Sponsored by the National Science Foundation Enabling Trusted Federation Marshall Brinn, GENI Program Office October 1, 2014.

Presentation transcript:

Slide 1: Enabling Trusted Federation. Marshall Brinn, GENI Program Office, October 1, 2014

Slide 2: Introduction
Federations are a group of resource owners and resource consumers who agree to share resources under certain conditions.
There is an opportunity for a market here. But enabling such a market requires fundamental mutual trust between the parties along these dimensions:
– Authentication: certainty about the identity of who is requesting resources
– Authorization: establishment of rules on who may access which services and resources
– Accountability: ability to determine who took what actions (for forensics, debugging)
The act of federation entails:
– Sharing trust roots (e.g. certificates)
– Agreeing on policies
– Establishing and trusting the enforcement mechanisms for these policies

Slide 3: Establishing a Federation
[Diagram: two federating parties, each with Resources, Users, an Authority and Trust Roots; a PEP (policy enforcement point) in front of each party's resources and authority, governed by shared Policies.]
Our fundamental unit is a set of resources/aggregates, an authority/clearinghouse (CH) and authorized users.
An exchange of trust roots: I accept credentials signed by your authority.
A set of AuthN/AuthZ policies is agreed on by the members of each federating party.
These policies are codified and enforced on all accesses to the resources or authority services.
Users of both groups can now access resources and services of either group, subject to policy restrictions.

Slide 4: GENI Experiences
GENI is essentially a federation of federations:
– Federating among resources from GPO, Emulab and PlanetLab, each with their own credentials, users and policies
– Plus a number of “pop-up” federations with the EU, Japan, Brazil and Korea
X509 certificates have been the basis of identity.
SFA credentials are used for fundamental authorization of resource actions.
– ABAC has been used as a common language for expressing more detailed authorization policy at federation services (SA, MA) and resource services (AM)

Slide 5: GENI Experiences [2]
X509 certificates are reliable and universal but require some work to support renewal, expiration and CRLs.
SFA authorization is a fine standard, but limited in its expressivity (in GENI even more so).
ABAC has been a good prototype for FOL-based policy statements and provers:
– Proof-based, externalized (and exchangeable)
– ABAC statements are signed by entities whose credentials are signed by a particular authority. The scope of “damage” any entity can do is thus limited to objects maintained by that authority.
– Not the most intuitive syntax, and limited in expressive power
We have successfully limited actions taken by users at the federation level or resource level based on properties that are:
– Static (e.g. a user’s attributes, authority, role), or
– Dynamic (e.g. quotas and current allocations)
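As an added illustration (not from the slides or from GENI's own code), the following toy RT0-style ABAC prover models slide 3's trust-root exchange ("I accept credentials signed by your authority") and slide 5's two points: an entity's statements only ever affect roles it defines itself, and a decision combines a static role proof with a dynamic quota check. Credential names, principals and the quota value are constructed; signature verification is assumed to have happened before a statement reaches the prover.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cred:
    """One RT0-style statement issuer.role <- subject; 'issuer' is the verified signer."""
    issuer: str   # authority or aggregate that signed the statement
    role: str     # role being defined, e.g. "member"
    subject: str  # a principal ("bob") or a linked role ("AuthB.member")

# Constructed sample credentials (not GENI data). The statement
# AuthA.member <- AuthB.member is federation A's "I accept credentials
# signed by your authority" from slide 3.
CREDS = [
    Cred("AuthA", "member", "alice"),
    Cred("AuthB", "member", "bob"),
    Cred("AuthA", "member", "AuthB.member"),
    Cred("AggA", "can_allocate", "AuthA.member"),
    Cred("Mallory", "member", "mallory"),          # issuer is not a trust root
    Cred("Mallory", "can_allocate", "mallory"),    # can only populate Mallory's roles
]
TRUST_ROOTS = {"AuthA", "AuthB", "AggA"}   # roots exchanged when federating

def prove(creds, trust_roots):
    """Return {(issuer, role): set of principals} by iterating the RT0
    rules to a fixpoint. Statements from untrusted issuers are dropped
    first, and an issuer can only ever add members to its own roles."""
    accepted = [c for c in creds if c.issuer in trust_roots]
    roles = {}
    changed = True
    while changed:               # terminates: finite sets only grow
        changed = False
        for c in accepted:
            if "." in c.subject:
                other, orole = c.subject.split(".", 1)
                new = roles.get((other, orole), set())
            else:
                new = {c.subject}
            cur = roles.setdefault((c.issuer, c.role), set())
            if not new <= cur:
                cur |= new
                changed = True
    return roles

def authorize(principal, issuer, role, creds, trust_roots, quota, allocated):
    """Static check (role membership by proof) then dynamic check (quota)."""
    if principal not in prove(creds, trust_roots).get((issuer, role), set()):
        return False, "no proof that %s holds %s.%s" % (principal, issuer, role)
    if allocated.get(principal, 0) >= quota:
        return False, "quota of %d already used" % quota
    return True, "ok"
```

Even if "Mallory" were added to the trust roots, the proof for AggA.can_allocate would be unchanged, which is the "scope of damage" property on slide 5.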

Slide 6: Challenges
How can we best reflect these trust relationships and agreements in our software transactions?
What software attributes can help make it easier to establish human/inter-organizational trust?
How can we arrive at common mechanisms for:
– Exchanging identity
– Expressing policy
– Satisfying requirements for forensics and monitoring
How do we approach ‘loose’ federation, in which:
– Federations and aggregates may have different policies that need to be reconciled
– Aggregates belong to a number of federations at once
These are among the topics I hope we discuss at this week’s workshop.
Trust and federation are essentially human activities. Policies codify trust relationships that already exist between people and organizations. Policy cannot create that trust, but it can reinforce and sustain it.