OSG VO Security Policies and Requirements - PowerPoint PPT Presentation

Slides: 11
Provided by: malt9

1
OSG VO Security Policies and Requirements
  • Mine Altunay
  • OSG Security Team
  • July 2007

2
Who am I?
  • Recently joined OSG Security Team
  • Ramping up to be full time OSG Security
  • Working through the OSG Security Plan
  • Helping develop any new items for the Security
    Plan in Year 2

3
[Diagram labels: Researcher A from University X, which is a member of the VO; VO (VO Infra. Services); Site (VO-accessible Site Resources, Storage); grid job; VO trusts Researcher; Site trusts VO; Site allows access by Researcher]
  • Three separate security domains
      • Univ., VO and Site
  • Two trust relationships
  • Researcher accesses Site's resources due to the
    trust between the VO and the Site.

4
  • Site grants access to the VO.
  • VO delegates the access privilege to its trusted
    members
  • VO manages its members' access rights
      • different access rights to different VO members
      • E.g. grouping of users based on tasks or roles
        played in an experiment
  • VO policy may define groups and roles

5
[Diagram labels: Job 1's Data; Job 2's Data; Researcher A from University X (Group Univ. X, Role Researcher); Researcher B from University Y (Group Univ. Y, Role Researcher); GUMS; VOMRS; VO mappings; Retrieve VO mappings]
  • GUMS retrieves membership info from VO
  • enforces VO assigned privileges at the Site
  • VOMRS manages member-role mappings
  • Tanya's talk

6
Enforced Security Policy
[Diagram label: Site's data storage]
  • Site Policy determines
      • VO has access to the storage
      • can still blacklist particular VO members, if desired
  • VO Policy determines
      • each VO member's privileges
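
The layering on the two slides above (the VO assigns per-member privileges, the Site decides whether the VO has access and can still blacklist one member) can be modelled as below. This is an added example, not OSG, GUMS or VOMRS code; the class names, DNs, VO name and privilege strings are all constructed for illustration.

```python
# Simplified model of the policy layering on the slides; not GUMS or VOMRS code.
# All names, DNs and privilege strings below are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class VO:
    name: str
    # VO policy: member DN -> (group, role), as a membership service would hold
    members: dict
    # VO policy: (group, role) -> privileges on VO-accessible site resources
    privileges: dict

@dataclass
class Site:
    trusted_vos: set                              # Site policy: VOs allowed on the storage
    blacklist: set = field(default_factory=set)   # Site policy: per-member override
    audit_log: list = field(default_factory=list)

    def authorize(self, vo: VO, dn: str, action: str) -> bool:
        mapping = vo.members.get(dn)              # mapping retrieved from the VO
        if vo.name not in self.trusted_vos:
            decision, reason = False, "site does not trust VO"
        elif dn in self.blacklist:
            decision, reason = False, "member blacklisted by site"
        elif mapping is None:
            decision, reason = False, "not a VO member"
        elif action not in vo.privileges.get(mapping, set()):
            decision, reason = False, "privilege not granted by VO"
        else:
            decision, reason = True, "allowed by VO mapping"
        # Log every decision so Site and VO can trace an incident to a member.
        self.audit_log.append((vo.name, dn, mapping, action, decision, reason))
        return decision

def demo():
    a, b = "/DC=example/CN=Researcher A", "/DC=example/CN=Researcher B"
    vo = VO("examplevo",
            members={a: ("Univ. X", "Researcher"), b: ("Univ. Y", "Researcher")},
            privileges={("Univ. X", "Researcher"): {"read", "write"},
                        ("Univ. Y", "Researcher"): {"read"}})
    site = Site(trusted_vos={"examplevo"})
    before = site.authorize(vo, a, "write")       # True: VO grants it
    b_write = site.authorize(vo, b, "write")      # False: VO policy limits B
    site.blacklist.add(a)                         # Site blacklists one member
    after = site.authorize(vo, a, "write")        # False: Site override wins
    b_read = site.authorize(vo, b, "read")        # True: rest of the VO unaffected
    return before, b_write, after, b_read, site.audit_log[-2][5]
```

The blacklist check runs before the VO mapping is consulted, so a Site can cut off one member without withdrawing its trust in the VO as a whole.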

7
[Diagram labels: Unauthorized access; Job 1's Data; Job 2's Data; grid job 1; grid job 2; Researcher A from University X; Researcher B from University Y; VO (VO Infra. Services); Site]

8
What if something goes wrong? Incident Response
  • Researcher A launches attack against the Site
  • Site discovers the attack
  • Site analyzes the attack, temporarily blacklists
    Researcher A (if it can trace it)
  • Site can
      • Call GOC at 1 317-278-9699, or
      • submit a trouble ticket,
      • Email goc_at_GOC_at_opensciencegrid.org
      • Or email security-discuss-L_at_opensciencegrid.org

9
  • Inform VO security contact
      • Site trusts the VO, not individual members
  • VO finds which member has the privilege
      • Logs and mapping repository (VOMRS)
  • Determines culpability and takes measures over
    Researcher A's privileges

10
VO Policy
  • VO must
      • List Security Contact and Administrative Contact
          • For incident handling, reporting VO-service
            problems
      • Comply with Grid Security Policies: archival,
        accounting and audit (logs and changes)
      • Maintain a membership service to generate
        authentication and authorization data for
        accessing resources
      • Treat the membership and logged information
        confidentially and exercise due diligence
      • Ensure availability of VO services, comply with
        grid operational policies
      • Respond promptly to members' queries, inform any
        status changes