
www.egi.eu EGI-InSPIRE RI-261323

EGI Federated Cloud Security - what is needed

Linda Cornwall (STFC) and the EGI CSIRT team

20th January 2015


EGI Federated Cloud Model

• IaaS provided by distributed RPs
• Brokerage on top of this
• Only endorsed VMs allowed (provided in AppDB)
• The ‘User’ is in charge – this is what the policy group has called the ‘VM Operator’
  • This has led to some confusion in the past
• See Security Policy for the Endorsement and Operation of Virtual Machine Images: https://documents.egi.eu/public/ShowDocument?docid=771


3 main players

• RP = Resource Provider – provides IaaS
• VM Operator – the person instantiating VMs
  • On behalf of the VO
  • Would usually have ‘root’ access to the VM
  • Has an appropriately high level of skill
• End User – a user (e.g. a scientist) who connects to VMs to carry out their work
  • Less skilled


Lower level of skill VM Operator?

• Do we envisage a lower-skilled person instantiating VMs, e.g. specialised ones for certain applications?
• Probably NOT with the User having root?
• Possibly with specific S/W installed?
• Would this be appropriate for small VOs?


Responsibility: Fed Cloud view?

• RP agrees to support a VO.
• VM Operator instantiates VMs on behalf of a VO.
• AUP signed by the VO
• VM Operator is then wholly responsible for the VM
  • RP does NOT get to look at the image
  • RP takes no action unless the AUP or the law is broken
  • Not updating for critical vulnerabilities does not trigger action
  • Probably this is where the security team disagrees with the Fed Cloud people’s view
• Anyway, how does the RP know if the AUP is broken if it can’t look at an image?


RP scanning VMs

• Commercial providers, e.g. Amazon, DO scan VMs
  • Customers DO have to agree that Amazon has a right to scan VMs
• Probably necessary from a ‘due diligence’ legal point of view
• The AUP should be modified so that VOs/VM Operators agree that RPs have a right to scan VMs.


Highly confidential data

• Is data to be stored or processed on the Fed Cloud which is highly confidential, and hence RP scanning is not acceptable?
  • Heard called the ‘embassy cloud’, where the RP has no access to data.
• The general thought is that private data, e.g. biomed, should be on a private data server
  • Is there any requirement to host e.g. private biomed data in the cloud?
  • Is RP scanning acceptable?


What can the VM Operator do?

• Fed Cloud wishes to define that the VM Operator can do anything they wish
  • No restrictions, as commercial operators do not have restrictions
  • But commercial operators have their own large security teams
  • We are likely to have a ‘due diligence’ legal responsibility issue
• Need to flag to management that there are legal issues which they should investigate


RPs and VOs and AAI

• EGI has an AUP with the VO
• RPs agree to support the VO
• AAI is VOMS only at present
  • DN and technology as for the Grid
• Need to ensure any new AAI is adequately secure
  • Both from a technical and a trust point of view
  • Getting something that works is one thing. Ensuring it is free from vulnerabilities is another. Building trust with other entities is another.


VM Operator as service provider

• The VM Operator is effectively a service provider, providing services to the End User
  • Hence policies on the service provider are applicable to the VM Operator
• What Fed Cloud has called a ‘User’ IS therefore a service provider
• The VO and the VM Operator are service providers and have the same responsibilities as other service providers
  • A service provider is like a site admin – can we trust them?
• Need to update the policy on service operation


Logging and traceability

• We have policies on logging and traceability
  • These effectively feed into requirements on the RPs and VM Operators to log and to keep logs
• Essential for incident response
• Not clear what logging is in place at present
• Need to define more specific required logging and traceability
  • What is logged
  • How long logs are kept


‘End User’ access

• The VM Operator will need to give End Users access to resources.
• What methods does the EGI Fed Cloud use now?
  • Does it depend on institute IDs?
  • Institutes tend to have quite strict conditions.
• EGI Fed Cloud should provide recommended methods and criteria for End User access.
  • Both concerning technology and trust


Security Incident Response

• What when an incident occurs?
  • And they will
• Can an incident be traced to the End User?
  • If it cannot, it is necessary to suspend the whole VO.
  • After the VO is suspended, we will need to be able to investigate before it can be re-enabled
• So incident response, whether via the VM Operator/VO or by EGI CSIRT, remains essential


2 ‘reasonable’ options

• EGI CSIRT has access to information
  • This means the logging and traceability policy/requirements must be met
  • Need to trace to the End User
  • Full co-operation from the VO and VM Operator
• VO has its own CSIRT/IRTF function and investigates
  • Might be appropriate for a large VO (e.g. Netflix probably has its own security team)
  • Not reasonable for small/medium VOs
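The "Logging and traceability" and "Security Incident Response" slides above say that tracing must reach the End User or the whole VO is suspended. The script below is an added example, not part of the slides or of any EGI tool, showing what the two logs have to contain for that chain to work and where it breaks. The log formats, field names, instance ids, DNs and addresses are constructed; the RP log is assumed to record instantiation and termination per address, and the VM Operator's log is assumed to record End User sessions per instance.

```python
"""Walking the traceability chain for a Fed Cloud incident.

Added example, not taken from the EGI slides. The log formats, field names,
instance ids, DNs and addresses are constructed for illustration. Two logs
are assumed:
  RP_LOG     - kept by the Resource Provider: which image was instantiated,
               for which VO, by which VM Operator, on which address, and
               when it was terminated.
  ACCESS_LOG - kept by the VM Operator inside the VM: which End User held a
               session on which instance, from where, and when.
An abuse report names an address and a time; trace() follows the chain and
reports how far attribution reaches, which decides the suspension scope.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

RP_LOG = """\
2015-01-19T08:00:12Z INSTANTIATE vm=i-0042 image=appdb:ubuntu14-v3 vo=vo.example.org operator="/DC=org/DC=example/CN=Alice Operator" ip=192.0.2.10
2015-01-19T08:05:40Z INSTANTIATE vm=i-0043 image=appdb:ubuntu14-v3 vo=vo.example.org operator="/DC=org/DC=example/CN=Alice Operator" ip=192.0.2.11
2015-01-19T09:10:00Z INSTANTIATE vm=i-0044 image=appdb:centos6-v1 vo=vo.other.org operator="/DC=org/DC=example/CN=Bob Operator" ip=192.0.2.12
2015-01-19T09:50:00Z TERMINATE vm=i-0044 ip=192.0.2.12
"""

ACCESS_LOG = """\
2015-01-19T10:02:11Z LOGIN vm=i-0042 user=carol@uni.example src=198.51.100.7
2015-01-19T10:40:00Z LOGOUT vm=i-0042 user=carol@uni.example src=198.51.100.7
2015-01-19T11:00:00Z LOGIN vm=i-0043 user=dave@uni.example src=198.51.100.9
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(log: str) -> list[dict]:
    """Parse 'TIMESTAMP EVENT key=value ...' lines; shlex keeps the quoted DN whole."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, *kv = shlex.split(line)
        rec = dict(tok.split("=", 1) for tok in kv)
        rec["ts"] = datetime.strptime(ts, TS_FMT)
        rec["event"] = event
        records.append(rec)
    return records


def sessions(access_log: str) -> list[tuple]:
    """Pair LOGIN/LOGOUT into (vm, user, start, end); a still-open session has end=None."""
    open_, closed = {}, []
    for r in sorted(parse(access_log), key=lambda r: r["ts"]):
        key = (r["vm"], r["user"], r["src"])
        if r["event"] == "LOGIN":
            open_[key] = r["ts"]
        elif r["event"] == "LOGOUT" and key in open_:
            closed.append((r["vm"], r["user"], open_.pop(key), r["ts"]))
    closed += [(vm, user, start, None) for (vm, user, _), start in open_.items()]
    return closed


@dataclass
class Trace:
    scope: str                       # "end_user", "vo" or "unknown"
    vm: Optional[str] = None
    vo: Optional[str] = None
    operator: Optional[str] = None
    end_user: Optional[str] = None
    note: str = ""


def trace(ip: str, when, rp_log: str = RP_LOG, access_log: str = ACCESS_LOG) -> Trace:
    if isinstance(when, str):
        when = datetime.strptime(when, TS_FMT)
    # Hop 1: the RP log ties the address, at that time, to an instance, a VO and a VM Operator.
    # Instances already terminated are excluded so a reused address is not misattributed.
    recs = parse(rp_log)
    ended = {r["vm"] for r in recs if r["event"] == "TERMINATE" and r["ts"] <= when}
    live = [r for r in recs if r["event"] == "INSTANTIATE" and r["ip"] == ip
            and r["ts"] <= when and r["vm"] not in ended]
    if not live:
        return Trace("unknown", note="address not in RP instantiation log at that time: RP logging gap")
    r = max(live, key=lambda r: r["ts"])
    t = Trace("vo", vm=r["vm"], vo=r["vo"], operator=r["operator"])
    # Hop 2: the VM Operator's access log ties the instance, at that time, to an End User.
    active = [s for s in sessions(access_log)
              if s[0] == t.vm and s[2] <= when and (s[3] is None or when < s[3])]
    if len(active) == 1:
        t.scope, t.end_user = "end_user", active[0][1]
    elif not active:
        t.note = "no End User session on the instance at that time: suspend the whole VO"
    else:
        t.note = "several End Users active: attribution ambiguous, suspend the whole VO"
    return t


if __name__ == "__main__":
    for ip, when in [("192.0.2.11", "2015-01-19T11:30:00Z"),
                     ("192.0.2.10", "2015-01-19T12:00:00Z"),
                     ("192.0.2.12", "2015-01-19T10:00:00Z")]:
        print(ip, when, trace(ip, when))
```

The three cases in the usage block are the ones the slides worry about: the second hop succeeds and the End User is named; the RP can name the VO and VM Operator but the operator's log shows nobody logged in, so only the VO-level suspension is possible; and an address that had already been released, which is why termination must be logged as well as instantiation. Retention matters for the same reason: a report that arrives after the RP log has been rotated lands in the "unknown" branch.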


What advantages are there to using Fed Cloud rather than commercial?

• One may be that a VO does NOT need to have its own security team
  • As well as help with AAI, endorsed VMs etc., EGI Fed Cloud can provide the security services


Problematic VMs

• There is a desire in Fed Cloud NOT to suspend VMs
  • Commercial providers don’t do this
• What do we need to do?
  • In the case of multiple instances of a problematic VM
  • Need some way of quarantining images


Endorsed VM images

• The endorser is responsible for endorsed images
  • This responsibility continues while the image is available
  • Includes ensuring they are up to date concerning vulnerabilities
• After VMs are instantiated, are they updated?
  • How do you ensure VMs which are in use are kept up to date?
  • Or are they fairly short-lived?


Problematic images

• If a VM has problems, do others having the same VM Id get suspended?
  • Only one may be problematic, due to a modification; how can it be quickly found whether it is a one-off due to a change to that instance, or a problem with all instances of the image?
• How is data/work kept if images are problematic?
  • I.e. how to quarantine and keep
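The "Problematic VMs" and "Problematic images" slides ask how to tell a one-off modified instance from a bad endorsed image, and how to quarantine without losing work. The following is an added example (not from the slides or any EGI tool) of one way to answer that: compare measurements of a reported instance against the endorsed image's file manifest. It assumes two things the slides do not state, namely that the endorser publishes a manifest of hashes of security-relevant files for each endorsed image, and that the RP can measure the same files on a running instance (for instance from a disk snapshot, which is also what preserves the user's work). Image ids, instance ids and file contents are constructed.

```python
"""Triage for a problematic VM: one-off modification, or a bad endorsed image?

Added example, not from the EGI slides. Image ids, file contents and instance
ids are constructed. It assumes (a) the endorser publishes a manifest of
hashes of security-relevant files for each endorsed image, and (b) the RP can
measure the same files on a running instance, e.g. from a disk snapshot.
"""
from __future__ import annotations

import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed content of the files the (hypothetical) endorser's manifest covers.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin without-password\nPasswordAuthentication no\n",
    "/etc/crontab": b"# system-wide crontab\n",
    "/usr/lib/libssl.so.1.0.0": b"placeholder for the endorsed openssl build\n",
}
# Endorsed-image manifest: image id -> {path: sha256 of the file as shipped}.
ENDORSED = {"appdb:ubuntu14-v3": {p: sha256(c) for p, c in BASELINE_FILES.items()}}

# Constructed measurements of running instances: vm -> (image id, {path: sha256 now}).
INSTANCES = {
    "i-0042": ("appdb:ubuntu14-v3", dict(ENDORSED["appdb:ubuntu14-v3"])),
    "i-0043": ("appdb:ubuntu14-v3", dict(ENDORSED["appdb:ubuntu14-v3"])),
    "i-0045": ("appdb:ubuntu14-v3", dict(ENDORSED["appdb:ubuntu14-v3"])),
}
# i-0043 was changed by its VM Operator after instantiation.
INSTANCES["i-0043"][1]["/etc/ssh/sshd_config"] = sha256(
    b"PermitRootLogin yes\nPasswordAuthentication yes\n")
INSTANCES["i-0043"][1]["/etc/crontab"] = sha256(
    b"# system-wide crontab\n@reboot root /opt/local/agent\n")


def drift(vm: str) -> dict[str, tuple[str | None, str | None]]:
    """Files whose measured hash differs from the endorsed manifest (missing -> None)."""
    image, measured = INSTANCES[vm]
    expected = ENDORSED[image]
    return {p: (expected.get(p), measured.get(p))
            for p in sorted(set(expected) | set(measured))
            if expected.get(p) != measured.get(p)}


def triage(vm: str) -> dict:
    """Decide what to quarantine when `vm` is reported as problematic.

    Both branches snapshot before quarantining, so the user's data and work are kept.
    """
    image, _ = INSTANCES[vm]
    changed = sorted(drift(vm))
    siblings = [v for v, (img, _) in INSTANCES.items() if img == image and v != vm]
    if changed:
        # The instance diverged from the endorsed image: treat as a one-off.
        # Quarantine only this instance; siblings are re-measured, not suspended.
        return {"verdict": "one-off", "changed": changed,
                "snapshot": [vm], "quarantine": [vm],
                "recheck": siblings, "image_action": None}
    # The instance still matches the endorsed image, so the image itself is suspect:
    # every instance of it is affected and the endorser must review the image.
    return {"verdict": "image", "changed": [],
            "snapshot": [vm] + siblings, "quarantine": [vm] + siblings,
            "recheck": [], "image_action": f"withdraw {image} from AppDB pending endorser review"}


if __name__ == "__main__":
    print(triage("i-0043"))   # one-off: only i-0043 is quarantined
    print(triage("i-0042"))   # image-level: all three instances
```

The manifest only needs to cover files whose change would matter (service configuration, scheduled jobs, libraries the endorser patched), and the measurement must come from the RP's side of the hypervisor, not from an agent inside the VM that the same modification could have altered.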


VM requirements

• Requirements on endorsed images including patching

• Training/best practice needed for VM endorsers

• How do we ensure images in operation are up to date concerning security patches? (short life or updates)

• Criteria for suspending and quarantining problematic images, including keeping work
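The "Endorsed VM images" slide and the "VM requirements" slide above both pose the same question: an endorser must keep an image current while it is offered, but how are instances already running kept patched, by short life or by updates? The script below is an added example, not from the slides or any EGI tool, turning "short life or updates" into a check that can be run against an inventory. The AppDB entries, fleet records, dates and the policy numbers (30-day maximum lifetime, 7-day grace) are all constructed assumptions.

```python
"""'Short life or updates': checking that VMs in operation stay patched.

Added example, not from the EGI slides. The AppDB entries, fleet records,
dates and the policy numbers (30-day maximum lifetime, 7-day grace) are
constructed assumptions. Two obligations are checked:
  * the endorser's: an endorsed image superseded by a newer version should
    no longer be offered in AppDB;
  * the VM Operator's: a running instance must either stay within the
    lifetime limit or show a recent update run, and an instance built from
    a superseded image must have updated since the newer version appeared.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_LIFETIME = timedelta(days=30)   # "short life": rebuild from a fresh image after this
PATCH_GRACE = timedelta(days=7)     # "updates": an update run this recent counts as current


@dataclass
class Image:
    image_id: str
    published: datetime
    superseded_by: Optional[str] = None


@dataclass
class Instance:
    vm: str
    image_id: str
    created: datetime
    last_update_run: Optional[datetime]   # None: the operator reports no update run


# Constructed AppDB entries: ubuntu14-v2 is still listed although v3 replaced it.
APPDB = {
    "ubuntu14-v2": Image("ubuntu14-v2", datetime(2014, 11, 1), superseded_by="ubuntu14-v3"),
    "ubuntu14-v3": Image("ubuntu14-v3", datetime(2015, 1, 5)),
    "centos6-v1": Image("centos6-v1", datetime(2014, 12, 1)),
}

# Constructed inventory of running instances.
FLEET = [
    Instance("i-0040", "ubuntu14-v2", datetime(2014, 12, 1), None),
    Instance("i-0041", "ubuntu14-v2", datetime(2015, 1, 10), datetime(2015, 1, 15)),
    Instance("i-0042", "ubuntu14-v3", datetime(2015, 1, 12), None),
    Instance("i-0044", "centos6-v1", datetime(2014, 12, 5), datetime(2015, 1, 18)),
]


def latest(image_id: str) -> Image:
    """Follow the supersession chain to the newest endorsed version."""
    img = APPDB[image_id]
    while img.superseded_by:
        img = APPDB[img.superseded_by]
    return img


def check_instance(inst: Instance, now: datetime) -> list[str]:
    findings = []
    recently_updated = (inst.last_update_run is not None
                        and now - inst.last_update_run <= PATCH_GRACE)
    if now - inst.created > MAX_LIFETIME and not recently_updated:
        findings.append("stale: older than the lifetime limit and no recent update run")
    cur = latest(inst.image_id)
    if cur.image_id != inst.image_id and now - cur.published > PATCH_GRACE:
        # Built from a superseded image: acceptable only if updated after the newer version appeared.
        if inst.last_update_run is None or inst.last_update_run < cur.published:
            findings.append(f"superseded: {inst.image_id} replaced by {cur.image_id} "
                            f"on {cur.published:%Y-%m-%d}, no update since")
    return findings


def check_fleet(now) -> dict[str, list[str]]:
    """Run the operator-side checks over the inventory; `now` may be a datetime or YYYY-MM-DD."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    return {inst.vm: check_instance(inst, now) for inst in FLEET}


def check_appdb() -> list[str]:
    """Endorser obligation: superseded images still listed should be withdrawn."""
    return sorted(i for i, img in APPDB.items() if img.superseded_by)


if __name__ == "__main__":
    for vm, findings in check_fleet("2015-01-20").items():
        print(vm, findings or ["ok"])
    print("withdraw from AppDB:", check_appdb())
```

Run on the constructed inventory as of 2015-01-20, i-0040 is the instance the slides describe (old image, never updated, well past its lifetime), i-0041 is acceptable because its operator updated it after v3 appeared, i-0044 is old but recently updated, and ubuntu14-v2 is flagged back to the endorser for withdrawal. The inputs this needs (instantiation time, image id, last update run) are the same fields the logging requirements would have to mandate.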


General

• Need to write down the usage model in detail
• Need to write down the security model
• Responsibility/legal model, agreed with management
• Enough people to carry out the work – some as part of EGI-Engage
• Security Threat Risk Assessment
  • When more is documented and better information is available to carry this out


Questions and discussion.

• ??