Security for Open Science

Slides:



Advertisements
Similar presentations
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Advertisements

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
GT 4 Security Goals & Plans Sam Meder
CVRG Presenter Disclosure Information Tahsin Kurc, PhD Center for Comprehensive Informatics Emory University CardioVascular Research Grid Core Infrastructure.
The Anatomy of the Grid: An Integrated View of Grid Architecture Carl Kesselman USC/Information Sciences Institute Ian Foster, Steve Tuecke Argonne National.
FP7-INFRA Enabling Grids for E-sciencE EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.
High Performance Computing Course Notes Grid Computing.
Experience Building and Supporting Secure Ad Hoc Collaborations Deb Agarwal Lawrence Berkeley National Laboratory Ad Hoc Collaboration - Internet2 Fall.
Grid Security. Typical Grid Scenario Users Resources.
Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.
Seminar Grid Computing ‘05 Hui Li Sep 19, Overview Brief Introduction Presentations Projects Remarks.
1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
The DOE Science Grid Computing and Data Infrastructure for Large-Scale Science William Johnston, Lawrence Berkeley National Lab Ray Bair, Pacific Northwest.
A Modest Proposal for an Assertion Validation Service Bob Cowles (SLAC/OSG) 28-Mar-2007 thanks to discussions with Frank Siebenlist, Rachana Ananthakrishnan.
Office of Science U.S. Department of Energy Grids and Portals at NERSC Presented by Steve Chan.
Computing and Data Infrastructure for Large-Scale Science Deploying Production Grids: NASA’s IPG and DOE’s Science Grid William E. Johnston
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
Digital Object Architecture
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University.
Long Term Ecological Research Network Information System LTER Grid Pilot Study LTER Information Manager’s Meeting Montreal, Canada 4-7 August 2005 Mark.
CoG Kit Overview Gregor von Laszewski Keith Jackson.
Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.
A semi autonomic infrastructure to manage non functional properties of a service Pierre de Leusse Panos Periorellis Paul Watson Theo Dimitrakos UK e-Science.
Interoperability Grids, Clouds and Collaboratories Ruth Pordes Executive Director Open Science Grid, Fermilab.
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.
Virtual Workspaces Kate Keahey Argonne National Laboratory.
Ames Research CenterDivision 1 Information Power Grid (IPG) Overview Anthony Lisotta Computer Sciences Corporation NASA Ames May 2,
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
Presented by Scientific Annotation Middleware Software infrastructure to support rich scientific records and the processes that produce them Jens Schwidder.
1 Vulnerability Assessment Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona
GRIDS Center Middleware Overview Sandra Redman Information Technology and Systems Center and Information Technology Research Center National Space Science.
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
SOS August 21, 2006 GGF Security for Open Science Center for Enabling Technology Lead PI - Deb Agarwal, Lawrence Berkeley National Laboratory - Lawrence.
National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.
National Computational Science National Center for Supercomputing Applications National Computational Science Integration of the MyProxy Online Credential.
Security CET September 27, 2006 GGF Security for Open Science Project Lead PI - Deb Agarwal, Lawrence Berkeley National Laboratory - Lawrence Berkeley.
Office of Science U.S. Department of Energy Grid Security at NERSC/LBL Presented by Steve Chan Network, Security and Servers
Security Solutions Rachana Ananthakrishnan University of Chicago.
1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.
Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University
Parag Mhashilkar Computing Division, Fermi National Accelerator Laboratory.
Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
All Hands Meeting 2005 BIRN-CC: Building, Maintaining and Maturing a National Information Infrastructure to Enable and Advance Biomedical Research.
Security Bob Cowles
Cyber Security Issues in HEP and NP Grids Bob Cowles — SLAC NC August 2004.
Open Science Grid Security Issues and Activities Bob Cowles Middleware Security Group – CERN 08 March 2006.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Services for Distributed e-Infrastructure Access Tiziana Ferrari on behalf.
Grid Security Atlas Tier 2 Meeting Bob Cowles August 18, 2006 Work supported by U. S. Department of Energy contract DE-AC03-76SF00515.
Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist.
Copyright © 2006, Oracle. All rights reserved Oracle Web Services Manager.
Accessing the VI-SEEM infrastructure
Von Welch Emerging NCSA Security R&D NSF CyberSecurity Summit September 28th, 2004 Von Welch
OGF PGI – EDGI Security Use Case and Requirements
VIRTUALIZATION & CLOUD COMPUTING
Grid Security.
TeraGrid Plans for Authentication and Authorization Testbed
Collaborations and Interactions with other Projects
THE STEPS TO MANAGE THE GRID
Chapter 19: Building Systems with Assurance
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
NSF Middleware Initiative: GridShib
MyProxy Integration with PubCookie
TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch
A Grid Authorization Model for Science Gateways
IT Management Services Infrastructure Services
Presentation transcript:

