best practices for security management in supercomputing
play

Best practices for Security Management in Supercomputing Cray User - PowerPoint PPT Presentation

Jan 17, 2024 •352 likes •541 views

Best practices for Security Management in Supercomputing Cray User Group meeting, CUG 2008 Helsinki, Finland 2008-05-05 Urpo Kaila <urpo.kaila@csc.fi> CSC - Scientific Computing Ltd. Urpo Kaila <urpo.kaila@csc.fi> Slide 1 of

  1. Best practices for Security Management in Supercomputing Cray User Group meeting, CUG 2008 Helsinki, Finland 2008-05-05 Urpo Kaila <urpo.kaila@csc.fi> CSC - Scientific Computing Ltd. Urpo Kaila <urpo.kaila@csc.fi> Slide 1 of (20)

  2. Agenda � Introduction • The CSC site � What was Information Security all about? • The CIA Model • Security Controls • Best practices for information security • Compliance and Risk Management � Business needs • The ubiquitous customer � How does supercomputing differ? • Some cases, some incidents � Suggestions for how to improve security together • Benchmarking Security • Sharing and developing best practices Urpo Kaila <urpo.kaila@csc.fi> Slide 2 of (20)

  3. • louhi.csc.fi -> Cray XT4 The CSC site also other hosts for computing services CSC • murska.csc.fi -> HP CP4000 BL � Is the Finnish IT center for science ProLiant super cluster � Is a non-profit company • sepeli.csc.fi -> HP ProLiant � supports the national research structure DL145 Cluster � has a staff of about 160 persons • corona.csc.fi -> Sun Fire 25K � as part of the Finnish national research application server infrastructure, develops and offers high- quality information technology services � provide services for universities, research institutions, polytechnics, companies & government CSC’s services � Funet services � Computing services � Application services � Data services for science and culture � Information management services Urpo Kaila <urpo.kaila@csc.fi> Slide 3 of (20)

  4. CSC Facilities � Life Science Centre 3 • High availability, high performance secure hosting facilities • 460 kW redundant cooling capacaity, Floor space 1000 m2 including technical infrastructure • 85 % of cooling capacity in use (April 15, 2008) � Life Science Centre 5 • High availability high performance secure hosting facilities • 800 kW redundant cooling capacity • In production during the summer 2008 � Hosting and security services • Proactive and planned maintenance is the prerequisite for high availability • Electricity, cooling, automation • Fire protection systems • Access control systems, CCTV • Planning and change management • Outsourcing and subcontracting • 24/7/265 HVAC monitoring Urpo Kaila <urpo.kaila@csc.fi> Slide 4 of (20)

  5. CSC and security CSC and FUNET are part of national critical infrastructure • FUNET is the Finnish NREN • Core computing services • The library services • TLD services for FICORA Organising internal security � Information Security Policy and guidelines � Security organisation • The role of senior management • The role of experts and middle management • The security group � Incident response � Physical security and safety � Protecting privacy Networking and providing security services • Funet CERT – the first CERT team in Finland • The Security groups for FUNET constituents • TF-CSIRT and FIRST • Grid Security, see for example: https://extras.csc.fi/mgrid/sec/ Urpo Kaila <urpo.kaila@csc.fi> Slide 5 of (20)

  6. What was information security all about? Information security is about protecting systems, data and services on CIA � Confidentiality • To prevent intentional or unintentional disclosure Do not forget! � Integrity • To prevent unauthorized modification and protects consistency Physical, Technical � Availability and Administrative • To protects reliable and timely access Security Controls based on risks and identified assets to be protected • Deterrent • Preventive Information Security is • Corrective � a fundamental part of total quality • Detective � management responsibility � implemented by iterative controls � Corporate security should "own" policies, auditing and incidents, the teams are responsible for controls and monitoring Urpo Kaila <urpo.kaila@csc.fi> Slide 6 of (20)

