OSG%20VO%20Security%20Policies%20and%20Requirements

1
OSG VO Security Policies and Requirements

• Mine Altunay
• OSG Security Team
• July 2007

2
Who am I?

• Recently joined OSG Security Team
• Ramping up to be full time OSG Security
• Working through the OSG Security Plan
• Helping develop any new items for the Security
  Plan in Year 2

3
Site allows access by Researcher
Storage
VO trusts Researcher
Site trusts VO
grid job
VO Infra. Services
Researcher A from University X, which is a
member of the VO
VO-accessible Site Resources
VO
Site

• Three separate security domains
• Univ., VO and Site
• Two trust relationships
• Researcher accesses Sites resources due to the
  trust between the VO and the Site.

4

• Site grants access to the VO.
• VO delegates the access privilege to its trusted
  members
• VO manages its members access rights
• different access rights to different VO members
• E.g. grouping of users based on tasks or roles
  played in an experiment
• VO policy may define groups and roles

5
Job 1s Data
Job 2s Data
VO mappings
Group Univ. X Role Researcher
Researcher A from University X
Group Univ. Y Role Researcher
GUMS
VO mappings
Retrieve VO mappings
VOMRS
Researcher B from University Y

• GUMS retrieves membership
• info from VO
• enforces VO assigned privileges
• at the Site

• VOMRS manages member-role
• mappings
• Tanyas talk

6
Enforced Security Policy
Sites data storage

• Site Policy determines
• VO has access to the storage
• can still blacklist particular
• VO members, if desired

• VO Policy determines
• each VO members privileges

7
Job 1s Data
Job 2s Data
Unauthorized access
grid job 1
VO Infra. Services
Researcher A from University X
grid job 2
VO
Site
Researcher B from University Y
8
What if something goes wrong?Incident Response

• Researcher A launches attack against the Site
• Site discovers the attack
• Site analyzes the attack, temporarily blacklists
  Researcher A (if it can trace it)
• Site can
• Call GOC at 1 317-278-9699, or
• submit a trouble ticket,
• Email goc_at_GOC_at_opensciencegrid.org
• Or email security-discuss-L_at_opensciencegrid.org

9

• Inform VO security contact
• Site trusts the VO, not individual members
• VO finds which member has the privilege
• Logs and mapping repository (VOMRS)
• Determines culpability and take measures over
  Researcher As privileges

10
VO Policy

• VO must
• List Security Contact and Administrative Contact
• For incident handling, reporting VO-service
  problems
• Comply with Grid Security Policies archival,
  accounting and audit (logs and changes)
• Maintain a membership service to generate
  authentication and authorization data for
  accessing resources
• Treat the membership and logged information
  confidentially and exercise due diligence
• Ensure availability of VO services, comply with
  grid operational policies
• Respond promptly to members queries, inform any
  status changes