Security for Open Science Grid Deployment Board Bob Cowles bob.cowles@slac.stanford.edu September 5, 2006 Work supported by U. S. Department of Energy contract DE-AC03-76SF00515

Security for Open Science Center for Enabling Technology Lead PI - Deb Agarwal, Lawrence Berkeley National Laboratory - Lawrence Berkeley National Laboratory - Brian Tierney, Mary Thompson Argonne National Laboratory - Frank Siebenlist, Ian Foster Pacific Northwest National Laboratory - Jeff Mauth, Deb Frincke University of Illinois, NCSA - Von Welch, Jim Basney University of Virginia - Marty Humphrey University of Wisconsin - Miron Livny, Bart Miller National Energy Research Scientific Computing Center - Howard Walter Energy Science Network - Michael Helm University of Delaware – Martin Swany

Topic Areas Auditing and forensics Dynamic ports in firewalls Services to enable sites, communities, and application scientists to determine precisely who did what, where and when. Dynamic ports in firewalls Services to open and close ports dynamically for applications while enforcing site policy. Identity management Services to seamlessly manage identity and access control across sites and collaborations, and to allow for rapid response to security incidents. Secure middleware Services to proactively find and fix software vulnerabilities and guarantee deployed security software is current and correctly configured.

Auditing/Forensics High-Level Approach: Components An end-to-end auditing infrastructure which uses a policy language to allow resource (both systems and data) owners specify where auditing information may be published and who may access the audit logs. Components Logging software (instrumentation) - Applications call easy-to-use libraries to log events with detailed information. Normalizers– Agents transform existing logs so that they can be incorporated into the common schema of the audit system. Collection sub-system (forwarder) – Audit logs are collected by a dependable, secure collection system. Repository (database, publisher) – Audit logs are sent over the network, normalized, and archived. Then they are made available through a query interface. Forensic tools (analysis) – Forensic tools query and process the audit data to find problems and answer questions.

Firewall Ports High-level Approach: Components Tools and services to dynamically open and close ports needed by applications and middleware based on authentication and authorization Components Configuration Broker maintains the overall state of the firewall configuration for the site, validates user credentials, and verifies that requested actions are consistent with site policy restrictions. Firewall Agent interacts with the existing site firewall systems, receiving direction from the Configuration Broker. The Validation Service receives information about the completed firewall changes and continually analyzes network traffic to insure there are no errors in the firewall configuration. The Programming API is the mechanism for software to make requests to the broker.

Identity Management Near Term Approach: Longer term: Build on existing solutions: VOMS, CAS, GUMS, MyProxy, GSI, OCSP Integrate and deploy, e.g. Deploy OCSP service; client support in GT, MyProxy, etc. VOMS support in GridFTP, MyProxy GUMS callout into GT, MyProxy Longer term: XKMS support to ease configuration management Integrate data access control policy with work on semantic workflows PKCS 11 support Ubiquitous hooks in middleware for site security integration E.g. Kerberos, auditing,

Secure Middleware Problem Approach - steps Grid middleware has become essential to science Security of this infrastructure is an essential consideration Approach - steps Architectural analysis to understand the system level view of a middleware component and its external interactions Identify trust boundaries/threat model to understand the dependencies and areas of concern Component and system analysis of the particular software to understand vulnerabilities Disclosure of results process is handled carefully to allow time for mitigation efforts Mitigation mechanisms to provide means of patching or mitigating the potential security vulnerability

Discussion?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.