150 likes | 296 Views
Grid Security Policy. GridPP18, Glasgow. David Kelsey D.P.Kelsey@rl.ac.uk. 21sr March 2007. Joint Security Policy Group. “Joint” initially was EGEE and LCG Strong participation by USA Open Science Grid Now “Joint” = EGEE/OSG/WLCG/NDGF + … Strong links to other security groups
E N D
Grid Security Policy GridPP18, Glasgow David Kelsey D.P.Kelsey@rl.ac.uk 21sr March 2007
Joint Security Policy Group • “Joint” initially was EGEE and LCG • Strong participation by USA Open Science Grid • Now “Joint” = EGEE/OSG/WLCG/NDGF + … • Strong links to other security groups • Middleware Security Group • Operational Security Coordination Team • Grid Security Vulnerability Group • EU Grid PMA/IGTF
JSPG membership • Application representatives/VO managers • Site Security Officers • Site/Resource Managers/Security Contacts • Security middleware experts/developers • CERN Deployment team • Now expanded to include other EU Grid projects • Other EU Infrastructure projects (may) use our policies • BalticGrid, EELA, EUMedGrid, EUChinaGrid, …
Interoperable Policies • Aim to allow applications (VO’s) to easily use resources in multiple Grids • The simplest approach • Common Policies • User AUP • Site AUP • VO AUP • If not common then at least not conflicting! • EU eInfrastructure Reflection Group (eIRG) • EGEE inputs policy for consideration
Incident Response Certification Authorities Audit Requirements Site & VO Policies Grid Security Policy Grid & VO AUPs Application Development & Network Admin Guide User Registration & VO Management
Grid Security Policy • New, revised document • Replaces very old LCG Security and Availability Policy • Simpler and more general • Useful to multiple Grids, not LCG-specific • https://edms.cern.ch/document/428008/4 • V5.4 (December 06) – EGEE milestone MSA1.7 • Current draft (V5.5) from last week’s JSPG meeting • Will be distributed for wider comment soon • V5.4 already approved by OSG • A major simplification will be tackled during 2007
Grid Site Operations Policy • Has to be signed by Sites during registration • EGEE-II milestone MSA1.3 • https://edms.cern.ch/document/819783 • Lots of useful feedback received • Including CERN legal department • Close to final • V1.3 agreed at last week’s JSPG meeting • Signing will await approval of new top-level policy document • Covering document per Grid also required
Issues for GridPP • Security policy in new GridPP Tier 2 MoU • Sites say they cannot accept policy that allows others to change this without their approval • Existing GridPP Tier 2 MoU handled this • Took snapshot of EGEE policies • Change requires approval of Tier 2 Board • But the Grid has to be able to change policies! • For EGEE, policy approval process involves full consultation and feedback with Sites • But once approved new policy applies to all
Accounting & Monitoring Data Policy • VO’s/Grid Ops require access to user-level logs • EU directives and national laws on processing personal data and privacy apply here • Dave Kant presented the approach for Accounting yesterday • Draft policy document available soon • Will cover accounting and monitoring data • Data classification agreed last week (JSPG)
Informed User consent Grid AUP says…(accepted during registration with VO) • Logged information, including information provided by you for registration purposes, shall be used for administrative, operational, accounting, monitoring and security purposes only. This information may be disclosed to other organizations anywhere in the world for these purposes. Although efforts are made to maintain confidentiality, no guarantees are given • So the User has given informed consent • Together with a policy document on personal data management, should be enough to convince sites to allow access to the appropriate logs
Logged data classification • Private • Contains sensitive personal data • Grid Operations does not create, store or handle such data • Personal • Name, Institute, e-mail address, X.509 DN • Non-public • To be kept confidential within site and/or VO • Security considerations, confidentiality • Public • World readable – no stipulations • Grid needs to have policy for two in red • VO’s and applications are responsible for their own data handling
EGEE security operations • Operational Security Coordination Team • Romain Wartel (CERN) – Security Officer • Weekly operational rota • Security Service Challenges • New GridPP Security Officer • Grid Security Vulnerability Group • Linda Cornwall (RAL) • Risk Assessment Team handles issues • Full responsible public disclosure now approved
IGTF • International Grid Trust Federation • 3 regional PMA’s, including EU Grid PMA • Number of classic CA’s continues to grow • Africa now starting to join EU PMA • New Authentication profiles • Short-Lived Cert Service (SLCS) • SWITCH Shibboleth CA now approved • Member Integrated Cert Service (MICS) • Close to agreement
JSPG future plans • Approval of current draft documents • New draft of Audit Policy • VO Operations Policy • Signed by VO during registration • Grid Service Operations Policy • Obligations of anyone running a Grid service, e.g. VObox • In EGEE-III • Move towards EGI with national Grids • Scaling problems of one VO and many Grids • Work with NGI’s, e.g. NGS and Grid Ireland
JSPG Meetings, Web etc • Meetings - Agenda, presentations, minutes etc http://agenda.cern.ch/displayLevel.php?fid=68 • JSPG Web site http://proj-lcg-security.web.cern.ch/ • Policy documents at http://cern.ch/proj-lcg-security/documents.html