egi inspire
play

EGI-InSPIRE Cloud Security Implementations/Policies/Certification - PowerPoint PPT Presentation

Feb 25, 2023 •430 likes •716 views

EGI-InSPIRE Cloud Security Implementations/Policies/Certification Sven Gabriel, sveng@nikhef.nl Nikhef http://nikhef.nl EGI-CSIRT https://wiki.egi.eu/wiki/EGI CSIRT:Main Page EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 1

  1. EGI-InSPIRE Cloud Security Implementations/Policies/Certification Sven Gabriel, sveng@nikhef.nl Nikhef http://nikhef.nl EGI-CSIRT https://wiki.egi.eu/wiki/EGI CSIRT:Main Page EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 1 EGI-InSPIRE RI-261323 www.egi.eu

  2. Current Grid Infrastructure History 10+ years: Data Grid / EGEE / EGI / WLCG • Current Infrastructure grew under coordination of the Grid-Projects Data-Grid/EGEE 1-3/EGI. • Framework of SLAs, Policies, Procedures was developed to assure that reliable operation of the Infrastructure is possible. • Procedures/Policies define how to get part of the infrastructure, how to access resources, how to use the resources (AUP) • Grid Security Policy 1 1 https://documents.egi.eu/public/ShowDocument?docid=86 EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 2 EGI-InSPIRE RI-261323 www.egi.eu

  3. Current Grid Infrastructure Resource Provider/Centers (RP/C) Certification https://documents.egi.eu/document/76 • The name, email address and telephone number of the Site Manager and Site Security Contact in accordance with the requirements of the Site Operations Policy. 1 . • It is checked that they are operationally ready to fulfil the SLAs. • It is checked the RP/C does not expose known vulnerabilities. • RP/Cs security teams have a incident reponse procedure, know how to apply it (checked in SSCs). • Details on RP/C certification can be found in PROC09 2 1 https://documents.egi.eu/document/75 2 https://wiki.egi.eu/wiki/PROC09_Resource_Centre_Registration_and_Certification EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 2 EGI-InSPIRE RI-261323 www.egi.eu

  4. Current Grid Infrastructure Cloud Technology / Evolution of VO-WMS / CVMfs / ID Managment • Grid Environment is Constantly changing, new technologies have to be integrated. • This does not change the policies. • To help to understand potential Security issues with new technologies a questionnaire should be answered. EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 2 EGI-InSPIRE RI-261323 www.egi.eu

  5. Security Policies/Procedures Incident Response related • Keep logfiles centrally to allow for an audit trail • Keep your systems updated • Have mechanisms in place for fine grained access control. EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 3 EGI-InSPIRE RI-261323 www.egi.eu

  6. EGI-CSIRT EGI-CSIRT / SVG / Incident Prevention • Vulnerability Assessment (SVG, chaired by Linda) • If CRITICAL: Advisories 1 / Patch status Monitoring (pakiti, nagios) • Enforce application of software updates 2 . 1 https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts 2 https://documents.egi.eu/public/ShowDocument?docid=283 EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 4 EGI-InSPIRE RI-261323 www.egi.eu

  7. EGI-CSIRT Security Monitoring: Pakiti, Nagios EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 4 EGI-InSPIRE RI-261323 www.egi.eu

  8. EGI-CSIRT Incident Response Task Force (IRTF): Leif Nixon • Provides Incident Response capabilities for the Infrastructure. • Weekly Rota / Handover Telco / Minutes Recorded in private wiki • Private Ticket System (RT-IR) for handling/follow up on security issues. EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 4 EGI-InSPIRE RI-261323 www.egi.eu

  9. Trust / Accreditation TF-CSIRT Interfacing to other (Grid/NREN/VO) CSIRTs • Collaboration with other CERTs, share Information, Trust • Describe / Document your CSIRT, operational requirements to be met • RFC-2350 • Provided information gets evaluated. EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 5 EGI-InSPIRE RI-261323 www.egi.eu

  10. Trust / Accreditation TF-CSIRT Interfacing to other (Grid/NREN/VO) CSIRTs EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 5 EGI-InSPIRE RI-261323 www.egi.eu

