Towards Cloud Federations: what we have; what we want OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford.


1 Towards Cloud Federations: what we have; what we want OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford Appleton Laboratory

2 contrail-project.eu Clouds have “normal” security issues
- Protect infrastructure against abuse
- Provider’s reputation
- User’s data, software, computations
- Users’ credentials: loss, level of assurance
- Fabric security
- Open source vs closed source issues

3 …and new security issues
- (Often) unknown resource location
- Multitenancy: protect against other users
- VM Image security:
  - Stale images
  - Maliciously modified images (or apps)
  - Install/patch window

4 …and more new security issues
- Over-allocation of dynamic resources
  - Intentional – scheduling DoS attack (with stolen account)
  - Unintentional – runaway jobs

5 Cloud security vs Grid security?
- In some sense, cloud = grid + elasticity
- Elasticity poses security issues: dynamically created services
- But grids have been there: eg WSRF (Web Services Resource Framework)

6 What is the Federation
- Group of service providers
- Providing “e-infrastructure”
- Coordinated deployment (maybe)
- Agreeing to common policies
- Support framework
- Internal and user-facing

7 What is the Federation: user
- Central account
- Single sign-on (in some sense: single login)
- Central accounting of all services
- Enable collaborations
- Traceability of user id
- Intelligent resource selection/scheduling

8 Accounting
- Resource used
- Billing
- Make use of user’s own account with commercial providers (alternative: hold user’s credit card)

9 Federation specific issues
- Policies needed for establishing and maintaining trust in federations
- Higher LoA in authentication?
- Multiple jurisdictions for AAA, support, billing … “solved” by the Grids
- non-trivial
- a process, not a single solution (like all sec.)

10 Providers: Prepared Protection Prevents Pricy Problems
- Set the bar high enough to keep the bad guys out
- Some bad guys are more resourceful and determined than others
- Ensure legitimate users can still use the service (the bear/bin problem)
- LoA – higher across national boundaries
- Usually a single (high) LoA in grids

11 Practical Problems: the Practitioner Principle
- “Normal” users just want to get their work done
- (High) security gets in the way?
- Well-known “usability vs security”
- (Highlight (rare?) wins: increase both, eg SSO)
- Multiple providers, heterogeneous security
- Multitenancy – ensure service availability

12 How it works today
- e-Infrastructure Grid and e-Science infrastructures for authentication: IGTF PKI, Shib + superShib, …
- X.509/RFC3280/GFD.125, SAML, OpenID
- Delegation: RFC3820, SAML, OAuth
- Authorisation: attribute authorities RFC3281, SAML, (+VOMS)
- Accounting: RUS
- Support: helpdesks: top → national → inst. → person
- Scalability + resilience (up to a point)

13 Cloud world
- Passwords, shared secrets
- Vendor support
- Easier security for small users?
- Usability: we can bring grid portals to the cloud
- Grids have mature federations; cloud feds being developed
- Should clouds target only small users? (how should large users be handled?)

14 Gaps
- Reuse grid federation infrastructure for federating clouds
- Without losing being lightweight
- Interoperation, of cloud services, with grids
- Do IaaS and SaaS and PaaS have different security requirements?
- Is the Grid LoA sufficient?
- Too high for some cases – maybe too low for others

15 Authentication into federation
[Diagram labels: AuC; X509, K5, LDAP, OpenID]
- Base login on existing infrastructures (when this makes sense)

16 Accounting
[Diagram labels: Fed acct; Amazon, Rackspace, Azure, OpenNebula resource, Grid?]

17 The CONTRAIL project
- Federated cloud access
- SLAs, QoS, QoP
- Fully secured IaaS and PaaS
- Using formal methods in some cases
- EU funded (11 MEUR, a dozen partners or so)
- Oct 2010-Sep 2013

18 CONTRAIL
- Federated Cloud access: single account, with metering, billing, etc.
- Access multiple IaaS and PaaS providers: cloudbursting built in
- Dynamic SLA negotiation, QoS and QoP.
- Security as funded activity
- Case studies have different requirements: Media, geographic data, real-time scientific processing, genomics

19 Contrail Issues
- Federate, making use of existing infrastructures
- Eg for authentication: IGTF PKI, Terena Shibboleth super-federation, site SSO?
- Challenge: Work and ∫ with other projects
- How to do delegation on multiple backend AuC
- Support access to multiple service providers
- Need for consistent information from SPs

20 Conclusion
- We need cloud federation
- We have grid federation
- These are not the same, but there are overlaps
- Align with other projects, interoperate
- Standardise whenever possible

