Presentation is loading. Please wait.

Presentation is loading. Please wait.

Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab.

Published byMitchell McCarthy Modified over 8 years ago

Similar presentations

Presentation on theme: "Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab."— Presentation transcript:

1 Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab

2 Grid Security in a nutshell -Identity management: authN -Access control: authZ -Operational security  Monitoring/detecting suspicious behavior  Incident response 2

3 Identity Management -Who are you? -Currently PKI and X.509  Public-private key pairs  Users still not used to certificate management  Renewing, requesting, moving certs around. -Is X.509 the only answer  Of course not -Federation-based identity management springs up -Proprietary tools: Microsoft infocards, IBM Higgins, etc 3

4 Federation-Based Identity Management: Shibboleth 4 Web browser Service Provider Where are you from? (WAYF) Identity Provider 1 2 3 4 5 6 7 credentials Login Username: Password:

5 How Shibboleth would work in Grid 5 #1 I want to be a member #2 Go to this URL advisor VO University VOMS admin #5 My cert DN is here, I want this FQAN please register me #8 Is this role OK Yes/no DN FQAN CA Web Portal … redirects to uni access portal …. Access successful Issue a short- lived cert Uni Access Portal Log onto your uni account #3 #4 #5 #6 #7

6 Shib-CAs -Federation-based CAs -Identity vetting up to federation member institutions -IGTF accredited -Short lived certs (1 week) 6

7 What about Open-ID? 7 AuthN DB uname password PKI Client MyProxy Online-CA AuthN Svc OpenID IdP Browser Client Web SvcPKI App Svc u/p => X509 credsu/p => cookie http-redirect + cookie X509 PK-authN trusts CA =><= trusts IdP

8 Diversity -Diversity in identity mgmt will continue -Will increase -NSF and NIH joined Shibboleth -TG started a Shib test bed -ESG uses OpenID -….. -The goal is to get diverse systems to talk to one another 8

9 Interoperability: 9 Can OSG users use web-based ESG services ? Right now no. if OSG user has another IdP that ESG can work with, or OSG can build and operate an IdP for OSG users Can ESG users use OSG services ? Yes. ESG users have certs. OSG would recognize the CA and authenticate ESG users Can OSG users use non-web ESG services ? Yes. ESG should recognize the same CA OSG uses

10 Authorization -Standards have not emerged as in authentication -It will happen -Messaging layer has been worked on -Diverse, home-grown tools used by grids -Does not get a lot of attention but…. -Will be affected by changes in authN mechanisms 10

11 Operational Security -Cares about authN/authZ -Traceability, accountability, containment are dependent on authN/authZ -Who did it? Can we suspend him/her? Can we re- instate his/her access after an incident? -Inter-operation during incident response  Grids are connected via bridges, gateways  Incidents spread  EGEE-TG-OSG shares incident data for cross-incidents  Incident sharing community for HEP institutions 11

12 Operational Security -Hard to teach and execute  NSF Large Facility CyberSecurity Workshop  NSF Small Facility Workshop to help small sites -Hard to research and implement -DOE Labs town-hall meetings on Security R&D  Incident response and intrusion detection  data provenance  Quantifying risk  Report sent to DOE 12

Download ppt "Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006 www.opensciencegrid.org.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
PKI Single Sign On & Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)

PKI Single Sign On & Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
EMI INFSO-RI-261611 Session Summary AAI Needs for DCIs John White, HIP Christoph Witzig, SWITCH

EMI INFSO-RI Session Summary AAI Needs for DCIs John White, HIP Christoph Witzig, SWITCH
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.

Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.
Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.

Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.

TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.

Similar presentations

Ads by Google