Post on 13-Dec-2015
transcript
www.egi.eu EGI-InSPIRE RI-261323
EGI-InSPIRE
EGI Federated Cloud Security - what is needed
Linda Cornwall (STFC)
and the EGI CSIRT team
20th January 2015
EGI Federated Cloud Model
• IaaS provided by distributed RPs
• Brokerage on top of this
• Endorsed VMs only allowed (provided in AppDB)
• ‘User’ is in charge – which is what the policy group has called ‘VM Operator’
  • This has led to some confusion in the past
  • See Security Policy for the Endorsement and Operation of Virtual Machine Images https://documents.egi.eu/public/ShowDocument?docid=771
3 main players
• RP = Resource Provider – Provides IaaS
• VM Operator – person instantiating VMs
  • On behalf of the VO
  • Would usually have ‘root’ access to VM
  • Has appropriate high level of skills
• End User – User (e.g. scientist) who connects to VMs to carry out their work
  • Less skilled
Lower level of skill VM Operator?
• Do we envisage a lower skilled person instantiating VMs, e.g. specialized ones for certain applications?
  • Probably NOT with User having root?
  • Possibly with specific S/W installed?
  • Would this be appropriate for small VOs?
Responsibility Fed Cloud view?
• RP agrees to support a VO.
• VM Operator instantiates VMs on behalf of a VO.
• AUP signed by VO
• VM Operator is then wholly responsible for the VM
  • RP does NOT get to look at image
  • Takes no action unless AUP or law broken
  • Not updating for critical vulnerabilities does not trigger action
  • Probably this is where security team disagrees with Fed Cloud people’s view
  • Anyway how does RP know if AUP broken if can’t look at an image?
RP scanning VMs
• Commercial providers e.g. Amazon DO scan VMs
  • Customers DO have to agree that Amazon has a right to scan VMs
• Probably necessary from a ‘due diligence’ legal point of view
• AUP should be modified so that VOs/VM Operators agree RPs have a right to scan VMs.
Highly confidential Data
• Is data to be stored or processed on the Fed Cloud which is highly confidential and hence RP scanning not acceptable?
  • Heard called the ‘embassy cloud’ where RP has no access to data.
• General thought is that private data, e.g. biomed, should be on a private data server
  • Is there any requirement to host e.g. private biomed in the cloud?
  • Is RP scanning acceptable?
What can VM operator do?
• Fed Cloud wishes to define that the VM Operator can do anything they wish
  • No restrictions as commercial operators do not have restrictions
  • But commercial operators have their own large security teams
  • We are likely to have a ‘due diligence’ legal responsibility issue
• Need to flag to management that there are legal issues which they should investigate
RPs and VOs and AAI
• EGI has AUP with VO
• RPs agree to support VO
• AAI is VOMS only at present
  • DN and technology as Grid
• Need to ensure any new AAI is adequately secure
  • Both from technical and trust view
  • Getting something that works is one thing. Ensuring it is free from vulnerabilities is another. Building trust with other entities is another.
VM Operator as service provider
• The VM Operator is effectively a service provider, providing services to the end user
  • Hence policies on the service provider are applicable to the VM Operator
  • What Fed Cloud has called a ‘User’ IS therefore a service provider
  • The VO, and the VM Operator, is a service provider and has the same responsibilities as other service providers
  • A service provider is like a site admin – can we trust them?
• Need to update policy on service operation
Logging and traceability
• We have policies on logging and traceability
  • These effectively feed into requirements on the RPs and VM Operators to log and keep
  • Essential for incident response
  • Not clear what logging is in place at present
• Need to define more specific required logging and traceability
  • What is logged
  • How long logs are kept
‘End User’ access
• VM Operator will need to give End Users access to resources.
  • What methods does the EGI Fed Cloud use now?
  • Does it depend on institute IDs?
  • Institutes tend to have quite strict conditions.
• EGI Fed Cloud should provide recommended methods and criteria for End User access.
  • Both concerning technology and trust
Security Incident Response
• What when an incident occurs?
  • And they will
• Can an incident be traced to end user?
  • If it cannot it is necessary to suspend the whole VO.
  • After VO is suspended, will need to be able to investigate before can re-enable
  • So incident response, whether via the VM Operator/VO or by EGI CSIRT, remains essential
2 ‘reasonable’ options
• EGI CSIRT has access to information
  • This means logging and traceability policy/requirements must be met
  • Need to trace to the end user
  • Full co-operation from the VO, VM Operator
• VO has its own CSIRT/IRTF function and investigates
  • Might be appropriate for large VO (e.g. probably Netflix has own security team)
  • Not reasonable for small/medium VOs
What advantages are there to using Fed Cloud rather than commercial?
• One may be that a VO does NOT need to have its own security team
• As well as help with AAI, endorsed VMs etc., EGI Fed Cloud can provide the security services
Problematic VMs
• There is a desire in Fed Cloud NOT to suspend VMs
  • Commercial providers don’t do this
• What do we need to do?
  • In case of multiple instances of a problematic VM.
  • Need some way of quarantining images
Endorsed VM images
• Endorser is responsible for endorsed images
  • This responsibility continues while image is available
  • Includes ensuring they are up to date concerning vulnerabilities
• After VMs instantiated, are they updated?
  • How do you ensure VMs which are in use are kept up to date?
  • Or are they fairly short lived?
Problematic images
• If a VM has problems, do others having the same VM Id get suspended?
  • Only one may be problematic, due to a modification; how can it be quickly found whether it is a one-off due to a change to that image, or a problem with all instances?
• How is data/work kept if images are problematic?
  • I.e. how to quarantine and keep
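As an added illustration, not from the slides, of the logging and traceability, incident response and problematic images points above: the Python sketch below assumes two log sources, an RP instantiation log and a VM Operator end-user access log, with constructed records and assumed field names. It shows what must be recorded for an incident on one instance to be traced to its VO, VM Operator and end user (falling back to VO suspension when no single end user is traceable), and which sibling instances of the same endorsed image are quarantine candidates.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Instance:  # one row of an RP's instantiation log (assumed fields)
    instance_id: str
    image_id: str  # endorsed image id, as listed in AppDB
    vo: str
    vm_operator: str  # DN of the VM Operator who instantiated it

@dataclass(frozen=True)
class Access:  # one row of the VM Operator's end-user access log (assumed fields)
    instance_id: str
    end_user: str
    login: str  # ISO-8601 timestamps compare correctly as strings
    logout: str

# Constructed sample data, not real EGI logs.
INSTANCES = [
    Instance("i-001", "img-42", "vo.example", "/DC=eu/CN=operator-a"),
    Instance("i-002", "img-42", "vo.example", "/DC=eu/CN=operator-a"),
    Instance("i-003", "img-17", "vo.other", "/DC=eu/CN=operator-b"),
]
ACCESS = [
    Access("i-001", "alice", "2015-01-20T09:00", "2015-01-20T11:00"),
    Access("i-001", "bob", "2015-01-20T10:30", "2015-01-20T12:00"),
]

def trace_incident(instance_id, when, instances=INSTANCES, access=ACCESS):
    """Join the two logs: VO, VM Operator, image and end users active at `when`."""
    inst = next(i for i in instances if i.instance_id == instance_id)
    users = sorted(a.end_user for a in access
                   if a.instance_id == instance_id and a.login <= when <= a.logout)
    return {"vo": inst.vo, "vm_operator": inst.vm_operator,
            "image_id": inst.image_id, "end_users": users}

def decide_action(trace):
    """Act on the end user only when exactly one is traceable; else suspend the VO."""
    if len(trace["end_users"]) == 1:
        return ("suspend_user", trace["end_users"][0])
    return ("suspend_vo", trace["vo"])

def same_image_instances(instance_id, instances=INSTANCES):
    """Other instances built from the same endorsed image: quarantine candidates."""
    img = next(i.image_id for i in instances if i.instance_id == instance_id)
    return sorted(i.instance_id for i in instances
                  if i.image_id == img and i.instance_id != instance_id)
```

With overlapping logins (alice and bob both active at 10:45) the trace is ambiguous, so the whole VO is suspended, which is exactly the retention and granularity question the logging slide asks to be settled.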
VM requirements
• Requirements on endorsed images including patching
• Training/best practice needed for VM endorsers
• How do we ensure images in operation are up to date concerning security patches? (short life or updates)
• Criteria for suspending and quarantining problematic images, including keeping work
General
• Need to write down usage model in detail
• Need to write down security model
• Responsibility/legal model, agreed with management
• Enough people to carry out work – some as part of EGI-Engage
• Security Threat Risk assessment
  • When more is documented and better info is available to carry this out