3.7Campus Grids
The Campus Grids team’s goal is to include as many US universities as possible in the national cyberinfrastructure. By helping universities understand the value of campus grids and resource sharing through the OSG national framework, this initiative aims at democratizing cyberinfrastructures by providing all resources to users and doing so in a collaborative manner.
In the last year, the campus grids team worked closely with the OSG education team to provide training and outreach opportunities to new campuses. A workshop for new site administrators was organized at Clemson and was attended by representatives from four campuses: University of Alabama, University of South Carolina, Florida International Miami and from the Saint Louis Genome Center. A second workshop was held at RENCI, and included representatives from Duke, UNC-Chapel Hill, and NCSU among others. UNC-CH has recently launched its TarHeel Grid, and Duke University is actively implementing a campus grid being incubated by a partnership between academic computing and the physics department. Sites that have been engaged in the past continue to collaborate with us – Genome Center, New Jersey Higher Education Network – with various level of success. Overall 24 sites have been in various levels of contacts with the campus grids team and seven are now in active deployment. Finally, a collaborative activity was started with SURAGrid to study interoperability of the grids; and an international collaboration with the White Rose Grid from the UK National Grid Service in Leeds as well as the UK Interest Group on Campus Grid was initiated this period. (Barr Von Oehsen from Clemson presented the Clemson Grid at a Campus CI SIG workshop in Cardiff in September 2009).
As a follow-up to work from the prior year, the Clemson Windows grid contributed significant compute cycles to Einstein@home run by LIGO and reached the rank of the 4th highest contributor world-wide; a new accounting probe has recently been completed to report this usage to the OSG accounting system, this will be made available to other campus sites that contribute via BOINC projects. Finally as a teaching activity, five Clemson students (of which two are funded by OSG and two are funded by CI-TEAM) competed in the TeraGrid 2009 parallel computing competition and finished second. One of them, an African-American female, attended the ISSGC 2009 in France thanks to OSG financial support.
Some campuses have started to demonstrate high interest in cloud technologies and the campus CI area is working on this in collaboration with STAR project. STAR provided a virtual machine image containing their certified software and this image was deployed at Clemson and University of Wisconsin to investigate mechanism to run STAR jobs within VMs. Per STAR scientist, Jerome Lauret (member of the OSG council), the Clemson setup that transparently runs jobs submitted to an OSG CE into the provided VM image is as easy to use as the EC2 cloud environment that they have tested.
3.8Security
The Security team continued its multi-faceted approach to successfully meeting the primary goal of maintaining operational security, developing security policies, acquiring, or developing necessary security tools and software, and disseminating security knowledge and awareness. And we are evolving with increased focus toward providing an operationally secure infrastructure that balances usability and security requirements simultaneously. Our mission statement is different from last year's in that we are emphasizing “usability.” This change stems from both our observations and the feedback we received from our community.
We continued our efforts to improve the OSG security program. The security officer asked for an external peer evaluation of the OSG security program which was conducted by the EGEE and TeraGrid security officers and a senior security person from University of Wisconsin. The committee produced a report of their conclusions and suggestions, according to which we are currently adjusting our current work. This peer evaluation proved so successful that we have received requests from EGEE and TeraGrid officers to join an evaluation of their security programs.
In collaboration with ESNet Authentication and Trust Fabric Team, we have organized two security workshops: 1) the Living in an Evolving Identity World Workshop brought technical experts together to discuss security systems; and, 2) the OSG Identity Management Requirements Gathering Workshop brought the user communities together to discuss usage of the security systems. Usability has surfaced as a key element in both workshops. Historically, we have understood that ease-of-use of the PKI infrastructure greatly affects the security of our environment: a too complex security environment forces users to circumvent security all together or increases the barriers of entry into the grid world. We have conducted a detailed user survey with our VO contacts to pinpoint problem areas; the workshop reports are available at https://twiki.grid.iu.edu/bin/view/Security/OsgEsnetWorkshopReport). Accordingly, we have added priority to improve these problem areas in the next year.
