WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012


WLCG Security TEG, risks and Identity Management

David Kelsey

GridPP28, Manchester

18 Apr 2012


Overview

• WLCG Security TEG
• EGI & GridPP Security Risk Analysis
• Federated Identity Management

18 Apr 12 Security, Kelsey 2


WLCG Security TEG

• https://twiki.cern.ch/twiki/bin/view/LCG/WLCGSecurityTEG
  – Chaired by Romain Wartel and Steffen Schreiner
• ~20 active members
  – Security people, Sites and Experiments
  – More on mail list, but still not enough Site input
• List of sub-tasks
  – Risk Assessment (Romain)
  – AAI on worker nodes (Steffen)
  – AAI on storage systems (Maarten Litmaath)
  – Usability versus security (Von Welch)
  – Federated Identity (Dave K)


WLCG Security Risks

• Risk Management
  – key aspect of security
• Identify assets to be protected
• Evaluate different threats
• Prioritise and focus efforts
• An ongoing process
  – Needs regular review


Security incident & auditing

• Must understand what happened
  – To prevent it happening again
  – To contain its impact
  – But keep services running
• Traceability is essential for this
  – To protect against misused credentials
  – And keep services running
• Response commensurate with problem


Assets – to be protected


Security threats


Risk evaluation


Risks (1)


Risks (2)


Mitigation

• e.g. Misused identities
• Compromised identities once detected must be blocked and access to resources blocked too
  – Time is of the essence
  – A central blocking service is essential
  – Too many distributed services to rely on local blocking


Security on WNs

• 3 parts
  – Security of the pilot job
  – Security of the user jobs
  – Traceability & accountability
• 5 requirements
  – Reduce pilot job credential to minimum
  – Protect the pilot job
  – Mutually isolate user jobs
  – Provide minimal credential for user job
  – Prove a job’s authenticity and log it before execution


Pilots - protection & isolation

• Different options
  – Virtualisation
  – ID switching (gLExec, sudo)
  – SELinux
  – More? (Linux Containers?)
• Only serious option – in short term
  – ID switching with gLExec
  – 4 LHC expts (getting) ready for this


Beyond short term - WNs

• Can we develop a more secure proxy/delegation system
  – Current proxies are too powerful
    • No restrictions
  – (Often) too long-lived
  – Not secure – proxy can be exposed
  – Transfer of user proxy with pilot job does not tie user to the job


Security: Storage & data access

• Data protection issues
  – Do all types of data need same security?
  – Confidentiality – data one VO not readable by another VO
    • But data transferred over insecure channels
• Access traceability (security and performance)
• Information leakage (e.g. filenames)
• Accidental commands
• Malicious attacks
  – For insiders reduce privs
  – Require 2 users for bulk delete?


Usability vs Security

• Usability – key factor for security
• Identified a number of issues
  – And recommendations
• Issues for Users
  – Credential management
  – Proxy storage on complex systems
  – Lack of web authentication
  – Lack of internationalisation


Usability – admins/ops

• Managing revocation
• Expired hosts and service certs
• Managing authorisation policies
• Client AuthZ of services
• Inconsistent user banning
• Mixing AuthN and AuthZ e.g. proxy
• Lack of debugging and forensics
• Inconsistent proxy implementations
• X.509 validation overhead


Usability – short term

Some recommendations

• Hide X.509 from end users
  – Easier enrolment via Federated IdM
  – Use of short-lived credentials
• Tools for multiple credentials
• Tools for service credentials
• Improve revocation
• Standards for logging
• Usability evaluation


Sec TEG Future work

• Security model for WNs
• More on security for storage
• Usability evaluation
• Identity Management (see later)


EGI & GridPP risk analysis

• EGI security assessment being completed now (EGI D4.4 refers) – more detailed than WLCG analysis
• https://documents.egi.eu/public/ShowDocument?docid=863
• GridPP security milestone
  – C3.11 Review GridPP Security Risk Assessment (related to EGI D4.4)
  – August 2012
  – Involve whole GridPP security team here!


Federated Identity Management

• Use of a digital identity credential issued by one body (typically home institute) for access to other services

• Federations – common trust and policy framework
  – E.g. the UK Access Management Federation

• For WLCG/GridPP/EGI we already use federated identities in form of X.509 PKI (IGTF)

• TERENA Cert Service connects national identity federation to a CA for personal certs


Federated IdM in HEP

• But many other services (not just Grid)
  – E.g. Collaboration tools – Wikis, mail lists, webs, agenda pages, etc.
• Today CERN has to manage 10s of thousands of users
• eduroam is one solution (for wireless)
• What about other services/federations?
  – Using Shibboleth, OpenID, etc


Federated IdM in Research

• A collaborative effort started in 2011
• Involves photon/neutron facilities, social science & humanities, high energy physics, atmospheric science, bioinformatics and fusion energy
• 3 workshops to date (next one in June 2012)
• https://indico.cern.ch/conferenceDisplay.py?confId=177418
• Documenting common requirements, a common vision and recommendations
  – To research communities, identity federations, funding bodies

• An important use case for inter-federation


WLCG Federated Identity

• Security TEG just started on this
  – Very much linked to IdM for Research work
• Trust is essential
  – not just technology
• How to involve IGTF?
• We need to agree a good HEP pilot project to get some experience


More GridPP involvement in the WLCG Security TEG is welcome

Questions? Discussion?
