LCG/GDB Security (Report from the LCG Security Group)
FNAL, 9 October 2003
David Kelsey, CCLRC/RAL, UK, d.p.kelsey@rl.ac.uk

Overview

Just one topic
• LCG Security and Availability Policy
  – Draft 3 presented at 9th Sep 03 GDB
  – Aiming for approval at this meeting
• This draft (V4b) produced on 30th Sep

Security Group meetings (also working on risk analysis)
– 10th September 2003
– 24th September 2003

http://agenda.cern.ch/displayLevel.php?fid=68


Changes since last GDB

• “LCG Security and Availability Policy”
  – Trevor Daniels (GOC task force) is main author
  – In collaboration with Security Group
• Incorporated comments made last month by GDB
  – Ownership
  – Role of home employing institute
  – No personnel screening
• Lots of minor changes
  – To make document clearer
  – Changed document template to LCG SEC format
• Also distributed V4b to Site Security contacts
  – but no feedback to date


Section 1: Objectives and Scope

• Objectives
  – Agreed set of statements
  – Attitude of the project towards security and availability
  – Authority for defined actions
  – Responsibilities on individuals and bodies
• Promote the LHC science mission
• Control of resources and protection from abuse
• Minimise disruption to science
• Obligations to other network (inter- and intra-nets) users
• Broad scope: not just hacking
• Maximise availability and integrity of services and data
• Resources, Users, Administrators, Developers (systems and applications), and VOs
• Does NOT override local policies
• Procedures, rules, guides etc contained in separate documents


Section 1: Ownership, maintenance and review

• The Policy is
  – Prepared and maintained by Security Group and GOC
  – Approved by GDB
  – Formally owned and adopted as policy by SC2
• Technical docs implementing or expounding policy
  – Procedures, guides, rules, …
  – Owned by the Security Group and GOC
    • timely and competent changes
    • GDB approval for initial docs and significant revisions
  – Must address the objectives of the policy
• Review the top-level policy at least every 2 years
  – Ratification by SC2 via GDB if major changes required


Section 2: LCG services and resources

• Definition of …
• Resources
  – Equipment, software, data
• Services
  – Defined by GOC web-site
  – example list defined


Section 3: Roles and Responsibilities

• LCG Organisation
• VOs
  – Acts with LCG Organisation, sites and home institutes of users
• Sites
• Resource Administrators
• Users
• Developers
• GOC
• Some examples here. Details in associated documents


Section 4: Physical security

• Expected to be covered by site local policy and practices
  – Should aim to reduce the risks
• Should be consistent with the SLA defined by the resource administrator


Section 5: Network security

• Covered by local site policy
  – Should aim to reduce risks
• Again consistent with SLA
• LCG policy to reduce the risk exposed by applications which need to communicate across the Internet, BUT
• Firewalls required to allow transit of inbound and outbound packets to/from some port numbers


Section 6: Access Control

• Global components of the common grid security infrastructure must be deployed by all sites and resources
• Additional local components allowed
• Resource providers and Users must comply with all relevant associated documents


Section 7: Compliance

• Require Site self-audit at least every 2 years
  – Check policy (and associated procedures and practices) is being followed
• Independent audit (by or for GOC) allowed if
  – Self audit not performed
  – Not following policy
  – At random
• Audit summaries to be published (by GOC)
• Emergency exceptions allowed
  – Time-limited, authorised and GOC informed


Section 8: Sanctions

Sanctions defined for failure to comply
• Sites or admins
  – remove services
• Users, Admins, Developers
  – remove right of access
  – May have activities reported to home institute
    • or to law enforcement agencies
  – Appropriate body will decide course of action
    • Responsibility of the VO to define the body
• VOs
  – Remove right of access for them and all their users


Section 9: Associated documents

• User Registration and VO Management (exists)
• Rules for use of LCG-1 (exists)
• Procedures for Resource Administrators
• Approval of LCG CAs (exists)
• Guide for network administrators
• Procedures for site self-audit
• SLA Guide
• Incident Response (exists)
• Audit Requirements (exists)


Issues since 30th Sep

• We use the term GOC in the singular
  – Means the GOC “service”
    • i.e. several GOCs
• Assumes that sites join LCG
  – How can we cope with other Grids offering resources, but not part of LCG?
  • We need to require they agree to our policy