osg security review mine altunay december 4, 2008
TRANSCRIPT
OSG Security ReviewOSG Security ReviewMine Altunay Mine Altunay
December 4, 2008December 4, 2008
31 Jan 2008 2
Security OverviewSecurity Overview
• Current Initiatives OSG Security Roadmap
AuthN: Certificate Authorities distribution problem(WBS 2.1.1 and 2.1.9 and 2.1.9.1) AuthZ needs: MyProxy certificate renewal and lifetimes, Additional Banning Features and ca mgmt tool – requests from site admins at SLAC
Technical and operational needs for long and short term (WBS 2.1.4) Incident Mitigation Plans (WBS 2.3). Comm. with site admins (Aashish) Monitoring, security related RSV probes More fire drills and site education (WBS 2.1). Aashish and Igor will set up fire drills. Policy work
Top-level Grid Policy, OSG Registration Policy and procedures Risk assessment (WBS 2.1.4, 2.3)
• Accomplishments Since Last Report Privacy Policy & Approval of CA Policy have been completed and sent to EB. Jim set up periodic meetings with Miron and Ruth to discuss fundamental security issues Security plan revision against NIST guidelines completed. Security controls are being completed. New surveys for core assets are partially completed CA management tool for OSG site admins are completed, tested and integrated into VDT.
Ready for next release Banning capability into GUMS is implemented. Ready for the release.
Great feedback at SLAC on CA mgmt tool and banning feature
31 Jan 2008 3
Security OverviewSecurity Overview
• Accomplishments Since Last Report Security oriented RSV probes are defined. Central probes are almost finished
(Anand). Site probes are Arvind’s. Weekly gratia reports to VO admins are generated and sent each week. This is
being transitioned to Gratia soon Proxy clean-up work has completed and initiated similar work in EGEE Operational work continues CA distribution service transfer. February is set as a deadline. Has not finalized
yet Education was assigned to Doug, but he was out so this is stalled Desired security interactions with software providers is written CHEP Review Committee, reviewed 12 submissions and sent a submission on
behalf of OSG Incident Response procedure is set up and is ready to sent to EB IGTF CA incident response team and evaluation (Jim)
31 Jan 2008
Security Overview
• Issues / Concerns Effort is not an issue. It was when Doug first left for medical leave.
Jim does RA work. Aashish and Anand helped greatly
I spend time in software tools group. I have to be careful Igor, Aashish and Anand helps . Total of 2.50 FTE.
4
31 Jan 2008 5
Security OverviewSecurity Overview
• Current Initiatives (6/08) Incident response procedure – top priority (WBS 2.1.2 and 2.3.) OSG Registration Policy and Requirements from members (WBS 2.3.1) OSG Core Assets/Software in VDT Stack (WBS 2.1.7) DOEGrids RA workflow – introducing requested notifications (WBS 2.2) VO incident response teams (WBS 2.1.1 and 2.1.2) Command Line Security Management Tools (WBS 2.1.1) Banning tool requirements. With CDIGS. (WBS 2.1.9) Including OSG Staff contact info into OIM (WNBS 2.1.1 and 2.1.2) Grid Tactical Plan (FNAL) and MOU with VO services/Privilege Project (WBS 2.1.9) ST&E control deadlines are approaching (WBS 2.1.1)
• Current Initiatives (3/08) OSG Security roadmap
Technical and operational needs for long and short term (WBS 2.1.4) Incident Mitigation Plans (WBS 2.3) AuthN needs: GSI auth problems, CRLs, proxy clean up and VOMS-GUMS authN AuthZ needs: Banning tool, Uniform FQAN, MyProxy, AC validation More fire drills and site education (WBS 2.1) Forensics -- splunk, incident training Certify tool
Policy work JSPG and OSG policies – incident response policy has priority (WBS 2.1.2 and 2.3.) Revising old security plan against NIST guidelines (WBS 2.1.4) Risk assessment (WBS 2.1.4, 2.3)