GT 4 Security Goals & Plans Sam Meder

The Ultimate Goal
- Enable secure cross-organizational interactions
  - Least privilege rights delegation
  - Support for multiple mechanisms -> translation
  - Virtual Organization security fabric
    - Membership
    - Policy
    - etc.
  - …

Multi-Institution Issues (diagram): two domains, Domain A (with Sub-Domain A1) and Domain B (with Sub-Domain B1), each with its own Certification Authority and Policy Authority; Servers X and Y; a Task spanning the domains. Labels: Trust Mismatch, Mechanism Mismatch, No Cross-Domain Trust.

Why Grid Security is Hard
- Resources being used may be valuable & the problems being solved sensitive
  - Both users and resources need to be careful
- Dynamic formation and management of virtual organizations (VOs)
  - Large, dynamic, unpredictable…
- VO resources and users are often located in distinct administrative domains
  - Can't assume cross-organizational trust agreements
  - Different mechanisms & credentials
    - X.509 vs Kerberos, SSL vs GSSAPI, X.509 vs. X.509 (different domains)
    - X.509 attribute certs vs SAML assertions

Why Grid Security is Hard…
- Interactions are not just client/server, but service-to-service on behalf of the user
  - Requires delegation of rights by user to service
  - Services may be dynamically instantiated
- Standardization of interfaces to allow for discovery, negotiation and use
- Implementation must be broadly available & applicable
  - Standard, well-tested, well-understood protocols; integrated with a wide variety of tools
- Policies from sites, VOs and users need to be combined
  - Varying formats
- Want to hide as much as possible from applications!

The Grid Trust solution
- Instead of setting up trust relationships at the organizational level (lots of overhead, possible legalities - expensive!), set up trust at the user/resource level
- Virtual Organizations (VOs) for multi-user collaborations
  - Federate through mutually trusted services
  - Local policy authorities rule
- Users able to set up dynamic trust domains
  - Personal collection of resources working together based on trust of user

Grid Solution: Use Virtual Organization as Bridge (diagram): Certification Domain A (with a GSI Certification Authority) and Sub-Domain B1 (with its own Authority) are joined into a Virtual Organization Domain through a Federation Service; label: No Cross-Domain Trust between the original domains.

Effective Policy Governing Access Within A Collaboration

Use Delegation to Establish Dynamic Distributed System (diagram; labels: Compute Center, VO Rights, Compute Center Service).

Goal is to do this with arbitrary mechanisms (diagram: the same Compute Center / VO Rights / Compute Center Service picture, with the mechanism at each step labelled: Kerberos/WS-Security, X.509/SSL, SAML Attribute, X.509 AC).

Security of Grid Brokering Services
- It is expected that brokers will handle resource coordination for users
- Each organization enforces its own access policy
- User needs to delegate rights to the broker, which may need to delegate to services
- QoS/QoP negotiation and multi-level delegation

Propagation of Requester's Rights through Job Scheduling and Submission Process
- Dynamically limit the delegated rights further as job specifics become clear
- Trust parties downstream to limit rights for you… or let them come back with job specifics such that you can limit them
- Virtualization complicates least privilege delegation of rights
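The multi-level delegation described on the brokering and propagation slides, as an added toy model that is not from the slides or from GT4: each hop in a user -> broker -> scheduler -> service chain may only narrow the rights and lifetime it received, so the rights usable at the end are the intersection along the chain. Right names and the chain shape are constructed for illustration.

```python
# Added example, not from Sam Meder's slides or GT4: a toy model of least-privilege,
# multi-level delegation along a job submission chain (user -> broker -> scheduler
# -> service). Each hop may only narrow the rights and lifetime it received, so the
# rights usable at the end are the intersection along the chain. Right names and
# the chain shape are constructed for illustration.

def delegate(chain, holder, grants, lifetime):
    """Append a hop to the chain; refuse a hop that widens rights or lifetime."""
    grants = frozenset(grants)
    if chain:
        _, prev_grants, prev_life = chain[-1]
        extra = grants - prev_grants
        if extra:
            raise ValueError("%s may not be granted %s" % (holder, sorted(extra)))
        if lifetime > prev_life:
            raise ValueError("%s may not extend lifetime past %ds" % (holder, prev_life))
    return chain + [(holder, grants, lifetime)]

def verify_chain(chain):
    """Re-check a received chain (e.g. at the final service): every hop must be a
    subset of its issuer's hop.  False means rights were widened somewhere."""
    for (_, g_prev, l_prev), (_, g, l) in zip(chain, chain[1:]):
        if not g <= g_prev or l > l_prev:
            return False
    return bool(chain)

def effective_rights(chain):
    """(rights, lifetime) actually exercisable at the end of a valid chain."""
    if not verify_chain(chain):
        raise ValueError("invalid delegation chain")
    grants = frozenset.intersection(*(g for _, g, _ in chain))
    return grants, min(l for _, _, l in chain)

def example_chain():
    # Constructed scenario: the user cannot yet know which compute center the broker
    # will pick, so the broker gets rights for both (with a shorter lifetime); once
    # the job is scheduled on center A the rights are narrowed to what that job needs.
    user = {("submit", "compute-center-A"), ("submit", "compute-center-B"),
            ("read", "/data/climate")}
    chain = delegate([], "user", user, 12 * 3600)
    chain = delegate(chain, "broker", user, 2 * 3600)
    chain = delegate(chain, "scheduler",
                     {("submit", "compute-center-A"), ("read", "/data/climate")}, 2 * 3600)
    return delegate(chain, "service@compute-center-A", {("read", "/data/climate")}, 1800)

def widened_chain():
    """A chain in which a downstream party claims a right it was never given."""
    return example_chain() + [("rogue", frozenset({("write", "/data/climate")}), 600)]
```

Receiving services should run `verify_chain` on what they are handed, since a chain built only by cooperating `delegate` calls cannot be widened but a forged one can.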

Grid Security must address…
- Trust between resources without organization support
- Bridging differences between mechanisms
  - Authentication, assertions, policy…
- Allow for controlled sharing of resources
  - Delegation from site to VO
- Allow for coordination of shared resources
  - Delegation from VO to users, users to resources
- …all with dynamic, distributed user communities and least privilege.

Functional Capabilities
- Authentication service: An authentication service is concerned with verifying proof of an asserted identity.
- Identity mapping service: The identity mapping service provides the capability of transforming an identity that exists in one identity domain into an identity within another identity domain.
- Authorization service: The authorization service is concerned with resolving a policy-based access control decision.
- Credential conversion service: The credential conversion service converts one type of credential into another type or form of credential.
- Audit service: The audit service is responsible for producing records that track security-relevant events.
- Profile service: The profile service is concerned with managing service requestors' preferences and data which may not be directly consumed by the authorization service.
- Privacy service: The privacy service is primarily concerned with the policy-driven classification of personally identifiable information (PII).
- VO policy service: The VO policy service is concerned with the management of policies.
- …

Security Components

Grid Security Services call-outs

Grid Security Services with VO

Interaction with other Grid Services
- All Grid services layered on Security Services
  - All interactions are subject to policy enforcement
- Grid Security Services leverage other Services
  - Use of registries/databases/QoS/discovery/migration/meta-data-publication/fail-over/mirroring/provisioning/etc.
- Security policy derived from higher level agreements
  - Enforcement is a means to meet business objectives
- New agreements subject to governing security policy
  - Existing access restrictions override any new agreement
Security Services cannot be seen in isolation!

GT 4 (3.9.2) Existing Features
- Authentication
  - GSI Secure Message
    - Based on earlier WS-Security draft
    - Support for signing and encrypting using X.509 certificates and X.509 Proxy Certificates
    - Per message
  - GSI Secure Conversation
    - Based on proprietary protocol (predates WS-SecureConversation)
    - GSSAPI
      - SSL + delegation + proxy certificates
      - (Kerberos)
    - Session based

GT 4 (3.9.2) Existing Features
- Authorization
  - Host
  - Self
  - Identity
  - Gridmap
  - Custom
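The Gridmap authorization mode listed above, which is also the concrete form of the identity mapping service from the Functional Capabilities slide (X.509 DN -> local account), as an added example that is not GT4's own code. The parser follows the Globus gridmap-file format (one line per subject: a double-quoted DN followed by one or more comma-separated local accounts, the first being the default); the file contents are constructed.

```python
# Added example, not GT4's own code: the slide's "Gridmap" authorization mode,
# which doubles as the identity mapping service from the Functional Capabilities
# slide (X.509 DN -> local account).  The parser follows the Globus gridmap-file
# format: one line per subject, a double-quoted DN followed by one or more
# comma-separated local accounts, the first being the default.  File contents here
# are constructed.
import shlex

GRIDMAP = '''# constructed sample gridmap file
"/C=US/O=Example Grid/OU=Lab/CN=Alice Example" alice
"/C=US/O=Example Grid/OU=Lab/CN=Bob Example" bob,gridusers
'''

def parse_gridmap(text):
    """Return {dn: [accounts...]}; malformed lines raise rather than silently map."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # keeps the quoted DN (with spaces) as one token
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError('gridmap line %d: expected "DN" account[,account...]' % lineno)
        dn, accounts = parts
        accounts = [a for a in accounts.split(",") if a]
        if not accounts or dn in mapping:
            raise ValueError("gridmap line %d: empty account list or duplicate DN" % lineno)
        mapping[dn] = accounts
    return mapping

def gridmap_authorize(mapping, dn, requested_account=None):
    """Decide for an authenticated subject: return the local account to act as,
    or None to deny.  Without a requested account the default (first) one is used;
    a requested account is honoured only if the DN is mapped to it."""
    accounts = mapping.get(dn)
    if accounts is None:
        return None                        # unknown subject: not in gridmap, deny
    if requested_account is None:
        return accounts[0]
    return requested_account if requested_account in accounts else None
```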

GT 4 Plans - Authentication
- Move to WSS4J
  - Web Services Security 1.0
  - WS-I Basic Security Profile
  - Support for Username/Password
- Move to WS-Trust/WS-SecureConversation
  - Make GSI Secure Conversation compliant with latest drafts
- (Introduce secure Username/Password session protocol (based on AuthA))
- (https – XML Security performance…)

GT 4 Plans - Delegation
- Delegation Service
  - Using WSRF
    - Delegated credentials modeled as resources
    - Lifetime management using WS-ResourceLifetime
  - Allows decoupling of delegation from authentication
  - No problem with WS-I Basic Security Profile
  - Pushes delegation handling to application level
    - Requires modification of application protocol

GT 4 Plans - Authorization
- CAS WSRF port
- Integration of new authorization framework developed at KTH
  - XACML engine
  - Management interface
  - Chaining of authorization decisions
  - Per method granularity

GT 4 Plans – Authorization (cont.)
- Port of SAML authorization callout
  - Based on work in OGSA Authz WG
  - Requires schema for resource id
- CAS enabled grid services
  - Integration of SAML based CAS assertions with XACML engine
  - Will lead to generic SAML/XACML delegation of rights framework
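One way to realise the "chaining of authorization decisions" with "per method granularity" planned on the previous slide, while honouring the earlier rule that existing access restrictions override any new agreement, as an added example that is not the KTH framework or GT4 code. The combination rule (any deny wins, otherwise at least one permit is required, default deny) and the subjects, methods and policies are assumptions constructed for illustration.

```python
# Added example, not the KTH framework or GT4 code: one way to realise "chaining of
# authorization decisions" with "per method granularity" from the slide, while
# honouring the earlier rule that existing access restrictions override any new
# agreement.  Combination rule assumed here: any DENY wins, otherwise at least one
# PERMIT is needed, and a chain with no opinion falls back to deny.  Subjects,
# methods and policies are constructed.
PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not_applicable"

def site_restriction_pdp(blocked):
    """Local site policy: denies listed (subject, method) pairs, silent otherwise."""
    return lambda subject, method: DENY if (subject, method) in blocked else NOT_APPLICABLE

def vo_membership_pdp(members, methods):
    """VO agreement: permits members for the agreed methods, silent otherwise."""
    return lambda subject, method: (PERMIT if subject in members and method in methods
                                    else NOT_APPLICABLE)

def identity_pdp(allowed):
    """Strict identity list (like GT4's Identity mode): permit listed DNs, deny others."""
    return lambda subject, method: PERMIT if subject in allowed else DENY

def combine(decisions):
    """Deny-overrides: a single DENY wins; with no PERMIT at all the answer is DENY."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else DENY

class ServiceAuthz:
    def __init__(self, default_chain):
        self.default_chain = list(default_chain)
        self.per_method = {}

    def set_chain(self, method, chain):
        self.per_method[method] = list(chain)          # per-method granularity

    def authorize(self, subject, method):
        chain = self.per_method.get(method, self.default_chain)
        return combine([pdp(subject, method) for pdp in chain])

def example_service():
    alice, bob = "/O=Example Grid/CN=Alice", "/O=Example Grid/CN=Bob"
    site = site_restriction_pdp({(alice, "destroy")})          # pre-existing local restriction
    vo = vo_membership_pdp({alice}, {"submitJob", "destroy"})  # newer VO agreement
    svc = ServiceAuthz([site, vo])
    svc.set_chain("getStatus", [site, identity_pdp({alice, bob})])  # wider list for a read-only method
    return svc
```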

GT 4 Plans - MyProxy
- Inclusion of MyProxy
  - Non-WS to begin with