Interfacing Operational Grid Security to Site Security. Eileen Berman Fermi National Accelerator Laboratory

Similar documents
EUROPEAN MIDDLEWARE INITIATIVE

Building More Secure Information Systems

Grid services. Enabling Grids for E-sciencE. Dusan Vudragovic Scientific Computing Laboratory Institute of Physics Belgrade, Serbia

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

Grid Computing Security

AAI in EGI Current status

Troubleshooting Grid authentication from the client side

Grid Security Policy

Advanced Security Measures for Clients and Servers

State of Colorado Cyber Security Policies

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Security Standards for Electric Market Participants

The Common Controls Framework BY ADOBE

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

IPM Secure Hardening Guidelines

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Network Security Policy

Introduction to SciTokens

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

SLCS and VASH Service Interoperability of Shibboleth and glite

NIST Security Certification and Accreditation Project

CompTIA JK CompTIA Academic/E2C Security+ Certification. Download Full Version :

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

ISC2. Exam Questions CAP. ISC2 CAP Certified Authorization Professional. Version:Demo

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Security+ SY0-501 Study Guide Table of Contents

Report for the GGF 15 Community Activity: Leveraging Site Infrastructure for Multi-Site Grids

GSI Online Credential Retrieval Requirements. Jim Basney

CIS Controls Measures and Metrics for Version 7

INFORMATION RESOURCE SECURITY CONFIGURATION AND MANAGEMENT

Checklist: Credit Union Information Security and Privacy Policies

CIS Controls Measures and Metrics for Version 7

SECURITY & PRIVACY DOCUMENTATION

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

Information Security for Mail Processing/Mail Handling Equipment

Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509)

AUTHORITY FOR ELECTRICITY REGULATION

NIST SP Controls

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

U.S. E-Authentication Interoperability Lab Engineer

Who Goes There? Access Control in Water/Wastewater Siemens AG All Rights Reserved. siemens.com/ruggedcom

Cyber Security Program

Information Security Policy

Verizon Software Defined Perimeter (SDP).

Top Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk

Cyber Security Requirements for Electronic Safety and Security

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

EGEE and Interoperation

Rev.1 Solution Brief

ACHIEVING COMPLIANCE WITH NIST SP REV. 4:

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

CS 356 Operating System Security. Fall 2013

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

HIPAA Regulatory Compliance

Security Fundamentals for your Privileged Account Security Deployment

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA


MIS Week 9 Host Hardening

Designing and Operating a Secure Active Directory.

Guide to Network Defense and Countermeasures Second Edition. Chapter 2 Security Policy Design: Risk Analysis

An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

CYBER SECURITY POLICY REVISION: 12

Xerox Mobile Print Solution

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Data Security and Privacy Principles IBM Cloud Services

First Principles Vulnerability Assessment. Motivation

Department of Public Health O F S A N F R A N C I S C O

TEL2813/IS2820 Security Management

Enabling Grids for E-sciencE. EGEE security pitch. Olle Mulmo. EGEE Chief Security Architect KTH, Sweden. INFSO-RI

NCCoE TRUSTED CLOUD: A SECURE SOLUTION

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Using the MyProxy Online Credential Repository

External Supplier Control Obligations. Cyber Security

Smart Grid Security. Selected Principles and Components. Tony Metke Distinguished Member of the Technical Staff

Interagency Advisory Board Meeting Agenda, December 7, 2009

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

MINIMUM SECURITY CONTROLS SUMMARY

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.

Ken Agress, Senior Consultant PlanNet Consulting, LLC.

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Grid Security Incident Handling and Response Guide

The NIST Cybersecurity Framework

CCISO Blueprint v1. EC-Council

CompTIA Cybersecurity Analyst+

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

A AAAA Model to Support Science Gateways with Community Accounts

Appendix 12 Risk Assessment Plan

Security Architecture

Transcription:

Interfacing Operational Grid Security to Site Security Eileen Berman Fermi National Accelerator Laboratory

Introduction Computing systems at Fermilab belong to one of two large enclaves The General Computing Enclave (GCE) supports the general scientific, engineering and administrative communities. Site security policies apply here Well defined policies, procedures, processes The Open Science Enclave (OSE) supports scientific collaboration with other institutions whose users are not under the direct management control of Fermilab. Grid security policies apply here April 9, 2008 ISGC08 2

GCE and OSE User Administrator User User Authentication GSI (storage) GSI (jobs) Kerberos April 9, 2008 ISGC08 3

Open Science Enclave A computing resource is part of the OSE if it is managed by Fermilab and allows grid users to install and/or run software using credentials which are not issued and revocable by Fermilab. Other explicitly identified computing resources supporting the operation of the OSE may be designated part of the OSE by Fermilab. April 9, 2008 ISGC08 4

OSE Resources VO Membership Registration Service VOMRS Server VOMS Server VO Management Service NOT IN OSE Site Wide Gateway SAZ Server GUMS Server Grid User Mapping Service Site AuthoriZation Service CMSOSGCE CMSOSGCE2 FNGP-OSG FCDFOSG1 FCDFOSG2 D0CABOSG1 D0CABOSG2 D0CABSRV1 (PBS MASTER) D0CABSRV2 (PBS MASTER) BlueArc NFS April 9, 2008 ISGC08 5

Motivation for OSE The lack of operational control that exists over badged employees and experimenters determines a need to provide compensatory controls to cover for this to Minimize the exposure of computing resources in the OSE to known vulnerabilities Reduce the risk of compromise of computing resources in the General Computing Enclave. Need to define and implement Security Plan, Risk Assessment, Contingency Plan Baseline Document Policies, Procedures, Processes governing the OSE April 9, 2008 ISGC08 6

