Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "2019-bidding/security"

From EGIWiki
Jump to navigation Jump to search
Line 17: Line 17:
== Coordination ==
== Coordination ==


*'''Security Operations Coordination''' - Central coordination of the security activities ensures that policies, operational security, and maintenance are compatible amongst all partners, improving availability and lowering access barriers for use of the infrastructure. This coordination ensures that incidents are promptly and efficiently handled, that common policies are followed by providing services such as security monitoring, and by training and dissemination with the goal of improving the response to incidents. This includes liaison with external security organisations, coordination security training, of security service challenges and of security threat risk assessment.  
*'''Security Operations Coordination''' - Central coordination of the EGI security activities ensures that policies, operational security, and maintenance are compatible amongst all partners, improving availability and lowering access barriers for use of the infrastructure. This coordination ensures that incidents are promptly and efficiently handled, that common policies are followed by providing services such as security monitoring, and by training and dissemination with the goal of improving the response to incidents. This includes liaison with external security organisations, coordination security training, of security service challenges and of security threat risk assessment.  


*'''Security Policy Coordination''' - Security policy development covers diverse aspects, including operational policies (agreements on vulnerability management, intrusion detection and prevention, regulation of access, and enforcement), incident response policies (governing the exchange of information and expected actions), participant responsibilities (including acceptable use policies, identifying users and managing user communities), traceability, legal aspects, and the protection of personal data. Since research is global, such policies must be coordinated with peer infrastructures in Europe and elsewhere, such as PRACE, Open Science Grid, XSEDE, and like efforts in the Asia Pacific. Coordination mechanisms such as the FIM4R group, TERENA REFEDS, SCI, Open Grid Forum and the IGTF will need to be employed.  
*'''Security Policy Coordination''' - EGI Security policy development covers diverse aspects, including operational policies (agreements on vulnerability management, intrusion detection and prevention, regulation of access, and enforcement), incident response policies (governing the exchange of information and expected actions), participant responsibilities (including acceptable use policies, identifying users and managing user communities), traceability, legal aspects, and the protection of personal data. Since research is global, such policies must be coordinated with peer infrastructures in Europe and elsewhere, such as PRACE, Open Science Grid, XSEDE, and like efforts in the Asia Pacific. Coordination mechanisms such as the FIM4R group, TERENA REFEDS, SCI, Open Grid Forum and the IGTF will need to be employed.  


*'''Security Incident Response Coordination''' - Coordination of incident response activities in collaboration with the Incident Response Task Force. The primary responsibility for basic incident response and forensics still lies with each NGI, while the EGI Global IRTF will coordinate incident response and information exchange. For complex multi-site incidents and in cases where advanced forensics is needed, the EGI Global IRTF will step in and take an active part, to protect the continued integrity of the EGI infrastructure as a whole. Validation of EGI Global incident response capability is done by coordinating security service challenges that both assess readiness of infrastructure operations and verify adequate traceability features in the software used. This task will also liaise with other CSIRTs via for example TF-CSIRTS and FIRST
*'''Security Incident Response Coordination''' - Coordination of EGI incident response activities in collaboration with the Incident Response Task Force. The primary responsibility for basic incident response and forensics still lies with each NGI, while the EGI Global IRTF will coordinate incident response and information exchange. For complex multi-site incidents and in cases where advanced forensics is needed, the EGI Global IRTF will step in and take an active part, to protect the continued integrity of the EGI infrastructure as a whole. Validation of EGI Global incident response capability is done by coordinating security service challenges that both assess readiness of infrastructure operations and verify adequate traceability features in the software used. This task will also liaise with other CSIRTs via for example TF-CSIRTS and FIRST


*'''Software Vulnerability Group Coordination''' - The Software Vulnerability Group aims to eliminate existing software vulnerabilities from the deployed infrastructure and prevent the introduction of new ones, and runs a process for handling software vulnerabilities reported. This depends on investigation and risk assessment by a collaborative team drawn from technology providers and other security groups, known as the Risk Assessment Team (RAT).  
*'''Software Vulnerability Group Coordination''' - The Software Vulnerability Group aims to eliminate existing software vulnerabilities from the deployed infrastructure within EGI and prevent the introduction of new ones, and runs a process for handling software vulnerabilities reported. This depends on investigation and risk assessment by a collaborative team drawn from technology providers and other security groups, known as the Risk Assessment Team (RAT).  