  11. WLCG risk assessment Cloud Security EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 6 EGI-InSPIRE RI-261323 www.egi.eu

  12. WLCG risk assessment • Mostly apply to cloud (missing threats) • Most important identified asset: Trust • Most dangerous threat: Misused identities • Focuses on traceability for: • Incident containment • Incident re-occurring prevention EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 7 EGI-InSPIRE RI-261323 www.egi.eu

  13. Virtual Machine endorsement Security Policy for the endorsement and operation of Virtual Machine images 1 • 2 roles: • Endorser: Certify VM Image • VM Operator: Root access on the VM • Security requirements for both roles • Users are not endorsers: An Endorser should be one of a limited number of authorised and trusted individuals appointed either by the Infrastructure Organisation, a VO or a resource centre 1 https://documents.egi.eu/public/ShowDocument?docid=771 EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 8 EGI-InSPIRE RI-261323 www.egi.eu

  14. Virtual Machine endorsement • endorser/operator = site: current situation • endorser = VO: could provide more flexibility • operator = VO: could provide technical debugging • endorser/operator = end user: not foreseen useful EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 9 EGI-InSPIRE RI-261323 www.egi.eu

  15. Traceability Grid Security Traceability and Logging Policy 2 • Idea: understand and prevent incidents • Requirements: • Grid software MUST produce application logs: • Source of any action • Initiator of any action • Logs MUST be collected centrally • Logs MUST be kept 90 days 2 https://edms.cern.ch/document/428037 EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 10 EGI-InSPIRE RI-261323 www.egi.eu

  16. Traceability Endorsement Site VO User Site Operator VO User EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 11 EGI-InSPIRE RI-261323 www.egi.eu

  17. Traceability Virtualization only introduces new possibilities: • Logging requirements not changed/impacted: • Every action/every user • Forwarded to a central server • New logs required (policy extension?): • Which endorsed VM is running? • Who is operating it (Site/VO) ? • User compartmentalization: • Similar to glexec? (one UID per user) • Re-instantiate VM for each user (not job) • Perfect easy compartmentalization • High impact for unique short jobs EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 12 EGI-InSPIRE RI-261323 www.egi.eu

  18. Traceability Complete root access for user is dangerous: • Endorsed VM: • Contains up-to-date software (by policy) • Contains secured configuration (by policy) • Can include protections/logging... • User in full-power: • Can break configuration (maliciously or by error) • Can disable logging (maliciously or by error) • Can falsify data (non-trusted logs) • Simple accountability/traceability: user responsible • Difficult detailed incident analysis • VM cannot be re-used by different users No identified reason for such situation: highly discouraged EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 13 EGI-InSPIRE RI-261323 www.egi.eu

  19. Traceability Complete user control: no security • Unknown VM: • Can be vulnerable (not patched, outdated...) • Can be badly configured (no logs, anonymous access...) • Could be fully-encrypted (no forensics possible) • User in full-power: • Can falsify data (non-trusted logs) • Simple accountability/traceability: user responsible • Potentially impossible incident analysis • VM cannot be re-used by different users No identified reason for such situation: highly discouraged EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 14 EGI-InSPIRE RI-261323 www.egi.eu

  20. Traceability • VM creation/deletion easy (could be VO/user initialized) • VM lifetime foreseen shorter than current WN • If trusted operator/endorser: • Application logs centrally kept • More system logs probably needed • Unknown/modified file preservation would help forensics • If non-trusted operator/endorser: • Application logs (central) not trustworthy • System logs (central) not trustworthy • VM disk MUST be preserved after deletion Policy extension required? EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 15 EGI-InSPIRE RI-261323 www.egi.eu

  21. Monitoring Three evolutions possible: • Probe every VM for vulnerabilities: • Much more work than now (who?) • Extremely diverse security contacts • Limit VM lifetime: • Vulnerability window restricted (automatic) • How long (soft/hard limits ?) ? • Hours ? • 2-3 days ? • Week(s) ? • Month(s) ? • If Trusted endorser/operator: • Identify vulnerable VM in trusted VM store • Contact all VM operators (who?) • Kill switch to be implemented (who?) EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 16 EGI-InSPIRE RI-261323 www.egi.eu