  7. louhi-login8 csc/user> xtshowcabs Compute Processor Allocation Status as of Tue Apr Availability ABC C0-0 C1-0 C2-0 C3-0 C4-0 n3 jjeeeeea aalllllo iaammmmm fffkmmmm mmmmjjjj Availability Downtime p.a. n2 jjeeeeea aalllllo iaammmmm fffkmmmm mmmmmjjj n1 jjjeeeea aalllllo iiaammmm ffffmmmm mmmmmjjj 95% 18.25 days c2n0 jjjeeeea aalllllo iiaammmm ffffkmmm mmmmmjjj n3 ;;jjjjjj aaaaaaaa liiiiiii qqnnffff mmmmmmmm 98% 7.30 days n2 ;;jjjjjj aaaaaaaa liiiiiii qqnnffff kmmmmmmm n1 ;;ljjjjj aaaaaaaa lliiiiii qqnnffff kmmmmmmm 99% 3.65 days c1n0 ;;fjjjjj aaaaaaaa lliiiiii qqnnffff kmmmmmmm n3 SSSSSS;; SSSSSaaa oooooool mfqqqqqq mmmmmmmk 99.5% 1.83 days n2 ;; aaa oooooool mmqqqqqq mmmmmmmk 99.8% 17.52 hours n1 ;; aaa oooooool mmqqqqqq mmmmmmmk c0n0 SSSSSS;; SSSYSaaa oooooool mmqqqqqq mmmmmmmk 99.9% 8.76 hours s01234567 01234567 01234567 01234567 01234567 99.99% 52.6 min 99.999% 5.26 min � In the real world, it do take time to rerun your jobs after an (planned or not) planned outage! One second outage, one months job, for example! � Premiere Gmail ( 50 $/ year/account ) guarantees 99,9% uptime � What would be the proper availability for computing services? Urpo Kaila <urpo.kaila@csc.fi> Slide 7 of (20)

  8. Compliance and Best Practices Minimum level of security � Comply with national laws, government regulation and contracts � Privacy and security laws Several interrelated best � In Finland, the requirements for compliance practices for IS and IM are getting tougher • COBIT • More auditing • ISO27001 and other IS027* • Security becomes a part of contracts � Optimal level of security • ISM3 � Security supporting business • ITIL � The warm an fuzzy feeling of reasonable trust • (ISC)2 CBK and quality � Non - Optimal level of security � Too much or too little security is bad security � "low security" can also mean just bad quality � "high security" can mean awkward to use Urpo Kaila <urpo.kaila@csc.fi> Slide 8 of (20)

  9. NIST (selected*) Security Principles (800-27) � Establish a security policy � Security as an integral part of the overall system design � External systems are insecure � Identify trade-offs between risk and costs � Implement layered security � Avoid single points of vulnerability � Minimize the system elements to be trusted Picture for Mgrid Secwg by Arto Teräs/ CSC � Isolate public access systems from mission critical resources � Implement boundary mechanisms to separate computing systems and network infra � Authenticate Need � Ensure access control Attention! continuous Danger of � Use unique identities effort! lagging � Implement least privilege behind * 33 good principles => http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf Urpo Kaila <urpo.kaila@csc.fi> Slide 9 of (20)

  10. Risk Management TERMS Threat: Risk = likelihood x impact (the classical Hacker breaks in on Louhi formula) Vulnerability: Unpatched ssh-demon on “Mitigate” Impact Louhi frontend Disaster Risk: High Likelihood of a hacker Medium cracking Louhi Problematic Residual Low Exposure/ Impact: Service outage for two Likelihood weeks while reinstalling � Fire louhi due rootkits, PR loss � Sharing account Safeguard: � Lack of monitoring Patch ssh-demon, � Misuse of resources implement patch � Infrastructure problem management � Regulatory requirements � Lack of required skills � Change management problems Urpo Kaila <urpo.kaila@csc.fi> Slide 10 of (20)

  11. A typical business vs. security issue Business needs is when you have to decide when to patch known kernel vulnerability. Security must support business Users hate the boot but the risk of system compromise with risk for root Ubiquitous supercomputing needs to be kits and backdoors might be still • Fast and flexible worse. • Easy to use • Affordable • Powerful • Reliable and secure • Best of breed • services instantly accessible from everywhere Sourcing and networking increases complexity & dependence Technical challenges • The demand for speed and throughput • Interdependences of systems • Managing trust IT Governance • More bits for the bucks • Compliance • Risk avoidance Urpo Kaila <urpo.kaila@csc.fi> Slide 11 of (20)

  12. How does supercomputing differ? � Differences with other IT services • Experimental, cutting (bleeding?) edge technology • A small amount of users • Users do not pay for the service themselves • Jobs not time critical, can be repeated in case of outages • Very high costs per users • Often public funding � Similarities with other IT services • All the same threats and some more • Requirements for efficiency and quality rising • Delivered as a service, not as art • Dependent of infrastructure and subcontractors Urpo Kaila <urpo.kaila@csc.fi> Slide 12 of (20)

Recommend

SECURITY PROJECT MANAGEMENT BEST PRACTICES AND GAP ANALYSIS Presented to the PSWG - WECC August

SECURITY PROJECT MANAGEMENT BEST PRACTICES AND GAP ANALYSIS Presented to the PSWG - WECC August