During the past year, we increased our preparations for the LHC re-start of data taking:
-
We conducted a risk assessment of our infrastructure and held a 2-day blueprint meeting with our executive team. We identified the risks over our authentication infrastructure that could significantly affect OSG operations. We subsequently met with ESNet management since they provide the backbone of our authentication infrastructure. We jointly developed mitigation plans for the identified risks and have been implementing the plans. For example, we completed a tool to monitor suspicious behavior in ESNet certificate issuance infrastructure.
-
We identified that our software distribution mechanism is a high-risk attack target and thus we decided to use signed software packages that can be automatically validated by site administrators during software updates.
-
In order to increase the security quality of VDT software, we reached out to our external software providers and exchanged our security practices such as vulnerability announcement, patching policies, update frequencies and such.
-
With the help of Professor Barton Miller of University of Wisconsin, we organized a “Secure Programming Workshop” in conjunction with the OGF. The tutorial taught the software providers the secure coding principles with hands-on code evaluation. A similar tutorial was also given at EGEE'09 conference to reach out to European software providers, which forms a significant part of the VDT code.
-
We formed a software vulnerability process with the help of VDT team. The security team watches the security bulletin boards on a daily basis and triggers the vulnerability evaluation process if a possible vulnerability is suspected that could affect the VDT code.
-
To measure LHC Tier-2s ability to respond to an ongoing incident, we conducted an incident drill. The drill included all LHC Tier-2 sites and a LIGO site, 19 sites in total. Each site has been tested one-on-one; a security team member generated a non-malicious attack and assessed sites responses. In general the sites performed very well with only a handful of site needing minor assistance or support in implementing the correct response actions. Our next goal is to conduct an incident drill to measure the preparedness of our user community and the VOs.
During the last year, the USATLAS and USCMS management asked OSG for increased security support for the LHC US Tier-3 sites. Tier-3s usually are small sites managed by graduate students. Thus, they may lack the security skills of a professional site administrator. To address this need:
-
We focused on Tier-3s at the OSG Site Administrators Workshop. Before the workshop, we individually contacted each site, asked for their needs and encouraged participation. Their feedback helped shaping our preparation significantly.
-
After the workshop, we have continued our efforts by meeting with a Tier-3 site admin one-on-one each week. The summaries of our meetings can be found at https://twiki.grid.iu.edu/bin/view/Security/FY10SecuritySupport and this effort continues in coming year.
-
We give special guidance to our Tier 3 sites during security vulnerabilities. So far, we have had two high-risk root-level kernel vulnerabilities. In addition to our regular response process, we contacted each Tier-3 site individually, and helped them test and patch their systems. There is a clear need for this type of support at least until Tier3s become more familiar with site management. However, individualized care for close to 20 sites is not sustainable due to our existing effort level and we are investigating automated tools to relieve this burden. In addition, we want to build a security community, where each site admin is an active contributor and can work with his/her peers. We have started a security blog and a ticketing system to accommodate information sharing and we plan to increase awareness of these tools to create an active community.
OSG did not have any grid incident during past year. Our efforts were preventive in nature and we spent most efforts on software patching (both grid and systems software) and responding to tangential incidents that were not attacks on the grid infrastructure but affected OSG sites indirectly. For example, we had attacks coming in via SSH ports and affecting HEP users but none of the attacks targeted the grid middleware or grid user credentials. Nevertheless, we undertook response as though OSG was attacked. We started an incident sharing community across TeraGrid, EGEE, NorduGrid, and OSG security officers; this continues to be immensely useful for operational security.
During the last year, we identified a problem with updating OSG-recommended security configurations at sites; we identified the need for an administrative update tool to solve the issue and this tool is now in testing for a future release. To provide better monitoring, the security team wrote a suite of security probes which allow a site administrator to compare local security configurations against OSG-suggested values; these monitoring probes have been released with OSG 1.2. In the next year, we plan to focus more on monitoring efforts which we consider a critical element of our risk assessment and mitigation plans.
Share with your friends: |