  22. Incident response • Need well defined security contacts • Require root access on VM for: • Site admin ? • EGI/OSG security team, WLCG security officer ? • VM freezing/isolation (could break jobs): • Who is authorized to do it? • Procedure (under which circumstances ?) ? • Analysis using backend services (e.g. disk providers): • Who is authorized to do it? • Procedure (under which circumstances ?) ? • Private data protection ? EGI Federated Clouds F2F meeting 13/14 Jan 2014, Oxord, UK 17 EGI-InSPIRE RI-261323 www.egi.eu

Recommend

In Indiana, the Times, They Are a-Changin' INSPIRE Is Changing INSPIRE Is Changing INSPIRE Is

In Indiana, the Times, They Are a-Changin' INSPIRE Is Changing INSPIRE Is Changing INSPIRE Is

In Indiana, the Times, They Are a-Changin' INSPIRE Is Changing INSPIRE Is Changing INSPIRE Is Changing 377 Academic, Public, School & Institutional Libraries 847 Deliveries per Week 139 1-Day per week 126 2-Day per week 49

589 views • 25 slides
EGI-InSPIRE Status Update on Operations Portal www.egi.eu www.egi.eu EGI-InSPIRE

EGI-InSPIRE Status Update on Operations Portal www.egi.eu www.egi.eu EGI-InSPIRE

EGI-InSPIRE Status Update on Operations Portal www.egi.eu www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE RI-261323 Last release A) Monitoring of unsupported middleware version Information collected about old middleware version is

164 views • 4 slides
Grid Oversight, Status and Issues Ron Trompert COD 1 www.egi.eu www.egi.eu EGI-InSPIRE

Grid Oversight, Status and Issues Ron Trompert COD 1 www.egi.eu www.egi.eu EGI-InSPIRE

9/19/12 EGI-InSPIRE Grid Oversight, Status and Issues Ron Trompert COD 1 www.egi.eu www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE RI-261323 AP www.egi.eu EGI-InSPIRE RI-261323 History Transition from 10 ROCs to now 37 NGIs

621 views • 23 slides
Monthly Webinar April 24, 2019 inspire THE SANFORD INSPIRE MOVEMENT PREPARES AND

Monthly Webinar April 24, 2019 inspire THE SANFORD INSPIRE MOVEMENT PREPARES AND

Monthly Webinar April 24, 2019 inspire THE SANFORD INSPIRE MOVEMENT PREPARES AND SUPPORTS INSPIRATIONAL TEACHERS. Thought leaders in You can education will receive sharing OUR a recorded Co-hosted topics to version by

573 views • 33 slides
USING EVERYDAY LIFE TO INSPIRE EXTRAORDINARY LEARNING USING EVERYDAY LIFE TO INSPIRE

USING EVERYDAY LIFE TO INSPIRE EXTRAORDINARY LEARNING USING EVERYDAY LIFE TO INSPIRE

USING EVERYDAY LIFE TO INSPIRE EXTRAORDINARY LEARNING USING EVERYDAY LIFE TO INSPIRE EXTRAORDINARY LEARNING Museum Renovation Overview Forces at Play Background Development and design Workshop Q&A/Open discussion

390 views • 37 slides
Inspire Micro-piano Task By 2017 Inspire Students 1. What year was it first heard or recorded?

Inspire Micro-piano Task By 2017 Inspire Students 1. What year was it first heard or recorded?

Inspire Micro-piano Task By 2017 Inspire Students 1. What year was it first heard or recorded? It was Written by a group of people who saw the london bridge in 1636. Hoping to make suggestions that the government of to which it would adhere. 2.

