wiki:CompSec-QSR-2Q2011

Version 3 (modified by Adam Slagell, 13 years ago) (diff)

--

CompSec Project Status Report

Period: Q1 2010 (Apr 1, 2011 - Jul 29, 2011)

I. Major accomplishments

A. Milestones achieved

We created the following documents

  1. Operational Security Plan v. 0.5.1
  2. GENI Clearinghouse Policy v. 0.1
  3. GENI Clearinghouse Policy v. 0.2
  4. GENI Clearinghouse Policy v. 0.2.1

B. Deliverables made

The milestones were specifically the documents we delivered, as listed above.

II. Description of work performed during last quarter

A. Activities and findings

Primarily, I worked on creating a concept of a clearinghouse and a base policy for its operation. After I had that, I conferred with Aaron Falk of the GPO several times to come to a common conception of the clearinghouse, though we were never far off besides terminology. The multiple versions reflect the changing terminology and structure of a clearinghouse as Aaron was getting feedback on his concept from other GENI stakeholders. The changes in terminology where also the reason for the small update to the Operational Security Plan.

The overall purpose of the security plan and its basic structure was presented at the GEC 11. Much of it is not actionable until funding for operating a security team is established, though one can still comment on the proposed way to create and run such a team. More immediately, people where asked to comment on the recommendations that came from a risk assessment of GENI, which are presented at the end of the plan. It became apparent that no one had looked at this document even though it was mentioned at the previous GEC. However, Ted Faber and the GMOC will review it in the near future. The real struggle then will be communicating the important points in this and the other agreements to all stakeholders as it should impact the current development activities and operations. This is the perennial problem with creating policies for GENI, especially now since we have multiple tracks and not everyone will see my presentations.

There are many details that need to be filled in on the clearinghouse policy. It was hard to get feedback at the short GEC 11 session because it came before the big federation/clearinghouse discussion. Hopefully the clearinghouse conception can solidify in the near future and allow the clearinghouse agreement to progress. This is unlikely to happen without a prototype implementation and another round of discussions at GEC 12. Therefore, it is probably best to focus on other policies and plans in the interim.

One problematic issue was raised at the GEC 11. Many agreements and plans assume that an activity or problem can be associated with a particular slice and hence slice owner. This is not necessarily true for openflow deployments. It remains to be seen how problematic this will be in practice and whether or not this is a rare exception.

I believe there should be a shift in focus on the work to be done before the next GEC. Currently, the only milestone is a 1.0 version of the Operational Security Plan, but I don't think much remains to be done with that unless there is significant feedback. That seems unlikely, though. Also, it can't really be implemented until there is funding to establish a security team. The clearinghouse agreement could see minor updates as there are lots of small questions that could be answered before the GEC, but I don't see potential for filling in the major questions such as the attributes needed without stronger use cases.

I believe most work should be focused on the an Acceptable Use Policy (AUP) for new users. An RUP exists, but is missing several key items and uses outdated terminology. Therefore, I propose the following activities during the next trimester:

  • Create an AUP based off of the RUP, the requirements needed as stated in other recent agreements (e.g., LLR plan and CH policy) and the requirements needed as presented in Aaron's recent federation talk at GEC 11.
  • Update the clearinghouse policy by answering several of the small unknowns. This will be a minor version number update.
  • Update the op. sec. plan as feedback is received. This would be a minor version update instead of a 1.0 version as on the SOW.
  • Continue role as LLR rep. This will likely mean updating the plan based on some feedback I am expecting.

B. Project participants

Adam Slagell

C. Publications (individual and organizational)

The only related publications are the documents we created as the deliverables, specifically GENI Clearinghouse Policy and the Operational Security Plan

D. Outreach activities

There have no been substantial out reach activities beyond those already within the GENI community.

E. Collaborations

None outside of normal GEC activities and discussions and phone calls with the GPO and other GENI projects.

F. Other Contributions

N/A