Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Presentation transcript:

GENI Clearinghouse Panel GEC 12 Nov. 2, 2011

2 Setting Some Definitions First
Aggregate Authority is responsible for the management of an aggregate, but can delegate selected functions to other actors. The aggregate authority is the only one who can enter into agreements for the aggregate.
Identity Portal is a trusted system (i.e., one that has signed an agreement with the clearinghouse) that issues GENI credentials for experimenters.
Identity Provider is a service providing authentication of potential GENI actors.
Slice Authority is a system that issues credentials for slices.

3 More Definitions
Clearinghouse is both an entity and a system consisting of software, operations, and policy to broker trust between federation partners.
GENI Project is a grouping of experimenters and slices working on a common effort. It may have multiple slices concurrently and over time.
Project Leader is the actor who is ultimately responsible for the behaviors of a GENI project.
GENI Oversight Group is the proposed group responsible for ensuring that meta-operations and the clearinghouse operations groups fulfill their responsibilities. It is also the governance body for the GENI federation, responsible for guiding project direction and resolving disputes between other actors.

4 Why should we have project leaders?
Responsibility: A “grown-up”, e.g. PI
–What if there are IRB issues?
–Want someone with some permanence who is easy to contact and find.
–Want to know delegation is done responsibly.
We really don’t know all the experimenters
–Not always technically possible to determine the most directly responsible party
–We can determine a project leader, slice creator and anyone else who has changed the slice.
–We don’t know who logged in via SSH to hosts in the slice and ran experiments, though

5 What does the Clearinghouse do?
First, it is a “legal” entity and trusted root.
–Minimize the # of pairwise agreements
–Set a common level of expectations in federation through a set of policies and agreements with CH
–Asserts who has entered agreements and is in good standing (mechanism TBD)
Primary Services
–Register project leaders and projects & bind them: CH.ProjLead(i) ← Bob
–Bind slices to projects, verifying all actors in federation in good standing before “endorsing” a slice. If delegated ability to SAs, maybe SA_1.GENIProj(i) ← Slice_X
–Identify “official” aggregates (ABAC or registry or both): CH.Endorse ← Agg_X
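As an added illustration of the bindings on this slide (example code, not from the panel or from any GENI software): a toy RT0-style ABAC credential store in which a slice is endorsed only if the chain CH.ProjLead(i) ← leader and CH.GENIProj(i) ← SA_1.GENIProj(i) ← slice resolves and the leader and SA are in good standing. The CH.GoodStanding role, the delegation to SA_1 and all principal names are constructed assumptions.

```python
from collections import defaultdict


class CredentialStore:
    """Credentials of the form Issuer.role <- Member, where Member is either a
    principal ("Bob") or another role ("SA_1.GENIProj(1)"), i.e. RT0 inclusion."""

    def __init__(self):
        self.creds = defaultdict(set)   # role -> members (principals or roles)

    def add(self, role, member):
        self.creds[role].add(member)

    def members(self, role, _seen=None):
        """Principals in `role`, following role-to-role inclusions to a fixpoint."""
        seen = _seen if _seen is not None else set()
        if role in seen:                # guard against cyclic delegation
            return set()
        seen.add(role)
        out = set()
        for m in self.creds.get(role, ()):
            if "." in m:                # a linked role: include all of its members
                out |= self.members(m, seen)
            else:
                out.add(m)
        return out


def endorse_slice(store, ch, slice_name, project, leader, slice_authority):
    """CH endorses a slice only if the slice is bound to the project (possibly via
    a delegated SA), the leader holds CH.ProjLead(project), and both the leader
    and the delegated SA are in good standing with the CH (assumed role name)."""
    checks = [
        leader in store.members(f"{ch}.ProjLead({project})"),
        slice_name in store.members(f"{ch}.GENIProj({project})"),
        leader in store.members(f"{ch}.GoodStanding"),
        slice_authority in store.members(f"{ch}.GoodStanding"),
    ]
    return all(checks)


def demo_store():
    """Constructed credentials mirroring the slide's examples."""
    s = CredentialStore()
    s.add("CH.ProjLead(1)", "Bob")                # CH registers Bob as leader of project 1
    s.add("CH.GENIProj(1)", "SA_1.GENIProj(1)")   # CH delegates slice binding for project 1 to SA_1
    s.add("SA_1.GENIProj(1)", "Slice_X")          # SA_1 binds Slice_X to project 1
    s.add("CH.GoodStanding", "Bob")
    s.add("CH.GoodStanding", "SA_1")
    s.add("CH.Endorse", "Agg_X")                  # CH identifies Agg_X as an official aggregate
    return s
```

Revoking SA_1's good standing (removing it from CH.GoodStanding) makes every slice bound through SA_1 fail the endorsement check, which is the "all actors in good standing" condition from the slide.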

6 Secondary or Optional CH Services
A Component Registry
–Resource Discovery
–Attest to who has signed agreements
An Identity Portal
–Backed by InCommon, issues GENI identity credentials
A Slice Authority
Slice Tracker (Is that standard nomenclature?)
–Verify 3 kinds of resource allocation policy (from NSF, project size is accurate, or with federated partners)
–Could be delegated to issuing SAs except for policies about aggregate GENI usage

7 Project Sizes & Approval Process
Do 3 sizes make sense? Do we even need them?
–Small: less than 28 days, 1 slice at a time
–Medium: semester (5 mo.), multiple slices
–Large: long term or more than 20% of a resource
Should committee approval be required for the large projects?
What kind of turn-around for approval is appropriate?
–Small = real time
–Medium = 2 business days
–Large = 1 week

8 Info to collect at project registration
When a Project Leader creates a new project, what should they enter?
–How many simultaneous slices they expect
–How long-lived the experiment will be
–Co-project leaders?
–Purpose of experiment(s)
–Size of experiment’s load on shared resources like backbone links
–Other?

9 Where to check federation level policies?
Type 1: NetSC Council makes general rule
–Example: grad student slivers can get X hosts / slice
–Are all of these things based on attributes that could be proven elsewhere, or do some need a global view of ALL slices?
Type 2: Is project X still acting like it has size N?
–This should be delegable to SAs to check
Type 3: Rule about GENI aggregate usage w/ another federation
–Example: GENI can only use X% of link A to FIRE
–Could be determined by the CH or their AM, but not any one SA. Is that always true?

10 Do we need federation level policies?
Cost isn’t high if we are doing post-hoc verification and not inserting CH into every resource request
–Need to have API to report back to “slice tracker” at CH
–Or could report back to SAs maybe
We don’t want to discourage other federations from linking with us
We don’t want to discourage NSF from funding us
–Though unclear whether they will ever make such global policies (they may care more about their own aggregates, e.g. GENI racks or backbones)
Do we need to decide this now?
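To make concrete the post-hoc "slice tracker" idea of slides 9 and 10, here is an added example (not from the panel or any GENI software) that takes sliver reports as an aggregate might report them back and evaluates a Type 2 check against the size classes of slide 7 and a Type 3 link-usage cap. The report fields, the 150-day reading of "semester (5 mo.)", and the sample usage values are constructed assumptions.

```python
from datetime import date

# Size classes from slide 7: max sliver duration (days), max concurrent slices,
# and max share of any one resource. None means unlimited for that class.
SIZE_LIMITS = {
    "small":  {"max_days": 28,   "max_concurrent": 1,    "max_share": 0.20},
    "medium": {"max_days": 150,  "max_concurrent": None, "max_share": 0.20},  # ~5 months, assumed
    "large":  {"max_days": None, "max_concurrent": None, "max_share": None},
}


def concurrent_slices(reports, day):
    """Slices of one project whose slivers are active on `day`."""
    return {r["slice"] for r in reports if r["start"] <= day <= r["end"]}


def check_project_size(size, reports):
    """Type 2 check (delegable to an SA, since it needs only one project's
    reports): which limits of the registered size class does the usage exceed?"""
    lim = SIZE_LIMITS[size]
    violations = set()
    for r in reports:
        if lim["max_days"] is not None and (r["end"] - r["start"]).days > lim["max_days"]:
            violations.add("duration")
        if lim["max_share"] is not None and r["share"] > lim["max_share"]:
            violations.add("resource_share")
    # Peak concurrency is always reached at some sliver's start date.
    if lim["max_concurrent"] is not None and any(
            len(concurrent_slices(reports, r["start"])) > lim["max_concurrent"] for r in reports):
        violations.add("concurrency")
    return violations


def check_link_cap(reports, link, cap_share):
    """Type 3 check: total share of `link` used across all reported slices
    against the federation-level cap. Only a party that sees every report
    (the CH or the aggregate's AM) can evaluate this, not a single SA."""
    used = sum(r["share"] for r in reports if r.get("link") == link)
    return used <= cap_share, used


# Constructed sliver reports for one project registered as "small".
REPORTS = [
    {"slice": "Slice_X", "start": date(2011, 10, 1),  "end": date(2011, 10, 20), "share": 0.05, "link": "A"},
    {"slice": "Slice_Y", "start": date(2011, 10, 15), "end": date(2011, 12, 1),  "share": 0.10, "link": "A"},
]
```

Run as "small", the project trips both the 28-day limit and the one-slice-at-a-time limit; re-registered as "medium" it passes, which is the kind of evidence a committee would want before approving the size change.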

11 GENI Oversight Group (GOG)
Who should make up representatives of such a group?
Should we create a federation charter to establish it?
–A lot of the CH policy doc content could move there
GOG Responsibilities
–Directing Clearinghouse, GMOC and Security Ops.
–Resolve disputes between federation actors
–Decide if someone is kicked out or let back in, hear appeals.

12 Certificate Authority Policy
Do we need formal CA policies for anyone issuing credentials?
–How do we protect key material?
–How is revocation handled?
–How long do credentials live?
–Who are approved Identity Portals & Providers?
–What are the vetting requirements? NIST LOA?
–Etc.
May have a small enough number of actors issuing principal credentials that we can avoid this for a while, right?