SLIDE 1

Update on Security Policy

David Kelsey (RAL)
7 Mar 2010

Security Workshop @ ISGC 2010, Taipei
david.kelsey at stfc.ac.uk

SLIDE 2

7 Mar 2010 Kelsey, Security Policy

Overview

  • Why do we need security policies?
  • Joint Security Policy Group (JSPG)
    – Some history
    – Interoperability
  • Overview of JSPG policies
    – Current status and recent work
  • The transition to EGI

SLIDE 3

Why do we need security policies?

  • Management of IT security
    – Management of risk, balanced with availability of services
    – Perform a risk analysis
    – Need a Security Plan
      • to mitigate and manage the risks
      • Security Plan includes various “Controls”
        – Technical
        – Operational
        – Management
  • Security Policy is part of Management Controls (written documents)

SLIDE 4

Trust is important

  • Trust is a relationship of reliance. A trusted party is presumed to seek to fulfill policies, ethical codes, law and their previous promises. (wikipedia)
  • Trust is a prediction of reliance on an action, based on what a party knows about the other party. Trust is a statement about what is otherwise unknown -- for example, because it is far away, cannot be verified, or is in the future.

SLIDE 5

Joint Security Policy Group

  • This started as a WLCG activity in 2003
  • In 2004, EGEE phase 1 started
    – JSPG remit expanded to cover both projects
    – Strong participation by OSG, NDGF, …
  • Revised mandate (2008)
    – http://www.jspg.org/
    – prepares and maintains security policies for its primary stakeholders (EGEE and WLCG)
    – also able to provide policy advice on any security matter
  • Policies approved and adopted by Grid management
  • Now taking forward into EGI era (more later)

SLIDE 6

Policy Interoperability

  • Wherever possible, JSPG aims to
    – prepare simple and general policies
    – applicable to the primary stakeholders, but
    – also of use to other Grid infrastructures (NGI's etc)
  • The adoption of common policies by multiple Grids eases the problems of interoperability (and scaling)
  • Users, VOs and Sites all accept the same policies during their (single) registration (with Grid or VO)
  • Other participants then know that their actions are already bound by the policies
    – No need for additional negotiation, registration or agreement

SLIDE 7

Overview of JSPG Policies

SLIDE 8

Grid Security Policy

  • The main policy document
  • https://edms.cern.ch/document/428008/
  • “…policy regulating those activities of Grid participants related to the security of Grid services and Grid resources.”

SLIDE 9

Grid Security Policy (2)

  • Objectives
    – gives authority for actions
      • may be carried out by certain individuals and bodies
    – places responsibilities on all participants
  • Scope
    – This policy applies to all participants
    – Every site participating in the Grid autonomously owns and follows their own local security policies
    – This policy augments local policies by setting out additional Grid-specific requirements.

SLIDE 10

Grid Security Policy (3)

  • Additional Policy documents
    – Appendix 1 defines additional policy documents
    – These must exist for a proper implementation of this policy
  • Roles and Responsibilities: Participants
    – Grid Management
    – Grid Security Officer & Grid Security Operations
    – Virtual Organisation Management
    – Users
    – Site Management
    – Resource Administrators

SLIDE 11

Grid Security Policy (4)

  • Limits to Compliance
    – Grid policies designed to be applied uniformly across all sites and VOs
    – exceptions may be made when required
    – must be justified in a document submitted to the Grid Security Officer for authorisation
    – In exceptional circumstances it may be necessary for emergency action
    – the exception should be minimised, documented, time-limited and authorised at the highest level of the management commensurate with taking the emergency action promptly, and the details notified to the Grid Security Officer at the earliest opportunity

SLIDE 12

Grid Security Policy (5)

  • Sanctions
    – Sites or resource administrators who fail to comply may lose the right to have that service instance recognised by the Grid
    – Users who fail to comply may lose their right of access to and/or collaboration with the Grid
      • may be reported to their home institute
      • or to appropriate law enforcement agencies
    – VOs which fail to comply may lose their right of access to and/or collaboration with the Grid
      • Including all their users

SLIDE 13

JSPG Security Policies

  • Security Policy
  • Site & VO Policies
  • Certification Authorities
  • Traceability and Logging
  • Security Incident Response
  • Accounting Data Privacy
  • Pilot Jobs and VO Portals
  • Grid & VO AUPs

SLIDE 14

Recent JSPG work

  • JSPG membership expanded to include more NGIs (-> EGI era)
    – revise all policy documents to make simpler and more general

