
Interoperable Policies in Identity Management for Grid Security

This article discusses the roadmap towards developing interoperable policies in identity management for grid security. It covers topics such as authentication federation, the role of EUGridPMA and IGTF, the e-IRG roadmap, and integrated authentication and authorization essentials in grid security.





Presentation Transcript


  1. EUGridPMA and the e-IRG security roadmap: towards interoperable policies in identity management. GGF16 Production Grids Enterprise and Research Workshop. David L. Groep, EUGridPMA, 2006-02-15

  2. Outline • A few words on the Grid Security Model Towards inter-working identity management • Policies for Authentication Federation • EUGridPMA • IGTF • e-IRG roadmap • Towards integrated Authentication and Authorization

  3. Essentials on Grid Security • Access to shared services • cross-domain authentication, authorization, accounting, billing • common generic protocols for collective services • Support multi-user collaboration • may contain individuals acting alone – their home organization administration need not necessarily know about all activities • organized in ‘Virtual Organisations’ • Enable ‘easy’ single sign-on for the user • the best security is hidden from the user as much as possible • And leave the resource owner always in control

  4. Virtual vs. Organic structure [Diagram: a Virtual Community C drawn across Organization A and Organization B; each organization holds persons in their organic roles (Principal Investigator, Researcher, Staff, Faculty, Student, Administrator) together with File server F1 and Compute Servers C1, C2 and C3, and the virtual community draws its members and resources from both. Graphic: GGF OGSA Working Group] • Virtual communities (“virtual organisations”) are many • An individual will typically be part of many communities • but will require single sign-on across all these communities

  5. Stakeholders in Grid Security Current grid security is largely user centric • different roles for the same person in the organic unit and in the VO • There is no a priori trust relationship between members or member organisations • Virtual Organisation lifetime can vary from hours to decades • VO not necessarily persistent (both long- and short-lived) • people and resources are members of many VOs • … but a relationship is required • as a basis for authorising access • for traceability and liability, incident handling, and accounting

  6. Separating Authentication and Authorization • Single Authentication token (“passport”) • issued by a party trusted by all (“CA”), • recognised by many resource providers, users, and VOs • satisfy traceability and persistency requirement • in itself does not grant any access, but provides a unique binding between an identifier and the subject • Per-VO Authorisations (“visa”) • granted to a person/service via a virtual organisation • based on the ‘passport’ name • acknowledged by the resource owners • providers can obtain lists of authorised users per VO,but can still ban individual users

  7. Authentication … academia, industry, and … Possible sources of authentication and identity • National PKI • in general uptake of 1999/93/EC and e-Identification is slow • where available, a national PKI can be leveraged • Several commercial providers • main commercial drive today: secure e-commerce based on SSL • thus primary market is server authentication, not end-user identities • are implicitly trusted by many • because web browsers pre-install the roots of trust • WebTrust “seal of approval” scope limited to a single Authority • Academic Grid PKI today • Provide end-user identities for secure mail and grid use • generally provided by the NREN or national e-science project

  8. A Federation Model for Grid Authentication • A Federation of many independent CAs • Policy coordination based on common minimum requirements (not ‘policy harmonisation’) • Acceptable for major relying parties in Grid Infrastructures • No strict hierarchy with a single top • spread liability and enable failure containment (better resilience) • maximum leverage of national efforts and subsidiarity [Diagram: CA 1 … CA n and relying party 1 … relying party n, linked through the federation’s charter, guidelines and acceptance process]

  9. Building the federation • Providers and Relying Parties together shape the common minimum requirements • Several profiles for different identity management models • different technologies • Authorities testify to compliance with profile guidelines • Peer-review process within the federation to (re) evaluate members on entry & periodically • Reduce effort on the relying parties • single document to review and assess for all Authorities • collective acceptance of all accredited authorities • Reduce cost on the authorities • but participation in the federation comes with a price • … the ultimate decision always remains with the RP

  10. EUGridPMA: the Federation in Europe • founded April 2004, as a successor to the CACG • The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body • to establish requirements and best practices for grid identity providers • to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources. • As its main activity the EUGridPMA • coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware. • The EUGridPMA itself does not provide identity assertions, but instead asserts that (within the scope of this charter) the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.

  11. EUGridPMA Membership EUGridPMA membership for Authorities • a single Authority per • country, large region or international treaty organization • ‘serve the largest possible community with a small number of stable CAs’ • ‘operated as a long-term commitment’ Relying Parties: major e-Infrastructures or partner organisations • DEISA, EGEE, SEE-GRID, TERENA, …

  12. Coverage of the EUGridPMA Green: Countries with an accredited CA • The EU member states (except LU, MT) • + AM, CH, IL, IS, NO, PK, RU, TR, “SEE-catch-all” Other Accredited CAs: • DoEGrids (.us) • GridCanada (.ca) • CERN • ASGCC (.tw)* • IHEP (.cn)* * Migrated to APGridPMA per Oct 5th, 2005

  13. Growth of the EDG CACG and EUGridPMA History

  14. Five years of growth • December 2000: First CA coordination meeting for the FP5 DataGrid project • March 2003: Tokyo Accord (GGF7) • April 2004: Foundation of the EUGridPMA • June 2004: Foundation of the APGridPMA • June 2005: Foundation of TAGPMA (GGF14) • 5 October 2005: Establishment of the International Grid Trust Federation IGTF …

  15. 2005: Extending Trust – the International Grid Trust Federation • common, global best practices for trust establishment • better manageability of the PMAs [Diagram: the three regional PMAs that make up the IGTF: The Americas Grid PMA (TAGPMA), European Grid PMA (EUGridPMA), Asia Pacific Grid PMA (APGridPMA)]

  16. APGridPMA • 13 members from the Asia-Pacific Region • Launched June 1st, 2004, chaired by Yoshio Tanaka • Minimum Requirements taken from EUGridPMA • First face-to-face meeting on Nov 29th, 2005 • Today 6 ‘production-quality’ authorities in operation • AIST (.jp) • APAC (.au) • BMG (.sg) • CMSD (.in) • HKU CS SRG (.hk) • KISTI (.kr) • NCHC (.tw) • NPACI (.us) • Osaka U. (.jp) • SDG (.cn) • USM (.my) • IHEP Beijing (.cn) • ASGCC (.tw) See subsequent presentation by Yoshio Tanaka: APGridPMA and AIST

  17. TAGPMA • To cover all of the Americas • 8 members to date • Launched June 28th, 2005, chaired by Darcy Quesnel, CANARIE • SDSC (.us) • FNAL (.us) • Dartmouth (.us) • Brazil (pending) • Canarie (.ca) • OSG (.us) • TERAGRID (.us) • Texas H.E. Grid (.us) • DOEGrids (.us) See subsequent presentation by Darcy Quesnel: TAGPMA and CANARIE

  18. The IGTF Federation [Diagram: APGridPMA (CA A1, …), EUGridPMA (CA E1, CA E2, …) and TAGPMA (CA T1, …) bound by the IGTF Federation Document, which fixes the common policy, trust relations, subject namespace assignment, distribution and naming conventions, and by the common Authentication Profiles: Classic (EUGridPMA) and SLCS (TAGPMA)] • worldwide relying parties see a uniform IGTF “mesh”

  19. e-Infrastructure Reflection Group e-IRG (www.e-irg.org) • Recommends best practices for European grid efforts • Policy coordination for the European Research Area • Resource sharing policies • Registry of resources (economy of scale advantages) • Synergies between Europe and other regions • e-Infrastructure Roadmap and FP7+ • Support and encourage pan-European interoperability • Such as EUGridPMA, TACAR • Cotswolds Initiative & TERENA REFeds

  20. Along the e-IRG Roadmap e-Infrastructure Reflection Group White Paper on Authentication and Authorization • commitment to the federated approach • vision of an integrated AA infrastructure for eEurope Towards an integrated AAI for academia in Europe and beyond • The e-IRG notes the timely operation of the EUGridPMA in conjunction with the TACAR CA Repository and it expresses its satisfaction for a European initiative that serves e-Science Grid projects. […] The e-IRG strongly encourages the EUGridPMA / TACAR to continue their valuable work […] (Dublin, 2004) • The e-IRG encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions. (The Hague, 2005)

  21. Grid Authorization today Leverages authentication provided by the PKI • Identity management decoupled from access control • Creation of short-lived ‘tokens’ (‘proxy’ certificates) for single sign-on based on these identities Status today • Variety of mechanisms • Variety of sources of authority • Integration and interoperability need significant effort …
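As an added illustration (not from the slides or from any EUGridPMA software) of the passport/visa split in slide 6 and the short-lived proxy tokens in slide 21, the Python sketch below keeps authentication (is the issuer an accredited CA, is the token still valid) strictly separate from authorization (VO membership, with a site-local ban list that always wins). All CA names, subject names, VOs and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed sample trust data; none of these names are real CAs, VOs or people.
ACCREDITED_CAS = {"/C=XX/O=Example Grid CA"}      # trust anchors accepted via the federation
VO_MEMBERS = {"biomed": {"/C=XX/O=Example/CN=Alice", "/C=XX/O=Example/CN=Bob"}}
SITE_BANLIST = {"/C=XX/O=Example/CN=Bob"}          # the resource owner stays in control
@dataclass(frozen=True)
class Passport:
    """Long-lived identity certificate: a unique name bound to a subject; grants no access."""
    subject: str
    issuer: str
    not_after: datetime
@dataclass(frozen=True)
class ProxyToken:
    """Short-lived single sign-on token derived from a passport (cf. proxy certificates)."""
    passport: Passport
    not_after: datetime

def issue_proxy(passport, now, hours=12):
    # A proxy must never outlive the passport it was derived from.
    return ProxyToken(passport, min(now + timedelta(hours=hours), passport.not_after))

def authenticate(token, now):
    """Authentication only: is the name-to-subject binding still trustworthy?"""
    p = token.passport
    if p.issuer not in ACCREDITED_CAS:
        return "reject: issuer not accredited"
    if now >= p.not_after:
        return "reject: passport expired"
    if now >= token.not_after:
        return "reject: proxy expired"
    return "ok"

def authorize(token, vo, now):
    """Authorization ('visa'): VO membership decides, but a local ban always wins."""
    result = authenticate(token, now)
    if result != "ok":
        return result
    subject = token.passport.subject
    if subject in SITE_BANLIST:
        return "deny: banned by resource owner"
    if subject not in VO_MEMBERS.get(vo, set()):
        return "deny: not a member of VO"
    return "permit"

NOW = datetime(2006, 2, 15, 9, 0, tzinfo=timezone.utc)  # constructed reference time
ALICE = Passport("/C=XX/O=Example/CN=Alice", "/C=XX/O=Example Grid CA", NOW + timedelta(days=365))
BOB = Passport("/C=XX/O=Example/CN=Bob", "/C=XX/O=Example Grid CA", NOW + timedelta(days=365))
CAROL = Passport("/C=XX/O=Example/CN=Carol", "/C=XX/O=Unlisted CA", NOW + timedelta(days=365))
SHORT = Passport("/C=XX/O=Example/CN=Alice", "/C=XX/O=Example Grid CA", NOW + timedelta(hours=1))
```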

  22. Convergence initiatives in AAI • from the PMA side • Extending PMA and the IGTF to more countries and regions, • and to more mechanisms and audiences • from TERENA • NRENs-GRID workshop series • TF-EMC2 / TF-Mobility • REFEDS – Research and Education Federations • broad AAI scope: IGTF, eduroam, A-Select, PAPI, SWITCH-AAI, InCommon, HAKA, FEIDE/Moria • See http://www.terena.nl/tech/refeds/ • in GGF • … With the current technical and policy momentum, a coordinated AAI is now both timely and within reach!

  23. EUGridPMA – http://www.eugridpma.org/ • IGTF – http://www.gridpma.org/ • e-IRG – http://www.e-irg.org/