332 views • 9 slides
Dynamic analysis, reporting and visualization of data catalogs Use cases INSPIRE Dashboard for

Dynamic analysis, reporting and visualization of data catalogs Use cases INSPIRE Dashboard for

Dynamic analysis, reporting and visualization of data catalogs Use cases INSPIRE Dashboard for all Member States and EEA MedSea project at Ifremer INSPIRE Directive in Europe INSPIRE is based on the infrastructures for spatial information

679 views • 42 slides
Archives Inspire Changes to the first floor 2016-17 Lee Oliver 22 November 2016 Archives

Archives Inspire Changes to the first floor 2016-17 Lee Oliver 22 November 2016 Archives

Archives Inspire Changes to the first floor 2016-17 Lee Oliver 22 November 2016 Archives Inspire We will inspire the public with new ways of using and experiencing our collection Re-imagine our Kew site as a vibrant, welcoming,

214 views • 9 slides
Operations Portal Cyril LOrphelin CCIN2P3/CNRS 1 www.egi.eu www.egi.eu EGI-InSPIRE

Operations Portal Cyril LOrphelin CCIN2P3/CNRS 1 www.egi.eu www.egi.eu EGI-InSPIRE

EGI-InSPIRE Operations Portal Cyril LOrphelin CCIN2P3/CNRS 1 www.egi.eu www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE RI-261323 Tool Overview - Features Application Hosted By CCIN2P3 Team : Cyril L'Orphelin , Olivier Lequeux , Pierre

309 views • 9 slides
EGI-InSPIRE Cheminformatics platform for drug discovery application Hsi-Kai, Wang Academic

EGI-InSPIRE Cheminformatics platform for drug discovery application Hsi-Kai, Wang Academic

EGI-InSPIRE Cheminformatics platform for drug discovery application Hsi-Kai, Wang Academic Sinica Grid Computing EGI User Forum, 13, April, 2011 1 www.egi.eu www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE RI-261323 Introduction to drug

661 views • 37 slides
CANON INTRODUCTION Radu Dinu Partner Manager Resellers CANON Romania Inspire Canon: your

CANON INTRODUCTION Radu Dinu Partner Manager Resellers CANON Romania Inspire Canon: your

CANON INTRODUCTION Radu Dinu Partner Manager Resellers CANON Romania Inspire Canon: your guide Inspire Weve been inspiring customers to explore the power of imaging for over 80 years. Inspire And today were still working together 5

558 views • 37 slides
Welcome Challenge Inspire Support Inspire Challenge Empower

Welcome Challenge Inspire Support Inspire Challenge Empower

Welcome Challenge Inspire Support Inspire Challenge Empower 2011-12 Budget Hearing Budget Hearing Agenda School Finance / Budgeting Overview Impact of the States 2011-13 Biennial Budget Overview of

651 views • 40 slides
Welcome Challenge Inspire Support Inspire Challenge Empower

Welcome Challenge Inspire Support Inspire Challenge Empower

Welcome Challenge Inspire Support Inspire Challenge Empower 2010-11 Budget Hearing Budget Hearing Agenda School Finance / Budgeting Overview Overview of 2010-11 Preliminary Budget What will this mean

676 views • 51 slides
PROJECT AIM PROJECT AIM ACHIEVE- -INSPIRE INSPIRE- -MOTIVATE MOTIVATE ACHIEVE Philosophy

PROJECT AIM PROJECT AIM ACHIEVE- -INSPIRE INSPIRE- -MOTIVATE MOTIVATE ACHIEVE Philosophy

PROJECT AIM PROJECT AIM ACHIEVE- -INSPIRE INSPIRE- -MOTIVATE MOTIVATE ACHIEVE Philosophy Philosophy The choices we make dictate the life we lead. Based on empowerment, personal accountability and respect for Based on empowerment,

586 views • 35 slides
Introduction to the Inspire Movement Rev Dr Brian Yeich, Lead Missioner in USA

Introduction to the Inspire Movement Rev Dr Brian Yeich, Lead Missioner in USA

Introduction to the Inspire Movement Rev Dr Brian Yeich, Lead Missioner in USA (inspiremovement.org) The Inspire Movement is an international network of Christians who are committed to developing mission-shaped discipleship in the leadership and

421 views • 4 slides
Cases from the INSPIRE Project Dr Jose Christian Lecturer at CENTRIM / Brighton Business School

Cases from the INSPIRE Project Dr Jose Christian Lecturer at CENTRIM / Brighton Business School

