JASMIN and CEMS: The Need for Secure Data Access in a Virtual Environment Cloud Workshop 23 July 2013 Philip Kershaw Centre for Environmental Data Archival.

Presentation transcript:

JASMIN and CEMS: The Need for Secure Data Access in a Virtual Environment
Cloud Workshop, 23 July 2013
Philip Kershaw, Centre for Environmental Data Archival, RAL Space, STFC Rutherford Appleton Laboratory

Introduction
- JASMIN and CEMS background
  – Current phase 1 deployment
  – Plans for phase 2
- Security Requirements
- Access Control and Federated Identity Management
- Cloud and Confidentiality
- Cloud and SLAs
[Figure: LST plot for the UK; John Remedios and Darren Ghent, University of Leicester]

JASMIN Phase 1
- e-Infrastructure investment (NERC and UKSA)
- 6PB fast disk (Panasas) via low latency networks
- Distributed: RAL, Leeds, Bristol, Reading
- For the Climate Science and Earth Observation (CEMS) communities
- Compute cluster, virtualisation (VMware) and private cloud (vCloud)

JASMIN 2 and 3
- NERC Environmental Big Data investment (2 internal phases)
- JASMIN for use by the entire NERC community
- Expand to 12PB fast disk and additional compute cores
- Provides a range of service models:
  – Batch compute
  – Virtualisation
  – Cloud
  – Private Cloud with the capability to federate with public clouds
- Private cloud will be a host for virtual platforms
[Diagram: Internal Private Cloud (JASMIN / CEMS Academic, R89 Building, STFC Rutherford Appleton Laboratory) with Panasas Storage, Bare Metal Compute, and Data Archive and compute; Virtualisation / Cloud Federation API to External Cloud Providers. Labels: direct access to the data archive; hosted processing and analysis environments; dynamically configured infrastructure to enable switching of storage and compute between private cloud and archive; isolated part of the network; cloud burst as demand requires.]

Evolving Security Requirements
- CEDA changing from a data provider to a data provider and hosting service
- Communities
  – JASMIN 1 + CEMS: data for the Atmospheric Science and Earth Observation research communities
  – JASMIN 2 private cloud will serve the wider NERC community
- Requirements
  1. Enforcement of licence agreements, terms of use, embargo periods or limited distributions
  2. User privacy – Data Protection Act
  3. Protection of computing resources is the critical consideration
     – Increasing importance with the provision of user hosting environments
     – To prevent:
       – Loss of service for an extended period
       – Detrimental impact on science
       – Knock-on effect of reputational loss

Interfaces
- Interfaces are a critical consideration as they mark out security boundaries
- Interfaces are changing and evolving with new service models: virtualisation, cloud, …

Interfaces and Usage Patterns vs. Hosting Solutions
[Diagram. Hosting solutions: Direct Access to the File System (high performance file system); Hosted Processing (shared scientific analysis hosts, application hosting); Hosted Infrastructure (virtual infrastructures for other organisations, virtualisation and networking, virtual storage); PaaS – Hosted Analysis Environments (sandboxed environments, SOA); Cloud Federation / Brokering. Service offered ranges from bare metal and isolated network up to cloud platform. Axes: increasing virtualisation => cloud platform; <= increased level of trust in user ... lower level of trust in user =>; users and usage move from increased set-up time but longer usage towards more dynamic and autonomous usage patterns, i.e. greater security risk usage patterns.]

Access Control and Federated Identity Management
- RBAC (Role-Based Access Control) in place for many years
- FIM required for international collaborations

Earth System Grid Federation Security
- ESGF: a globally distributed federation of nodes, initially deployed in support of CMIP5
- Requirements:
  – Access control for enforcement of licence agreements and terms of use
  – Single sign-on (SSO)
  – Authorisation overseen by PCMDI, the lead organisation
- Solution:
  – SSO: OpenID for browser-based access; SLCS (Short-Lived Credential Service, X.509) for command-line wget and other clients (NetCDF) and GridFTP
  – SAML for attribute query and authorisation interfaces
  – RBAC with Virtual Organisation(s) to manage access roles
  – RESTful authorisation policy
- Also adopted for CEDA's infrastructure
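To make the RBAC part of the slide concrete, here is an added illustration (not ESGF's or CEDA's code) of the authorisation decision the slide describes: roles come back from a Virtual Organisation attribute service (stood in for by a dictionary, as a SAML attribute query would supply them), and a per-dataset policy enforces licence roles, an embargo period and a limited-distribution owner role. All dataset identifiers, role names, users and dates are constructed for the example.

```python
from datetime import date

# Constructed sample policy: each dataset lists the VO roles that satisfy its
# licence terms and, where an embargo applies, the date it lifts and the
# single role allowed in before then (limited distribution).
POLICY = {
    "cmip5.output1.example-model": {
        "roles": {"cmip5_research", "cmip5_commercial"},
        "embargo_until": None,
        "owner_role": None,
    },
    "cems.eo.lst.uk.example": {
        "roles": {"eo_uk"},
        "embargo_until": date(2014, 1, 1),
        "owner_role": "eo_uk_pi",
    },
}

# Constructed stand-in for the SAML attribute query: OpenID identifier -> role
# attribute values the Virtual Organisation asserts for that user.
ATTRIBUTE_SERVICE = {
    "https://openid.example.org/alice": {"cmip5_research"},
    "https://openid.example.org/bob": {"eo_uk"},
    "https://openid.example.org/carol": {"eo_uk", "eo_uk_pi"},
}


def query_attributes(user_id):
    """Return the roles asserted for user_id; unknown users get no roles."""
    return ATTRIBUTE_SERVICE.get(user_id, set())


def authorise(user_id, dataset_id, today_iso):
    """Policy decision point: returns (permit, reason) and denies by default."""
    entry = POLICY.get(dataset_id)
    if entry is None:
        return False, "no policy for dataset: default deny"
    today = date.fromisoformat(today_iso)
    roles = query_attributes(user_id)
    embargo = entry["embargo_until"]
    if embargo is not None and today < embargo:
        # During the embargo only the owner role may read the data.
        if entry["owner_role"] in roles:
            return True, "embargoed; owner role present"
        return False, "embargoed until %s" % embargo.isoformat()
    matched = roles & entry["roles"]
    if matched:
        return True, "role %s satisfies licence terms" % sorted(matched)[0]
    return False, "no qualifying role; user must register and accept the licence"
```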

Access Control and FIM for Clouds
- Build on the work for ESGF
  – But ESGF was designed for federated access to datasets
  – Low LoA (Level of Assurance) required for credentials
- New work with the Contrail project to address some challenging use cases...

Contrail Project Goals
- EC FP7 project, led by INRIA, 36 months+, completes Jan 2014
- Federation of cloud providers
- Federation with external IdPs
- Elastic CAs for dynamically created services
- Autonomous SLA management
- IaaS and PaaS integration
- Reuse of existing open standards:
  – OVF, OCCI, CDMI
  – WS-Security, models...

Contrail – Delegation with OAuth
[Diagram: Contrail Federation Layer. Components: Cloud Providers; Federation CLI; Browser; Federation Web Portal; Federation core; Online CA Service; Federation Identity Provider; OAuth Authz Server; External IdPs (Shib, OpenID). Annotations: REST API; multiple delegation hops; cloud credential mapping; OAuth.]

Confidentiality
- Homomorphic encryption
  – Homomorphic Encryption: Theory & Application, Jaydip Sen, Department of Computer Science, National Institute of Science & Technology, Odisha, India
- Divide data into chunks and distribute across multiple providers
  – Only the owner can re-assemble the data
  – No single provider can re-assemble the data
  – Computationally expensive
- ESA project DCGO (Data Chunks to Go) exploring this technology
- Other commercial solutions
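An added illustration of the chunking property the slide states (only the owner can re-assemble, no single provider can); it is not DCGO's scheme and not homomorphic encryption. It uses n-of-n XOR secret sharing: each provider receives one chunk, any set of fewer than n chunks is uniformly random, and the owner keeps a SHA-256 tag so that a missing or altered chunk is detected on reassembly. The sample data is constructed.

```python
import hashlib
import os


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def split_into_chunks(data, n_providers):
    """Produce one chunk per provider such that every chunk is needed to
    rebuild data. All but the last chunk are uniformly random; the last is
    data XOR all the others, so any subset of fewer than n chunks is itself
    uniformly random and reveals nothing about data. Returns the chunks and
    a SHA-256 tag the owner keeps (not given to providers) for verification."""
    if n_providers < 2:
        raise ValueError("need at least two providers for the property to hold")
    chunks = [os.urandom(len(data)) for _ in range(n_providers - 1)]
    last = data
    for c in chunks:
        last = xor_bytes(last, c)
    chunks.append(last)
    return chunks, hashlib.sha256(data).hexdigest()


def reassemble(chunks, tag):
    """Owner-side rebuild: XOR every chunk together and verify the tag, so a
    missing, swapped or tampered chunk raises instead of returning garbage."""
    if not chunks:
        raise ValueError("no chunks supplied")
    out = bytes(len(chunks[0]))
    for c in chunks:
        if len(c) != len(out):
            raise ValueError("chunk length mismatch")
        out = xor_bytes(out, c)
    if hashlib.sha256(out).hexdigest() != tag:
        raise ValueError("reassembly failed: a chunk is missing or altered")
    return out


def can_reassemble(chunks, tag):
    """True only when the given chunk set rebuilds the original data."""
    try:
        reassemble(chunks, tag)
        return True
    except ValueError:
        return False
```

The scheme gives confidentiality against any single provider (indeed any n-1 colluding providers), but availability now depends on all n, so the replication term from the QoP discussion below applies to the chunks themselves.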

SLAs and Security
- Lack of standardisation and relative immaturity are problems
- Contrail project: extends the work of a prior project
  – Support for expressing SLAs at the level of individual resources by linking to OVF (Open Virtualisation Format) descriptors
  – Federated negotiation with multiple providers and selection of the optimum SLA offer according to user criteria
  – Quality of Protection (QoP) terms, such as data locality, protection, replication, …

Security, Cloud and Network Isolation
- 3 interfaces:
  – Private archive
  – Private cloud
  – Public cloud (via broker)
- Private archive and private cloud in independent networks but co-located
- Key interfaces link between the two, e.g. data download via OPeNDAP
[Diagram: Internal Private Cloud (JASMIN / CEMS Academic, R89 Building, STFC Rutherford Appleton Laboratory) with Panasas Storage, Bare Metal Compute, and Data Archive and compute; Virtualisation / Cloud Federation API to External Cloud Providers. Labels: direct access to the data archive; hosted processing and analysis environments; dynamically configured infrastructure to enable switching of storage and compute between private cloud and archive; isolated part of the network; cloud burst as demand requires.]

Conclusions
- Existing climate science and earth observation security requirements understood
- Strong foundation of access control and FIM to build on
  – Need to consider LoA for new use cases
- New user communities within NERC to consider
- New challenges with requirements to protect computing resources, new interfaces (attack vectors!)
- Confidentiality and SLAs: areas where much more work is needed
- Network isolation is the baseline for the private cloud
- Clarity and clear demarcation needed for hybrid cloud (cloud federation)