WLCGFederatedOperationsSecurityWG (revision 1)

Problem statement

Operation of services in all cases, whether locally or centrally deployed and operated, carries security risks for resource providers at WLCG sites. The standard for any service operator is to uphold the security, accountability, and incident response obligations of the host institution (e.g. a WLCG center) and participating research infrastructure (e.g. WLCG or experiments). These obligations need to be articulated in a federated trust model appropriate to operation of distributed service platforms by trusted operations teams.


The main challenge to be addressed is to document a trust model for centralized service orchestration capability across WLCG centers (“federated operations”) to enable efficient operation of WLCG computing services and innovation of new platforms in support of HL-LHC software development. This Working Group aims to clearly articulate entities and processes which implement such capabilities. The methods and trust relationships will be described in documents (both existing and to be written) such as service level agreements and security policy documents, including security incident response and traceability. The trust model enables delegation of the service operator responsibility by the resource provider.


Complete all deliverables by May 31, 2020.


e-group and mailing list,

Group membership

The group welcomes any contribution and discussion as long as they focus on the agreed WLCG deliverables and goals stated in this document. The group recognises the value of collaborations with connected communities. Joining the group can be done (pending moderator approval to avoid spam) HERE.

(It is possible to log in directly using eduGAIN or a Google account (among others) on the CERN SSO page, without applying for a CERN account.)

Plan for Deliverables (last update: Oct 2019)

  1. [Q4 2019] Survey and organize information about security concerns that stakeholders have with the federated NoOps model advanced by the SLATE project and by others, including the assurances that resource providers are looking for. Document what those concerns are.
    • Identify survey tool
    • Formulate questions
    • Send to communities noted below
    • Collect, synthesize and summarize survey methodology and results
    • Inform communities of results
  2. [Q1 2020] Document current SLATE and related technologies, architecture, workflows and operations and how they address the WLCG Security Policies and Trusted CI Framework and identify potential gaps.
    • Establish and confirm the relevant topics in the context of the working group.
      • Draft list includes:
        • Incident response
        • Traceability
        • SLA / Security Operations policy
        • TBC
    • WLCG security policies: Evaluate SLATE compliance and areas of work, for each topic, in the context of the WLCG security policies.
    • [Q2 2020?] Trusted CI - SLATE engagement workplan:
      • Status update on SLATE security policies (following the Trusted CI Master Information Security Policy & Procedures template)
      • Initial risk assessment of 5 core SLATE "workflows"
      • Discussion of available container image security scanning tools and their applicability to SLATE
  3. Identify further areas that Federated Operations processes and policies should address, together with any constraints or other concerns associated with each area.
    • Produce a document with these additional areas.
    • Audiences for this documentation are:
      • WLCG resource providers and those responsible for cybersecurity
      • Federated NoOps platform developers, e.g. the software and computing teams of the experiments (e.g. ATLAS Distributed Computing) and R&D teams (e.g. HSF related development, IRIS-HEP, etc.)
      • SLATE and other federated NoOps project teams
  4. Integrate the outcomes of 1-3 and document the complete set of policies, procedures, and security controls and produce the new Federated Operations trust model document.
  5. Evaluate the new trust model in the context of the existing WLCG Security Policies. Determine if the new federated trust model can respect these policies and recommend updates as necessary.
  6. Apply the Trusted CI Framework to the new federated NoOps model and provide feedback to the Trusted CI organization.
  7. Report concerns, progress, etc. at appropriate places:
    • NSF Cybersecurity Summit
    • WLCG Grid Deployment Board meetings
    • Experiment software and computing meetings
    • Relevant conferences such as WLCG Collaboration meetings, HSF, OSG meetings, CHEP, GridPP, PEARC20, etc.

Work timeline and meetings

(ISO 8601 format: YYYY-MM-DD)
  • 2019-11-05: CHEP2019
    • "Towards a NoOps Model for WLCG" -- SLATE presentation and status update
  • 2019-10-15: NSF Cybersecurity Summit
    • Report out during proposed WISE workshop
    • Chris and Rob submitted proposal for plenary talk
    • Have a side meeting to review draft of deliverables 1&2 and highlighted content
  • 2019-09-10: Kick-off meeting to define charter and deliverable
    • Attendees: Jim Basney, Rob Gardner, Kay Avila, John Hover, Romain Wartel, Jeny Teheran, Shawn McKee, Mike Stanfield, Irwin Gaines, Dave Kelsey, Frank W, Lincoln Bryant, Andrew Adams, Stephane Jezequel, Joe Breen, David Crooks, Vlad Grigorescu, Vincent Brillault, Brian Bockelman, Chris Weaver
  • 2019-07-16: Initial discussion: “We need a WG”
    • Attendees: Chris Weaver, Dave Kelsey, Frank Wuerthwein, Igor Sfiligoi, Jim Basney, Johannes Elmsheuser, Lincoln Bryant, Nikolai Hartmann, Paul Millar, Robert Gardner, Romain Wartel, Petr Vokac, Tom Barton, Stephane Jezequel, Shawn McKee, Vincent Brillault, Brian Bockelman, Xavier Espinal, Elizabeth Sexton-Kennedy

WG Documents

  • Stay tuned!

Related Presentations


Topic revision: r1 - 2019-12-13 - RomainWartel