Changes between Version 1 and Version 2 of CompSec-QSR-2Q2011


Timestamp:
08/05/11 12:37:22
Author:
Adam Slagell
Comment:

--

  • CompSec-QSR-2Q2011

    v1 v2  
    2323
    2424=== A. Activities and findings ===
    25 Primarily, I worked on creating a concept of a clearinghouse and a base policy for its operation. After I had that, I conferred with Aaron Falk of the GPO several times to come to a common conception of the clearinghouse, though we were never far off besides terminology. The multiple version reflect the changing terminology and structure of a clearinghouse as Aaron was getting feedback on his concept from other GENI stakeholders. The changes in terminology where also the reason for the small update to the Operational Security Plan.
     25Primarily, I worked on creating a concept of a clearinghouse and a base policy for its operation. After I had that, I conferred with Aaron Falk of the GPO several times to come to a common conception of the clearinghouse, though we were never far off besides terminology. The multiple versions reflect the changing terminology and structure of a clearinghouse as Aaron was getting feedback on his concept from other GENI stakeholders. The changes in terminology where also the reason for the small update to the Operational Security Plan.
    2626
    27 The overall purpose of the security plan and its basic structure was presented at the GEC 11. Much of it is not actionable until funding for operating a security team is established, though one can still comment on the proposed way to create and run such a team. More immediately, people where asked to comment on the recommendations that came from a risk assessment of GENI. It became apparent that no one had looked at this document even though it was mentioned at the GEC. However, Ted Faber and the GMOC will review it in the near future. The real struggle then will be communicating the ideas in this and the other agreements to all stakeholders as it should impact the current development and operations. This is the perennial problem with creating policies for GENI, especially now since we have multiple tracks and not everyone will see my presentations.
     27The overall purpose of the security plan and its basic structure was presented at the GEC 11. Much of it is not actionable until funding for operating a security team is established, though one can still comment on the proposed way to create and run such a team. More immediately, people where asked to comment on the recommendations that came from a risk assessment of GENI, which are presented at the end of the plan. It became apparent that no one had looked at this document even though it was mentioned at the previous GEC. However, Ted Faber and the GMOC will review it in the near future. The real struggle then will be communicating the important points in this and the other agreements to all stakeholders as it should impact the current development activities and operations. This is the perennial problem with creating policies for GENI, especially now since we have multiple tracks and not everyone will see my presentations.
    2828
    29 There are many details that need to be filled in on the clearinghouse policy. It was hard to get feedback at the short GEC 11 session because it came before the big federation/clearinghouse discussion. Hopefully the clearinghouse conception can solidify in the near future and allow the clearinghouse agreement to be updated. This is unlikely to happen without a prototype implementation and another round of discussions at GEC 12. Therefore, it is probably best to focus on other policies and plans in the interim.
     29There are many details that need to be filled in on the clearinghouse policy. It was hard to get feedback at the short GEC 11 session because it came before the big federation/clearinghouse discussion. Hopefully the clearinghouse conception can solidify in the near future and allow the clearinghouse agreement to progress. This is unlikely to happen without a prototype implementation and another round of discussions at GEC 12. Therefore, it is probably best to focus on other policies and plans in the interim.
    3030
    3131One problematic issue was raised at the GEC 11. Many agreements and plans assume that an activity or problem can be associated with a particular slice and hence slice owner. This is not necessarily true for openflow deployments. It remains to be seen how problematic this will be in practice and whether or not this is a rare exception.
    3232
    33 I believe there should be a shift in focus on the work to be done before the next GEC. Currently, the only thing is a 1.0 version of the Operational Security Plan, but I don't think much remains to be done with that unless there is significant feedback. That seems unlikely, though. Also, it can't really be implemented until there is funding to establish a security team. The clearinghouse agreement could see minor updates as there are lots of small questions that could be answered before the GEC, but I don't see potential for filling in the major questions such as the attributes needed without stronger use cases.
     33I believe there should be a shift in focus on the work to be done before the next GEC. Currently, the only milestone is a 1.0 version of the Operational Security Plan, but I don't think much remains to be done with that unless there is significant feedback. That seems unlikely, though. Also, it can't really be implemented until there is funding to establish a security team. The clearinghouse agreement could see minor updates as there are lots of small questions that could be answered before the GEC, but I don't see potential for filling in the major questions such as the attributes needed without stronger use cases.
    3434
    35 The
     35I believe most work should be focused on the an Acceptable Use Policy (AUP) for new users. An RUP exists, but is missing several key items and uses outdated terminology. Therefore, I propose the following activities during the next trimester:
     36
     37* Create an AUP based off of the RUP, the requirements needed as stated in other recent agreements (e.g., LLR plan and CH policy) and the requirements needed as presented in Aaron's recent federation talk at GEC 11.
     38* Update the clearinghouse policy by answering several of the small unknowns. This will be a minor version number update.
     39* Update the op. sec. plan as feedback is received. This would be a minor version update instead of a 1.0 version as on the SOW.
     40* Continue role as LLR rep. This will likely mean updating the plan based on some feedback I am expecting.
    3641
    3742
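Review bot: Several wording errors survive into v2 of section A and the new text adds one: new line 25 still reads "The changes in terminology where also", new line 27 still reads "people where asked" (both should be "were"), and new line 35 reads "focused on the an Acceptable Use Policy". The new bullet at line 39 also proposes a minor version update of the Operational Security Plan "instead of a 1.0 version as on the SOW", while line 33 still gives the 1.0 version as the only milestone; say explicitly that this is a proposed change to the milestone. RUP and LLR are used at lines 35 to 40 without being expanded.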
     
    4045
    4146=== C. Publications (individual and organizational) ===
    42 The only related publications are the documents we created as the deliverables, specifically "Legal and Law Enforcement Process and Procedure document" and the Operational Security Plan
     47The only related publications are the documents we created as the deliverables, specifically GENI Clearinghouse Policy and the Operational Security Plan
    4348
    4449=== D. Outreach activities ===
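Review bot: New line 47 names the deliverables without the quotation marks the old line used and without a closing period, and it does not say which version of each document is meant. Section A mentions multiple versions of the clearinghouse policy and a small update to the Operational Security Plan, so the version of each and a link to it would make this entry checkable.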
     
    4752=== E. Collaborations ===
    4853
    49 Other collaborations were just conversations and phone calls with other GENI participants (e.g., Steve Schwabb, Ted Faber, Justin Cappos and John-Paul Herron). These were mostly discussions and reviews of the documents and agreements we have been producing.
     54None outside of normal GEC activities and discussions and phone calls with the GPO and other GENI projects.
    5055
    5156
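Review bot: New line 54 opens with "None outside of" and then lists discussions and phone calls with the GPO and other GENI projects, so the sentence reads as if there were no collaborations while describing some. It also drops the named participants from old line 49; if those conversations took place this quarter, keeping the names preserves the record, and section A already names Aaron Falk and Ted Faber.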