Token Trust & Traceability WG

Timezone: Europe/Zurich

Fortnightly for the risk assessment season.

Zoom Meeting ID: 64974356171
Host: Matthew Steven Doidge

https://codimd.web.cern.ch/nPsSdd5SQnC7rY-phglSfg?view

# TTT Meeting 11/7/25
#### "Bonus" meeting progressing risk work

Attending: Matt, Linda, DaveK, Maarten, DaveD, Jens, Luna  
Apologies: Mischa, DavidC

## Since Last Meeting
* Linda shared EGI Cloud and WISE risk assessments as further examples  

## Risk Discussion - Workflows and Ranges
ML - has added TR-7 to the sheet  
Current mitigations need filling out - perhaps some from the last column are in the previous column.  
Areas of most concern?  
Jens - Bearer tokens being passed around, finding minimum privilege is difficult.  
ML - some of these horizontal bands will need to be sub-divided, as dependent on workflows, and different workflows will also have different mitigations.  
Would we (for example) create 3a/3b/3c  
Hopefully the current 7 cases are mostly orthogonal  
DK - one way to deal with it is a separate sheet for each line.  
ML - one problem solved, separate sheets.  
Luna - feel free to add sheets in, wonders at the slight lack of input  
ML - need to know risks, then start weighting them  
MD - thinks that some issues are from being in a pre-production phase, "maximal scopes etc"  
ML - not the case in most places  
Luna - this is an example of us needing to be sure.  
ML - need to find out how potential damage is mitigated. Can serve as examples for others to follow.  
Technologies are proven, others can follow suit (and at least not do any worse).  
Again very much tied to workflows, e.g. Production (robots), Users  
DD - we have limit by roles  
ML - need to refer others to this  

Next sheet would be dedicated to workflows. Will send email to WG that there is more material there for comment.  

DK - Have we defined ranges?  
1-3, 1-4, 1-5? Discussed WISE using 1-4 to avoid the middle ground.  
ML - good to have medium (3)  
LC - some preference for 1-5  

Stick to 1-5.  
Need to write this down in a table.  
Use the WISE format, but for likelihood have 5 as "monthly"  
https://wiki.geant.org/display/WISE/RAW-WG?preview=/53773456/84476186/WISE_Risk_Management_Template_Instructions_v1.1.pdf  

Use similar for Impact.  

Once we have a spreadsheet we would have copies and fill them in independently, then compare and look for variance.  

Add a second page for workflows for next meeting. Then start on risk assessment.  

What would we do if we don't have an idea of a risk? Leave blank or give average?  
Thinking to leave it blank, and can add later on.  

DC - mentions heathrow risk register  
ML - for a previous assessment looked at all the high impact risks. DC - But high enough wants mitigation.  
MD - If enough of us leave something blank that's a data point in and of itself  

ML - will need to pull in a few experts  
JJ - some differences expected, between for example SKA and WLCG  
ML - more for the second sheet, to account for potential differences/risks/mitigations.  
DK - opinions of experts ("insiders") might differ from us  
ML - invite people "close to the fire" in a workflow, panda, rucio etc  

ML - different VOs also do something differently. But won't have tonnes of workflows.  

ML - hopes "sheet 2" won't get too messy, only needing to single out a few peculiar flows.  
This will be added to the TokenTF who will be adding operational risks and their mitigation strategies.  

ML - volunteers to start second sheet  
Notes differences between ATLAS and CMS TPC as an example of separate lines on the sheet.  
Can write something for multiple VOs.  
User workflows - jobs, get data, not much more.  
Some of these will be "multiplied by N", but not every experiment is unique - e.g. ATLAS and LHCb likely to TPC the same  

DK - a sheet for each line?  
Luna - agrees with David, a sheet per TR?  

ML - maybe TR-4 would be a better start then -3  
Need to avoid unnecessary duplications  

Second sheet could have workflows, and indicate which of the TRs there is an implication for.  

Maarten will make a start and indicate how worried we are?  

Once we have some meat we can decide between us if we're sufficiently happy and take it from there.  

Also can add to description. Remember the description sheet.  

ML - will need to provide details into a document (as with the WLCG and others)  
Would like to end up with something "nicely spelled out" with one short section per box.  

## Next steps
Maarten will start on the workflow "second sheet"  
Matt will add "ratings" to the google doc with what was decided today.  
Others encouraged to share ideas on the list.  

## AOB/Next meeting
* Next meeting 15.00 CET on Tuesday 22nd July (usual slot) - https://indico.cern.ch/event/1566580/

## Agenda
* 16:00-16:05 Actions, Since Last Meeting (5m)
* 16:05-16:30 Discussion: Risk Analysis - first principles (25m)  
  Inspiration may be taken from these assessments from EGEE and WLCG done many years ago:
* 16:30-16:55 Discussion (25m)  
  https://github.com/TTT-WG/TTT-WG/issues
* 16:55-17:00 AOB, next meeting (5m)  
  Usual time for next meeting, Tuesday 22nd July?