Security Area in GridPP2 4 Mar 2004
Security Area in GridPP2
• “Proforma-2 posts” overview
• Deliverables
  – Local Access
  – Local Usage
  – VO Tools
  – Security co-ordination
  – Tier 2 VO and Security posts
• Future LCG/EGEE Security Work
• Dissemination
GridPP 2 Posts
• 1.0 for Local Access Control (Manchester)
  – GACL and GridSite Library extensions
• 1.0 for Local Usage Control (Manchester)
  – For sites to control disk use etc
• 0.5 for VO Tools (Manchester)
  – GridSite
• 1.0 for Security co-ordination (RAL)
  – Mostly LCG follow-on from EDG Security Group
• 0.5 for Tier-2 VO Operations (Manchester)
• 1.0 for Tier-2 Security Officer (RAL)
Deliverables: Task 1
• Task 1 Local Access Control (1.0 FTE)
  – Month 6 Hardening of GridSite and SlashGrid for bulk file handling
  – Month 12 Profile for use of XACML policy language
  – Month 18 XACML and C/C++/Java support via GACL API
  – Month 24 Updates integrated into SlashGrid and GridSite releases
  – Month 30 Further performance and robustness requirements/improvements
  – Month 36 Final release of standards-based GridSite/GACL library
Deliverables: Task 2
• Task 2 Local Usage Control (1.0 FTE)
  – Month 6 Requirements gathering for Usage Control
  – Month 12 Prototype application of Usage Control to services
  – Month 18 Prototype XML representation of Usage Control
  – Month 24 SlashGrid and GridSite releases with support for Usage Control
  – Month 30 Co-ordination of standards with GGF etc accounting groups
  – Month 36 Final release, including reporting usage to Virtual Organization
Deliverables: Task 3
• Task 3 Virtual Organization Tools (0.5 FTE)
  – Month 6 Integration of VOMS interface to GridSite lightweight groups
  – Month 12 Improvements to GridSite user interface after user survey
  – Month 18 Ad-hoc group creation and user tools
  – Month 24 Prototype usage control/reporting in GridSite
  – Month 30 Implementation of further requirements after initial deployment
  – Month 36 Final release of standards-based VO usage administration
Deliverables: Task 4
• Task 4 Security coordination, policies, quality assurance and documentation (1.0 FTE)
  – M6 Define the relationship of LCG security coordination to JRA3 and SA1 activities in EGEE
  – M6 Define and agree QA procedures with tasks 1 to 3
  – M9 Contribute to the Security Coordination and Policy issues for the LCG TDR
  – M12 Complete evaluation of the Security Middleware documentation and propose and implement improvements
  – M24 Produce a Quality Assurance report on all security middleware developments
  – M30 Coordinate the implementation of LCG security policy and procedures for LCG Phase-2
Deliverables: VO Operations
• 0.5 FTE
• Quarterly reports to GridPP
  – Status of services, account of support undertaken and plans for next quarter
• Three annual reports
  – At M12, M24 and M36
  – Assessing the virtual organization middleware deployed
  – Feedback to developers within GridPP and other projects, in light of operational experience
Deliverables: Security Officer
• 1.0 FTE
• M3 Produce and negotiate Incident Response Procedure
• M6 Perform a Security Risk Analysis in collaboration with the Tier 2
• M6 Produce and negotiate a GridPP Security Policy and other rules
• M9 Produce an agreed firewall guide for GridPP
• M12 Prepare annual summary of security incidents, issues and policy
• M15 Investigate the feasibility of a Grid Intrusion Monitoring and Detection service and implement if appropriate
• M18 Organise a GridPP security operations workshop
• M24 Prepare the second annual summary of GridPP security incidents, issues and policy
• M36 Prepare the final summary of GridPP security incidents, issues and policy
Future LCG/EGEE work (1) (slides from David Kelsey)
• Authentication
  – Continue and expand the EDG PKI
  – Secure credential management: online services, SmartCards
  – Faster and more robust certificate revocation, e.g. OCSP
• Restricted delegation
• Confidentiality
  – Integrate and deploy the proposed solution for the old WP10's applications
Future LCG/EGEE work (2)
• Authorization
  – Fuller use of VOMS AuthZ credentials
  – Mutual AuthZ: VOs should approve resources and services
  – Convergence with GGF standards (XACML, SAML, …)
• Build on DataGrid design and components for industrial strength
  – PKI/SSL authentication, standards-based authorization, WS-security, …
GridPP Security dissemination
• GridSite and Security Middleware are readily applicable to other projects
  – All projects need a website
  – All projects need security
    • (write access control if nothing else)
• We're talking to other projects which are interested in using GridPP security middleware
  – In particular, MRC projects (HIC, CLEF, PsyGrid)
• We intend to submit GridSite to OMII repository
• Other possibilities in the pipeline...
“gridsite.org”
• Shorthand for making GridSite an Open Source project, with external involvement
• We noticed that most of the users installed the software without first asking for help/support
• We're trying to encourage this:
  – Source and binary distributions
  – User, Admin, Install guides, man pages etc
  – Publicly available CVS + Bugtrack (thanks to EDG and now LCG Savannah)
  – Public announcement and discussion mailing lists
  – Pointers to free/cheap/lightweight X.509 CAs
Summary
• Middleware concentrates on local access/usage
• Some work also on lightweight VO support
• Migrating to standards (eg XACML)
• Funding to support continued [EDG|LCG] Security Group leadership by David Kelsey
• Tier-2 VO and Security Officer posts involved in the programme as on site “customers”
• But we need to make more links to other LCG, EGEE, ARDA etc middleware projects