Usable Security for Science: Challenges and Next Steps. Jens Jensen, Science and Technology Facilities Council. Trust and Security 2nd Workshop, Oxford, 8-9 May 2008.
This Talk…
- Is about security – practical security
- Mainly from the service provider’s view
- Broader view rather than narrow tech
- Mostly about AAA, in line with the workshop’s theme
- Tried to be provocative now and then

Large-scale science facilities with users across the world. (All images © STFC)

…all areas of science
- Biology and medicine
- Space
- Earth
- Materials
- Physics
- Arts and humanities
- Environment and energy
- …
- Technology
- Chemistry

Why Security?
- Protect our infrastructure (and users’ data)
- Enforce allocations
- Accounting for resource use
- Track resource misuse
- Peering – across UK, Europe, World

Practical Aspects
- Most technology is experimental
- One standard, several implementations: Java library implementation, C/C++ library implementation, … a third implementation

Practical Aspects
- A spec alone is useless... (without implementations)
- Java (alone) is useless
- C can be linked into everything (almost)
  - Perl, Python, …
- Need >2 independent implementations
  - Interoperating!!
- Usable licence

Practical Aspects
- Standards are very important
- Sometimes there are too many

Practical Aspects
- Like traffic (sort of)
- Technology, Grids: it’s experimental
- Never ever just trust the standard

What we have for AuC (authentication)
- Site security – physical (people, doors, access cards, keys)
- Site computing – Active Directory
- e-Science CA (IGTF/X.509)
- Shibboleth
- Credential conversion (later in talk)

Whose?
- Developer
- Service provider
- Sysadmin
- Supporter
- Accounting
- Facility provider
- User office
- Granting body
- PI
- End user

Dimensions
- Time (user’s)
- Time (ours)
- Space (geo)
- Financial/resources
- Ease of use
- Assurance
- Trust
- End to end (user to system)

Users’ timeline
- Interest in proposal → Registration → Authorisation → Science! → Termination (or not?)
- Weak AuC → Stronger AuC → state of AuC?

Organisation Timeline
- Preserving data, curation
- Technology migration
- Lower costs…

Integrated Account Management
- Fed by User Offices and HR
- Staff, Visitor, Agency staff, External
- Diamond? Other STFC sites, PPARC/CCLRC

Usability for users
- Should be like a duck
- Who moves across the pond
- Paddling of feet unseen

Usability for service provider
- Let the good guys in
- Keep the bad guys out
- Minimal support requirements

How we achieve (some of) it: Credential Conversion
- Scientist wishes to do work
- Logs in
- Uses resource

Account mgmt and AuZ (authorisation)
- Site single sign-on databases (connected): fedId, DN, resource username
- Granting access to resources (AuZ)
- Single account management
  - Also holds customers – e.g. beamline scientists
- Adding more resources

Example Resource: SCARF cluster
- External users use certificates
- All staff have a default SSO account
  - Temporary, limited, recyclable accounts
- Staff can apply for a permanent account
- License management for all users
  - Commercial libraries
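The account-management and SCARF slides describe one connected site record per person, reachable by federated ID, DN or resource username, group-based access decisions per resource, and temporary recyclable accounts that are handed out and taken back. The following is an added example written for this page, not STFC's code, that models that in Go: a Directory maps every identifier to a single Account, answers the AuZ question ("which local username, if any, on this resource?"), leases temporary logins from a pool, refuses them once expired and reclaims them so the next visitor starts clean. The type names, the injectable clock, the `scarf-users` group and the sample identifiers are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Account is the single site record that every identifier (federated ID, X.509
// DN, ...) resolves to; Login is the username used on the resource.
type Account struct {
	Login   string
	Groups  map[string]bool
	Expires time.Time // zero for a permanent account
	ids     []string  // identifiers linked to this account, for unlinking
}

// Directory ties the connected SSO databases together: identifier -> account,
// resource -> required group, plus a recyclable pool of temporary logins.
type Directory struct {
	byID, byLogin map[string]*Account
	Resources     map[string]string // resource -> required group (constructed)
	Free          []string          // temporary logins not currently leased
	now           func() time.Time  // injectable clock so expiry is testable
}

func NewDirectory(now func() time.Time, resources map[string]string, pool ...string) *Directory {
	return &Directory{byID: map[string]*Account{}, byLogin: map[string]*Account{},
		Resources: resources, Free: pool, now: now}
}

// Add registers an account (permanent if expires is zero) under its login and
// under every identifier that should resolve to it.
func (d *Directory) Add(login string, expires time.Time, ids []string, groups ...string) *Account {
	acc := &Account{Login: login, Expires: expires, ids: ids, Groups: map[string]bool{}}
	for _, g := range groups {
		acc.Groups[g] = true
	}
	for _, id := range ids {
		d.byID[id] = acc
	}
	d.byLogin[login] = acc
	return acc
}

// LeaseTemporary hands a recyclable login to an identifier with no account yet.
func (d *Directory) LeaseTemporary(id string, lifetime time.Duration, groups ...string) (*Account, error) {
	if _, err := d.Resolve(id); err == nil {
		return nil, errors.New("identifier already has an account")
	}
	if len(d.Free) == 0 {
		return nil, errors.New("no temporary accounts free")
	}
	login := d.Free[0]
	d.Free = d.Free[1:]
	return d.Add(login, d.now().Add(lifetime), []string{id}, groups...), nil
}

// Resolve finds the account behind a presented identifier, refusing expired ones.
func (d *Directory) Resolve(id string) (*Account, error) {
	acc := d.byID[id]
	if acc == nil {
		return nil, errors.New("unknown identifier")
	}
	if !acc.Expires.IsZero() && !d.now().Before(acc.Expires) {
		return nil, errors.New("temporary account has expired")
	}
	return acc, nil
}

// Authorize is the AuZ decision: which local username may this identifier use
// on this resource? An error means no access (unknown resource included).
func (d *Directory) Authorize(id, resource string) (string, error) {
	acc, err := d.Resolve(id)
	if err != nil {
		return "", err
	}
	if group := d.Resources[resource]; group == "" || !acc.Groups[group] {
		return "", fmt.Errorf("%s may not use %s", acc.Login, resource)
	}
	return acc.Login, nil
}

// Reclaim returns expired temporary logins to the pool and unlinks their
// identifiers, so a recycled login starts clean for the next visitor.
func (d *Directory) Reclaim() []string {
	var reclaimed []string
	for login, acc := range d.byLogin {
		if acc.Expires.IsZero() || d.now().Before(acc.Expires) {
			continue
		}
		delete(d.byLogin, login)
		for _, id := range acc.ids {
			delete(d.byID, id)
		}
		d.Free = append(d.Free, login)
		reclaimed = append(reclaimed, login)
	}
	return reclaimed
}
```

Two design choices carry the slide's point: a temporary account is refused at Resolve time once it has expired, not only at a periodic cleanup, and Reclaim removes the identifier links before the login goes back into the pool, so a recycled username cannot be reached through a previous visitor's federated ID or DN.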

MyProxy for CC
- Grids (NGS, gLite/GridPP, SRB)
- Kerberos or Active Directory
- Users do not see the certificate – it's all managed behind the scenes (duck paddling)

Applications integrated security
- We adapt science applications to use the Grid
- End to end
- Interfaces to security infrastructure
- Often security is added only as necessary?
  - Imposed by Grid infrastructure

Shib for CC
- Password → Shibboleth → Resource access
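The credential-conversion slides (MyProxy for CC, Shib for CC) share one idea: the user logs in with the credential they already have, and the X.509 certificate the Grid side needs is produced and used behind the scenes, with a short lifetime so the user never handles a long-lived key. The following is an added example written for this page, not STFC's, MyProxy's or Shibboleth's code, using only Go's standard crypto/x509: a Converter holds an online CA key and a registry mapping site accounts to DNs, issues a short-lived certificate for an account the site is assumed to have already authenticated (Kerberos, AD or a Shibboleth assertion are all out of scope here), and a resource verifies the chain at a given time. The 12-hour cap, the CA name, the DN registry and the sample account are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// MaxLifetime caps what the converter will issue (constructed policy value).
const MaxLifetime = 12 * time.Hour

// Converter plays the part MyProxy plays in the talk: behind the site login,
// it turns an authenticated account into a short-lived X.509 credential.
type Converter struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	dnFor  map[string]pkix.Name // site account -> Grid DN (constructed registry)
}

// NewConverter creates a self-signed online CA. Constructed for this example.
func NewConverter() (*Converter, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Country: []string{"UK"}, Organization: []string{"example-site"}, CommonName: "Example Online CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Converter{caCert: cert, caKey: key, dnFor: map[string]pkix.Name{}}, nil
}

// Register links a site account (what the user logs in with) to the DN the
// Grid side expects to see.
func (c *Converter) Register(account, country, org, commonName string) {
	c.dnFor[account] = pkix.Name{Country: []string{country}, Organization: []string{org}, CommonName: commonName}
}

// Convert is called after the site has authenticated `account` (assumed done
// by Kerberos/AD/Shibboleth). It returns a fresh key and a short-lived cert.
func (c *Converter) Convert(account string, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	dn, ok := c.dnFor[account]
	if !ok {
		return nil, nil, errors.New("no DN registered for site account")
	}
	if lifetime <= 0 || lifetime > MaxLifetime {
		return nil, nil, errors.New("requested lifetime outside policy")
	}
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      dn,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.caCert, &userKey.PublicKey, c.caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, userKey, err
}

// Verify is what a resource does with the presented certificate: chain it to
// the online CA and check it is valid at time `at` for client authentication.
func (c *Converter) Verify(cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

The user-facing flow is the three lines of the earlier slide (wishes to work, logs in, uses resource); everything in Convert happens between the second and third step without the user seeing a certificate. The lifetime cap and the fresh per-conversion key are what make the hidden credential cheap to lose: a resource checking the chain at a later time rejects it outright.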

NGS
- Deploy production services for Grids
- SARoNGS – Jan 07 – Jan 08 for NGS
  - Integrate ShibGrid and SHEBANGS
  - Shibboleth access with VO attrs from VOMS

NGS e-Science CA: accepted internationally
- High assurance level
- Works because everybody in the world is on the same level
- Robots for automated services (or portals)
- Not necessarily needed for normal users?

Why does it work?
- Interoperable
- Standards based
- Tested!

Er, what was the question again? How important is usability for my users?
- Very
- More for some than for others
  - Health workers seem to have particular difficulties
  - Physicists are more hardy folk

…Usability? Security… …a necessary evil?

Experiences
- Usable security…
- …satisfying user and site requirements…
- …makes happy(er) and productive users

…And the second question? Usability and interoperability?
- Interoperability improves reusability
- Reusable means more versatile
- Improves usability

…And the final question? What we learn from other communities?
- Pick usable components for reuse
- Build on experiences
- Deploy services for other communities
  - Try to adapt what they already have

Don’t reinvent the… But did they want this? Or this?

Final words (promise)
- Aim to meet user and site requirements
- Build on stuff that works (or build stuff that works…)
- Users don’t always know what they want
- Don’t forget, it’s an experimental science – across all dimensions