SECURITY PROJECT MANAGEMENT BEST PRACTICES AND GAP ANALYSIS Presented to the PSWG - WECC August 7, 2019 AGENDA Introductions The ClearVue Team Benefits of Project Management Project Management Phases Ideal PM Process for Security Projects

601 views • 40 slides
OECD REVIEW OF SURVEYS ON THE DIGITAL SECURITY RISK MANAGEMENT PRACTICES OF BUSINESSES Benjamin

OECD REVIEW OF SURVEYS ON THE DIGITAL SECURITY RISK MANAGEMENT PRACTICES OF BUSINESSES Benjamin

OECD REVIEW OF SURVEYS ON THE DIGITAL SECURITY RISK MANAGEMENT PRACTICES OF BUSINESSES Benjamin C. Dean OECD Expert Workshop on Improving the Measurement of Digital Security Incidents and Risk Management Swiss Re Centre for Global Dialogue.

258 views • 13 slides
Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services Agenda Security Advisories @ Apache Issues associated with the advisory process Apache CXF advisories + lessons learned

394 views • 28 slides
How We Use Bro at NCSA Sam Oehlert National Center for Supercomputing Applications University of

How We Use Bro at NCSA Sam Oehlert National Center for Supercomputing Applications University of

How We Use Bro at NCSA Sam Oehlert National Center for Supercomputing Applications University of Illinois at Urbana Champaign Why We Use Bro At NCSA Security engineer = operational security Incident Response leans heavily on Bro

340 views • 15 slides
ICAO Best Management Practices and ICAO Best Management Practices and the International Strike

ICAO Best Management Practices and ICAO Best Management Practices and the International Strike

ICAO Best Management Practices and ICAO Best Management Practices and the International Strike Database. Michael J. Begier, National Coordinator Airport Wildlife Hazards Program CARSAMPAF / 9 07 September 2011 p Most wildlife involved in

308 views • 15 slides
Establishing Enterprise g p Risk Management in Management Practices Management Practices

Establishing Enterprise g p Risk Management in Management Practices Management Practices

Establishing Enterprise g p Risk Management in Management Practices Management Practices Introductions/Opening Remarks Introductions/Opening Remarks Speakers: Cynthia Vitters, Chief Risk Officer, Federal Student Aid Mike Wetklow, Branch Chief,

712 views • 28 slides
Governance structures and leading practices for risk management in practices for risk management

Governance structures and leading practices for risk management in practices for risk management

Governance structures and leading practices for risk management in practices for risk management in central banks Helena Tejero, Division Head, Risks &amp; Processes, Bank of Spain Central Bank Governance Forum 2014 IMF / Hawkamah, Dubai,

469 views • 15 slides
Far more than Petaflops: The Jlich Supercomputing Centre ScicomP 15 &amp; SP-XXL Thomas

Far more than Petaflops: The Jlich Supercomputing Centre ScicomP 15 &amp; SP-XXL Thomas

Mitglied der Helmholtz-Gemeinschaft Far more than Petaflops: The Jlich Supercomputing Centre ScicomP 15 &amp; SP-XXL Thomas Lippert Barcelona Supercomputing Centre Institute for Advanced Simulation May 20, 2009 Jlich Supercomputing

840 views • 80 slides
Management Practices, Working Conditions and Productivity around the World Renata Lemos

Management Practices, Working Conditions and Productivity around the World Renata Lemos

Management Practices, Working Conditions and Productivity around the World Renata Lemos University of Cambridge Centre for Economic Performance, LSE Outline Motivation Measuring Management: The Data Management Practices and

592 views • 25 slides
How to Share Best Security Practices Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi,

How to Share Best Security Practices Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi,

How to Share Best Security Practices Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi, security@eudat.eu WISE W orkshop for I nformation S ecurity for E -infrastructures 2015-10-22, Barcelona This work is licensed under the Creative Commons

492 views • 12 slides
Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches, Fixes, Revisions Antivirus Software Post-Install Security Checklist: Windows/UNIX File System Security Issues Chapter 10 User

361 views • 8 slides
Large-Scale Astronomy data- management at NCSA 30 minutes) National Center for Supercomputing

Large-Scale Astronomy data- management at NCSA 30 minutes) National Center for Supercomputing

Large-Scale Astronomy data- management at NCSA 30 minutes) National Center for Supercomputing Applications University of Illinois at Urbana-Champaign NCSA/U of I Astronomy Currently in Production BIMA/CARMA millimeter radio array +

285 views • 12 slides
School Safety and Security Agenda 1. The Law and Training 2. Practices and Procedures 3.

