Trust Framework for Multi-Domain Authorization. Internet2 Spring Meeting, Arlington, April 25th 2012. Leon Gommans


Trust Framework for Multi-Domain Authorization
Internet2 Spring Meeting, Arlington, April 25th 2012
Leon Gommans, John Vollbrecht
This work is funded by GigaPort3 / Surfnet / Air France - KLM
Building and organising trust amongst a group of service providers and their users

Content
– Introduction
– Evolution AAA Authorization Framework
– What is the problem?
– What we learned from MasterCard
– Service Provider Group concept
– A “GLIF” lookalike as hypothetical example

Questions from the IRTF AAA Arch work
How to organise a service with multiple organisations?
(diagram: a User and an Organisation Group, with the open questions Governance? Agreement? Trust?)

Why are the questions important?
Suppose I want to set up a connection between UvA in Amsterdam and another university or institute. Although possible, setting up connections to any place across the globe is still hard for a scientist (authority, knowledge, payment, etc.).
Can this problem be solved?
– By my network provider on its own? It will be hard, in particular when based on bilateral agreements, different technology standards, policies, fee structures, etc.
– By a network provider as member of a Service Provider Group? We believe it can be.
What is a Service Provider Group? A Service Provider Group (SPG) is an organisation structured to provide a defined service that is only available if its members collaborate.

Imagine how a Network SPG could look
The SPG appears to me as a worldwide connection service such that:
1. The service is provided to me by my local provider acting as SPG agent.
2. I can make connections to places outside my own provider.
3. I trust any connection to work as agreed.
4. I understand the connection characteristics I get.
5. I know the SPG will monitor my connection.
6. I know who to talk to in case of questions or issues.
7. I have an agreed way to deal (financially, operationally) with connection failures.

What does joining a SPG mean for my Network Provider?
1. It allows it to make connections to places outside its own domain.
2. Expands usage by enabling connections by customers from other domains.
3. SPG standards ensure consistency of services between domains.
4. SPG policies define monitoring, debugging and auditing of multi-domain connections.
5. SPG regulations ensure fairness amongst providers: resource treatment, value add, competition, risk, etc.

Why did we study MasterCard as SPG?
Comparison table, columns: eduroam / Skyteam / EGI.eu / MasterCard
Service: WiFi Internet Access / Airport Priorities / E-Science Grid Operation / Payment & Processing
Maturity: (no values survive in the transcript)
Documentation: public / private / public (one value missing)
Members: 36 Federations / 15 Airline Partners / 30 Countries, 300 Data Centres / countries
Risk Involved: Low / Medium / ? / High
Level studied: Detailed / Low / Detailed (one value missing)
Complexity: Low / Medium / High (one value missing)

What does MasterCard do?
Connecting financial institutions, merchants and cardholders with payment processing services. MasterCard allows its member financial institutions to serve merchants and cardholders with a card payment and processing service that is trusted worldwide.

The anatomy of the MC SPG (diagram)
MC Service Provider Group: MasterCard Corporation (Directorate) and Member Banks.
Organisational Level Perspective: the Directorate is rooted in National & International Law, Rules and Regulations; the Member Banks in National Law, Rules and Regulations.
Organisational Distribution of Power Perspective: Legislative, Judicial and Executive (Directorate); Executive, Enforcement and Administration (Member Banks).

Distribution of Power Perspective
MasterCard Corporation (Directorate):
– Legislative: Membership, Service Licenses, Risk Management, Non-compliancy Fees, Chargebacks, Liability, …
– Executive: Enforcement Rules, Licenses, Messages, Reports, Markings, AML, …
– Judicial: Arbitration, Penalties, Appeals, …
Member Banks:
– Membership Agreements, Processes, Monitoring, Fee collection, Appeals, Auditing, …
– Administration: Cardholder Agreement, Merchant Agreement, Disputes, Reports, Auditing, …

CC SPG Level Model (diagram)

Why Users Trust MasterCard (diagram)
User side: Emotional judgement, Rational judgement, Willingness to rely.
MasterCard side: Standards, Rules, Policies and its Enforcement.

Why members trust each other (diagram)
MC Service Provider Group: Member Banks grouped around the MasterCard Corporation; trust between members rests on Reputation and Agreement.

Service Provider Group Characteristics
– A group of member organizations that act together to provide a service none could provide on its own
– To a customer the SPG appears as a single provider
– To members the SPG appears as a collaborative group with standards, rules and policies that are defined and enforced by the group
– SPG has a “Directorate” with Judicial, Legislative and Executive power in and for the SPG
– Customer signs SPG Service Agreement with member
– Member acts as agent for SPG

Three organizational levels
– SPG and Customer
– SPG and customer set up service agreement
– SPG authorizes Service based on agreement and resource availability
– SPG provides Service to consumer
Organization levels provide a framework that puts independent functions in separate levels.

SPG concepts
Directorate provides trust, exercising power in every layer.
Enterprise
– Defines service and service agreements
– Defines policies
Authorization
– Enforces policies
– Assigns providers to service instance
Operation
– Monitors service instances
– Supports customer

GLIF-like Connection Service SPG
Service makes connections between users over multiplexed ports from user to SPG.
Providers are networks and exchanges whose connectivity allows them to make the requested connections.
Work on this kind of project is being done at GLIF, OGF NSI WG, GENI, Mantychore, OpenFlow and more.

Connection SPG - Organization levels
Enterprise
– Defines connection characteristics
– Makes/enforces rules and policy
– Responsible for actions of other levels
Authorization
– Authorizes connection requests
– Assigns providers to requests
– Provisions connection instances
Operation
– Controls physical equipment
– Monitors and reports on each connection instance

GLIF-like Service Provider Group Actors
Members
– Regional and national network providers
– Exchanges [GOLEs]
– Local or commercial networks, perhaps as associate members
– Organizations that authorize users, not necessarily the same as the members providing networks
Customers/Users
– Groups and individuals with a “service agreement” with an SPG member
– Professors, researchers or students at a member's school
– Networks using the SPG to extend their service
Directorate
– Executive direction of SPG
– Provider policy group
– Operation monitoring group

Connection Service SPG Directorate: Enterprise Level Activities
Directorate with Legislative, Judicial and Executive power
– For MasterCard it is “the Corporation”; for GLIF it is tbd
Define membership requirements
Specify common goals as well as resources and capabilities
Define how users relate to members
Funding, security requirements
Establish funding for SPG capabilities
Define connection parameters and service levels
Monitor and enforce member-member rules
Develop and maintain authorization and operation infrastructures and policies
Set up and monitor all SPG infrastructure operations

Trust infrastructure and Connection Transaction (diagram)
Trust Setup - infrastructure; Dynamic connection Transaction.

Authorizing GLIF-like Connections
Customer requests a connection
Directorate algorithm determines how to satisfy a connection request
– Uses topology and policy information
Authorization result
– Approved connection for user
– Provisioning for each participating provider agent
Authorization depends on policy of participating actors

Authorization Transaction
Customer requestor initiates the transaction
Agents trust each other in a level because they trust members
Requestor is authenticated by “home” member
Request is authorized by participating members [tree/chain or a combination may be used]
Successful authorization leads to an “operation provisioning” request
Transaction path is part of the infrastructure set up by the Enterprise level

Authorization Paths (diagrams): Basic Push Model, Basic Pull Model, Basic Agent Model
Transaction Architecture
– Two levels and path between them
– Levels and path can be implemented independently
– Risk analysis needed of each level independently and then as a whole
– Possible to plug and play level infrastructures

Authorization Paths
Risk analysis of paths is part of Trust of SPG
Authorization and Provisioning varies
– Inline (pull) vs out-of-band requests
– Direct (agent) vs Ticket (push)
– Security requirements
Risk and Security analysis supports Trust of SPG
Cost analysis is a financial performance issue, not a trust issue

Level 1 - Operation
Operation agents control networks and exchanges
Operation agents set up connections on direction from the authz level
Operation level monitors connection
– Reports to customer and Directorate

Layer architecture in “Service Provider Organization”
Enterprise Level initiates and maintains service creation infrastructure in Authorization and Operation levels
– Basis of trust in other layers
Authorization Level applies policy to a request
– Policy of SPG and of individual members
– Creates an “approved instance” that is given to Operation level
Operation Level carries out approved instance
– Monitors and reports on instances
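The authorization transaction, the push/agent authorization paths and the separation of the Authorization and Operation levels described above, as an added runnable model that is not part of the slides or of any GLIF/OGF software: the Enterprise level (Directorate) hands Operation agents a ticket key at trust setup, the home member authenticates the requestor, every member on the connection path applies its own policy in either chain or tree order, and the Authorization level emits an HMAC-signed “approved instance”. Operation agents provision only when that instance verifies and names them; whether the customer carries the ticket (push) or the authorization agent hands it over directly (agent) changes nothing in that check. Member names (HomeNet, ExchangeX, RemoteNet), the user, policies and the key are constructed for illustration.

```python
"""Toy three-level SPG authorization transaction (added example, not from the slides).
Enterprise: the Directorate hands Operation agents a ticket key at trust setup.
Authorization: the home member authenticates the requestor, every member on the
path applies its own policy (chain or tree), and the result is a signed "approved
instance". Operation: agents provision only what a valid instance says and never
re-evaluate policy. All names, policies and keys are constructed for illustration.
"""
import hashlib
import hmac
import json

TICKET_KEY = b"constructed-directorate-ticket-key"  # placeholder, distributed at setup

class Member:
    """One SPG member: its own customers and its own connection policy."""
    def __init__(self, name, customers, policy):
        self.name = name
        self.customers = customers  # {user: password}, constructed sample data
        self.policy = policy        # {"max_mbps": int, "peers": set of member names}
    def authenticate(self, user, password):
        """Authentication of the requestor by its home member."""
        return self.customers.get(user) == password
    def authorize(self, request):
        """Apply this member's policy to a request; returns (ok, reason)."""
        if request["mbps"] > self.policy["max_mbps"]:
            return False, f"{self.name}: {request['mbps']} Mbps exceeds cap"
        # A member only carries a connection to/from neighbours it has an agreement with.
        idx = request["path"].index(self.name)
        for neighbour in request["path"][max(0, idx - 1):idx + 2]:
            if neighbour != self.name and neighbour not in self.policy["peers"]:
                return False, f"{self.name}: no agreement with {neighbour}"
        return True, "ok"

class Directorate:
    """Enterprise level (trust setup) plus the Authorization level it operates."""
    def __init__(self, members, ticket_key):
        self.members = {m.name: m for m in members}
        self.ticket_key = ticket_key
    def authorize(self, user, password, home, request, mode="chain"):
        """Return a signed approved instance or raise PermissionError."""
        if not self.members[home].authenticate(user, password):
            raise PermissionError("authentication failed at home member")
        denied = [reason for ok, reason in self._collect(request, mode) if not ok]
        if denied:
            raise PermissionError("; ".join(denied))
        body = json.dumps({"user": user, "home": home, **request}, sort_keys=True)
        tag = hmac.new(self.ticket_key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}
    def _collect(self, request, mode):
        if mode == "tree":  # home agent asks every participating member directly
            return [self.members[n].authorize(request) for n in request["path"]]
        verdicts = []       # chain: members hand the request on; stop at first denial
        for n in request["path"]:
            verdicts.append(self.members[n].authorize(request))
            if not verdicts[-1][0]:
                break
        return verdicts

class OperationAgent:
    """Operation level: verifies the approved instance, then provisions."""
    def __init__(self, member, ticket_key):
        self.member = member
        self.ticket_key = ticket_key
        self.provisioned = []
    def provision(self, ticket):
        expected = hmac.new(self.ticket_key, ticket["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ticket["tag"]):
            return False  # forged or tampered approved instance
        instance = json.loads(ticket["body"])
        if self.member not in instance["path"]:
            return False  # not approved for this provider
        self.provisioned.append((instance["user"], instance["mbps"]))
        return True

def build_spg():
    members = [
        Member("HomeNet", {"alice": "pw-alice"}, {"max_mbps": 10000, "peers": {"ExchangeX"}}),
        Member("ExchangeX", {}, {"max_mbps": 100000, "peers": {"HomeNet", "RemoteNet"}}),
        Member("RemoteNet", {}, {"max_mbps": 1000, "peers": {"ExchangeX"}}),
    ]
    return Directorate(members, TICKET_KEY)

def run_demo():
    """Returns (all_provisioned, forged_accepted, denial_reason)."""
    spg = build_spg()
    request = {"path": ["HomeNet", "ExchangeX", "RemoteNet"], "mbps": 500}
    ticket = spg.authorize("alice", "pw-alice", "HomeNet", request, mode="chain")
    agents = {n: OperationAgent(n, TICKET_KEY) for n in request["path"]}
    all_provisioned = all(agents[n].provision(ticket) for n in request["path"])
    # Altering the instance after authorization breaks the tag, so Operation refuses it.
    forged = dict(ticket, body=ticket["body"].replace('"mbps": 500', '"mbps": 50000'))
    forged_accepted = agents["RemoteNet"].provision(forged)
    try:  # a request above RemoteNet's cap is denied by that member's own policy
        spg.authorize("alice", "pw-alice", "HomeNet", dict(request, mbps=5000), mode="tree")
        denial_reason = None
    except PermissionError as err:
        denial_reason = str(err)
    return all_provisioned, forged_accepted, denial_reason
```

`run_demo()` returns `(True, False, "RemoteNet: 5000 Mbps exceeds cap")`: the in-policy request is provisioned by all three agents, the tampered ticket is refused at the Operation level without any policy evaluation there, and the over-cap request never produces a ticket because RemoteNet's own policy denies it. The chain mode stops at the first denying member, which is the property that makes each path's risk analysable on its own, as the slides argue.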

SPG Conclusions
Enterprise level is needed to establish basic trust relations between members
Trust requires rules, policy, a Directorate [and funding for the Directorate]
Separating Authorization and Operation creates infrastructure that can be analyzed and trusted
Standardized inter-level transaction methods allow risk analysis for each method

Questions you might help with
How does the directorate concept fit the GLIF-like model?
– Is it possible to combine for-profit and not-for-profit organizations?
– What trust is needed, what risks can be taken?
– What rules and policies will need to be in place?
– How does it compare to MC or eduroam?
Is a ticket or token (push) model useful for a connection service?
How does scheduling fit the three-level model?
What is the difference between a user and a member in the connection service?
Others?