
Cyber Security Issues in HEP and NP Grids

Bob Cowles — SLAC, bob.cowles@slac.stanford.edu. NC 2004, 10 August 2004.


Presentation Transcript


  1. Cyber Security Issues in HEP and NP Grids
     Bob Cowles — SLAC, bob.cowles@slac.stanford.edu
     NC 2004, 10 August 2004

  2. Secure Grid Services
     • Major changes required that have an impact on:
       • Researchers
       • Application Developers
       • Research Organizations
       • Sites
     • Proposal

  3. Researchers
     • Identification
     • Authentication
     • Authorization

  4. Identification
     • Registration process collects personal information
     • Privacy concerns
     • Responsible site personnel must have ability to quickly contact
     • DOE paranoia about Foreign Nationals

  5. Authentication
     • “Standard” use of certificates is insufficient
     • Must incorporate other forms of AuthN
     • Credential Repositories
     • KCA
     • MyProxy
     • Variety of one time password tokens
     • Smart cards
     • How to quantify trust in a federated AuthN environment?

  6. Authorization
     • AuthZ got the hard issues from AuthN
     • Must keep initial implementation SIMPLE
     • Typically jobs disappear or fail with misleading error messages
     • Require patience and calm problem reporting to resolve the issues
     • Heterogeneous resources present a challenge for specifying job requirements
     • Consider boiling water in Peru

  7. Application Developers
     • Applications with inflexible req’ts will find fewer host sites (think like a virus writer)
     • Early design to resolve security concerns can greatly improve application portability
     • Logging in a standard form essential for debugging and incident response
     • Robust - recovery from temporary outages (allowing security upgrades)

  8. Application Developers (2)
     • Secure programming design and practices (consider boiling water in Peru)
     • Check all input for validity and verify environment is as expected and minimize requirements for privileges
     • React quickly to investigate, patch and deploy when security problems are found during both development and production phases
       • “when” they are found, not “if”
     • Design for re-AuthN and re-AuthZ to protect users

  9. Research Organizations
     • Must maintain AuthN information in a secure, reliable form, responsive to concerns for privacy vs. need for rapid contact in cases of misuse
     • Must develop and maintain AuthZ policies in a secure, reliable and auditable form
     • Logs must be generated and securely stored to allow auditing of past AuthN and AuthZ decisions

  10. Sites
     • Must monitor resources to detect and report anomalous or suspected misuse
     • Maintain infrastructure by mitigating or rapidly applying security patches
     • Immediately isolate compromised machines, resources or services
     • Cooperate with other sites and participate actively in incident investigation

  11. Proposal
     • Concentrate on Grid as providing a virtual facility
     • Research Organizations
       • use services already in place and provided by the facility for AuthN, AuthZ and logging
       • select from a menu of policies
     • Sites
       • draw on facility resources and expertise for incident detection and response
       • facility provides incident coordination
