Problem statement

Operation of services in all cases, whether locally or centrally deployed and operated, carries security risks for resource providers at WLCG sites. The standard for any service operator is to uphold the security, accountability, and incident response obligations of the host institution (e.g. a WLCG center) and participating research infrastructure (e.g. WLCG or experiments). These obligations need to be articulated in a federated trust model appropriate to operation of distributed service platforms by trusted operations teams.

Charter

The main challenge to be addressed is to document a trust model for centralized service orchestration capability across WLCG centers (“federated operations”) to enable efficient operation of WLCG computing services and innovation of new platforms in support of HL-LHC software development. This Working Group aims to clearly articulate entities and processes which implement such capabilities. The methods and trust relationships will be described in documents (both existing and to be written) such as service level agreements and security policy documents, including security incident response and traceability. The trust model enables delegation of the service operator responsibility by the resource provider.

Timeframe

Complete all deliverables by May 31, 2020.

Contact

e-group and mailing list, wlcg-federated-operations-security-wg@cernNOSPAMPLEASE.ch.

Group membership

The group welcomes any contribution and discussion as long as they focus on the agreed WLCG deliverables and goals stated in this document. The group recognises the value of collaborations with connected communities. Joining the group can be done (pending moderator approval to avoid spam) HERE.

(It is possible to login directly using eduGAIN or a Google account (among others) on the CERN SSO page, without applying for a CERN account.)

Plan for Deliverables (last update: Oct 2019)

  1. [Q4 2019] Survey and organize information about security concerns that stakeholders have with the federated operations model advanced by the SLATE project and by others, including the assurances that resource providers are looking for. Document what those concerns are.
  2. [Q1 2020] Document current SLATE and related technologies, architecture, workflows and operations and how they address the WLCG Security Policies and Trusted CI Framework and identify potential gaps.
    • Establish and confirm the relevant topics in the context of the working group.
      • Draft list include:
      • Incident response
      • Traceability
      • SLA / Security Operations policy
      • TBC
    • WLCG security policies: Evaluate SLATE compliance and areas of work, for each topic, in the context of the WLCG security policies.
    • [Q2 2020?] Trusted CI - SLATE engagement work plan:
      • Status update on SLATE security policies (following the Trusted CI Master Information Security Policy & Procedures template)
      • Initial risk assessment of 5 core SLATE "workflows"
      • Discussion of available container image security scanning tools and their applicability to SLATE
  3. Identify further areas that Federated Operations processes and policies should address, together with any constraints or other concerns associated with each area.
    • Produce a document with these additional areas.
    • Audiences for this documentation are:
      • WLCG resource providers and cybersecurity responsibles
      • Federated operations platform developers, e.g. the software and computing teams of the experiments (e.g. ATLAS Distributed Computing) and R&D teams (e.g. HSF related development, IRIS-HEP, etc.)
      • SLATE and other federated operation project teams
  4. Integrate the outcomes of 1-3 and document the complete set of policies, procedures, and security controls and produce the new Federated Operations trust model document.
  5. Evaluate the new trust model in the context of the existing WLCG Security Policies (http://wlcg.web.cern.ch/security/computer-security). Determine if the new federated trust model can respect these policies and recommend updates as necessary.
  6. Apply the Trusted CI Framework (https://trustedci.org/framework) to the new federated operations model and provide feedback to the Trusted CI organization.
  7. Report concerns, progress, etc at appropriate places:
    • NSF Cybersecurity Summit
    • WLCG Grid Deployment Board meetings
    • Experiment software and computing meetings
    • Relevant conferences such as WLCG Collaboration meetings, HSF, OSG meetings, CHEP, GridPP, PEARC20, etc.

Work timeline and meetings

(ISO 8601 format: YYYY-MM-DD)

WG Documents

  • Stay tuned!

Related Presentations

References


This topic: LCG > WebHome > WLCGFederatedOperationsSecurityWG
Topic revision: r5 - 2020-02-26 - RobertGardner
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright &© 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback