
EGI-InSPIRE Cloud Security Implementations/Policies/Certification


  1. EGI-InSPIRE Cloud Security Implementations/Policies/Certification
     Sven Gabriel, sveng@nikhef.nl
     Nikhef, http://nikhef.nl
     EGI-CSIRT, https://wiki.egi.eu/wiki/EGI_CSIRT:Main_Page
     EGI Federated Clouds F2F meeting, 13/14 Jan 2014, Oxford, UK
     EGI-InSPIRE RI-261323, www.egi.eu

  2. Current Grid Infrastructure
     History 10+ years: Data Grid / EGEE / EGI / WLCG
     • Current Infrastructure grew under coordination of the Grid-Projects Data-Grid/EGEE 1-3/EGI.
     • Framework of SLAs, Policies, Procedures was developed to assure that reliable operation of the Infrastructure is possible.
     • Procedures/Policies define how to get part of the infrastructure, how to access resources, how to use the resources (AUP).
     • Grid Security Policy [1]
     [1] https://documents.egi.eu/public/ShowDocument?docid=86

  3. Current Grid Infrastructure
     Resource Provider/Centers (RP/C) Certification, https://documents.egi.eu/document/76
     • The name, email address and telephone number of the Site Manager and Site Security Contact in accordance with the requirements of the Site Operations Policy [1].
     • It is checked that they are operationally ready to fulfil the SLAs.
     • It is checked that the RP/C does not expose known vulnerabilities.
     • RP/Cs' security teams have an incident response procedure and know how to apply it (checked in SSCs).
     • Details on RP/C certification can be found in PROC09 [2].
     [1] https://documents.egi.eu/document/75
     [2] https://wiki.egi.eu/wiki/PROC09_Resource_Centre_Registration_and_Certification

  4. Current Grid Infrastructure
     Cloud Technology / Evolution of VO-WMS / CVMfs / ID Management
     • The Grid environment is constantly changing; new technologies have to be integrated.
     • This does not change the policies.
     • To help understand potential security issues with new technologies, a questionnaire should be answered.

  5. Security Policies/Procedures
     Incident Response related
     • Keep logfiles centrally to allow for an audit trail
     • Keep your systems updated
     • Have mechanisms in place for fine-grained access control.

  6. EGI-CSIRT
     EGI-CSIRT / SVG / Incident Prevention
     • Vulnerability Assessment (SVG, chaired by Linda)
     • If CRITICAL: Advisories [1] / Patch status Monitoring (pakiti, nagios)
     • Enforce application of software updates [2].
     [1] https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts
     [2] https://documents.egi.eu/public/ShowDocument?docid=283

  7. EGI-CSIRT
     Security Monitoring: Pakiti, Nagios

  8. EGI-CSIRT
     Incident Response Task Force (IRTF): Leif Nixon
     • Provides Incident Response capabilities for the Infrastructure.
     • Weekly Rota / Handover Telco / Minutes recorded in private wiki
     • Private Ticket System (RT-IR) for handling/follow-up on security issues.

  9. Trust / Accreditation TF-CSIRT
     Interfacing to other (Grid/NREN/VO) CSIRTs
     • Collaboration with other CERTs, share Information, Trust
     • Describe / Document your CSIRT, operational requirements to be met
     • RFC-2350
     • Provided information gets evaluated.

  10. Trust / Accreditation TF-CSIRT
      Interfacing to other (Grid/NREN/VO) CSIRTs

  11. WLCG risk assessment Cloud Security

  12. WLCG risk assessment
      • Mostly apply to cloud (missing threats)
      • Most important identified asset: Trust
      • Most dangerous threat: Misused identities
      • Focuses on traceability for:
          • Incident containment
          • Incident re-occurring prevention

  13. Virtual Machine endorsement
      Security Policy for the endorsement and operation of Virtual Machine images [1]
      • 2 roles:
          • Endorser: Certify VM Image
          • VM Operator: Root access on the VM
      • Security requirements for both roles
      • Users are not endorsers: An Endorser should be one of a limited number of authorised and trusted individuals appointed either by the Infrastructure Organisation, a VO or a resource centre
      [1] https://documents.egi.eu/public/ShowDocument?docid=771

  14. Virtual Machine endorsement
      • endorser/operator = site: current situation
      • endorser = VO: could provide more flexibility
      • operator = VO: could provide technical debugging
      • endorser/operator = end user: not foreseen useful

  15. Traceability
      Grid Security Traceability and Logging Policy [2]
      • Idea: understand and prevent incidents
      • Requirements:
          • Grid software MUST produce application logs:
              • Source of any action
              • Initiator of any action
          • Logs MUST be collected centrally
          • Logs MUST be kept 90 days
      [2] https://edms.cern.ch/document/428037

  16. Traceability
      [Diagram; surviving labels: Endorsement, Operator, Site, VO, User]

  17. Traceability
      Virtualization only introduces new possibilities:
      • Logging requirements not changed/impacted:
          • Every action/every user
          • Forwarded to a central server
      • New logs required (policy extension?):
          • Which endorsed VM is running?
          • Who is operating it (Site/VO)?
      • User compartmentalization:
          • Similar to glexec? (one UID per user)
          • Re-instantiate VM for each user (not job)
              • Perfect easy compartmentalization
              • High impact for unique short jobs

  18. Traceability
      Complete root access for user is dangerous:
      • Endorsed VM:
          • Contains up-to-date software (by policy)
          • Contains secured configuration (by policy)
          • Can include protections/logging...
      • User in full-power:
          • Can break configuration (maliciously or by error)
          • Can disable logging (maliciously or by error)
          • Can falsify data (non-trusted logs)
      • Simple accountability/traceability: user responsible
      • Difficult detailed incident analysis
      • VM cannot be re-used by different users
      No identified reason for such situation: highly discouraged

  19. Traceability
      Complete user control: no security
      • Unknown VM:
          • Can be vulnerable (not patched, outdated...)
          • Can be badly configured (no logs, anonymous access...)
          • Could be fully-encrypted (no forensics possible)
      • User in full-power:
          • Can falsify data (non-trusted logs)
      • Simple accountability/traceability: user responsible
      • Potentially impossible incident analysis
      • VM cannot be re-used by different users
      No identified reason for such situation: highly discouraged

  20. Traceability
      • VM creation/deletion easy (could be VO/user initialized)
      • VM lifetime foreseen shorter than current WN
      • If trusted operator/endorser:
          • Application logs centrally kept
          • More system logs probably needed
          • Unknown/modified file preservation would help forensics
      • If non-trusted operator/endorser:
          • Application logs (central) not trustworthy
          • System logs (central) not trustworthy
          • VM disk MUST be preserved after deletion
      Policy extension required?

  21. Monitoring
      Three evolutions possible:
      • Probe every VM for vulnerabilities:
          • Much more work than now (who?)
          • Extremely diverse security contacts
      • Limit VM lifetime:
          • Vulnerability window restricted (automatic)
          • How long (soft/hard limits?)?
              • Hours?
              • 2-3 days?
              • Week(s)?
              • Month(s)?
      • If Trusted endorser/operator:
          • Identify vulnerable VM in trusted VM store
          • Contact all VM operators (who?)
          • Kill switch to be implemented (who?)

  22. Incident response
      • Need well defined security contacts
      • Require root access on VM for:
          • Site admin?
          • EGI/OSG security team, WLCG security officer?
      • VM freezing/isolation (could break jobs):
          • Who is authorized to do it?
          • Procedure (under which circumstances?)?
      • Analysis using backend services (e.g. disk providers):
          • Who is authorized to do it?
          • Procedure (under which circumstances?)?
      • Private data protection?
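
An added example, not part of the original slides: a small audit over central VM records that answers the questions raised on slides 17 and 21 (which endorsed image is running, who operates it, has the VM outlived its lifetime limit). The record fields, image names, store layout and the 3-day limit are assumptions made for illustration; the slides leave the limit open.

```python
from datetime import datetime, timedelta, timezone

# Constructed trusted VM store: endorsed image id -> endorser and vulnerability flag.
ENDORSED_STORE = {
    "img-sl6-base-v3": {"endorser": "site-A", "vulnerable": False},
    "img-vo-analysis-v1": {"endorser": "vo-example", "vulnerable": True},
}

# Constructed central log records, one per running VM (field names are assumptions).
RUNNING_VMS = [
    {"vm": "vm-001", "image": "img-sl6-base-v3", "operator": "site-A",
     "initiator": "/DC=example/CN=alice", "started": "2014-01-13T08:00:00+00:00"},
    {"vm": "vm-002", "image": "img-vo-analysis-v1", "operator": "vo-example",
     "initiator": "/DC=example/CN=bob", "started": "2014-01-14T06:00:00+00:00"},
    {"vm": "vm-003", "image": "img-user-custom", "operator": "",
     "initiator": "/DC=example/CN=carol", "started": "2014-01-09T10:00:00+00:00"},
]

MAX_LIFETIME = timedelta(days=3)  # assumed hard limit; the slides leave the value open
NOW = datetime(2014, 1, 14, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def audit(vms, store, now, max_lifetime=MAX_LIFETIME):
    """Return (vm, operator, problems) for every record that needs follow-up."""
    findings = []
    for rec in vms:
        problems = []
        # Traceability: operator and initiator must be recorded for every VM.
        for field in ("operator", "initiator"):
            if not rec.get(field):
                problems.append(f"missing {field}")
        # Endorsement: the image must come from the trusted store and not be flagged.
        image = store.get(rec.get("image"))
        if image is None:
            problems.append("image not endorsed")
        elif image["vulnerable"]:
            problems.append("endorsed image flagged vulnerable")
        # Lifetime: a bounded lifetime restricts the vulnerability window.
        if now - datetime.fromisoformat(rec["started"]) > max_lifetime:
            problems.append("lifetime limit exceeded")
        if problems:
            findings.append((rec["vm"], rec.get("operator") or "unknown", problems))
    return findings


if __name__ == "__main__":
    for vm, operator, problems in audit(RUNNING_VMS, ENDORSED_STORE, NOW):
        print(f"{vm} (operator: {operator}): {', '.join(problems)}")
```

The operator column of each finding is the contact list for a vulnerable endorsed image; a record with no operator is itself a traceability gap.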