*'''International Grid Trust Federation (IGTF) and EUGridPMA''' - A common authentication trust domain is required to persistently identify all EGI participants. This task is about the representation of EGI in IGTF and EUGridPMA. This representation will bring operational and policy needs of EGI to the attention of the PMA, bring issues raised by the PMA to the attention of the appropriate groups within EGI, and keep the EGI Council informed of progress and policies of the EUGridPMA. This task is also responsible for the coordination of the provision of EGI versions of the IGTF Certification Authority distributions as required by the EGI Council.
*'''International Grid Trust Federation (IGTF) and EUGridPMA''' - A common authentication trust domain is required to persistently identify all EGI participants. This task is about the representation of EGI in IGTF and EUGridPMA. This representation will bring operational and policy needs of EGI to the attention of the PMA, bring issues raised by the PMA to the attention of the appropriate groups within EGI, and keep the EGI Council informed of progress and policies of the EUGridPMA. This task is also responsible for the coordination of the provision of EGI versions of the IGTF Certification Authority distributions as required by the EGI Council.
Line 29: Line 29:
In particular the activity will have to liaise with the following entities:  
In particular the activity will have to liaise with the following entities:  
* NGI and EIROs security teams. In the hierarchical operational structure of EGI most of the communications go from EGI to the Operations Centres, and then from the Operations Centres to the Resource Centres.
* NGI and EIROs security teams. In the hierarchical operational structure of EGI most of the communications go from EGI to the Operations Centres, and then from the Operations Centres to the Resource Centres.
* Resource Centres security teams. To ensure prompt reaction and support in case of security incident or critical violation of security policies.
* EGI Resource Centres security teams. To ensure prompt reaction and support in case of security incident or critical violation of security policies.
* Other European and international e-infrastructures and research infrastructure. The liaison must be direct peer to peer and in the context of security initiatives such as WISE as an example, respectively to tackle specific topics or to develop a collaboration framework for security.
* Other European and international e-infrastructures and research infrastructure. The liaison must be direct peer to peer and in the context of security initiatives such as WISE as an example, respectively to tackle specific topics or to develop a collaboration framework for security.
* Cross infrastructure policy groups, such as for example FIM4R and REFEDS.
* Cross infrastructure policy groups, such as for example FIM4R and REFEDS.

Revision as of 09:47, 18 November 2019

Main EGI.eu operations services Support Documentation Tools Activities Performance Technology Catch-all Services Resource Allocation Security



EGI Services and Service Management Support menu: Bids Old Bids Performance

Go back to the EGI Services Bidding page.

Service name: Security coordination and security tools

Introduction

Security is recognised as an important aspect of e-Infrastructures and requires coordination between the EGI participants at various levels, in particular for the prevention and handling of incidents.

To keep a distributed infrastructure secure there is need for a coordination activity of the security effort at NGI and resource center level, and for tools that automatically test the EGI sites for vulnerabilities. The activity ensures the central coordination of security activities, including incident response, vulnerabilities handling and security policies development.

Technical description

The security coordination activities must liaise with the resource providers (~40 among NGIs and EIROS) the resource centres (~300) and oversee the technologies used in the production infrastructure, for example: O.S. Platforms, HTC, Cloud, Storage, AAI capabilities.

Coordination

  • Security Operations Coordination - Central coordination of the EGI security activities ensures that policies, operational security, and maintenance are compatible amongst all partners, improving availability and lowering access barriers for use of the infrastructure. This coordination ensures that incidents are promptly and efficiently handled, that common policies are followed by providing services such as security monitoring, and by training and dissemination with the goal of improving the response to incidents. This includes liaison with external security organisations, coordination security training, of security service challenges and of security threat risk assessment.
  • Security Policy Coordination - EGI Security policy development covers diverse aspects, including operational policies (agreements on vulnerability management, intrusion detection and prevention, regulation of access, and enforcement), incident response policies (governing the exchange of information and expected actions), participant responsibilities (including acceptable use policies, identifying users and managing user communities), traceability, legal aspects, and the protection of personal data. Since research is global, such policies must be coordinated with peer infrastructures in Europe and elsewhere, such as PRACE, Open Science Grid, XSEDE, and like efforts in the Asia Pacific. Coordination mechanisms such as the FIM4R group, TERENA REFEDS, SCI, Open Grid Forum and the IGTF will need to be employed.
  • Security Incident Response Coordination - Coordination of EGI incident response activities in collaboration with the Incident Response Task Force. The primary responsibility for basic incident response and forensics still lies with each NGI, while the EGI Global IRTF will coordinate incident response and information exchange. For complex multi-site incidents and in cases where advanced forensics is needed, the EGI Global IRTF will step in and take an active part, to protect the continued integrity of the EGI infrastructure as a whole. Validation of EGI Global incident response capability is done by coordinating security service challenges that both assess readiness of infrastructure operations and verify adequate traceability features in the software used. This task will also liaise with other CSIRTs via for example TF-CSIRTS and FIRST
  • Software Vulnerability Group Coordination - The Software Vulnerability Group aims to eliminate existing software vulnerabilities from the deployed infrastructure within EGI and prevent the introduction of new ones, and runs a process for handling software vulnerabilities reported. This depends on investigation and risk assessment by a collaborative team drawn from technology providers and other security groups, known as the Risk Assessment Team (RAT).
  • International Grid Trust Federation (IGTF) and EUGridPMA - A common authentication trust domain is required to persistently identify all EGI participants. This task is about the representation of EGI in IGTF and EUGridPMA. This representation will bring operational and policy needs of EGI to the attention of the PMA, bring issues raised by the PMA to the attention of the appropriate groups within EGI, and keep the EGI Council informed of progress and policies of the EUGridPMA. This task is also responsible for the coordination of the provision of EGI versions of the IGTF Certification Authority distributions as required by the EGI Council.