OSE Security Controls Security of computing systems is achieved and maintained by a combination of Management controls over the users and administrators Operational controls Technical controls Follow National Institute of Standards and Technology (NIST) guidelines April 9, 2008 ISGC08 7

NIST Process SP 800-53 / FIPS 200 Security Control Selection Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system FIPS 199 / SP 800-60 Security Categorization Defines category of information system according to potential impact of loss SP 800-37 Security Control Monitoring Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness SP 800-53 / FIPS 200 / SP 800-30 Security Control Refinement Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements SP 800-18 Security Control Documentation In system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place SP 800-70 Security Control Implementation Implements security controls in new or legacy information systems; implements security configuration checklists SP 800-37 System Authorization Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing SP 800-53A / SP 800-37 Security Control Assessment Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements April 9, 2008 ISGC08 8

OSE Security Controls - Trust In the OSE, the trust relationship is established and maintained between Fermilab and each Virtual Organization (VO) Often brokered through the Grid (e.g. OSG) Controls are partially delegated to the VOs Management Controls Technical controls This generally results in more compensatory controls on the resources April 9, 2008 ISGC08 9

OSE Additional Security Controls Management Controls System administrators of resources within the OSE will be highly professional well trained Fermilab administrators. Each VO requesting access to OSE resources shall execute an agreement with Fermilab governing the use of the resources. User training Credential access Support level May be brokered by Grid (e.g. OSG) April 9, 2008 ISGC08 10

OSE Additional Security Controls Operational Controls Use OSE Baseline Configuration Handle grid security incidents to ensure coordination and communication among different grid computing service providers and users. Grid Users are trained in OSE use by their VOs. April 9, 2008 ISGC08 11

OSE Additional Security Controls Technical Controls All VO members are to be either Entered in CNAS (Fermilab personnel db), or Each VO will keep documentation of their procedures for granting credentials and a list of currently authorized individuals All resources in the OSE must have prior management authorization Resources may not offer network services that do not demand either Kerberos or GSI credentials Except for web servers Wireless and modem access to OSE resources is not permitted. Temporary network connections of unregistered resources is not permitted April 9, 2008 ISGC08 12

OSE Security Baseline The Fermilab OSE Security Baseline configuration settings represent industry best practices for securing Grid computing resources, based on recommendations from several sources including The Virtual Data Toolkit The Open Science Grid Collaboration The Fermilab OSE Working Group It details both the minimum (mandatory) and recommended (best practice) levels of security settings. April 9, 2008 ISGC08 13

OSE Security Baseline - Common In common with the General Computing Enclave (site) there are rules that govern Physical Security Secure Installation Account Security passwords (root accounts for administration) Unnecessary Services April 9, 2008 ISGC08 14

OSE Security Baseline Minimize interactive user accounts Grid job accounts configured to use /sbin/nologin Use Grid User Mapping Service (GUMS) Grid credential mapping to site identity For jobs, pilot glideins, glexec, and storage Use Site AuthoriZation Service (SAZ) For jobs, glideins, glexec, and storage Pilot Workload Management Systems (WMS) must use glexec Special authorization needed for a VO to run a Pilot WMS All Compute resources must use the Gratia Accounting System April 9, 2008 ISGC08 15

OSE Security Baseline - Network No offering of bridging or routing services (except hypervisor) Firewall - restrict connections to necessary services only (iptables) Database write or update access subject to additional constraints IPMI services must use a private network X11 service cannot accept network connections Cannot be configured as a boot server April 9, 2008 ISGC08 16

OSE Security Baseline Network Cannot offer network file services (AFS, NFS, ) LDAP services email services on the network SNMP write operations on the network TFTP services across the public network backbone DHCP services (except for virtual machines internal only) DNS services XDMCP services modem or wireless access services April 9, 2008 ISGC08 17

OSE Security Baseline - Services Only OSG or EGEE repository base grid middleware to be used job authentication, authorization, execution and file transfer Only approved Certificate Authorities Required permissions on host certs (644) and keys (600) Should disable web server indexing April 9, 2008 ISGC08 18

OSE Security Baseline - Services Only approved instances of VO Member Registration Service (VOMRS) VOMS, GUMS, SAZ MyProxy services with X.509 certificate authentication VOBox or Edge services April 9, 2008 ISGC08 19

OSE Security Baseline Files NFS file permissions User home areas of GCE computer accounts are not to be made accessible in the OSE All shared file systems writable in the OSE must have the "noexec" option set wherever they are mounted in the GCE Umask for non-root users must disallow write by others and perhaps group Umask for root must disallow write by group and other and perhaps all access Home ares and. files must not be writeable by other All world writeable directories should have the sticky bit set April 9, 2008 ISGC08 20

OSE Security Baseline Logging Sytems and grid middleware should be configured to provide logging Logs will be forwarded to a central location System logs should be maintained for one year Grid middleware logs should be maintained for one year Log files should have 644 protection or stronger April 9, 2008 ISGC08 21

OSE Policies & Procedures Extensive communication between Site security and OSE working group aids development of policies and procedures An inventory service has been developed to allow job dispatching headnodes to report about the worker nodes to which they dispatch jobs Current discussions include End-to-End security for user jobs VO responsibilities Provide an Operational organization to respond in a reasonable time to requests Provide a Security incident response plan Describe and operate its technical infrastructure in a transparent manner which permits verification of its functioning Not permit use of unlicensed software Have an Acceptable Use Policy (AUP) April 9, 2008 ISGC08 22

Conclusion Security policies for grid resources must generally be different from those of general computing. Good policies and implementation serve to protect the site's resources, reduce security incidents and the effort of responding to them, preserve the site's reputation, and reassure site security officers. April 9, 2008 ISGC08 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback