A Framework for Security e-irg, Zürich, April 2008. Christoph Graf christoph.graf@switch.ch

Similar documents
Federated Identity Management Interest Group

The NREN cloud strategy should be aligned with the European and national policies, but also with the strategies of the member institutions.

Licia Florio Project Development Officer Identity Federations in Europe

Разработка программного обеспечения промежуточного слоя. TERENA BASNET Workshop, November 2009 Joost van Dijk - SURFnet

RedIRIS Identity Service

Building trust in the cloud. Alastair McAulay PA Consulting Group

Overcoming the PKI hierarchy problem. PMAs and TACAR. Diego R. Lopez RedIRIS

South Africa's Federated Identity Management Initiative

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

Experiences of an academic CSIRT

Security Officer: An NREN Secondee Perspective

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Introduction to SAML

Overview of DFN`s Certificate Services - Regular, Grid and short-lived -

EGI-InSPIRE. Cloud Security Implementations/Policies/Certification. Sven Gabriel, Nikhef

Pilot Projects Coordination Workshop Date: 18. February 2003 Time: 09:30 12:30 Place: University of Bern, Gesellschaftsstrasse 6

VOPaaS Virtual Organisation Platform as a Service

Deliverable D9.2 Market Analysis for Virtual Organisation Platform as a Service (VOPaaS)

GridPP36 Security Report

Ticketing system integration

GARR Cloud Services. GARR strategy towards the provisioning of Cloud Services. On behalf of the GARR Cloud Team

Federated Identity Management for Research Communities (FIM4R)

Bob Jones Technical Director

This translates into a view that is focused on what subordinates think their old boss job was.

The UK Access Management Federation

How to gain and maintain ISO certification

Experiences in Supporting Service Providers and User Communities. Lukas Hämmerle, GÉANT/SWITCH Conference 26 November 2014

Incident Response. Carlos Fuentes SWE Security Contact. egee INFSO-RI

Performance Testing for Managers. Presented by Stuart Moncrieff at SIGiST Melbourne on June 15 th, 2011

Dedicated or Cloud Servers

A Federated Authorization and Authentication Infrastructure for Unified Single Sign On

Cross-Certification and PKI Policy Networking

DAM-LR Distributed Access Management

A new Service Activity: SA6 In support of European collaboration

APAN Task Force proposal

GN3plus JRA3 T1 Attribute and Group management in the AAI environment

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Introduction to perfsonar

DANCERT RFC2350 Description Date: Dissemination Level:

RDA Report Working Meeting Session 5 IG Federated Identity Management. Presentations

The NREN s core activities are in providing network and associated services to its user community that usually comprises:

TERENA Trusted Cloud Drive

AAI - Authentication and Authorization Infrastructure Task Force Certificate Authority Final Report

Issues in federated identity management

Indicative Requirements for Cloud Service Providers. connect communicate collaborate

MS7.1.1 Cloud Assessment Document

Connecting UK Schools to JANET

DAMe Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture

Application Layer vs. TCP Layer WAN Optimization > White Paper

Enterprise Security Architecture

Toward the Clouds, Together!

2.1.1 This policy and any future changes requires ratification by CAUDIT.

An Integrated CyberSecurity Approach for HEP Grids. Workshop Report.

Best Practices for the use of e-infrastructures by large-scale research infrastructures

What Cloud computing means in real life

Thinking about College? A Student Preparation Toolkit

End-to-End & Campus Issues Basic Considerations Towards Defining a Strategy

8th WSEAS International Conference on SYSTEMS THEORY and SCIENTIFIC COMPUTATION (ISTASC 08) Rhodes, Greece, August 20-22, 2008

Security in OSG. Tuesday afternoon, 3:15pm. Igor Sfiligoi Member of the OSG Security team University of California San Diego

Paul Brebner, Senior Researcher, NICTA,

Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool

Identity and Access Management for Federated Resource Sharing: Shibboleth Stories

For financial advisers only. An espresso guide to selling income protection

A BRAINSTORMING ON SECURITY FIRE DRILLS

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

NNIT Cybersecurity. A new threat landscape requires a new approach

perfsonar MDM release Product Brief

Federated Identity Management

Migrating Scientific Applications from Grid and Cluster Computing into the Cloud Issues & Challenges

Continuous Integration

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Federated Identity Management

Dynamic Circuit Network (DCN) / perfsonar Shared Infrastructure

Seven Things You Must Know Before Hiring a Tax Preparer

AMRES Experience with Implementing the Campus Best Practices Model

National Infrastructure Security Co-ordination ordination Centre. Peter Burnett Head of Information Sharing

D. Regvart (CARNET), Y. Demchenko (UvA), S. Filiposka (UKiM), M. de Vos (SURFnet), T. Karaliotas (GRNET), K. Baumann (SWITCH), D.

How to start research and how to present it?

IGI Portal architecture and interaction with a CA- online

New InCommon Working Groups

Network Segmentation

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Case Studies in Federated Identity Management for Research Communities

Making Sense of the Numbers DOs and DON'Ts of Quality Performance Testing

DIGGING DEEPER: What Really Matters in Data Integration Evaluations?

Networks Services People 1

Forschungszentrum Karlsruhe in der Helmholtz-Gemeinschaft. Global Grid User Support - GGUS - within the LCG & EGEE environment

IT Security. Securing Your Business Investments

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

In house or Outsource: Exploring your Payroll

Any sufficiently advanced technology is indistinguishable from magic... ARTHUR C. CLARKE.