School Safety and Security Agenda 1. The Law and Training 2. Practices and Procedures 3.

Berkeley Heights Public Schools School Safety and Security Agenda 1. The Law and Training 2. Practices and Procedures 3. Crisis Planning Committee 4. Physical Security School Security Drill Law This law requires: 1 Fire Drill per

294 views • 14 slides
Digit Digital al Se Security y Training Be Best Practices A digital training brought to you

Digit Digital al Se Security y Training Be Best Practices A digital training brought to you

Digit Digital al Se Security y Training Be Best Practices A digital training brought to you by RSAT Security in partnership with Supreme Technologies Group. Topics Covered Week 5 Week 1 Social Media Introduction to Information Security

410 views • 19 slides
Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is

Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is

Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is &quot;Security&quot;? ISO/IEC 27000:2009 Information Security is... Confidentiality Integrity Availability And some other things Controls

236 views • 20 slides
Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant chores facing information security professionals. Chapter 11 tedious, time-consuming, boring Lecturer: Pei-yih Ting 1 Overview Configuring Logging

401 views • 7 slides
Illinois Council on Best Management Practices August 2015 Illinois Council on Best Management

Illinois Council on Best Management Practices August 2015 Illinois Council on Best Management

Illinois Council on Best Management Practices August 2015 Illinois Council on Best Management Practices Coalition of agricultural organizations and agribusinesses: Illinois Farm Bureau Illinois Corn Growers Association Illinois

556 views • 28 slides
Jonathan and Erik Bernstein Bernstein Crisis Management, Inc Crisis Management Best Practices

Jonathan and Erik Bernstein Bernstein Crisis Management, Inc Crisis Management Best Practices

BEST PRACTICES IN CRISIS MANAGEMENT Jonathan and Erik Bernstein Bernstein Crisis Management, Inc Crisis Management Best Practices Crisis Prevention Organizations must plan for crises or they are, de facto, planning to have a crisis.

417 views • 18 slides
Practical Security and Key Management Management University of Amsterdam Introduction SNE -

Practical Security and Key Management Management University of Amsterdam Introduction SNE -

Practical Security and Key Practical Security and Key Management Management University of Amsterdam Introduction SNE - Research Project 2 Research Question Security levels Secure elements By: Key Magiel van der Meer management PGP

778 views • 20 slides
The Barcelona Supercomputing Center Sergi Girona Operations Director 04/12/2019 e-IRG workshop

The Barcelona Supercomputing Center Sergi Girona Operations Director 04/12/2019 e-IRG workshop

The Barcelona Supercomputing Center Sergi Girona Operations Director 04/12/2019 e-IRG workshop Dec 2019 Barcelona Supercomputing Center Centro Nacional de Supercomputacin BSC-CNS objectives Supercomputing services R&amp;D in Computer,

166 views • 13 slides
O FFICE OF A GRICULTURAL W ATER P OLICY Agriculture Best Management Practices Darrell Smith

O FFICE OF A GRICULTURAL W ATER P OLICY Agriculture Best Management Practices Darrell Smith

O FFICE OF A GRICULTURAL W ATER P OLICY Agriculture Best Management Practices Darrell Smith Assistant Director Overview Best Management Practices BMP Manuals Agriculture Participation and Projects Irrigation and Nutrient

433 views • 24 slides
Energy metering and management practices of manufacturing companies A systematic literature

Energy metering and management practices of manufacturing companies A systematic literature

Energy metering and management practices of manufacturing companies A systematic literature review Department of Economics and Management, Chair of Management Accounting Ana Mickovic Vienna, 15th IAEE European Conference 2017 KIT University

608 views • 25 slides
Best Practices for Canadian Tax Audit Management Financial Executives International (FEI) Canada

Best Practices for Canadian Tax Audit Management Financial Executives International (FEI) Canada

Best Practices for Canadian Tax Audit Management Financial Executives International (FEI) Canada March 27, 2014 www.ryanco.ca Follow us on Twitter @RyanTax_CA AGENDA Managing audits and assessments Income tax best practices

1.04k views • 51 slides
CULTURAL TURF MANAGEMENT PRACTICES Self-Guided Educational Module Lesson 2 of 4 Learning

CULTURAL TURF MANAGEMENT PRACTICES Self-Guided Educational Module Lesson 2 of 4 Learning

CULTURAL TURF MANAGEMENT PRACTICES Self-Guided Educational Module Lesson 2 of 4 Learning Objectives 2 Understand cultural turf management 1. practices including: a. Mowing b. Fertilization Irrigation c. d. Soil Analysis e. Aeration

514 views • 38 slides

More recommend