Security Requirements for Grid Providers

Some Original Slides by Irwin Gaines (FNAL) 20-Apr-2006
Adapted by Bob Cowles (SLAC/OSG) 28-Mar-2007

US Labs Security Requirements

• Congress passed a law in 2002 requiring federal agencies and contractors to secure their computer systems
• National Institute of Standards (NIST) was tasked with developing the guidance and the process to promote compliance

28Mar07 ISGC 2007 2/20

NIST Process

• Security Categorization (FIPS 199 / SP 800-60)
  – Defines category of information system according to potential impact of loss
• Security Control Selection (SP 800-53 / FIPS 200)
  – Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system
• Security Control Refinement (SP 800-53 / FIPS 200 / SP 800-30)
  – Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements
• Security Control Documentation (SP 800-18)
  – In system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place
• Security Control Implementation (SP 800-70)
  – Implements security controls in new or legacy information systems; implements security configuration checklists
• Security Control Assessment (SP 800-53A / SP 800-37)
  – Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements
• System Authorization (SP 800-37)
  – Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing
• Security Control Monitoring (SP 800-37)
  – Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness

Grid Connection

• Grids are virtual sites in a sense, and will be examined and perhaps even audited using the same criteria
• And all the US labs that have resources used by grids must live by NIST guidelines, so perhaps it is useful to build on the NIST framework for documenting grid computing security requirements

NIST Process Details

• Each system needs:
  – Functional description
  – Hardware and software description (especially description of boundaries)
  – Risk assessment
  – Security plan (showing controls to mitigate the greater impact or likelihood risks)
  – System Sensitivity Categorization (low/moderate/high sensitivity)
  – Contingency plan
  – Security control testing and evaluation
• Process for certification and accreditation

NIST Control families

• Management
  – Risk Assessment (RA)
  – Planning (PL)
  – System and Services Acquisition (SA)
  – Certification, Accreditation, and Security Assessments (CA)
• Operational
  – Personnel Security (PS)
  – Physical and Environmental Protection (PE)
  – Contingency Planning (CP)
  – Configuration Management (CM)
  – Maintenance (MA)
  – System and Information Integrity (SI)
  – Media Protection (MP)
  – Incident Response (IR)
  – Awareness and Training (AT)
• Technical
  – Identification and Authentication (IA)
  – Access Control (AC)
  – Audit and Accountability (AU)
  – System and Communications Protection (SC)

Security Sensitivity

• Low Impact
  – Affects individual users or small VOs
• Medium Impact
  – Affects large VO or significant infrastructure impact
• High Impact
  – Takes down Grid infrastructure or large VO

Grid Participants

• Identity Provider
  – runs an identity vetting service as a CA or IdM
• Authorization Provider
  – provides authorization information
• Software Provider
  – provides software used by other participants
• Service Provider
  – provides computational, data storage or higher level services

Relationship to Grid VOs

• VOs assemble software stacks using VDT Components and other software.
  – Grids for compute and data intensive science are open, evolving.
• In general VOs run services, and/or supervise the services others run for them.
  – An example is VOMS (people, roles)

Challenge

• Put initial baseline in place ASAP
• Use the framework to expand controls
  – Describe the expectations for participants at different levels of impact (gold, platinum, …)
• Expectations would become policy statements referenced directly or indirectly by “AUP” for VOs, service providers, etc.

Draft VO Policy (1)

• You shall provide and maintain, in a central repository provided by the Grid, accurate contact information as specified in the VO Registration Policy, including but not limited to at least one Administrative Contact (VO Manager) plus alternate and one VO Security Contact who shall respond to enquiries in a timely fashion as defined in the Grid operational procedures

Draft VO Policy (2)

• You shall maintain a VO membership service that can be used to generate authentication/authorization/id-mapping data for the services running on the sites and records user contact information consistent with the Grid procedures for VO registration. You recognize this is a critical function to operation within the Grid and that network or server failures associated with this service may prevent VO users from accessing any Grid services. You shall take reasonable measures to ensure the information recorded in the membership service is correct and up-to-date

Draft VO Policy (3)

• You shall provide information on where to report problems with VO-supplied software and respond promptly to reports of problems (particularly security problems). You recognize that a Site may disable a VO if its practices present, in the Site’s judgment, an unacceptable risk.
• All VO-provided software must be covered by appropriate license agreements allowing its use by the VO users at the site supplying the VO with resources

Draft VO Policy (4)

• You shall comply with the Grid Security Policies, including any audit data requirements that require you to maintain logs of access to and changes in databases or repositories maintained in support of the VO (e.g. membership database or software repository). You shall periodically assess your compliance with these policies, inform the Grid Security Officer of the assessment including violations encountered in the assessment, and correct such violations forthwith

Draft VO Policy (5)

• You shall use audit and membership information for administrative, operational, accounting, monitoring and security purposes only. You shall apply due diligence in maintaining the confidentiality of such information

Draft VO Policy (6)

• Provisioning of services to and use of the Grid is at your own risk. Any software provided by the Grid is provided on an as-is basis only, and subject to its own license conditions. There is no guarantee that any procedure applied by the Grid is correct or sufficient for any particular purpose. The Grid and other Sites are not liable for any loss or damage in connection with VO participation in the Grid

Draft VO Policy (7)

• You shall control access by Users for administrative, operational and security purposes and shall inform the Users if you limit or suspend access. You shall comply with the Grid Incident Handling policy regarding the notification of security incidents and, where appropriate, shall restore access as soon as reasonably possible

Draft VO Policy (8)

• You shall comply with the Grid operational procedures including the requirement to include at least one User, designated by the Grid, for the sole purpose of evaluating the availability of your Grid Services

Draft VO Policy (9)

• The Grid may control VO access to the Grid for administrative, operational and security purposes and remove VO registration information from Grid information systems if you fail to comply with these conditions

Comments / Questions?