
Supporting education and research Security and Authentication for the Grid Alan Robiette, JISC Development Group.


1 Security and Authentication for the Grid
Alan Robiette, JISC Development Group
Supporting education and research

2 Outline (18 May 2004, Cross-RC Conference, NeSC)
- Scope of the problem
- The changing context of Grid middleware
- The Grid Security Task Force
- Current issues
- Ways forward

3 Aspects of security
- Managing access within a generally approved community
  - Registration; authentication; authorisation (plus logging/accounting)
- Defence against completely unauthorised intrusion
  - Asset valuation; risk/threat analysis; countermeasures

4 Grid middleware
- In a state of transition
  - Globus Toolkit 2: in fairly widespread use but now obsolescent
  - OGSI/Globus Toolkit 3: first steps towards industry web services (but now deprecated)
  - WSRF/Globus Toolkit 4: full move to web services (but not there yet)
- Open Middleware Infrastructure Institute (OMII) using basic interoperable web services for the time being

5 Securing web services
- WS-Security white paper by IBM and Microsoft, April 2002
- Lower level services based on existing standards (TLS, XML-DSig, XML-Encryption)
- Extensions to SOAP to define security for SOAP messages
- Complex higher layer architecture

6 WS-Security architecture
(Figure) © IBM Corporation, Microsoft Corporation (2002)

7 WS-Security: progress
- Being standardised by OASIS, see http://www.oasis-open.org
- Basic WS-Security layer profiles now stable (for X.509 tokens)
- Work on other tokens in the pipeline
- Still a long way to go on higher level services...

8 Authentication
- In a sense a solved problem
- All generations of Grid middleware use X.509 identity certificates as security tokens
  - Including initial implementations of WS-Security
- In the UK, certificates issued by Grid Support Centre's certificate authority
- Works well within its design goals, but
  - Some issues with usability (of certificates in general): can these be circumvented?
  - Likely future issues with scalability

9 Authorisation
- Dealing with virtual organisations
  - Across boundaries of real organisations
  - In a real sense the key problem in Grid security
- Initial Globus mechanism (mapfile) very crude
  - Labour-intensive for sysadmins, doesn't scale well
- Many other schemes proposed
  - VOM, VOMS, CAS, Akenti, Permis...

10 GGF authorisation API
- GGF working group to design a standard authorisation API
  - Wide range of experts
  - JISC funded UK involvement
- Allows plug-in replacement of any scheme conforming to this API
- Written and due to be tested for GT3
  - But reusable in a web services context?

11 Defending against attacks
- Credential theft
  - How serious a problem is this?
  - Usability problems with certificates don't make for good user behaviour
- General security vulnerabilities
  - Something of a worry with research-grade code
  - Earlier Globus versions caused many problems with institutional firewalls
  - Web services avoids this; but pushes the problem elsewhere

12 Grid Security Task Force
- Part of the e-Science core programme support structure
- Reports to Technical Advisory Group
- Membership from the academic/research community and from industry
- Contains both practitioners and security researchers
- Specifically includes a human factors expert

13 What has STF done?
- Developed a security policy for the e-Science programme(s)
  - Research Councils, DTI etc. have all signed up to this
- Formulating a policy highlighted new operational needs for the programme
  - Incident management function (cf. CERT)
  - Advice to projects (possibly also audit)
  - Grid Operations Centre will include both

14 Other STF work
- Technical road map and gap analysis
  - Has informed JISC call for security work in early 2004, also EPSRC and OMII calls for new work in this area
- Initial scoping/drafting work on two further papers
  - Advice to proposal writers and PIs
  - Human factors (“socio-technical”) gap analysis

15 Main issues today
- The transitional state of Grid middleware
  - How much do we need to worry about GT2 and OGSI?
- Slow progress of WS-Security upper layers
  - Stick to simple WS-Security scenarios and make sure we get these right
- Usability/scalability issues with certificates?

16 Federating identities
- It may be preferable for the user to authenticate in his/her own institutional environment
  - Then spawn a short-lived Grid credential
  - E.g. KX509, which does this for Kerberos
- Alternatively could use Shibboleth-type model where identity and attributes are asserted by institution to service provider
  - Would this work in a Grid world?
  - And would it provide adequate security?

17 Questions?

