

  • Number of slides: 4

Open Science Grid Security Overview for the Site Admins
Mine Altunay, OSG Security Officer
Site Admins Meeting at SLAC, 13-14 November 2008

First things first: Incident Response

What to do in case of an incident: You discovered, or are suspicious of, a Grid incident. REPORT immediately to the OSG team. We can and we will help you.

1. Find out who your site security contact to OSG is (ASK me tomorrow how to do this if you do not know who that person is).
2. Tell your site security person there is a security incident or potential incident.
3. The site security person will email goc@opensciencegrid.org, OR call 1 317-278-9699, OR email security@opensciencegrid.org.
4. You can call the security team directly, but we are not 24/7. GOC operates 24/7, will respond immediately, and will call the security team's cell phones.
5. Tell us in your email or phone call:
   I. Your contact info (name, phone, email)
   II. Which site you are calling from
   III. Whether you know the suspicious machine's IP
   IV. Whether any grid credentials are at risk
   V. Whether your grid identity is compromised
6. Call us EVEN when you are NOT sure of an incident. We will help you determine if it is really an incident or not.
7. We care about YOUR SITE'S privacy and reputation. We keep it confidential even if it turns out to be a real incident. We won't release it to other OSG sites or staff if you have privacy concerns.

OSG Security, Site Admins SLAC, 13-14 Nov 2008

More Work for you: Change in CA distribution

  • CA packages are distributed from TWO services: VDT (legacy) and GOC (new and will be permanent)
  • VDT will stop distributing CA certs in future
  • FEBRUARY 1st: VDT WILL STOP distributing the whole CA package. It will ONLY distribute IGTF CAs as a convenience service
  • GOC will distribute the whole CA package: IGTF + Fermilab + TeraGrid CAs
  • You MUST know how to make the transition from VDT to GOC
  • VDT CA distribution: http://vdt.cs.wisc.edu/releases/1.10.1/certificate_authorities.html
  • GOC CA distribution: http://software.grid.iu.edu/pacman/cadist/ca-certsversion
  • OSG web pages: https://twiki.grid.iu.edu/bin/view/Security/CADistribution

Even More Work: Changes in CAs

  • Your site does NOT have to install or deploy the entire CA package
  • So what will you install and maintain? Whichever VO you want to support?
  • VOs work with specific CAs, not the entire CA package
  • OSG works with VOs to get a list of the CAs they work with
  • OSG will publish these lists centrally per VO
  • Your site will go and see which CAs you should download, maintain and install to support the VOs that you care about
  • You will not have to deal with CRL or expiry problems for CAs you do not care about at all
  • LESS WORK for you in Future
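
The per-VO approach on the last slide can be checked against a site's trust directory. The sketch below is an added example, not part of the original slides or OSG tooling: the VO names, CA hashes and the VO-to-CA mapping are constructed, and it assumes the usual hashed trust-directory layout (<hash>.0 for the CA certificate, <hash>.r0 for its CRL, <hash>.signing_policy and similar), which the slides do not spell out.

```python
import os
import re
import tempfile

# Constructed sample: VO name -> hashes of the CAs that VO relies on. The real
# per-VO lists and their format are not on the slides; this mapping is hypothetical.
VO_CAS = {
    "vo-alpha": {"1a2b3c4d", "5e6f7a8b"},
    "vo-beta": {"5e6f7a8b", "9c0d1e2f"},
}
CA_FILE = re.compile(r"([0-9a-f]{8})\.(.+)")  # assumed <hash>.<ext> naming

def required_cas(supported_vos, vo_cas=VO_CAS):
    """Union of the CA hashes needed by the VOs this site supports."""
    unknown = [vo for vo in supported_vos if vo not in vo_cas]
    if unknown:
        raise KeyError("no CA list published for: " + ", ".join(unknown))
    return set().union(*(vo_cas[vo] for vo in supported_vos))

def plan_trust_dir(cert_dir, supported_vos, vo_cas=VO_CAS):
    """Return (missing CA hashes, removable file names) for a trust directory."""
    needed = required_cas(supported_vos, vo_cas)
    installed, removable = set(), []
    for name in sorted(os.listdir(cert_dir)):
        m = CA_FILE.fullmatch(name)
        if not m:
            continue  # not a CA-related file, leave it alone
        ca_hash, ext = m.groups()
        if ca_hash not in needed:
            removable.append(name)  # cert, CRL or policy of a CA no supported VO uses
        elif ext == "0":
            installed.add(ca_hash)
    return sorted(needed - installed), removable

def demo():
    """Plan a constructed trust directory for a site that supports only vo-alpha."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("1a2b3c4d.0", "1a2b3c4d.r0", "9c0d1e2f.0",
                     "9c0d1e2f.r0", "9c0d1e2f.signing_policy", "README"):
            open(os.path.join(d, name), "w").close()
        return plan_trust_dir(d, ["vo-alpha"])

if __name__ == "__main__":
    missing, removable = demo()
    print("CAs to install:", missing)
    print("files that can be removed:", removable)
```

The removable list includes the .r0 CRL files, which is where the slide's point about no longer handling CRL or expiry problems for unneeded CAs shows up in practice.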