THA Best Practices: Cases from the INSPIRE Project Dr Jose Christian Lecturer at CENTRIM / Brighton Business School / University of Brighton The INSPIRE project Open innovation and SMEs Data and methodology INSPIRE cases

551 views • 25 slides
Todays Speaker: Darryle Clott Teachers Inspire : One of the most important things we do is

Todays Speaker: Darryle Clott Teachers Inspire : One of the most important things we do is

Todays Speaker: Darryle Clott Teachers Inspire : One of the most important things we do is inspire students to be everything they can possibly be. Associate, Ethics in Leadership Institute, Viterbo University Retired in 2004 from

866 views • 69 slides
INSPIRE Investing in Neighborhoods and Schools to Promote Improvement, Revitalization and

INSPIRE Investing in Neighborhoods and Schools to Promote Improvement, Revitalization and

INSPIRE Investing in Neighborhoods and Schools to Promote Improvement, Revitalization and Excellence Welcome Kyle Leggs SW District Planner Baltimore City Department of Planning (410) 396-4135 Kyle.leggs@baltimorecity.gov Link to INSPIRE

296 views • 27 slides
News from UMD Cristina Aiftimiei (EGI.eu/INFN) Joao Pina (EGI/LIP) www.egi.eu EGI-InSPIRE

News from UMD Cristina Aiftimiei (EGI.eu/INFN) Joao Pina (EGI/LIP) www.egi.eu EGI-InSPIRE

News from UMD Cristina Aiftimiei (EGI.eu/INFN) Joao Pina (EGI/LIP) www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE RI-261323 www.egi.eu Overview UMD2 decommissioning News on gfal2-util New products entering UMD Status of the UMD

626 views • 16 slides
June 1, 2020 "Inspire, Challenge & Prepare" 1 Superintendents Budget Message

June 1, 2020 "Inspire, Challenge & Prepare" 1 Superintendents Budget Message

District Budget Committee Meeting June 1, 2020 "Inspire, Challenge & Prepare" 1 Superintendents Budget Message "Inspire, Challenge & Prepare" 2 Proposed General Fund Budget for 2020-2021 "Inspire,

504 views • 24 slides
Aims of this presentation Introduction to inspire+ PE and School Sport Apprenticeships

Aims of this presentation Introduction to inspire+ PE and School Sport Apprenticeships

Aims of this presentation Introduction to inspire+ PE and School Sport Apprenticeships Impact The Apprenticeship Levy & Cost Supporting existing school staff Introduction to inspire+ School Sport Partnership

157 views • 12 slides
Six ixth Form Open Evening 2019 2019 Thursday 10 th October 2019 INSPIRE CHALLENGE ACHIEVE

Six ixth Form Open Evening 2019 2019 Thursday 10 th October 2019 INSPIRE CHALLENGE ACHIEVE

Six ixth Form Open Evening 2019 2019 Thursday 10 th October 2019 INSPIRE CHALLENGE ACHIEVE INSPIRE CHALLENGE ACHIEVE Welcome INSPIRE CHALLENGE ACHIEVE Dedicated Sixt xth Form Team Co Heads of Sixth Form: Mrs J Bellis Pastoral Mrs

264 views • 24 slides
1. For others that inspire 2 We give thanks to God always for all of you, constantly mentioning you

1. For others that inspire 2 We give thanks to God always for all of you, constantly mentioning you

1. For others that inspire 2 We give thanks to God always for all of you, constantly mentioning you in our prayers, 3 remembering before our God and Father your work of faith and labor of love and steadfastness of hope in our Lord Jesus Christ. 1

488 views • 11 slides
E VOKE DE L IVE R INSPIRE COL L ABORAT E SUST AIN E VOL VE Q4 & Ye a r e nd

E VOKE DE L IVE R INSPIRE COL L ABORAT E SUST AIN E VOL VE Q4 & Ye a r e nd

E VOKE DE L IVE R INSPIRE COL L ABORAT E SUST AIN E VOL VE Q4 & Ye a r e nd 2018 DE SIGN Earnings Presentation E NHANCE L E AD INNOVAT E PE RF ORM E NVISION ACHIE VE CRE AT E T RANSF ORM GROW Cautionar y

458 views • 27 slides

More recommend