Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Facilitating Scientific Collaborations by Delegating Identity Management


Published on

Presentation at PNNL May 5th, 2015

Published in: Internet
  • Be the first to comment

Facilitating Scientific Collaborations by Delegating Identity Management

  1. 1. Facilitating Scientific Collaborations by Delegating Identity Management Reducing Barriers and Roadmap for Incremental Implementation Robert Cowles, Craig Jackson, Von Welch (PI) May 5th, 2015
  2. 2. 2 The XSIM Team Robert Cowles – BrightLite Information Security, former CISO of SLAC. Craig Jackson – CACR Policy Analyst, former practicing attorney. Von Welch – CACR Director, long time distributed science security researcher.
  3. 3. 3 Our talk… • Context – scientific collaboration, resource providers and identity. • Barriers and potential mitigation • Our VO Identity Model
  4. 4. 4 The “Good Old Days” Scientists were employees or students – physically co-located. Image credit: Wikipedia 4
  5. 5. 5 Then remote access… Scientists start being remote from the computers. But still affiliated with computing centers. Image credit: All About Apple Museum Creative Commons Attribution-Share Alike 2.5 Italy 5
  6. 6. 6 Growth of the scientific collaboration Number of scientists, institutions, resources. Large, expensive, rare/unique instruments. Increasing amounts of data. Image credit: Ian Bird/CERN 6
  7. 7. 7 VO Identity Management A number of approaches have been tried: VOMS, Glide-ins, Science gateways, COManage, Community/group accounts, etc. We now have 15 years of applied experimentation in VO IdM.
  8. 8. 8 Extreme Scale Identity Management for Science (XSIM) • Research and develop a VO-IdM model to express the trust relationships between resource providers (RPs) and collaboratories • Validate the model and determine the motivations that lead to the different choices • Develop guidance to collaboratories and RPs in architecting their IdM and trust choices
  9. 9. 9 Interviewees Collaboratories •Atlas •BaBar •Belle-II •CMS •Darkside •Engage •Earth System Grid •Fermi Space Telescope •LIGO •LSST/DESC Resource Providers •Atlas Great Lakes T2 •FermiGrid •GRIF •U. Nebraska (CMS) •LCLS •RAL •GRIF/LAL •LLNL •NERSC •Blue Waters
  10. 10. 10 Seemingly Contradictory Demands • Current Processes and Policies • Strong identification, authentication, and authorization of user communities • User communities • Large scale with dynamic membership • Span multiple resource providers • Desire ease-of-use (e.g. single sign-on) • Self management
  11. 11. Barriers and Mitigations
  12. 12. 12 Identified Barriers • Historical Inertial • Risk Aversion • Compliance and Assurance Requirements • Technology Limitations
  13. 13. 13 Deemed Export • “ … the release of controlled technology to a foreign person … “ • An export license is required, EXCEPT: • Research involving public information • Fundamental research • Suppliers of grid or cloud computing • Can eliminate requirement for identity proofing (needs legal review)
  14. 14. 14 Unclassified Foreign Visits • DOE O 142.3A (2010) • Policy for access to computing resources responsibility of DOE CIO; no policy exists • Access to scientific information and commercially available technology is not within scope of the order • Can eliminate requirement for identity proofing (needs legal review)
  15. 15. 15 Inertia and Risk • Significant policy and cultural investment in current risk profile for cyber security • DOE recognized need to shift to risk- based security with O 205.1B in 2011 • Cyber program can be flexible if risks are documented and residual risks accepted • Transitive trust may significantly reduce costs with little increase in residual risk
  16. 16. 16 Traceability • Throughout history of LHC grid, this has been a requirement by the RPs • With transitive trust, RP has no ability to contact individuals • OSG Traceability Project investigated and found that, except in improbable circumstances, sufficient information was always available
  17. 17. 17 Technology Limitations • Many tools (source code systems, ssh, etc.) assume traditional authentication • Technology advances are coming rapidly • Virtualization • Grid and cloud computing • Increased ability to share resources within a group and increase isolation and security from other groups
  18. 18. XSIM VO IdM Model
  19. 19. 19 Roadmap for Incremental Implementation • Delegation of IdM is not all-or-nothing • Partial delegation – certain functions – can create a simpler workflow (for RPs and users) • Trusting the VO and accepting the risk can significantly decrease administrative costs