Bullying 101: Guide for Middle and High School Students

How To Pass The Comptia Cloud Essentials Exam

N.K. Srivastava GM-R&M-Engg.Services NTPC- CC/Noida

User Account Management

How to Implement Enterprise SAML SSO

Virtual machine interface. Operating system. Physical machine interface

Introduction. Rising demand

Romanian National Computer Security Incident Response Team CERT-RO.

TERENA Community Satisfaction Survey 2012

Transcription:

A Framework for Security e-irg, Zürich, April 2008 Christoph Graf christoph.graf@switch.ch

Outline What is Security? or: Where s the Security Layer? Naming is always a problem or: What is the plural form of security? A framework for Security or rather?: Frameworks for security 2

Quotes about Computer Security Computer security imposes requirements on computers that [..] often take the form of constraints on what computers are not supposed to do. [..] negative requirements are deceptively complicated to satisfy and require exhaustive testing to verify. The designers and operators of systems should assume that security breaches are inevitable. Source: http://en.wikipedia.org/wiki/computer_security 3

Quotes about Security Architecture Security qualities are often considered as non-functional requirements when systems are designed. In other words they are not required for the system to meet it's functional goals [..], but are needed for a given level of assurance that the system will perform to meet the functional requirements that have been defined. http://en.wikipedia.org/wiki/security_architecture 4

Properties of Security The one and only nice property of security: Security creates assurance > That s why we need it! A pretty useless property of security: Security doesn t add functionality > That s why we are tempted to ignore it! The many nasty properties of security: Imposes limits, which often vary over time (often suddenly) Creates dependencies on things beyond our control Is utterly unimpressed by cool features, but forces us to think about very weird stuff happening in weird circumstances In short: it s a pain! > That s why we hate it! 5

Where s the Security Layer? Since security is a pain: can we confine security, where it does not hurt? E.g. dump it into a Security Layer...... and make it someone else s problem? Start from something well structured: the OSI Reference Model Let s figure out how security fits the picture Can we identify the Security Layer? 6

The ideal solution Layer G Layer F Layer E Security Layer Layer D Layer C Layer B Layer A } } Not affected by security Tough luck! Not affected by security 7

The OSI Reference Model (enriched) Application Presentation Session Transport Network Security Data Link Physical 8

Security in the Grid Layer Model Security Access model management and infrastructure Security The term security is used in a different context here. This layer... is a service element offering authentication and authorisation services (AA) adds AA functionality to the Grid is based on business needs (Grid without AA could perfectly make sense) doesn t impose anything (you may choose to ignore this service) Source: http://egee-jra1.web.cern.ch/egee%2djra1/ -> Wouldn t it be a good idea to call this something else than security? 9

Proposed naming Access Management A layered functional element driven by business needs Common understanding needed on relevant use cases, functionality and quality aspects (including the required level of assurance) Access Management Security Guaranteeing the required level of assurance Non-functional requirements Cross-layer activity, imposing limits on any element in the whole supply chain Security 10

Putting things in context (1/2) AAI Grid SWITCHconnect PKI AAA/SWITCH CERT 11

Putting things in context (2/2) The EGEE Security Coordination Group (SCG) The EGEE Operational Security Coordination Team (OSCT) The Middleware Security Group (MWSG) The Joint Security Policy Group (JSPG) EGEE Security Middleware Development (EGEE/JRA1/Security) The Grid Security Vulnerability Group (GSVG) The EUGridPMA MWSG JSPG EGEE/JRA1/Security EUGridPMA SCG OSCT GSVG 12

Relevant scopes Interfederation Inter-VO National/jurisdiction boundaries Federation VO Virtual Organisation (VO) Organisational boundaries Org. Org. Org. Federation CPU CPU Organisation Different affiliation types Org. unit Org. unit Org. unit 13

Framework for Security e-infrastructures Access management: Organisation: SSO: Single-Sign-On solution Federation: VO: AAI: Federated Authentication & Authorisation Service (AAI) Grid Access Management Interfederation: edugain: Interfederation AAI Pilot Service of GÉANT2 Inter-VO: EUGridPMA Security: Organisation: Site security teams Federation: CSIRT (Computer Security and Incident Response Team) VO: Operational & product security groups Interfederation: TF-CSIRT: TERENA s security collaboration and networking platform TI: Trusted Introducer, CSIRT Accreditation service of TERENA Inter-VO: --- 14

Scalability vs. Ripeness Ripeness idea pilot service production EUGridPMA Grid Access Management The Grid World TF-CSIRT CSIRT SSO TI AAI Site security teams edugain The NREN World niche all users Scalability 15

Merging the Worlds The Grid World The NREN World TI TF-CSIRT Peer CSIRT VO 1 VO 2 VO 1 Gateway edugain Gateway AAI SSO Network 16

Conclusions Security has different faces, let s call things by name Security: reasonably scalable services around for a decade (CSIRT collaboration) Access management: Federations: several national production AAIs exist, others emerging Interfederation: edugain in pilot stage, some more years needed VO: solutions deployed, in production stage Parallel structures offer short-term solutions for smaller communities When smaller becomes bigger, think about migrating or gatewaying to (emerging) scalable solutions 17

Christoph Graf christoph.graf@switch.ch

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information