In particular the activity will have to liaise with the following entities:

  • NGI and EIROs security teams. In the hierarchical operational structure of EGI most of the communications go from EGI to the Operations Centres, and then from the Operations Centres to the Resource Centres.
  • EGI Resource Centres security teams. To ensure prompt reaction and support in case of security incident or critical violation of security policies.
  • Other European and international e-infrastructures and research infrastructure. The liaison must be direct peer to peer and in the context of security initiatives such as WISE as an example, respectively to tackle specific topics or to develop a collaboration framework for security.
  • Cross infrastructure policy groups, such as for example FIM4R and REFEDS.

Operations

The provisioning of this activity includes the operations and maintenance of the operational tools that support security, namely:

  • Security Monitoring - the activity should provide monitoring services to check for security vulnerabilities and other security-related problems in the EGI production infrastructure. Monitoring uses ad-hoc probes implemented to address specific security issues as well as generic probes used to gather security-related information. The main features are:
    • Monitor a range security relevant assets like for example: CRLs, file system permissions and vulnerable file permissions
    • Monitor and check the software packages deployed in the services of the production infrastructure and the status of patching security vulnerability by deploying relevant software updates.
  • Incident Reporting Tool - ticketing system for tracking of incident reporting activities.
  • Tools for Security Service Challenge support - Security challenges are a mechanism to check the compliance of sites/NGIs/EGI with security requirements. Runs of Security Service Challenges need a set of tools that are used during various stages of the runs.

Software Compliance

  • Unless explicitly agreed, software being used and developed to provide the service should:
    • Be licensed under an open source and permissive license (like MIT, BSD, Apache 2.0,...).
      • The license should provide unlimited access rights to the EGI community.
    • Have source code publicly available via a public source code repository (if needed a mirror can be put in place under the EGI organisation in GitHub.) All releases should be appropriately tagged.
    • Adopt best practices:
      • Defining and enforcing code style guidelines.
      • Using Semantic Versioning.
      • Using a Configuration Management frameworks such as Ansible.
      • Taking security aspects into consideration through at every point in time.
      • Having automated testing in place.
      • Using code reviewing.
      • Treating documentation as code.
        • Documentation should be available for Developers, administrators and end users.

IT Service Management compliance

  • Key staff who deliver services should have foundation or basic level ITSM training and certification
    • ITSM training and certification could include FitSM, ITIL, ISO 20000 etc.
  • Key staff and service owners should have advanced/professional training and certification covering the key processes for their services
  • Providers should have clear interfaces with the EGI SMS processes and provide the required information
  • Providers should commit to improving their management system used to support the services they provide

Support

  • Daily support activities
    • Support through the EGI helpdesk to users and service providers.
    • Support through abuse@egi.eu for the incident handling.
    • Support hours eight hours a day , Monday to Friday – excluding public holidays of the hosting organisation.
  • Training
    • Security trainings will be provided to the EGI stakeholders, for example during the major EGI events.

Service level targets

Effort (EGI-related activities)

Bids planning a total effort for EGI-related work of 9 Person Months/year should allow these services and activities to be addressed appropriately.

Effort (EOSC-related activities)

Partners are encouraged to submit details of activities and proposed costing of effort for EOSC related activities. This may include activities related to development of new functionality required by EOSC communities (e.g. in the case of accounting, a separate accounting portal view for EOSC) in addition to activities delivering services to these communities.