Comprehensive GENI Security Program
Spiral 2 Year-end Project Review
National Center for Supercomputing Applications
PI: Adam Slagell
Staff: N/A
Students: N/A
Aug. 30, 2010
Project Summary
• Goal: Lay the groundwork for a security and incident response program for GENI, advancing the Spiral 3 goal of making GENI operational
• Components
  • Threat and risk assessments
  • Document policies, agreements, standards and guidelines
  • Develop security plans
    • How will incidents be addressed?
    • What kind of proactive security measures can be deployed and maintained?
Milestone & QSR Status
Accomplishments 1: Advancing GENI Spiral 2 Goals
• Our security work is only indirectly related to the primary Spiral 2 goals
  • More directly focused on preparation for Spiral 3 goals
• Continuous Experimentation Goal:
  • A more secure environment resulting from the contribution of this project will lead to increased participation and uptime
  • Lack of security plans discourages campus IT from becoming involved
  • Unmitigated incidents are harmful to this goal
• Integration Goal:
  • Our work is not aimed at technical integration
  • The agreements we develop do address higher-level social integration
    • Helps to define roles and responsibilities
    • Sets expectations
    • Lays out methods of communication
Accomplishments 2: Other Project Accomplishments
• Aggregate Provider Agreement Draft
  • Important to have in place as we move to operations
  • Forces discussion of important issues that need to be addressed
    • E.g., roles and responsibilities, what it means to be a part of the GENI federation, etc.
• Interim Operational Security Plan
  • Based on an initial threat assessment of the WiMAX and OpenFlow build-outs
  • First draft security incident response plan that includes cross-site collaboration
  • Identifies roles & responsibilities of the proposed team
Issues
• Challenging to get community feedback outside GEC
  • Mass emailing has not proven effective & phone calls are only moderately more effective
• Difficult environment to present at GECs
  • Interruptions often prevent even short presentations from finishing
  • Other presentations get bumped off the schedule completely
  • Conversation / feedback is often dominated by a few individuals, so it is hard to gauge broad public opinion
  • Difficult to pick up and finish these conversations offline after GEC
• Solutions
  • Work harder (and with GPO) to get ALL the interested parties on calls
  • Make sure participants read docs before the call to be more productive
    • Perhaps have homework? Everyone submits at least 2 comments on the wiki agenda before the call?
    • Can test this for Aggregate Provider Agreement v0.2
  • Polling to get broader opinion?
  • Save the comment period until after a presentation
  • Stricter enforcement of time limits by chairs to keep the agenda moving
Plans
• Our focus changed mid-year and the SOW was reworked
  • Less on formal threat and risk analysis, more on agreements and security plans
    • Driven by immediate needs for plans with major build-outs
    • Original SOW focused mostly on formal analysis, with little focus on policy and nothing about agreements
      • Long time until any concrete plans would be developed
    • Also the realization that a lot of the hardest operational security problems are social and not technical
  • Managed by focusing the scope of threat & risk analysis activities
    • Focus on large projects & deployments
    • GENI is too large and diverse for a formal threat & risk assessment of the entire project, even if the full 40% of an FTE is dedicated to that goal
• In the future, adjusting to the more pragmatic needs of the project
  • Establish sound agreements, procedures and protocols to handle security incidents
  • A major goal is to lay the foundation of guidelines and plans for a future operational incident response team
    • Provide a smooth transition from this development phase to normal operations of the infrastructure
  • Spiral 4 milestones will need to be reworked
    • E.g., developing plans for a large IDS is less relevant and unlikely to be built
  • Anticipate the need for additional agreements and policies
    • For example, nothing much has been said about privacy issues