Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab.

Grid Security in a nutshell
- Identity management: authN
- Access control: authZ
- Operational security
  - Monitoring/detecting suspicious behavior
  - Incident response

Identity Management
- Who are you?
- Currently PKI and X.509
  - Public-private key pairs
  - Users are still not used to certificate management
  - Renewing, requesting, moving certs around
- Is X.509 the only answer? Of course not
- Federation-based identity management springs up
- Proprietary tools: Microsoft InfoCards, IBM Higgins, etc.

Federation-Based Identity Management: Shibboleth
(Diagram: the web browser contacts the Service Provider, is sent to a "Where are you from?" (WAYF) service to choose its home organization, and logs in at its Identity Provider with username/password credentials.)

How Shibboleth would work in Grid
(Diagram; actors: user, VO advisor, university, VOMS admin, CA, web portal, university access portal; labels: DN, FQAN. The messages on the slide, in order:)
#1 "I want to be a member"
#2 "Go to this URL"
... web portal redirects to the university access portal ...
"Log onto your uni account"
"Access successful"
"Issue a short-lived cert"
#5 "My cert DN is here, I want this FQAN, please register me"
#8 "Is this role OK?" Yes/no
(Step markers #3 to #7 on the slide are attached to the portal redirect, university login and cert-issue arrows.)

Shib-CAs
- Federation-based CAs
- Identity vetting is up to the federation member institutions
- IGTF accredited
- Short-lived certs (1 week)

What about OpenID?
(Diagram; components: AuthN DB (username, password), PKI Client, MyProxy Online-CA, AuthN Svc, OpenID IdP, Browser Client, Web Svc, PKI App Svc. Labelled flows: "u/p => X509 creds", "u/p => cookie", "http-redirect + cookie", "X509 PK-authN"; trust relations: the PKI side "trusts CA", the web side "trusts IdP".)

Diversity
- Diversity in identity mgmt will continue
- Will increase
- NSF and NIH joined Shibboleth
- TG started a Shib test bed
- ESG uses OpenID
- ...
- The goal is to get diverse systems to talk to one another

Interoperability
- Can OSG users use web-based ESG services? Right now, no. It works only if the OSG user has another IdP that ESG can work with, or if OSG builds and operates an IdP for OSG users.
- Can ESG users use OSG services? Yes. ESG users have certs; OSG would recognize the CA and authenticate ESG users.
- Can OSG users use non-web ESG services? Yes. ESG should recognize the same CA OSG uses.
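The OpenID and Shib-CA slides above end a federated login with a short-lived X.509 certificate from an online CA, and the interoperability slide reduces cross-grid access to one question: does the service trust the issuing CA? The Go program below is an added example, not code from the talk or from OSG, MyProxy or Shibboleth; it issues such a certificate and then makes the relying party's decision, rejecting a cert that has expired or that chains to a CA the service does not trust. The CA name, the "Example Federation" organization, the eppn and the one-year CA lifetime are constructed, and the service's trust store is modelled as an x509.CertPool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign signs tmpl with priv (the parent's key) and returns the parsed cert.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA self-signs a CA cert (constructed 1-year lifetime); it stands in for an online CA like the slide's MyProxy Online-CA.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen with rand.Reader does not fail
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// Issue runs after the federated IdP has authenticated the user: it binds the asserted
// identity (eppn, constructed) into the DN and signs a cert valid only for lifetime from now (the Shib-CA slide uses one week).
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, eppn string, lifetime time.Duration, now time.Time) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), NotBefore: now, NotAfter: now.Add(lifetime),
		Subject: pkix.Name{Organization: []string{"Example Federation"}, CommonName: eppn}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// Authenticate is the relying-party decision of the interoperability slide: accept a cert only if it chains to a CA in this service's trust store and is within validity at now; returns the DN.
func Authenticate(cert *x509.Certificate, roots *x509.CertPool, now time.Time) (string, bool) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", false
	}
	return cert.Subject.String(), true
}
```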

Authorization
- Standards have not emerged as they have in authentication
- It will happen
- Messaging layer has been worked on
- Diverse, home-grown tools used by grids
- Does not get a lot of attention, but...
- Will be affected by changes in authN mechanisms

Operational Security
- Cares about authN/authZ
- Traceability, accountability and containment depend on authN/authZ
- Who did it? Can we suspend him/her? Can we reinstate his/her access after an incident?
- Inter-operation during incident response
  - Grids are connected via bridges, gateways
  - Incidents spread
  - EGEE, TG and OSG share incident data for cross-grid incidents
  - Incident sharing community for HEP institutions

Operational Security
- Hard to teach and execute
  - NSF Large Facility CyberSecurity Workshop
  - NSF Small Facility Workshop to help small sites
- Hard to research and implement
- DOE Labs town-hall meetings on Security R&D
  - Incident response and intrusion detection
  - Data provenance
  - Quantifying risk
  - Report sent to DOE