wiki:CompSec-QSR-2Q2010

Version 1 (modified by Adam Slagell, 9 years ago) (diff)

--

CompSec Project Status Report

Period: Q1 2010 (Apr 1–Jun 30, 2010)

I. Major accomplishments

A. Milestones achieved

We reworked the SOW to meet evolving GENI needs

We created the following documents

  1. Threat & Vulnerability Report v0.1;

B. Deliverables made

The milestones were specifically the documents we delivered, as listed above.

II. Description of work performed during last quarter

A. Activities and findings

Our first activity was addressing feedback from the GPO on the Asset Valuation and Risk Assessment report. Next, we worked for a couple weeks negotiating a new SOW.

After we reworked the SOW in April, we quickly began the work on the threat and vulnerability report due at the end of May. This was focused mostly upon the major build-outs in Spiral 2 (OpenFlow and WiMAX). The first couple weeks were spent understanding those projects and activities in detail.

After that, we developed a list of potential threat agents to GENI and highlighted those we determined most applicable to an organization like the GENI federation. For each of these threat agents we described their likely motivations and capabilities.

Most of the work was then identifying specific threats and categorizing them. For each threat we identified the vulnerabilities that could be exploited to realize the threat, the types of threat agents that would likely perpetrate such a threat, the assets that such a threat would most directly affect and potential countermeasures that could be employed to deter or mitigate such threats. Lastly, we identified several threats that we will have to investigate in the future as we broaden the scope from just WiMAX and OpenFlow.

Next we worked on two documents in parallel during the month of June: The aggregate Provider Agreement and the Interim Operational Security Plan. Both required initial exploration of what other communities had done for these (e.g., Open Science Grid, TeraGrid, Planetlab & Emulab). The Operational Security Plan drew heavily from the plans from OSG, which is the federation we found most similar to GENI. Of course, it had to be adapted significantly for GENI, and it had to address the specific threats to GENI that we identified in the previous milestone.

The aggregate provider agreement was more egalitarian. While a lot of the ideas came from these other communities, and discussions with people about the shortcomings of these agreements in other communities, it had to be changed dramatically for GENI. Further, it drew as much from OSG as it did from Teragrid and Planetlab.

B. Project participants

Adam Slagell

C. Publications (individual and organizational)

The only related publications are the documents we created as the deliverables, specifically the Threat & Vulnerability Report for Milestone 4.

D. Outreach activities

There have no been substantial out reach activities beyond those already within the GENI community.

E. Collaborations

Other collaborations were just conversations and phone calls with other GENI participants (e.g., Steve Schwabb and John-Paul Herron). These were mostly discussions about operational security, identity managment and the emergency stop procedures

F. Other Contributions

N/A