1 / 15

Grid Security Policy

Grid Security Policy. GridPP18, Glasgow. David Kelsey D.P.Kelsey@rl.ac.uk. 21sr March 2007. Joint Security Policy Group. “Joint” initially was EGEE and LCG Strong participation by USA Open Science Grid Now “Joint” = EGEE/OSG/WLCG/NDGF + … Strong links to other security groups

nysa
Download Presentation

Grid Security Policy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Grid Security Policy GridPP18, Glasgow David Kelsey D.P.Kelsey@rl.ac.uk 21sr March 2007

  2. Joint Security Policy Group • “Joint” initially was EGEE and LCG • Strong participation by USA Open Science Grid • Now “Joint” = EGEE/OSG/WLCG/NDGF + … • Strong links to other security groups • Middleware Security Group • Operational Security Coordination Team • Grid Security Vulnerability Group • EU Grid PMA/IGTF

  3. JSPG membership • Application representatives/VO managers • Site Security Officers • Site/Resource Managers/Security Contacts • Security middleware experts/developers • CERN Deployment team • Now expanded to include other EU Grid projects • Other EU Infrastructure projects (may) use our policies • BalticGrid, EELA, EUMedGrid, EUChinaGrid, …

  4. Interoperable Policies • Aim to allow applications (VO’s) to easily use resources in multiple Grids • The simplest approach • Common Policies • User AUP • Site AUP • VO AUP • If not common then at least not conflicting! • EU eInfrastructure Reflection Group (eIRG) • EGEE inputs policy for consideration

  5. Incident Response Certification Authorities Audit Requirements Site & VO Policies Grid Security Policy Grid & VO AUPs Application Development & Network Admin Guide User Registration & VO Management

  6. Grid Security Policy • New, revised document • Replaces very old LCG Security and Availability Policy • Simpler and more general • Useful to multiple Grids, not LCG-specific • https://edms.cern.ch/document/428008/4 • V5.4 (December 06) – EGEE milestone MSA1.7 • Current draft (V5.5) from last week’s JSPG meeting • Will be distributed for wider comment soon • V5.4 already approved by OSG • A major simplification will be tackled during 2007

  7. Grid Site Operations Policy • Has to be signed by Sites during registration • EGEE-II milestone MSA1.3 • https://edms.cern.ch/document/819783 • Lots of useful feedback received • Including CERN legal department • Close to final • V1.3 agreed at last week’s JSPG meeting • Signing will await approval of new top-level policy document • Covering document per Grid also required

  8. Issues for GridPP • Security policy in new GridPP Tier 2 MoU • Sites say they cannot accept policy that allows others to change this without their approval • Existing GridPP Tier 2 MoU handled this • Took snapshot of EGEE policies • Change requires approval of Tier 2 Board • But the Grid has to be able to change policies! • For EGEE, policy approval process involves full consultation and feedback with Sites • But once approved new policy applies to all

  9. Accounting & Monitoring Data Policy • VO’s/Grid Ops require access to user-level logs • EU directives and national laws on processing personal data and privacy apply here • Dave Kant presented the approach for Accounting yesterday • Draft policy document available soon • Will cover accounting and monitoring data • Data classification agreed last week (JSPG)

  10. Informed User consent Grid AUP says…(accepted during registration with VO) • Logged information, including information provided by you for registration purposes, shall be used for administrative, operational, accounting, monitoring and security purposes only. This information may be disclosed to other organizations anywhere in the world for these purposes. Although efforts are made to maintain confidentiality, no guarantees are given • So the User has given informed consent • Together with a policy document on personal data management, should be enough to convince sites to allow access to the appropriate logs

  11. Logged data classification • Private • Contains sensitive personal data • Grid Operations does not create, store or handle such data • Personal • Name, Institute, e-mail address, X.509 DN • Non-public • To be kept confidential within site and/or VO • Security considerations, confidentiality • Public • World readable – no stipulations • Grid needs to have policy for two in red • VO’s and applications are responsible for their own data handling

  12. EGEE security operations • Operational Security Coordination Team • Romain Wartel (CERN) – Security Officer • Weekly operational rota • Security Service Challenges • New GridPP Security Officer • Grid Security Vulnerability Group • Linda Cornwall (RAL) • Risk Assessment Team handles issues • Full responsible public disclosure now approved

  13. IGTF • International Grid Trust Federation • 3 regional PMA’s, including EU Grid PMA • Number of classic CA’s continues to grow • Africa now starting to join EU PMA • New Authentication profiles • Short-Lived Cert Service (SLCS) • SWITCH Shibboleth CA now approved • Member Integrated Cert Service (MICS) • Close to agreement

  14. JSPG future plans • Approval of current draft documents • New draft of Audit Policy • VO Operations Policy • Signed by VO during registration • Grid Service Operations Policy • Obligations of anyone running a Grid service, e.g. VObox • In EGEE-III • Move towards EGI with national Grids • Scaling problems of one VO and many Grids • Work with NGI’s, e.g. NGS and Grid Ireland

  15. JSPG Meetings, Web etc • Meetings - Agenda, presentations, minutes etc http://agenda.cern.ch/displayLevel.php?fid=68 • JSPG Web site http://proj-lcg-security.web.cern.ch/ • Policy documents at http://cern.ch/proj-lcg-security/documents.html

More Related