Page 1: Security Area in GridPP2

Andrew.McNab@man.ac.uk
Security Area in GridPP2, 4 Mar 2004

Security Area in GridPP2

• “Proforma-2 posts” overview
• Deliverables
– Local Access
– Local Usage
– VO Tools
– Security co-ordination
– Tier 2 VO and Security posts
• Future LCG/EGEE Security Work
• Dissemination

Page 2: GridPP 2 Posts

• 1.0 for Local Access Control (Manchester)
– GACL and GridSite Library extensions
• 1.0 for Local Usage Control (Manchester)
– For sites to control disk use etc
• 0.5 for VO Tools (Manchester)
– GridSite
• 1.0 for Security co-ordination (RAL)
– Mostly LCG follow-on from EDG Security Group
• 0.5 for Tier-2 VO Operations (Manchester)
• 1.0 for Tier-2 Security Officer (RAL)

Page 3: Deliverables: Task 1

• Task 1 Local Access Control (1.0 FTE)
– Month 6 Hardening of GridSite and SlashGrid for bulk file handling
– Month 12 Profile for use of XACML policy language
– Month 18 XACML and C/C++/Java support via GACL API
– Month 24 Updates integrated into SlashGrid and GridSite releases
– Month 30 Further performance and robustness requirements/improvements
– Month 36 Final release of standards-based GridSite/GACL library

Page 4: Deliverables: Task 2

• Task 2 Local Usage Control (1.0 FTE)
– Month 6 Requirements gathering for Usage Control
– Month 12 Prototype application of Usage Control to services
– Month 18 Prototype XML representation of Usage Control
– Month 24 SlashGrid and GridSite releases with support for Usage Control
– Month 30 Co-ordination of standards with GGF etc accounting groups
– Month 36 Final release, including reporting usage to Virtual Organization

Page 5: Deliverables: Task 3

• Task 3 Virtual Organization Tools (0.5 FTE)
– Month 6 Integration of VOMS interface to GridSite lightweight groups
– Month 12 Improvements to GridSite user interface after users survey
– Month 18 Ad-hoc group creation and user tools
– Month 24 Prototype usage control/reporting in GridSite
– Month 30 Implementation of further requirements after initial deployment
– Month 36 Final release of standards-based VO usage administration

Page 6: Deliverables: Task 4

• Task 4 Security coordination, policies, quality assurance and documentation (1.0 FTE)
– M6 Define the relationship of LCG security coordination to JRA3 and SA1 activities in EGEE
– M6 Define and agree QA procedures with tasks 1 to 3
– M9 Contribute to the Security Coordination and Policy issues for the LCG TDR
– M12 Complete evaluation of the Security Middleware documentation and propose and implement improvements
– M24 Produce a Quality Assurance report on all security middleware developments
– M30 Coordinate the implementation of LCG security policy and procedures for LCG Phase-2

Page 7: Deliverables: VO Operations

• 0.5 FTE
• Quarterly reports to GridPP
– Status of services, account of support undertaken and plans for next quarter
• Three annual reports
– At M12, M24 and M36
– Assessing the virtual organization middleware deployed
– Feedback to developers within GridPP and other projects, in light of operational experience

Page 8: Deliverables: Security Officer

• 1.0 FTE
• M3 Produce and negotiate Incident Response Procedure
• M6 Perform a Security Risk Analysis in collaboration with the Tier 2
• M6 Produce and negotiate a GridPP Security Policy and other rules
• M9 Produce an agreed firewall guide for GridPP
• M12 Prepare annual summary of security incidents, issues and policy
• M15 Investigate the feasibility of a Grid Intrusion Monitoring and Detection service and implement if appropriate
• M18 Organise a GridPP security operations workshop
• M24 Prepare the second annual summary of GridPP security incidents, issues and policy
• M36 Prepare the final summary of GridPP security incidents, issues and policy

Page 9: Future LCG/EGEE work (1) (slides from David Kelsey)

• Authentication
– Continue and expand the EDG PKI
– Secure credential management: online services, SmartCards
– Faster and more robust certificate revocation, e.g. OCSP
• Restricted delegation
• Confidentiality
– Integrate and deploy the proposed solution for the old WP10's applications

Page 10: Future LCG/EGEE work (2)

• Authorization
– Fuller use of VOMS AuthZ credentials
– Mutual AuthZ: VOs should approve resources and services
– Convergence with GGF standards (XACML, SAML, …)
• Build on DataGrid design and components for industrial strength
– PKI/SSL authentication, standards-based authorization, WS-security, …

Page 11: GridPP Security dissemination

• GridSite and Security Middleware are readily applicable to other projects
– All projects need a website
– All projects need security
  • (write access control if nothing else)
• We're talking to other projects which are interested in using GridPP security middleware
– In particular, MRC projects (HIC, CLEF, PsyGrid)
• We intend to submit GridSite to OMII repository
• Other possibilities in the pipeline...

Page 12: “gridsite.org”

• Shorthand for making GridSite an Open Source project, with external involvement
• We noticed that most of the users installed the software without first asking for help/support
• We're trying to encourage this:
– Source and binary distributions
– User, Admin, Install guides, man pages etc
– Publicly available CVS + Bugtrack (thanks to EDG and now LCG Savannah)
– Public announcement and discussion mailing lists
– Pointers to free/cheap/lightweight X.509 CAs

Page 13: Summary

• Middleware concentrates on local access/usage
• Some work also on lightweight VO support
• Migrating to standards (eg XACML)
• Funding to support continued [EDG|LCG] Security Group leadership by David Kelsey
• Tier-2 VO and Security Officer posts involved in the programme as on site “customers”
• But we need to make more links to other LCG, EGEE, ARDA etc middleware projects