OSG Security ReviewOSG Security ReviewMine Altunay Mine Altunay

December 4, 2008December 4, 2008

31 Jan 2008 2

Security OverviewSecurity Overview

• Current Initiatives OSG Security Roadmap

AuthN: Certificate Authorities distribution problem(WBS 2.1.1 and 2.1.9 and 2.1.9.1) AuthZ needs: MyProxy certificate renewal and lifetimes, Additional Banning Features and ca mgmt tool – requests from site admins at SLAC

Technical and operational needs for long and short term (WBS 2.1.4) Incident Mitigation Plans (WBS 2.3). Comm. with site admins (Aashish) Monitoring, security related RSV probes More fire drills and site education (WBS 2.1). Aashish and Igor will set up fire drills. Policy work

Top-level Grid Policy, OSG Registration Policy and procedures Risk assessment (WBS 2.1.4, 2.3)

• Accomplishments Since Last Report Privacy Policy & Approval of CA Policy have been completed and sent to EB. Jim set up periodic meetings with Miron and Ruth to discuss fundamental security issues Security plan revision against NIST guidelines completed. Security controls are being completed. New surveys for core assets are partially completed CA management tool for OSG site admins are completed, tested and integrated into VDT.

Ready for next release Banning capability into GUMS is implemented. Ready for the release.

Great feedback at SLAC on CA mgmt tool and banning feature

31 Jan 2008 3

Security OverviewSecurity Overview

• Accomplishments Since Last Report Security oriented RSV probes are defined. Central probes are almost finished

(Anand). Site probes are Arvind’s. Weekly gratia reports to VO admins are generated and sent each week. This is

being transitioned to Gratia soon Proxy clean-up work has completed and initiated similar work in EGEE Operational work continues CA distribution service transfer. February is set as a deadline. Has not finalized

yet Education was assigned to Doug, but he was out so this is stalled Desired security interactions with software providers is written CHEP Review Committee, reviewed 12 submissions and sent a submission on

behalf of OSG Incident Response procedure is set up and is ready to sent to EB IGTF CA incident response team and evaluation (Jim)

31 Jan 2008

Security Overview

• Issues / Concerns Effort is not an issue. It was when Doug first left for medical leave.

Jim does RA work. Aashish and Anand helped greatly

I spend time in software tools group. I have to be careful Igor, Aashish and Anand helps . Total of 2.50 FTE.

4

31 Jan 2008 5

Security OverviewSecurity Overview

• Current Initiatives (6/08) Incident response procedure – top priority (WBS 2.1.2 and 2.3.) OSG Registration Policy and Requirements from members (WBS 2.3.1) OSG Core Assets/Software in VDT Stack (WBS 2.1.7) DOEGrids RA workflow – introducing requested notifications (WBS 2.2) VO incident response teams (WBS 2.1.1 and 2.1.2) Command Line Security Management Tools (WBS 2.1.1) Banning tool requirements. With CDIGS. (WBS 2.1.9) Including OSG Staff contact info into OIM (WNBS 2.1.1 and 2.1.2) Grid Tactical Plan (FNAL) and MOU with VO services/Privilege Project (WBS 2.1.9) ST&E control deadlines are approaching (WBS 2.1.1)

• Current Initiatives (3/08) OSG Security roadmap

Technical and operational needs for long and short term (WBS 2.1.4) Incident Mitigation Plans (WBS 2.3) AuthN needs: GSI auth problems, CRLs, proxy clean up and VOMS-GUMS authN AuthZ needs: Banning tool, Uniform FQAN, MyProxy, AC validation More fire drills and site education (WBS 2.1) Forensics -- splunk, incident training Certify tool

Policy work JSPG and OSG policies – incident response policy has priority (WBS 2.1.2 and 2.3.) Revising old security plan against NIST guidelines (WBS 2.1.4) Risk assessment (WBS 2.1.4, 2.3)