Policies approved and adopted during the last year…

  • Virtual Organisation Registration Security Policy
    https://edms.cern.ch/document/573348/8
  • Virtual Organisation Membership Management Policy
    https://edms.cern.ch/document/428034/3
  • Grid Policy on the Handling of User-Level Job Accounting Data
    https://edms.cern.ch/document/855382/5
  • VO Portal Policy
    https://edms.cern.ch/document/972973/6
  • Security Incident Response Policy
    https://edms.cern.ch/document/428035/7

SLIDE 15

Revision to Grid AUP

  • http://www.jspg.org/wiki/Grid_Acceptable_Use_Policy – Version 4.1
  • Old policy document (V3.1 28 Oct 2005)
    – one of the early successes of JSPG
    – a simple common policy for use on several different interoperating Grids
    – AUP has to be accepted by all users during their (re)registration with their VO
    – Important for interoperation between Grids

SLIDE 16

Grid AUP (2)

  • Many Grids and other computing infrastructures, e.g. DEISA, have since used this AUP
    – but needed to make small modifications
  • main aim of this revision
    – take these modifications into account
    – produce a new version to meet the needs of Grids using the policy

SLIDE 17

Revision to Site Registration

  • http://www.jspg.org/wiki/Site_Registration_Security_Policy – Version 3.1
  • Old policy document (V2.0 16 Mar 2006)
    – contains many detailed registration procedures
      • These are too EGEE-specific
      • JSPG decided to remove these
    – change the focus of the document to be purely related to security policy issues
    – similar to the recently approved “Virtual Organisation Registration Security Policy”
  • new document is now much shorter and simpler

SLIDE 18

From EGEE to EGI

SLIDE 19

Problems with current Policies

  • The complete revision during EGEE-III has been successful, however…
  • Still many different documents
    – Overlaps and inconsistencies
  • Includes operational issues as well as security-related issues
  • Participants find it difficult to know which policy applies to them
  • Many policies are rather EGEE-specific

SLIDE 20

Policy framework for EGI

  • defining policy standards
  • A framework to enable interoperation of collaborating Grids
    – aimed at managing cross-Grid operational security risks
  • Identify policy components needed for trust between Grids
  • Not necessarily imposing a single policy for all
    – But Grids can use template policies if they wish
  • Presents the current set of JSPG policies
    – Taking high-level view to identify those components which are necessary
    – Other components are either too EGEE-specific or are operational rather than related to security – separate them

SLIDE 21

Framework (2)

  • Specifies the issues that need to be addressed in a Grid's security policy
  • At this stage does not define minimum standards or requirements
    – Standards should come later

SLIDE 22

Policy Framework: Participants

Infrastructure includes
  • Grid Operations
  • Security Officer
  • Sec Operations

Users include
  • Grid users
  • VOs
  • Application Communities

Providers include
  • Grid Sites
  • Resource Providers
  • Service Providers, e.g. VO running services

SLIDE 23

Policy Components

Infrastructure includes
  • Incident Response
  • Vulnerability Handling
  • Patching
  • Data protection
  • Registration
  • etc

Users include
  • AUP
  • Traceability
  • VO Management
  • Data protection
  • Incident response
  • Registration
  • etc

Providers include
  • Traceability
  • Incident Response
  • Access control
  • Registration
  • etc

SLIDE 24

Security Policy Framework

Matrix of policy components (rows) against participant groups (columns); the numbers are the cell labels from the slide:

                      Infrastructure   Users   Providers
  Incident Response         1            2         3
  Traceability              4            5         6
  Data Protection           7            8         9
  etc                      etc          etc       etc

SLIDE 25

EGI Security Policy Group

  • Primary stakeholders: NGIs, Sites, Application communities
  • Will start with the current set of JSPG policies
  • SPG will build on this to develop the policy framework
    – And produce template policies
  • Small editorial team to prepare policies
  • Full consultation by e-mail (all stakeholders)
  • Annual face to face meeting if possible
  • Coordination with other Grids still important

SLIDE 26

JSPG Meetings, Web etc

  • Meetings - Agenda, presentations, minutes etc
    http://indico.cern.ch/categoryDisplay.py?categId=68
  • JSPG Web sites
    http://www.jspg.org and http://proj-lcg-security.web.cern.ch/
  • Membership of the JSPG mail list is closed, BUT
    – Volunteers to work with us are always welcome!
  • Policy documents at http://www.jspg.org and http://proj-lcg-security.web.cern.ch/proj-lcg-security/documents.html

SLIDE 27

Where are JSPG security policies?

  • http://www.jspg.org/wiki/JSPG_Docs
  • http://proj-lcg-security.web.cern.ch/proj-lcg-security/documents.html
  • https://edms.cern.ch/nav/CERN-0000022711

SLIDE 28

Discussion?