EDGI Use Case 'Security of a Production Service Grid' 2006-06-24 ----------------------------------------------------- Etienne URBAH System ------ - A Production Service Grid (Managed Grid of managed Computing Clusters) For example EGI, EELA, DEISA, ... Participants ------------ - Trust Anchor For example IGTF (International Grid Trust Federation) - Security Officer of a Site (of the system) - User (of the Service Grid) - RA (Registration Authority) having vetted the User For example an accredited manager of the Organization employing the User - CA (Certificate Authority) having signed the credentials of the User For example GRID2-FR - Manager of the VO (Virtual Organization) granting access rights to the User - CSIRT (Computer Security Incident Response Team) of the system For example OSCT (Operational Security Coordination Team) was EGEE's CSIRT Description ----------- - The Trust Anchor uses a secure functionality of the System (for example the EUGridPMA repository) to publish an updated list of Certificates and CRLs (Certificate Revocation Lists) of the accredited CAs. - Each Security Officer deploys this updated list of CA Certificates on all resources under his/her responsibility (which belong to the System). - A User, authenticated by a Certificate issued by a CA upon vetting by a RA, and belonging to a VO, uses the System to obtain Security Credentials (for example RFC-compliant X509 proxy, Bag of SAML assertions). - This User uses these Security Credentials in order to make usage of a resource of the System (for example he accesses Data managed by the System, submits an Activity to the System, ...). - After a certain time, the System sends a Security Alarm to a Security Officer on duty. - Upon reception of this Security Alarm, this Security Officer investigates the Security Records of the System (for example Activity Logs) and obtains first proofs that the above User has tried to perform forbidden actions (for example Installation of a root kit, Mass mailing, ...). [Important note: The Security Officer can identify this malicious User ONLY if the Security Records contain at least one reference to the Security Credentials of the User] - This Security Officer immediately : - freezes all resources processing any work of this malicious User, and all incoming requests of this malicious User. [Note: Contrary to destruction and local ban, freezing permits to later generate useful system dump(s)] - uses a secure functionality of the System to send a Security Alert containing these first proofs to the CSIRT. - Upon reception of these first proofs, the CSIRT examines them to verify that this User is malicious indeed, and extracts from his/her Security Credentials : - The identity of the VO having issued access rights to this User, - The identity of the CA having signed his/her Certificate. - The CSIRT immediately uses secure functionalities of the System to : - publish a Global Ban of this User from the System, - send a confirmed Security Alert to the Manager of the above identified VO, and to the above identified CA. - Upon reception of this Global Ban, each Security Officer bans locally this User from all resources under his/her responsibility. - Upon reception of this confirmed Security Alert : - the Manager of the above identified VO suppresses membership of this User, - the CA adds the Certificate of this User to its CRL, - the CA uses secure functionalities of the System to forward this confirmed Security Alert to the RA having vetted this User.