21-Mar-07 Kelsey, Security Policy 2
Joint Security Policy Group
• "Joint" initially was EGEE and LCG
– Strong participation by USA Open Science Grid
• Now "Joint" = EGEE/OSG/WLCG/NDGF + …
• Strong links to other security groups
– Middleware Security Group
– Operational Security Coordination Team
– Grid Security Vulnerability Group
– EU Grid PMA/IGTF
JSPG membership
• Application representatives/VO managers
• Site Security Officers
• Site/Resource Managers/Security Contacts
• Security middleware experts/developers
• CERN Deployment team
• Now expanded to include other EU Grid projects
• Other EU Infrastructure projects (may) use our policies
– BalticGrid, EELA, EUMedGrid, EUChinaGrid, …
Interoperable Policies
• Aim to allow applications (VO's) to easily use resources in multiple Grids
• The simplest approach – Common Policies
  • User AUP
  • Site AUP
  • VO AUP
– If not common then at least not conflicting!
• EU eInfrastructure Reflection Group (eIRG)
– EGEE inputs policy for consideration
Policy document structure (diagram on the slide): the top-level Grid Security Policy, with the subsidiary documents
– Site & VO Policies
– Certification Authorities
– Audit Requirements
– Incident Response
– User Registration & VO Management
– Application Development & Network Admin Guide
– Grid & VO AUPs
Grid Security Policy
• New, revised document
– Replaces very old LCG Security and Availability Policy
– Simpler and more general
– Useful to multiple Grids, not LCG-specific
• https://edms.cern.ch/document/428008/4
• V5.4 (December 06) – EGEE milestone MSA1.7
• Current draft (V5.5) from last week's JSPG meeting
– Will be distributed for wider comment soon
• V5.4 already approved by OSG
• A major simplification will be tackled during 2007
Grid Site Operations Policy
• Has to be signed by Sites during registration
• EGEE-II milestone MSA1.3
– https://edms.cern.ch/document/819783
• Lots of useful feedback received
– Including CERN legal department
• Close to final
– V1.3 agreed at last week's JSPG meeting
• Signing will await approval of new top-level policy document
– Covering document per Grid also required
Issues for GridPP
• Security policy in new GridPP Tier 2 MoU
• Sites say they cannot accept policy that allows others to change this without their approval
– Existing GridPP Tier 2 MoU handled this
• Took snapshot of EGEE policies
– Change requires approval of Tier 2 Board
• But the Grid has to be able to change policies!
• For EGEE, policy approval process involves full consultation and feedback with Sites
– But once approved new policy applies to all
Accounting & Monitoring Data Policy
• VO's/Grid Ops require access to user-level logs
– EU directives and national laws on processing personal data and privacy apply here
• Dave Kant presented the approach for Accounting yesterday
• Draft policy document available soon
– Will cover accounting and monitoring data
• Data classification agreed last week (JSPG)
Informed User consent
Grid AUP says… (accepted during registration with VO)
• Logged information, including information provided by you for registration purposes, shall be used for administrative, operational, accounting, monitoring and security purposes only. This information may be disclosed to other organizations anywhere in the world for these purposes. Although efforts are made to maintain confidentiality, no guarantees are given
• So the User has given informed consent
• Together with a policy document on personal data management, should be enough to convince sites to allow access to the appropriate logs
Logged data classification
• Private
– Contains sensitive personal data
– Grid Operations does not create, store or handle such data
• Personal
– Name, Institute, e-mail address, X.509 DN
• Non-public
– To be kept confidential within site and/or VO
– Security considerations, confidentiality
• Public
– World readable – no stipulations
• Grid needs to have policy for the two classes highlighted in red on the slide
– VO's and applications are responsible for their own data handling
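The two preceding slides (the AUP consent clause and the four-class data classification) together describe a handling rule that can be checked mechanically: Grid Operations never stores Private data, Personal data may be disclosed to any organization but only for the five AUP purposes, Non-public data stays within the site and/or VO, and Public data carries no stipulation. The following Python sketch is an added example and not JSPG, EGEE or GridPP code; the field names, the field-to-class mapping and the sample record are constructed assumptions, and unknown fields are deliberately treated as Private so that the check fails closed.

```python
"""Policy-as-code check for JSPG-style classification of logged data.

Added example (not JSPG/EGEE code). The four classes and the handling
rules come from the slides; field names and the sample record are assumed.
"""
from enum import Enum


class DataClass(Enum):
    PRIVATE = "private"        # sensitive personal data: Grid Ops must not store or handle it
    PERSONAL = "personal"      # name, institute, e-mail address, X.509 DN
    NON_PUBLIC = "non_public"  # confidential within site and/or VO
    PUBLIC = "public"          # world readable, no stipulations


# Assumed mapping of accounting/monitoring log fields to classes.
FIELD_CLASS = {
    "user_name": DataClass.PERSONAL,
    "institute": DataClass.PERSONAL,
    "email": DataClass.PERSONAL,
    "x509_dn": DataClass.PERSONAL,
    "site_internal_note": DataClass.NON_PUBLIC,
    "job_id": DataClass.PUBLIC,
    "vo": DataClass.PUBLIC,
    "cpu_seconds": DataClass.PUBLIC,
}

# The purposes the Grid AUP consents to (quoted on the "Informed User consent" slide).
PERMITTED_PURPOSES = {"administrative", "operational", "accounting", "monitoring", "security"}

# Recipients for release(): within the site/VO, or an external organization.
SITE_OR_VO = "site_or_vo"
EXTERNAL = "external"

# Constructed sample record; the DN and other values are made up.
SAMPLE_RECORD = {
    "user_name": "A. Example",
    "institute": "Example University",
    "x509_dn": "/C=XX/O=ExampleGrid/CN=A. Example",
    "site_internal_note": "node wn-07 rebooted after job",
    "job_id": "job-0001",
    "vo": "examplevo",
    "cpu_seconds": 1200,
}


class PolicyViolation(Exception):
    """Raised when a record is handled in a way the classification forbids."""


def classify(field):
    # Fail closed: a field nobody has classified is treated as Private.
    return FIELD_CLASS.get(field, DataClass.PRIVATE)


def ingest(record):
    """Accept a log record into Grid Operations storage.

    Refuses any record that carries Private data, because Grid Operations
    does not create, store or handle such data.
    """
    private = sorted(f for f in record if classify(f) is DataClass.PRIVATE)
    if private:
        raise PolicyViolation(f"refusing to store private fields: {private}")
    return dict(record)


def release(record, purpose, recipient):
    """Return the subset of a stored record that may go to `recipient` for `purpose`.

    Personal data is disclosable anywhere, but only for an AUP-permitted purpose;
    Non-public data never leaves the site/VO; Public data always passes.
    """
    if purpose not in PERMITTED_PURPOSES:
        raise PolicyViolation(f"purpose {purpose!r} is not covered by the Grid AUP consent")
    released = {}
    for field, value in record.items():
        cls = classify(field)
        if cls is DataClass.PUBLIC or cls is DataClass.PERSONAL:
            released[field] = value
        elif cls is DataClass.NON_PUBLIC and recipient == SITE_OR_VO:
            released[field] = value
        # Private fields cannot be present: ingest() rejected them.
    return released


if __name__ == "__main__":
    stored = ingest(SAMPLE_RECORD)
    print("to another organization, for accounting:", release(stored, "accounting", EXTERNAL))
    print("within the site/VO, for security:", release(stored, "security", SITE_OR_VO))
```

The purpose check is the code's expression of "informed consent": the AUP text enumerates exactly five purposes, so a request for any other purpose is refused outright rather than silently stripped down, which is the conservative reading a site security officer would want before opening user-level logs.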
EGEE security operations
• Operational Security Coordination Team
– Romain Wartel (CERN) – Security Officer
– Weekly operational rota
– Security Service Challenges
– New GridPP Security Officer
• Grid Security Vulnerability Group
– Linda Cornwall (RAL)
– Risk Assessment Team handles issues
– Full responsible public disclosure now approved
IGTF
• International Grid Trust Federation
– 3 regional PMA's, including EU Grid PMA
• Number of classic CA's continues to grow
– Africa now starting to join EU PMA
• New Authentication profiles
– Short-Lived Cert Service (SLCS)
  • SWITCH Shibboleth CA now approved
– Member Integrated Cert Service (MICS)
  • Close to agreement
JSPG future plans
• Approval of current draft documents
• New draft of Audit Policy
• VO Operations Policy
– Signed by VO during registration
• Grid Service Operations Policy
– Obligations of anyone running a Grid service, e.g. VObox
• In EGEE-III
– Move towards EGI with national Grids
– Scaling problems of one VO and many Grids
– Work with NGI's, e.g. NGS and Grid Ireland
JSPG Meetings, Web etc
• Meetings – Agenda, presentations, minutes etc
  http://agenda.cern.ch/displayLevel.php?fid=68
• JSPG Web site
  http://proj-lcg-security.web.cern.ch/
• Policy documents at
  http://cern.ch/proj-lcg-security/documents.html