
21 Sep 2009
EGEE’09, Barcelona
david.kelsey at stfc.ac.uk
21 Sep 2009 Kelsey, Security Policy
Overview
• EGEE/WLCG Joint Security Policy Group
  – Interoperable policies
• Overview of current JSPG policies
• New policy framework for EGI era
• EGI Security Policy Group
  – Proposed operation
Policy Interoperability
• Wherever possible, JSPG aims to
  – prepare simple and general policies
  – applicable to the primary stakeholders, but
  – also of use to other Grid infrastructures (NGIs etc.)
• The adoption of common policies by multiple Grids eases the problems of interoperability (and scaling)
• Users, VOs and Sites all accept the same policies during their (single) registration (with Grid or VO)
• Other participants then know that their actions are already bound by the policies
  – No need for additional negotiation, registration or agreement
Overview of current JSPG Policies
JSPG Security Policies
• Security Policy
• Site & VO Policies
• Certification Authorities
• Traceability and Logging
• Security Incident Response
• Accounting Data Privacy
• Pilot Jobs and VO Portals
• Grid & VO AUPs
Recent JSPG work
Five recently approved and adopted policies
• Virtual Organisation Registration Security Policy
  https://edms.cern.ch/document/573348/8
• Virtual Organisation Membership Management Policy
  https://edms.cern.ch/document/428034/3
• Grid Policy on the Handling of User-Level Job Accounting Data
  https://edms.cern.ch/document/855382/5
• VO Portal Policy
  https://edms.cern.ch/document/972973/6
• Security Incident Response Policy
  https://edms.cern.ch/document/428035/7
Ongoing revisions
• Site Registration Security Policy
  http://www.jspg.org/wiki/Site_Registration_Security_Policy
  – Remove EGEE-specific procedures
  – Use same simple style as the VO Registration Security Policy
• Grid AUP
  http://www.jspg.org/wiki/Grid_Acceptable_Use_Policy
  – Some Grids use it but have modified our text
  – Some infrastructures do not have VOs
  – Revise to include these modifications
From EGEE to EGI
Problems with current Policies
• Many different documents
  – Overlaps and inconsistencies
• Includes operational issues as well as security-related issues
• Participants find it difficult to know which policy applies to them
• Many policies are rather EGEE-specific
New policy framework for EGI
• A framework to enable interoperation of collaborating Grids
  – aimed at managing cross-Grid operational security risks
• Identify policy components to help trust building between Grids
• Not imposing a single policy for all
  – But Grids can use JSPG policies if they wish
• Present the current set of JSPG policies
  – Taking high-level view to identify those components which are necessary
• Other components are either too EGEE-specific or are operational rather than related to security – separate them
• Each Grid will have security policies consisting of the framework components and their own Grid-specific components
Framework (2)
• Specifies the issues that need to be addressed in a Grid's security policy
• At this stage does not define minimum standards or requirements
  – Standards (may) come later
• Aimed at Grids preparing or revising security policies, not at end users, sites, application communities etc.
• As an aside ... we found it very useful to have been through the whole JSPG "experience" to identify those issues which need to be addressed!
Policy Framework: Participants
Infrastructure
Includes
• Grid Operations
• Security Officer
• Sec Operations
Users
Includes
• Grid users
• VOs
• Application Communities
Providers
Includes
• Grid Sites
• Resource Providers
• Service Providers, e.g. VO running services
Policy Components
Infrastructure
Includes
• Incident Response
• Vulnerability Handling
• Patching
• Data protection
• Registration
• etc
Users
Includes
• AUP
• Traceability
• VO Management
• Data protection
• Incident response
• Data protection
• Registration
• etc
Providers
Includes
• Traceability
• Incident Response
• Access control
• Registration
• etc
Policy Framework: Functions
Incident Response
Traceability
Data Protection
Registration
Etc etc etc
We have considered and deliberately excluded: IPR, liability, software licensing, copyright.
Security Policy Framework
                    Infrastructure   Users   Providers
Incident Response   1                2       3
Traceability        4                5       6
Data Protection     7                8       9
etc etc etc
Policy Components (numbered) at matrix intersections
An example component: Security Incident Response
• Infrastructure (component #1)
  – Contact details to report incidents
  – Incident response procedure for Sites
  – Ensure they are quickly investigated
  – Collaborate with others
    • Grids & NREN CSIRTs
• Users & Providers (component #2 and #3)
  – Must participate in Incident Response
  – Must keep audit logs
Framework – Next steps
• During next few months
  – JSPG will finalise the draft framework
  – Ensure nothing is missing
• Then before end of EGEE-III
  – Create generic description of the policy components
• In EGI first year
  – Consult many more stakeholders and tune framework
• Beyond EGI year one
  – Work on minimum policy standards and common wording
Security Policy Group
• SPG – initial plans (feedback very welcome!)
  – Development and maintenance of security policies
  – Advice on any security policy issue
  – Primary stakeholders: NGIs, Sites, Application communities
    • and include other infrastructures for interoperation
  – Build on JSPG work
EGI SPG (2)
• Membership: NGI reps, Sites, VOs, middleware, security ops
• Participate in EUGridPMA, IGTF, OGF, TERENA federations, Middleware etc policy discussions
• Small editorial team to prepare policies
  – Meet face to face
• Full consultation by e-mail (all stakeholders)
• Annual face to face meeting if possible
• Coordination with other security activities and informing everyone are both important
JSPG Meetings, Web etc
• Meetings - Agenda, presentations, minutes etc
  http://indico.cern.ch/categoryDisplay.py?categId=68
• JSPG Web sites
  http://www.jspg.org and http://proj-lcg-security.web.cern.ch/
• Membership of the JSPG mail list is closed, BUT
  – Volunteers to work with us are always welcome!
• Policy documents at http://www.jspg.org and http://proj-lcg-security.web.cern.ch/proj-lcg-security/documents.html
Where are JSPG security policies?
• http://www.jspg.org/wiki/JSPG_Docs
• http://proj-lcg-security.web.cern.ch/proj-lcg-security/documents.html
• https://edms.cern.ch/nav/CERN-0000022711
Discussion