Federated Environments and Incident Response: The Worst of Both Worlds

1 Federated Environments and Incident Response: The Worst of Both Worlds
Federated Environments and Incident Response: The Worst of Both Worlds?
A TeraGrid Perspective
Jim Basney
Senior Research Scientist
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
This material is based upon work supported by the National Science Foundation under Grant No Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

2 What is the TeraGrid?
NSF-funded facility to offer high end compute, data and visualization resources to the nation’s academic researchers (7500+ registered users from 450+ organizations)

3 TeraGrid Federations
- TeraGrid Core Services
  - TeraGrid Central Database (TGCDB)
  - Manages accounts / allocations across resources / sites
  - Centralized resource usage accounting
- X.509 Public Key Infrastructure (PKI)
  - International Grid Trust Federation (IGTF) (gridpma.org)
  - Includes Certificate Authorities operating outside of TeraGrid
  - Single sign-on across TeraGrid systems
- TeraGrid membership in Shibboleth InCommon Federation (planned)
  - Campus login to TeraGrid resources by researchers and students
- TeraGrid Science Gateways Program
  - Self-managed scientific communities
  - Gateway acts as identity provider and resource broker

4 TeraGrid Risks of Primary Concern
- Service disruption
  - Account compromise interrupts access for account holder
  - System compromise interrupts access for all account holders
- Being the source of attacks on other systems
  - High performance computers and networks used by attackers
  - Spread of compromise via stolen credentials
- Corruption / loss of scientific data
  - Delay or invalidation of scientific results

5 TeraGrid Incident Response
- Single point of contact
- 24/7/365 response
- Cross-site coordination for incident response
- Centralized ticket tracking system
- Emergency contact directory
- Secure teleconference lines
- Secure email lists

6 Secure Email List Service (SELS)
- Being evaluated by TeraGrid Incident Response Team
- Provides message-level security for emails exchanged on mailing lists
  - Confidentiality, Integrity, and Authentication
- Minimally trusted List Server
  - List Server does not get access to plaintext
  - Proxy encryption techniques enable transformation of ciphertext
- Developed with COTS and open-source components
  - Integrated with GnuPG on subscriber side; no extra software to install
  - Integrated with Mailman on server side with easy installation
- Lists can be hosted by NCSA
- sels.ncsa.uiuc.edu

7 Federated Identity & Incident Response
- Network attacks across administrative boundaries
  - Not a new problem but still a challenge!
  - Coordination across organizational CSIRTs
  - CERT/CC, US-CERT, REN-ISAC, FIRST
- New challenge: Compromise of federated identity
  - React
    - Disable access
    - Revoke credentials
    - Notify other service providers
    - Contact identity provider
    - Contact identity holder
  - Recover
    - Re-credential identity holder
    - Coordinate with identity provider
    - Coordinate with service providers
    - Restore accounts/systems
    - Re-enable access
- Compromise can spill outside the federation

8 TG Requirements for Federated Identity
- Ability to contact the Identity Provider
  - Phone number
  - Email address
  - Public key (PGP, S/MIME)
- Ability to block unwanted user behavior
  - Persistent user identifier
- Ability to directly contact the user
  - Email address and/or phone number

Taken from requirements gathering process for TG Science Gateway program.

9 TeraGrid Science Gateways
Use SAML assertion to convey user identifier and email address
gridshib.globus.org

10 Proposed Discussion Topics
- Support from identity providers for incident response
  - Preparation
  - Timely and secure communication
  - Prompt credential revocation
  - Confirmation of credential reset / re-issuance
  - Assistance with incident investigation
  - Audit records and system logs
- Effective communication and coordination
  - Should incident responders contact users directly?
  - Can the identity provider help to coordinate?
- Value for incident response of a persistent user identifier
  - Facilitates blacklisting
  - eduPersonPrincipalName? eduPersonTargetedID?
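
The requirements on slides 8 to 10 (persistent user identifier, a contact address, blocking) can be enforced where the gateway's SAML assertion is consumed. The sketch below is an added example, not part of the original slides or of GridShib: it assumes SAML 2.0 attribute OIDs for eduPersonPrincipalName and mail, hypothetical function names, and that the assertion's signature was already verified by the SAML library in front of it.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"   # eduPersonPrincipalName
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"  # mail

# Constructed sample. Assumption: signature checking and hardened XML parsing
# (no DTDs or external entities) happen before this code sees the assertion.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.edu/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_identity(assertion_xml):
    """Return issuer, persistent identifier and contact address ('' if absent)."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("Name")] = (value or "").strip()
    return {"issuer": issuer, "user_id": attrs.get(EPPN, ""), "email": attrs.get(MAIL, "")}

def authorize(assertion_xml, blocklist):
    """Apply the slide 8 requirements; blocklist holds (issuer, identifier) pairs."""
    ident = extract_identity(assertion_xml)
    if not ident["issuer"] or not ident["user_id"]:
        return "deny: no persistent user identifier", ident
    if not ident["email"]:
        return "deny: no contact address for the user", ident
    # Key on the issuer too: the same identifier string from another
    # identity provider is a different account.
    if (ident["issuer"], ident["user_id"].lower()) in blocklist:
        return "deny: identifier blocked by incident response", ident
    return "allow", ident
```

The returned identity record gives incident responders the issuer to contact and the address to reach the user, matching the contact requirements on slide 8.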

