Towards Cloud Federations: what we have; what we want. OGF 31, Taipei, Cloud security session. Jens Jensen, Science and Technology Facilities Council, Rutherford Appleton Laboratory.

Presentation transcript:


contrail-project.eu

Slide 2: Clouds have "normal" security issues
- Protect infrastructure against abuse
- Provider's reputation
- User's data, software, computations
- Users' credentials: loss, level of assurance
- Fabric security
- Open source vs closed source issues

Slide 3: ...and new security issues
- (Often) unknown resource location
- Multitenancy: protect against other users
- VM image security:
  - Stale images
  - Maliciously modified images (or apps)
  - Install/patch window

Slide 4: ...and more new security issues
- Over-allocation of dynamic resources
  - Intentional: scheduling DoS attack (with a stolen account)
  - Unintentional: runaway jobs

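The two over-allocation cases on slide 4 are both bounded by the same kind of control on the provider side: a per-tenant cap on what may be allocated at once (catches a runaway job that keeps asking for more) and a cap on how often the scheduler may be asked (throttles a stolen account before it can starve other tenants). The following is an added example, not code from the slides or the CONTRAIL project; tenant names, quota values and the request trace are constructed for the demonstration, and the audit list stands in for whatever traceability log a real federation would keep.

```python
"""Added example: a minimal resource broker enforcing per-tenant caps on
dynamic allocation (constructed demo, not CONTRAIL code)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class TenantQuota:
    max_units: int          # concurrent capacity units (e.g. vCPUs)
    max_requests: int       # allocation requests allowed per sliding window
    window_seconds: float   # length of the sliding window


@dataclass
class TenantState:
    allocated: int = 0
    recent: deque = field(default_factory=deque)   # timestamps of requests


class ResourceBroker:
    def __init__(self, quotas):
        self.quotas = quotas
        self.state = {name: TenantState() for name in quotas}
        self.audit = []   # (time, tenant, decision, detail): traceability

    def request(self, tenant, units, now):
        """Try to allocate `units` for `tenant` at time `now`.
        Returns (granted, reason)."""
        quota = self.quotas.get(tenant)
        if quota is None:
            return self._decide(now, tenant, False, "unknown tenant")
        st = self.state[tenant]
        # Forget request timestamps that have left the sliding window.
        while st.recent and now - st.recent[0] > quota.window_seconds:
            st.recent.popleft()
        st.recent.append(now)
        if len(st.recent) > quota.max_requests:
            return self._decide(now, tenant, False,
                                "request rate limit (possible scheduling DoS)")
        if st.allocated + units > quota.max_units:
            return self._decide(now, tenant, False,
                                f"capacity cap {quota.max_units} (possible runaway job)")
        st.allocated += units
        return self._decide(now, tenant, True,
                            f"allocated {units}, total {st.allocated}")

    def release(self, tenant, units):
        st = self.state[tenant]
        st.allocated = max(0, st.allocated - units)

    def _decide(self, now, tenant, granted, detail):
        self.audit.append((now, tenant, "grant" if granted else "deny", detail))
        return granted, detail


def run_demo():
    """Constructed trace: one runaway job and one burst from a stolen account."""
    broker = ResourceBroker({
        "alice": TenantQuota(max_units=16, max_requests=5, window_seconds=60),
        "mallory": TenantQuota(max_units=16, max_requests=5, window_seconds=60),
    })
    # Runaway job: asks for 4 more units every 20 s and never releases any.
    runaway = [broker.request("alice", 4, t)[0] for t in (0, 20, 40, 60, 80)]
    # Stolen account: ten requests inside five seconds.
    burst = [broker.request("mallory", 1, 0.5 * i)[0] for i in range(10)]
    denied = [entry for entry in broker.audit if entry[2] == "deny"]
    return runaway, burst, len(denied)


if __name__ == "__main__":
    print(run_demo())
```

The runaway job is stopped by the capacity cap on its fifth request, and the burst is cut off by the rate limit after five requests even though each one is tiny; the denial reasons in the audit list are what an operator would want to see to tell the two cases apart.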
Slide 5: Cloud security vs Grid security?
- In some sense, cloud = grid + elasticity
- Elasticity poses security issues: dynamically created services
- But grids have been there: e.g. WSRF (Web Services Resource Framework)

Slide 6: What is the Federation
- Group of service providers providing "e-infrastructure"
- Coordinated deployment (maybe)
- Agreeing to common policies
- Support framework: internal and user-facing

Slide 7: What is the Federation: the user's view
- Central account
- Single sign-on (in some sense: single login)
- Central accounting of all services
- Enable collaborations
- Traceability of user id
- Intelligent resource selection/scheduling

Slide 8: Accounting
- Resource used
- Billing
- Make use of the user's own account with commercial providers (alternative: hold the user's credit card)

Slide 9: Federation-specific issues
- Policies needed for establishing and maintaining trust in federations
- Higher LoA in authentication?
- Multiple jurisdictions for AAA, support, billing ...
- "Solved" by the Grids: non-trivial; a process, not a single solution (like all security)

Slide 10: Providers: Prepared Protection Prevents Pricy Problems
- Set the bar high enough to keep the bad guys out
  - Some bad guys are more resourceful and determined than others
- Ensure legitimate users can still use the service (the bear/bin problem)
- LoA: higher across national boundaries
  - Usually a single (high) LoA in grids

Slide 11: Practical Problems: the Practitioner Principle
- "Normal" users just want to get their work done
- (High) security gets in the way? The well-known "usability vs security" trade-off
  - (Highlight the (rare?) wins that increase both, e.g. SSO)
- Multiple providers, heterogeneous security
- Multitenancy: ensure service availability

Slide 12: How it works today: e-Infrastructure
- Grid and e-Science infrastructures for authentication: IGTF PKI, Shib + superShib, ...
  - X.509 / RFC 3280 / GFD.125, SAML, OpenID
- Delegation: RFC 3820, SAML, OAuth
- Authorisation: attribute authorities: RFC 3281, SAML (+VOMS)
- Accounting: RUS
- Support: helpdesks escalate top -> national -> institution -> person
- Scalability + resilience (up to a point)

Slide 13: Cloud world
- Passwords, shared secrets
- Vendor support
- Easier security for small users?
- Usability: we can bring grid portals to the cloud
- Grids have mature federations; cloud federations are being developed
- Should clouds target only small users? (How should large users be handled?)

Slide 14: Gaps
- Reuse grid federation infrastructure for federating clouds, without losing lightweightness
- Interoperation of cloud services with grids
- Do IaaS, SaaS and PaaS have different security requirements?
- Is the Grid LoA sufficient? Too high for some cases; maybe too low for others

Slide 15: Authentication into federation
- Base login on existing infrastructures (when this makes sense)
- [Diagram: a federation authentication component (AuC) fed by X.509, Kerberos (K5), LDAP and OpenID backends]

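Slides 12 to 15 describe a federation that reuses existing authentication infrastructures (X.509, Kerberos, LDAP, OpenID) behind one central account, and slide 14 asks whether a single grid-style LoA fits every service. The following added example (not code from the slides or the CONTRAIL project) shows one way the pieces fit together: each backend login yields a session tagged with the backend used and an assumed LoA, account linking maps the backend-local identity onto the federation account, and each service declares the minimum LoA it will accept. The LoA ordering, the HMAC-tagged assertion standing in for an OpenID/SAML-style IdP response, the PBKDF2 password store standing in for LDAP, and the pre-verified DN handed in for X.509 (as an assumed upstream TLS layer would) are all constructed for the demonstration, not any standard's mapping.

```python
"""Added example: federated login over several existing backends with a
per-service minimum LoA (constructed demo, not CONTRAIL code)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Assumed LoA per backend: a constructed ordering, not a standard mapping.
LOA = {"ldap": 1, "openid": 2, "x509": 3}


@dataclass
class Session:
    fed_account: str
    backend: str
    local_id: str
    loa: int
    issued: float


class Federation:
    def __init__(self, idp_secret):
        self.idp_secret = idp_secret   # shared with the constructed IdP
        self.ldap_users = {}           # local_id -> (salt, pbkdf2 digest)
        self.links = {}                # (backend, local_id) -> federation account
        self.policy = {}               # service -> minimum LoA
        self.audit = []                # traceability of user id

    def add_ldap_user(self, local_id, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.ldap_users[local_id] = (salt, digest)

    def link(self, backend, local_id, fed_account):
        self.links[(backend, local_id)] = fed_account

    def require(self, service, min_loa):
        self.policy[service] = min_loa

    def login_ldap(self, local_id, password):
        rec = self.ldap_users.get(local_id)
        if rec is None:
            return self._fail("ldap", local_id)
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(cand, digest):
            return self._fail("ldap", local_id)
        return self._session("ldap", local_id)

    def login_openid(self, subject, expiry, tag):
        """Accept an IdP assertion 'subject|expiry' carrying an HMAC tag
        (constructed stand-in for a signed OpenID/SAML response)."""
        msg = f"{subject}|{expiry}".encode()
        expected = hmac.new(self.idp_secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag) or expiry < time.time():
            return self._fail("openid", subject)
        return self._session("openid", subject)

    def login_x509(self, verified_dn):
        """DN assumed to be validated upstream against the IGTF trust anchors."""
        return self._session("x509", verified_dn)

    def access(self, session, service):
        """Authorise only if the session's LoA meets the service's minimum."""
        ok = session is not None and session.loa >= self.policy.get(service, 1)
        self.audit.append(("access", service, session.fed_account if session else None, ok))
        return ok

    def _session(self, backend, local_id):
        fed = self.links.get((backend, local_id))
        if fed is None:                      # authenticated, but not linked
            return self._fail(backend, local_id)
        self.audit.append(("login", backend, local_id, fed))
        return Session(fed, backend, local_id, LOA[backend], time.time())

    def _fail(self, backend, local_id):
        self.audit.append(("login-failed", backend, local_id, None))
        return None


def demo():
    """Constructed user 'jdoe' linked through all three backends."""
    secret = b"constructed-idp-secret"
    fed = Federation(secret)
    fed.add_ldap_user("jdoe", "correct horse")
    fed.link("ldap", "jdoe", "fed:jdoe")
    fed.link("openid", "https://idp.example/jdoe", "fed:jdoe")
    fed.link("x509", "/DC=org/DC=example/CN=J Doe", "fed:jdoe")
    fed.require("wiki", 1)         # low-value service: a password is enough
    fed.require("vm-launch", 3)    # launching VMs demands the grid-style LoA
    exp = int(time.time()) + 300
    tag = hmac.new(secret, f"https://idp.example/jdoe|{exp}".encode(),
                   hashlib.sha256).hexdigest()
    s_ldap = fed.login_ldap("jdoe", "correct horse")
    s_bad = fed.login_ldap("jdoe", "wrong")
    s_oid = fed.login_openid("https://idp.example/jdoe", exp, tag)
    s_x509 = fed.login_x509("/DC=org/DC=example/CN=J Doe")
    return {
        "bad_password": s_bad,
        "ldap_wiki": fed.access(s_ldap, "wiki"),
        "ldap_vm": fed.access(s_ldap, "vm-launch"),
        "openid_vm": fed.access(s_oid, "vm-launch"),
        "x509_vm": fed.access(s_x509, "vm-launch"),
        "same_account": len({s.fed_account for s in (s_ldap, s_oid, s_x509)}),
    }


if __name__ == "__main__":
    print(demo())
```

All three logins resolve to the same federation account (the central account of slide 7), but only the X.509 session clears the bar for launching VMs, which is the per-service answer to slide 14's "too high for some cases, too low for others": the LoA is recorded on the session and the decision is made where the service is, not once for the whole federation.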
Slide 16: Accounting
- [Diagram: a federation account spanning Amazon, Rackspace, Azure, an OpenNebula resource and, possibly, Grid]

Slide 17: The CONTRAIL project
- Federated cloud access
- SLAs, QoS, QoP
- Fully secured IaaS and PaaS, using formal methods in some cases
- EU funded (11 MEUR, a dozen partners or so), Oct 2010 - Sep 2013

Slide 18: CONTRAIL
- Federated cloud access: single account, with metering, billing, etc.
- Access multiple IaaS and PaaS providers: cloudbursting built in
- Dynamic SLA negotiation, QoS and QoP
- Security as a funded activity
- Case studies have different requirements: media, geographic data, real-time scientific processing, genomics

Slide 19: Contrail issues
- Federate, making use of existing infrastructures; e.g. for authentication: IGTF PKI, Terena Shibboleth super-federation, site SSO?
- Challenge: work with, and interoperate with, other projects
- How to do delegation across multiple backend AuCs
- Support access to multiple service providers
- Need for consistent information from SPs

Slide 20: Conclusion
- We need cloud federation
- We have grid federation
- These are not the same, but there are overlaps
- Align with other projects, interoperate
- Standardise whenever possible