  20. 20. 20 Transitive Trust Classically RPs produced and consumed all IdM data. Brokered trust relationships entail VOs & TTPs generating user data, to be consumed by RPs. Transitive trust relationships forego all user data consumption by RP.
  21. 21. 21 Virtual Organization (VO) • Created to manage scientific community • Role in Transitive Trust IdM model • Resource Providers (RPs) trust the VO to manage its community • Little or no individual user information is transferred from the VO to the RP • Central participant in Incident Response
  22. 22. VO IdM Model: Data-centric Production & Consumption Identity data is produced to provide functionality to other workflows when needed. Identity data is consumed to perform these functions. Functionality authentication authorization allocation/scheduling accounting auditing user support incident response Model IdM Data (1)User identifier (2)User contact info (3)VO membership/role
  23. 23. Examples of IdM Delegation
  24. 24. 24 Identity Data Flow in the “Classic Model” Authn Authz Audit Accounting Incident Response UserSupport User Ids & Contact info RP produces and consumes all IdM information. RP
  25. 25. 25 NERSC Scientific Gateway • Defined “collaboration account” to enable a team of researchers shared access to resources in a secure, scalable manner • NERSC delegates only authorization for access to the collaboration account • The VO determines user privileges and resource access while NERSC controls authentication, auditing, and accounting
  26. 26. 26 NERSC Collaboration Account RP Authn Authz Allocations/ Scheduling Incident Response UserSupport Membership And role VO User Ids & Contact infoAudit
  27. 27. 27 XSEDE Science Gateway • Defn: Integrated set of tools customized for a specific community • Initially developed idea of “community accounts” identifying projects, not users • It was found that some identity needed to be transmitted for purposes of accounting • More recently, virtualization and cloud computing have moved accounting responsibility to the VO
  28. 28. 28 XSEDE Science Gateway Model User Ids RP Authn Authz Allocations/ Scheduling Incident Response UserSupport Contact info Science Gatewa y GW Id Audit
  29. 29. 29 ATLAS use of PanDA • PanDA – distributed job submission and execution in a grid environment • Uses a pilot job to allow VO control over scheduling and can optionally run job under submitting user’s identity • All USATLAS sites (including DOE Labs) do NOT use the identity changing option • Complete delegation – RP’s depend on ATLAS VO for user contact
  30. 30. 30 Identity Data Flow in Multi-user Pilot Jobs User Identity PKI RP Authn Authz Allocations/ Scheduling Incident Response UserSupport VO Membership User contact info VO Audit
  31. 31. 31 Reference Robert Cowles, Craig Jackson and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers & Roadmap for Incremental Implementation Will be presented at CLHS 15 in June 2015
  32. 32. 32 Conclusion Virtual Organizations have become essential for scientific computing and XSIM has developed a model for describing VO IdM based on IdM data production and consumption. Existing policies allow for delegation of IdM functions within context of acceptable risk Strategies exist for incremental increase in trust and delegation of IdM functions
  33. 33. 33 Thank you. Questions? Von Welch ( We thank the Department of Energy Next-Generation Networks for Science (NGNS) program (Grant No. DE-FG02-12ER26111) for funding this effort. The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the sponsors or any organization.
  34. 34. 34 Extra Slides
  35. 35. 35 Research Robert Cowles, Craig Jackson, and Von Welch. Identity Management Factors for HEP Virtual Organizations. 20th International Conference on Computing in High Energy and Nuclear Physics (CHEP2013), 2013
  36. 36. 36 Develop Model and Validate Robert Cowles, Craig Jackson, and Von Welch. Identity Management for Virtual Organizations: An Experience-Based Model. eScience 2013, 2013 Robert Cowles, Craig Jackson, Von Welch, and Shreyas Cholia. A Model for Identity Management in Future Scientific Collaboratories International Symposium on Grids and Clouds (ISGC) 2014, 2014
  37. 37. 37 Develop Guidance Von Welch, Robert Cowles, and Craig Jackson. XSIM OSG IdM Guidance OSG-doc-1199, July 2014 Robert Cowles, Craig Jackson, and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers and Roadmap for Incremental Implementation. March, 2015.