1 of 8

Security Update

Josh Drake

OSG Security Team

OSG Staff Meeting

November 10th, 2021

10 Nov 2021 | OSG Staff Meeting

2 of 8

Q3/4 2021 Review

  • Operations
    • 2 security incidents handled
    • 1 Security Exercise conducted
    • 8 vulnerability announcements sent
    • See the May-November 2021 report for details on the incidents and announcements

  • A handful of moderate- to low-severity vulnerabilities were uncovered by vulnerability scanning
    • Thanks to all teams for quick action on these issues

  • PATh/TrustedCI engagement concluded in July
    • A project plan and a Jira epic have been created to address the engagement's recommendations over the coming 18 months


3 of 8

Q3/4 2021 Review

  • Staffing Changes
    • Mike Stanfield departed IU at the end of June
    • Zalak Shah departed IU at the end of October
    • Josh Drake became new security lead in July
    • Susan Sons and Ryan Kiser rejoined the security team in July
    • Scott Russell (IU, TrustedCI) will be joining the security team for several months to work on policy revisions
    • Currently hiring two new analysts who may be added to the OSG security team


4 of 8

TrustedCI engagement update

  • Conducted a high-level risk assessment
    • Identified critical assets and services for all OSG/PATh areas
    • Conducted interviews with leadership and all area coordinators between June and October
    • Evaluated OSG control sets against the CIS Controls v8 baseline
    • The risk assessment will be discussed in more detail at a later staff call

  • TrustedCI Engagement Report was released in late July

  • Drafted a project plan to address the report's recommendations over the coming 18 months


5 of 8

TrustedCI Recommendations

  • Adopt the Trusted CI Security Framework
    • Realign core security policies with the framework's pillars: Mission Focus, Organizational Governance, Available Resources and Foundational Controls
    • Revise the existing MISPP and Incident Response policies to better reflect the mission of the project and its organizational structure
    • Adopt new policies for secure baseline configuration of OSG infrastructure, containers, authN/authZ, and third-party services/vendors
    • Assess existing controls and adopt a baseline control set for internal and third party services

  • Alignment Project Plan here


6 of 8

Areas of Concern

  • Reliance on third-party vendors and services
    • Largely unavoidable, but controls can be put in place to review and assess vendors/service providers to better catalogue risk

  • Addressing new and evolving workflows
    • Better controls and policies covering containerized workflows, log aggregation, and monitoring


7 of 8

Planning Ahead - Q4

  • Security Exercise Planned for November
    • Examining unauthenticated permissions in Jira and Freshdesk

  • Planning joint exercise with EGI/WLCG

  • Begin revisions to core security policies
    • MISPP
    • IRP

  • Working with software team on a compute node scanning tool for Open Science Pool


8 of 8

Questions?
