Security Report

1
SecurityReport

• D. Petravick
• Fermilab/OSG security officer
• March 8, 2006

2
One thing to remember

• Risk - Vulnerabilities threat
• We do not have an aggressive outside threat
  community.
• Our low risk in current configuration is brittle.
• Seeing some internal abuse.
• Batch user left behind a backdoor for future
  jobs.
• Claim that this was abuse was disputed by the VO

3
Improved policy framework

• To build on Policies for each role
• VO, site
• Rem OSG embraces thick V0s
• EGEE tends to find them anomalous
• Bob C JSPG Full set of controls over
• Service providers. Would apply to VOs
• Software providers.
• Identity providers.
• Authorization Providers.

4
DOE meeting

• Phrased as what research needs to be done
• OSG whitepaper
• The OSG sees a need for continuous improvement in
  its security-related operational and technical
  controls.
• Grid-view of apropos security data.. much of this
  information must come from service-level logic
  and so requires standards for reporting policies
  and data format
• Increase the communitys ability to produce
  secure software and systems analyze source A
  Service Credential Validation Service (SCVS)

5
Outline of report

• PRD-1 Multi-Site Situational Awareness and
  Response
• PRD-2 Managing Authentication and
  Attribute-Based Authorization
• PRD-3 Software, Data, and Systems Assurance
• PRD-4 Cyber security Policy Specifications

6
NSF Meeting CYB06

• Summit -- Develop a report to NSF management on
  cyber security topics.
• NSF develops a written reply to that report.
• Covers needs generally, is not confined to
  research activities.
• Looking for evidence of report writing

7
DOE, NSF Compared

• Org 1 -- Framed as a call for research
• Org 2 -- framed as a sincere call for input from
  senior practitioners.
• a Summit.