Security Clouds

From GridPP Wiki

Previous Work

In 2009 HEPiX created a virtualisation working group. It presented its final report at the Autumn 2013 HEPiX meeting [1].

Outputs include:

  • Endorsement policy [2]
  • Image contextualisation
  • The HEPiX Virtualisation Working Group: Towards a Grid of Clouds (Tony Cass 2012 J. Phys.: Conf. Ser. 396 032020) [3]
  • EGI Security Policy for the Endorsement and Operation of Virtual Machine Images [4]
  • EGI Traceability and Logging Policy [5]

Recommendation by the HEPiX VMG to move future work in this area to the WLCG GDB.

Other work:

  • PCI/DSS Cloud guidelines [6]

Areas to investigate

  • Root access
    • Patching
    • Configuration
    • Privileged ports
    • Device access
    • Filesystem modification (anti-forensics)
    • RAW sockets
    • Configuration management (e.g. Puppet)
  • VM Images
    • Patching
    • Credentials
    • Validation
    • Contextualisation
    • Endorsement delay
  • Policy/Legal
    • JANET connection/security policy
      • The JANET Security Policy refers to
        "JANET(UK) must ensure that the operation of the network is appropriately monitored, that the response to security problems is coordinated, and that temporary or permanent measures are implemented, up to and including disconnection, where necessary to protect the network or to comply with the law"
        and
        "Implementing appropriate measures for giving, controlling and accounting for access to JANET, backed by regular assessments of the risks associated with the measures chosen"
      • JANET is classed as a private network. If JANET were a public network then additional requirements would apply, which
        "may include authenticating users and keeping records of their activity in accordance with the Data Retention (EC Directive) Regulations 2009 as well as protecting the privacy of users in accordance with the Regulation of Investigatory Powers Act 2000 and the Privacy and Electronic Communications (EC Directive) Regulations 2003"
    • UK legislation
    • EU directives (data protection, network information security)
  • New Threats
    • Widespread vulnerability research into underlying cloud technologies
    • Shallower learning curve for attackers
    • Critical potential weak points (management/hypervisor)
  • Incident Response
    • Traceability
    • Monitoring
  • Network
    • IP usage/attribution
    • External firewalling
    • Internal (VM to VM) firewalling