Risk and Security Management for Distributed Supercomputing with Grids


Risk and Security Management for Distributed Supercomputing with Grids
Urpo Kaila <urpo.kaila@csc.fi>, Funet CERT & CSC
2006-09-22, 19th TF-CSIRT Meeting, Espoo, Finland

Agenda
Grids and supercomputing
  - Some definitions
  - How do they work?
  - Examples of Grids
Grids and Security
  - Risk management and security domains
  - Creating baselines for security
Case M-grid revisited
  - Organisation and setup
  - Security Working Group
  - Risk analysis, Security Policy & Acceptable Use Policy
  - User Security Guide, Administrator Security Guide
Grid Security and CSIRTs
  - Making Grid security compatible
  - Incident handling

Some definitions
Supercomputers: the most efficient systems worldwide at a given time for massively parallel processing of advanced research tasks
Distributed computing: several inter-connected computers share the computing tasks assigned to the system [IEEE]
Cluster: similar, efficient computers coupled closely together
Grid computing: affordable high-performance distributed computing with interconnected clusters
Moore's law as seen on the Top500 list: Pentium 4 = ~2-4 GFlops

What is the Grid?
Grid according to Ian Foster (2002) in "What is the Grid? A Three Point Checklist":
  - Computing resources are not administered centrally.
  - Open standards are used.
  - Non-trivial quality of service is achieved.
Different types of grids:
  - Info-grid - WWW
  - Data-grid - databases
  - Compu-grid - computing
A Grid must have:
  - Virtual organisations
  - Middleware
  - Truly distributed resources
Evolved from the computational needs of "big science"

How do they work?
A user first creates a proxy certificate from the Grid identity, then submits a job:

    $ grid-proxy-init
    Your identity: /O=Grid/O=NorduGrid/OU=csc.fi/CN=Urpo Kaila
    Enter GRID pass phrase for this identity:
    $ ngsub -d 1 -f mygridjob.xrsl

The Role of Grid Middleware
Source: NorduGrid ARC Tutorial / Arto Teräs and Juha Lento, 2005-09-20

Examples of Grids and Grid resources
  - TeraGrid - open scientific discovery infrastructure financed by the US National Science Foundation
  - DEISA - Distributed European Infrastructure for Supercomputing Applications
  - EGEE - Enabling Grids for E-sciencE
  - LHCG - Large Hadron Collider Grid (CERN)
  - e-IRG - the e-Infrastructure Reflection Group
  - NorduGrid - a Grid research and development collaboration
  - The Globus Alliance - an international collaboration that conducts research and development to create fundamental Grid technologies

Grids and Security

Threats
"WARNING! When working on the Grid, you must accept that some information on your jobs and on your Grid identity is made public. This includes your name, your affiliation, IP address of your client computer, job names and duration, used runtime environment names and other less sensitive information (see the Grid monitor for example)." (NorduGrid)

What excites hackers? (A. Cormack, 2002)
  - High-profile targets to enhance their reputation
  - Powerful CPUs for password cracking etc.
  - Large disks to distribute illegal material
  - High bandwidth for denial-of-service attacks

Security matrix

                      Reactive security      Proactive security
  Technical security  Forensics              Firewalls
                      IPS                    Cryptography
                                             Patching vulnerabilities
  Security management Incident handling      Security policies and guides
                                             Training and awareness building

Risk and (proactive) security

Risk management (à la Wikipedia):
  1.1 Establish the context
  1.2 Identification
  1.3 Assessment
  1.4 Potential risk treatments
    1.4.1 Risk avoidance
    1.4.2 Risk reduction
    1.4.3 Risk retention
    1.4.4 Risk transfer
  1.5 Create the plan
  1.6 Implementation
  1.7 Review of the plan; residual risks

Security domains [à la (ISC)² CISSP CBK]:
  1. Access Control
  2. Application Security
  3. Business Continuity and Disaster Recovery Planning
  4. Cryptography
  5. Information Security and Risk Management
  6. Legal, Regulations, Compliance and Investigations
  7. Operations Security
  8. Physical (Environmental) Security
  9. Security Architecture and Design
  10. Telecommunications and Network Security

What has already been done (examples)
Joint Security Policy Group LCG/EGEE:
  - The LCG Security and Availability Policy
  - The Grid Acceptable Usage Policy
  - The Virtual Organisation Security Policy
PlanetLab Acceptable Use Policy (AUP)
E-Infrastructure Reflection Group (e-IRG):
  - Authentication and authorisation policies
  - Usage policies
  - Etc.

Case M-grid revisited

M-Grid - Material Sciences National Grid Infrastructure in Finland
  - Joint project between CSC, seven universities and the Helsinki Institute of Physics (HIP)
  - Connected to the Nordic NorduGrid network, but access is currently limited to M-grid partners and CSC customers
  - The systems are particularly suitable for high-throughput running of sequential and easy-to-parallelise programs
  - The theoretical computing capacity of the system is approximately 2.5 Tflops
  - M-grid is based on HP ProLiant DL145, DL385 and DL585 servers equipped with 64-bit AMD Opteron processors (642 altogether)

The M-Grid Security Working Group
Organisation:
  - Started January 2006, meetings once a month, except in summertime
  - Members: CSC staff, visiting experts and M-Grid administrators: Juha Jäykkä (UTU), Michael Gindonis, Kalle Happonen (HIP), Ivan Degtyarenko (HUT), Vera Hansper (JYU)
  - Reports to the M-Grid Administrators meeting
  - Collaborating with the HIP Wiki
Tasks:
  - Risk analysis
  - To create a set of security policies and guidelines
  - Technical planning, implementation and supervision
  - Incident handling

The M-Grid Risk analysis 2006
[Risk matrix figure: Impact (Disaster, High, Medium, Problematic, Low) against Likelihood; threats grouped by source: Internal - Intentional, Internal - Accidental, External - Intentional, External - Accidental; each region marked Residual or Mitigate. Picture by Vera Hansper]
Over 50 threats identified and analysed!
Risk = likelihood x impact
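The likelihood x impact scoring and the Residual/Mitigate split described above, as an added example that is not the working group's own tool; the numeric scales, the threshold and the sample threats are constructed for illustration:

```python
# Added example (not from the talk): a minimal risk register applying the slide's
# rule Risk = likelihood x impact and sorting every threat into the two treatment
# classes on the M-Grid matrix, "Mitigate" or "Residual".
from dataclasses import dataclass

# Impact levels from the slide; the numeric weights are an assumption.
IMPACT = {"Low": 1, "Problematic": 2, "Medium": 3, "High": 4, "Disaster": 5}
# Threat sources exactly as the matrix groups them.
SOURCES = ("Internal - Intentional", "Internal - Accidental",
           "External - Intentional", "External - Accidental")
MITIGATE_AT = 8  # assumed policy: a score at or above this must be mitigated

@dataclass
class Threat:
    name: str
    source: str      # one of SOURCES
    likelihood: int  # 1 (rare) .. 5 (frequent); assumed scale
    impact: str      # a key of IMPACT

    def risk(self) -> int:
        return self.likelihood * IMPACT[self.impact]

    def treatment(self) -> str:
        return "Mitigate" if self.risk() >= MITIGATE_AT else "Residual"

def build_register(threats):
    """Rows (risk, treatment, source, name) sorted by descending risk."""
    rows = []
    for t in threats:
        if t.source not in SOURCES or t.impact not in IMPACT:
            raise ValueError(f"unclassified threat: {t.name}")
        rows.append((t.risk(), t.treatment(), t.source, t.name))
    return sorted(rows, reverse=True)

def by_source(register):
    """Group register rows by threat source, mirroring the matrix quadrants."""
    groups = {s: [] for s in SOURCES}
    for risk, treatment, source, name in register:
        groups[source].append((name, risk, treatment))
    return groups

# Constructed sample threats, based on the risks the talk mentions.
SAMPLE = [
    Threat("Stolen long-lived proxy certificate", "External - Intentional", 3, "High"),
    Threat("Admin mis-applies a firewall rule", "Internal - Accidental", 2, "Medium"),
    Threat("Cluster CPUs used for password cracking", "External - Intentional", 2, "High"),
    Threat("User shares a personal account", "Internal - Intentional", 3, "Problematic"),
]
```

build_register(SAMPLE) returns the ranked rows with their treatment, and by_source() regroups them into the four quadrants of the matrix.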

M-grid Security Policy (reviewed)
  1. Introduction (scope, objectives)
  2. Participants, roles and responsibilities
  3. Physical security
  4. User accounts and access control
    - Local accounts
    - Grid accounts
    - Virtual Organization management
    - Certificate Authorities
  5. Network security
    - Network access and services
    - Additional services
    - Firewalls
  5. Operational security
    - Patches
    - Monitoring
  6. Confidentiality and privacy
    - Grid users
    - Local users and administrators
  7. Incident response
  8. Compliance
    - Exceptions
  9. Approval and review
  10. Comments

M-grid Security Policy (examples)
  - Accounts must be protected by a good password or by another method providing equivalent security.
  - Sites are allowed to create time-limited accounts for persons working in documented collaboration projects outside the site's organization.
  - Sites may offer additional services which are open to a large user base, but these must be approved by the M-grid administration.
  - Sites must not offer any additional services running on the administration server without approval of the M-grid administration.

M-grid Acceptable Use Policy
Short and intended for the user; the security policy is to be read when needed.
Examples of content:
  - By using the M-grid resources you automatically agree to comply with this Acceptable Use Policy.
  - You must act in a responsible manner and must not cause harm to other users, to M-grid or to other systems.
  - You may not use M-grid for illegal activities.
  - The M-grid services and systems are intended for professional, academic research or education.
  - Your account is personal and may not be shared with other people.

Security Guides
M-grid User Security Guide: a short technical howto
  Example: "Your proxy certificate is not protected by a password, therefore it should not be valid for longer than necessary, as proxy certificates can be easily renewed."
M-grid Administrator Security Guide: a longer howto, under construction

Examples of technical security tasks (implemented and on the wish list)
  - Firewall-rpm
  - Log management and monitoring
  - Integrity check
  - Package signing
  - Availability monitoring
  - Automatic alerting
  - Backup of frontend
  - ssh-key management
  - Security audits

Grid Security and CSIRTs

Making Grid Security compatible
  - The grids tend to interconnect, so we need compatible security
  - Complex new technologies and fuzzy virtual organisations in our hosts and networks
  - International cooperation needed, at the technical level and at the management level
  - Reactive security - proactive security
  - The risks haven't materialized yet

Grid Incident handling
  - Existing CSIRTs should be used as professional incident handling hubs
  - Constant and proactive knowledge transfer is needed between Grid administration, CSIRTs and site administrators
  - The M-Grid Security Policy already contains a paragraph: "The administrator, in consultation with CSC, should also inform Funet CERT (cert@certdontspam.funet.fi, tel. +358-9-4572038) if the incident affects other M-grid sites"

Finally - Finnish security terminology :)
  Information: tieto
  Security: turvallisuus
  Incident: poikkeama
  Many incidents: poikkeamia
  The interrogative form: ~ko
  Also: ~kin
  Have there been: oliko
  Have there also been any security incidents? Oliko tietoturvapoikkeamiakinko?