Supporting education and research Security and Authentication for the Grid Alan Robiette, JISC Development Group.

Presentation transcript:


Cross-RC Conference, NeSC, 18 May 2004

Slide 2: Outline
- Scope of the problem
- The changing context of Grid middleware
- The Grid Security Task Force
- Current issues
- Ways forward

Slide 3: Aspects of security
- Managing access within a generally approved community
  - Registration; authentication; authorisation (plus logging/accounting)
- Defence against completely unauthorised intrusion
  - Asset valuation; risk/threat analysis; countermeasures

Slide 4: Grid middleware
- In a state of transition
- Globus Toolkit 2: in fairly widespread use but now obsolescent
- OGSI/Globus Toolkit 3: first steps towards industry web services (but now deprecated)
- WSRF/Globus Toolkit 4: full move to web services (but not there yet)
- Open Middleware Infrastructure Institute (OMII) using basic interoperable web services for the time being

Slide 5: Securing web services
- WS-Security white paper by IBM and Microsoft, April 2002
- Lower level services based on existing standards (TLS, XML-DSig, XML-Encryption)
- Extensions to SOAP to define security for SOAP messages
- Complex higher layer architecture

Slide 6: WS-Security architecture
- (Diagram) © IBM Corporation, Microsoft Corporation (2002)

Slide 7: WS-Security: progress
- Being standardised by OASIS
- Basic WS-Security layer profiles now stable (for X.509 tokens)
- Work on other tokens in the pipeline
- Still a long way to go on higher level services...

Slide 8: Authentication
- In a sense a solved problem
- All generations of Grid middleware use X.509 identity certificates as security tokens
  - Including initial implementations of WS-Security
- In the UK, certificates issued by the Grid Support Centre's certificate authority
- Works well within its design goals, but
  - Some issues with usability (of certificates in general): can these be circumvented?
  - Likely future issues with scalability

Slide 9: Authorisation
- Dealing with virtual organisations
  - Across boundaries of real organisations
- In a real sense the key problem in Grid security
- Initial Globus mechanism (mapfile) very crude
  - Labour-intensive for sysadmins, doesn't scale well
- Many other schemes proposed
  - VOM, VOMS, CAS, Akenti, Permis...

Slide 10: GGF authorisation API
- GGF working group to design a standard authorisation API
  - Wide range of experts
  - JISC funded UK involvement
- Allows plug-in replacement of any scheme conforming to this API
- Written and due to be tested for GT3
  - But reusable in a web services context?
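Added example, not part of the talk and not Globus, GGF or JISC code: it illustrates slides 9 and 10 together. A parser for the classic Globus grid-mapfile (one quoted certificate subject DN per line, followed by comma-separated local accounts) sits behind a small plug-in authoriser interface, next to a VOMS-style alternative that decides from VO membership attributes instead of a per-user file. The interface, the sample DNs, accounts and VO groups are all constructed for the example; the exact-match, one-line-per-user behaviour of the mapfile authoriser is what the slide means by "labour-intensive, doesn't scale".

```python
"""Grid-mapfile authoriser beside a VO-attribute authoriser, both behind one
plug-in interface (constructed example; the interface is an assumption, not
the GGF API itself)."""
from abc import ABC, abstractmethod
from typing import Dict, List, Optional, Set
import shlex

# Constructed sample grid-mapfile: "<subject DN>" account[,account...]
SAMPLE_MAPFILE = """\
# grid-mapfile: one line per user, maintained by hand at every site
"/C=UK/O=eScience/OU=ExampleUni/L=Physics/CN=alice example" alice
"/C=UK/O=eScience/OU=ExampleUni/L=Chemistry/CN=bob example" bob,chemgrp
"/C=UK/O=eScience/OU=OtherUni/L=Compserv/CN=carol example"   gridpool01
"""


class Authoriser(ABC):
    """Plug-in interface: any scheme answering 'may this subject act as this
    local account?' can be swapped in without touching the caller."""

    @abstractmethod
    def authorise(self, subject_dn: str, requested_account: Optional[str] = None) -> Optional[str]:
        """Return the local account to map to, or None if denied."""


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {subject DN: [local accounts]}.
    Malformed lines raise rather than being skipped: an authorisation file
    that parses 'mostly' is a file with holes in it."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the quoted DN, which contains spaces
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f"grid-mapfile line {lineno}: malformed entry {raw!r}")
        accounts = [a for a in parts[1].split(",") if a]
        if not accounts:
            raise ValueError(f"grid-mapfile line {lineno}: no local account in {raw!r}")
        mapping[parts[0]] = accounts
    return mapping


class GridMapAuthoriser(Authoriser):
    """The original Globus mechanism: exact DN match against a static file."""

    def __init__(self, mapfile_text: str):
        self._map = parse_gridmap(mapfile_text)

    def authorise(self, subject_dn, requested_account=None):
        accounts = self._map.get(subject_dn)
        if not accounts:
            return None
        if requested_account is None:
            return accounts[0]  # first listed account is the default mapping
        return requested_account if requested_account in accounts else None


class VOAttributeAuthoriser(Authoriser):
    """VOMS-style alternative: the decision comes from VO/group attributes
    asserted for the subject, mapped to pool accounts by a site policy, so
    adding a user means adding them to the VO rather than editing every
    site's mapfile. Attribute store and policy are constructed here."""

    def __init__(self, attributes: Dict[str, Set[str]], policy: Dict[str, str]):
        self._attrs = attributes  # subject DN -> set of VO/group names
        self._policy = policy     # VO/group name -> local (pool) account

    def authorise(self, subject_dn, requested_account=None):
        for group in sorted(self._attrs.get(subject_dn, ())):
            account = self._policy.get(group)
            if account and requested_account in (None, account):
                return account
        return None


def decide(authorisers: List[Authoriser], subject_dn: str,
           requested_account: Optional[str] = None) -> Optional[str]:
    """Consult each plugged-in scheme in order; the first grant wins."""
    for auth in authorisers:
        account = auth.authorise(subject_dn, requested_account)
        if account is not None:
            return account
    return None
```

Chaining the two authorisers with decide() is the plug-in replacement the slide describes: a site can start with its mapfile, add a VO-attribute scheme beside it, and retire the mapfile once every user is covered by VO membership.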

Slide 11: Defending against attacks
- Credential theft
  - How serious a problem is this?
  - Usability problems with certificates don't make for good user behaviour
- General security vulnerabilities
  - Something of a worry with research-grade code
  - Earlier Globus versions caused many problems with institutional firewalls
  - Web services avoids this; but pushes the problem elsewhere

Slide 12: Grid Security Task Force
- Part of the e-Science core programme support structure
- Reports to Technical Advisory Group
- Membership from the academic/research community and from industry
  - Contains both practitioners and security researchers
  - Specifically includes a human factors expert

Slide 13: What has STF done?
- Developed a security policy for the e-Science programme(s)
  - Research Councils, DTI etc. have all signed up to this
- Formulating a policy highlighted new operational needs for the programme
  - Incident management function (cf. CERT)
  - Advice to projects (possibly also audit)
  - Grid Operations Centre will include both

Slide 14: Other STF work
- Technical road map and gap analysis
  - Has informed JISC call for security work in early 2004, also EPSRC and OMII calls for new work in this area
- Initial scoping/drafting work on two further papers
  - Advice to proposal writers and PIs
  - Human factors ("socio-technical") gap analysis

Slide 15: Main issues today
- The transitional state of Grid middleware
  - How much do we need to worry about GT2 and OGSI?
- Slow progress of WS-Security upper layers
  - Stick to simple WS-Security scenarios and make sure we get these right
- Usability/scalability issues with certificates?

Slide 16: Federating identities
- It may be preferable for the user to authenticate in his/her own institutional environment
  - Then spawn a short-lived Grid credential
  - E.g. KX509, which does this for Kerberos
- Alternatively could use Shibboleth-type model where identity and attributes are asserted by institution to service provider
  - Would this work in a Grid world?
  - And would it provide adequate security?
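Added example, not part of the talk and not KX509 code: the "authenticate at home, then spawn a short-lived Grid credential" pattern of slide 16, with the validity-window check that limits what a stolen copy (slide 11) is worth. KX509 converts a Kerberos ticket into a short-lived X.509 certificate; this stand-in uses a password check at the home institution and an HMAC-signed credential so that it runs with the Python standard library alone. Assumptions: the issuer's HMAC key stands in for the CA signing key and the Grid service holds the matching verification key; the user database, DN, VO name, salt and keys are all constructed.

```python
"""Institutional login, then a short-lived signed Grid credential that a
Grid service verifies by signature and validity window (constructed example;
HMAC stands in for the X.509 signature a KX509-style service would produce)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# --- Home institution: local authentication --------------------------------
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt-0001"
# Constructed user database: username -> (salt, PBKDF2 hash of password).
# In KX509 this role is played by the Kerberos KDC, not a password file.
USER_DB = {"alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}


def institutional_login(username: str, password: str) -> bool:
    """Authenticate the user in their own institutional environment."""
    entry = USER_DB.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


# --- Credential service: mint the short-lived Grid credential --------------
ISSUER_KEY = b"constructed-issuer-key"  # stand-in for the issuing CA's key
DEFAULT_LIFETIME_S = 12 * 3600          # hours, not the year(s) of a personal certificate


def _sign(payload: bytes) -> str:
    mac = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_grid_credential(username: str, password: str, vo: str,
                          lifetime_s: int = DEFAULT_LIFETIME_S,
                          now: Optional[float] = None) -> Optional[str]:
    """Return an encoded credential if institutional login succeeds, else None."""
    if not institutional_login(username, password):
        return None
    now = time.time() if now is None else now
    body = {
        "subject": f"/C=UK/O=eScience/OU=ExampleUni/CN={username}",  # constructed DN
        "vo": vo,
        "not_before": int(now),
        "not_after": int(now) + lifetime_s,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


# --- Grid service: verify before granting access ---------------------------
def verify_grid_credential(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the credential body if signature and validity window check out, else None."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # forged or tampered: reject before parsing the body
    body = json.loads(payload)
    now = time.time() if now is None else now
    if not (body["not_before"] <= now < body["not_after"]):
        return None  # expired or not yet valid: a stolen copy dies with the window
    return body
```

The user never handles a long-lived private key; what the Grid service sees is a credential whose lifetime is measured in hours, and a rejected login at the home institution produces no credential at all.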

Slide 17: Questions?