Security Awareness for the OSG: OSG Security in a Nutshell
About This Document
This document covers what site should be knowledgeable about regarding security in the OSG.
OSG embraces Integrated Security Management Principles, where everyone is responsible for the security. Everyone is obliged to:
- work diligently
- follow the OSG controls
- be proactive
- feed into process
Our goal is to prevent the unacceptable security risks to OSG. Risk is a function of threat and vulnerability. R(Threat, Vulnerability). A threat that has no existing vulnerability at OSG does not constitute a risk; a vulnerability without any existing threat does not constitute a risk.
A system with no risks can only happen when it is entirely isolated from the outside world and under tight security controls. OSG's goal is not to create a "perfect" system but prevent unacceptable risks. The impact of a risk is proportional to the loss caused by the risk. A risk with very small likelihood and very large loss potential has a higher impact than a risk with higher likelihood but a much smaller loss. OSG risk assessment evaluates the risks to OSG core services/assets and classifies their impacts.
For example, an acceptable risk with LOW impact: A security event has LOW risk if it occurs less than 10 times per year AND does not disrupt the perception of the OSG as a reliable computational facility AND no single occurrence of the event disables substantially all of OSG’s operational Compute Element service for more than two days.”
The OSG security plan describes the security controls (activities, audits, checks, etc) that should be followed to minimize the risks. It includes management (policies, roles and responsibilitites), operational (how people should behave) and technical (how service/machine should behave) controls.
The OSG Security Officer is responsible for coordinating, monitoring, responding to, and supporting the security of the OSG infrastructure. She leads the Security Team; promotes the mechanisms of integrated security management; ensures that the OSG Staff know their responsibilities and implement them; organizes the assessment of the security controls, drawing upon others as necessary to evaluate the operation of the security office itself.
OSG Software coordinator (Alain Roy) and Operations coordinator (Rob Quick) are members of the security team. The Security Officer reports to Executive Director (Ruth Pordes) and the Facility Coordinator (Miron Livny)
Each VO, site, and support center is responsible for its own security. A VO, site or support center has their own security officers and are responsible for providing their own security. For example, each VO and site is expected to have their security policies stated and implemented. OSG does not develop policies or implement them on its member's behalf. The OSG security team helps OSG members by providing examples, templates, services and tools; however, the ultimate responsibility lies with the member entity to ensure its security.
Each VO and site is accountable for its actions in the OSG. They are expected to follow and comply with the OSG policies. A VO is responsible for the behavior of its members. OSG provides access to users due to their membership with a VO and OSG's trust in that VO. When users violates OSG policies, OSG holds the corrsponding VO responsible and may even bar that VO from OSG membership. therefore, it is a VO's responsibility to ensure that their users understand VO and OSG policies when they join the VO.
Likewise, a site is responsible for its resources and services provided to the OSG community. For example, security hygiene of the resources, the due diligence to apply security patches, and cooperating during a security incident are among the site responsibilities. A site not meeting their responsibilities may be barred from OSG membership.
In a nutshell, OSG expects each of its members to comply with the OSG policies and agreements and show due diligence to follow their own security policies. (All of the security policies are listed on Security Policies and procedures table.)
OSG security team carries the responsibility to protect
- core OSG assets and
- help and coordinate OSG members to achieve their own security
- audit and examine OSG membership based on security policies
OSG core assets are owned by OSG and they are services, documents, software stack and procedures that are vital for OSG to perform its functions. The OSG security team monitors and reviews the asset protection (including services and software stack), audits the asset owners, prepares and maintains policies, and maintains operational security. For example, OSG infrastructure (the software stack) is reviewed against vulnerabilities and additional patches or improvements are requested by the security team; the configuration of OSG services are audited by the security team yearly and adjustments are requested.
In order to help OSG members, the security team provides security education, template policies and tools. These tools would help members to maintain their own security.
In addition, the security team develops policies for its members to follow and audits the members on compliance. The security team is responsible for reporting non-compliant behaviors to the executive board
Finally the security team is responsible for maintaining the operational security in OSG. This includes: keeping up-to-date contact information from the members; ensuring the OSG infrastructure allows secure distributed computing across the member institutions; incident response and mitigation; monitoring the activity across member organizations to detect abnormalities; distributing information/help to its members about vulnerabilities and flaws; scanning and testing running services (bot member services and core assets) to measure their security health.
For more information, review the OSG security Plan and this presentation