Fermilab Computing Division

CS Document 3010-v1

The Open Science Grid -- Operational Security in a Highly Connected World

Submitted by:
Mine Altunay
Updated by:
Mine Altunay
Document Created:
13 Nov 2008, 16:38
Contents Revised:
13 Nov 2008, 16:38
Metadata Revised:
13 Nov 2008, 16:38
Viewable by:
  • Public document

Open Science Grid stakeholders invariably depend on multiple infrastructures to build their community-based distributed systems. To meet this need, OSG has built new gateways with TeraGrid, Campus Grids, and Regional Grids (NYSGrid, BrazilGrid). This has brought new security challenges for the OSG architecture and operations. The impact of security incidents now has a larger scope and demands a coordinated response.

Operationally, we took first steps towards building an incident-sharing community among our peer grids. To reach higher-education user communities outside the grids, especially HEP researchers, OSG members joined REN-ISAC. We also defined (jointly with EGEE) a set of operational security tools and began implementation. And, because certificate hygiene is a top priority across the infrastructures, we worked with the IGTF (International Grid Trust Federation) to develop risk assessment and incident response processes.

Architecturally, we analyzed how proxy credentials are treated end-to-end in the OSG infrastructure. We discovered that the treatment of proxies, after a job is finished, has some shortcomings. Given long proxy lifetimes, a breach of a host can affect multiple users and grids.

Finally, we are working on a banning service that can deny suspect users access to resources at the gatekeeper. We designed this site service to receive alerts from a central banning service managed by the security team in emergencies. We envision that, coupled with our operational efforts, this service would be a first-line defense against security incidents.

Associated with Events:
CHEP 2009 held from 21 Mar 2009 to 27 Mar 2009 in Prague, Czech Republic