Facilitating Scientific Collaborations by Delegating Identity Management
Reducing Barriers and Roadmap for Incremental Implementation
Robert Cowles, Craig Jackson, Von Welch (PI)
May 5th, 2015
2
The XSIM Team
Robert Cowles – BrightLite Information Security, former CISO of SLAC.
Craig Jackson – CACR Policy Analyst, former practicing attorney.
Von Welch – CACR Director, long time distributed science security researcher.
3
Our talk…
• Context – scientific collaboration, resource providers and identity.
• Barriers and potential mitigation
• Our VO Identity Model
4
The “Good Old Days”
Scientists were employees or students – physically co-located.
Image credit: Wikipedia
5
Then remote access…
Scientists start being remote from the computers.
But still affiliated with computing centers.
Image credit: All About Apple Museum Creative Commons Attribution-Share Alike 2.5 Italy
6
Growth of the scientific collaboration
Number of scientists, institutions, resources.
Large, expensive, rare/unique instruments.
Increasing amounts of data.
Image credit: Ian Bird/CERN
7
VO Identity Management
A number of approaches have been tried:
VOMS, Glide-ins, Science gateways, COManage, Community/group accounts, etc.
We now have 15 years of applied experimentation in VO IdM.
8
Extreme Scale Identity Management for Science (XSIM)
• Research and develop a VO-IdM model to express the trust relationships between resource providers (RPs) and collaboratories
• Validate the model and determine the motivations that lead to the different choices
• Develop guidance to collaboratories and RPs in architecting their IdM and trust choices
9
Interviewees
Collaboratories
• Atlas
• BaBar
• Belle-II
• CMS
• Darkside
• Engage
• Earth System Grid
• Fermi Space Telescope
• LIGO
• LSST/DESC
Resource Providers
• Atlas Great Lakes T2
• FermiGrid
• GRIF
• U. Nebraska (CMS)
• LCLS
• RAL
• GRIF/LAL
• LLNL
• NERSC
• Blue Waters
10
Seemingly Contradictory Demands
• Current Processes and Policies
  • Strong identification, authentication, and authorization of user communities
• User communities
  • Large scale with dynamic membership
  • Span multiple resource providers
  • Desire ease-of-use (e.g. single sign-on)
  • Self management
12
Identified Barriers
• Historical Inertia
• Risk Aversion
• Compliance and Assurance Requirements
• Technology Limitations
13
Deemed Export
• “ … the release of controlled technology to a foreign person … “
• An export license is required, EXCEPT:
  • Research involving public information
  • Fundamental research
  • Suppliers of grid or cloud computing
• Can eliminate requirement for identity proofing (needs legal review)
14
Unclassified Foreign Visits
• DOE O 142.3A (2010)
  • Policy for access to computing resources is the responsibility of the DOE CIO; no policy exists
• Access to scientific information and commercially available technology is not within scope of the order
• Can eliminate requirement for identity proofing (needs legal review)
15
Inertia and Risk
• Significant policy and cultural investment in current risk profile for cyber security
• DOE recognized need to shift to risk-based security with O 205.1B in 2011
• Cyber program can be flexible if risks are documented and residual risks accepted
• Transitive trust may significantly reduce costs with little increase in residual risk
16
Traceability
• Throughout history of LHC grid, this has been a requirement by the RPs
• With transitive trust, RP has no ability to contact individuals
• OSG Traceability Project investigated and found that, except in improbable circumstances, sufficient information was always available
17
Technology Limitations
• Many tools (source code systems, ssh, etc.) assume traditional authentication
• Technology advances are coming rapidly
  • Virtualization
  • Grid and cloud computing
• Increased ability to share resources within a group and increase isolation and security from other groups
19
Roadmap for Incremental Implementation
• Delegation of IdM is not all-or-nothing
  • Partial delegation – certain functions – can create a simpler workflow (for RPs and users)
• Trusting the VO and accepting the risk can significantly decrease administrative costs
20
Transitive Trust
Classically RPs produced and consumed all IdM data.
Brokered trust relationships entail VOs & TTPs generating user data, to be consumed by RPs.
Transitive trust relationships forego all user data consumption by RP.
21
Virtual Organization (VO)
• Created to manage scientific community
• Role in Transitive Trust IdM model
  • Resource Providers (RPs) trust the VO to manage its community
  • Little or no individual user information is transferred from the VO to the RP
  • Central participant in Incident Response
VO IdM Model: Data-centric Production & Consumption
Identity data is produced to provide functionality to other workflows when needed.
Identity data is consumed to perform these functions.
Functionality
• authentication
• authorization
• allocation/scheduling
• accounting
• auditing
• user support
• incident response
Model IdM Data
(1) User identifier
(2) User contact info
(3) VO membership/role
24
Identity Data Flow in the “Classic Model”
[Diagram labels: Authn; Authz; Audit; Accounting; Incident Response; User Support; User Ids & Contact info; RP]
RP produces and consumes all IdM information.
25
NERSC Scientific Gateway
• Defined “collaboration account” to give a team of researchers shared access to resources in a secure, scalable manner
• NERSC delegates only authorization for access to the collaboration account
• The VO determines user privileges and resource access while NERSC controls authentication, auditing, and accounting
26
NERSC Collaboration Account
[Diagram labels: RP; Authn; Authz; Allocations/Scheduling; Incident Response; User Support; Membership and role; VO; User Ids & Contact info; Audit]
27
XSEDE Science Gateway
• Defn: Integrated set of tools customized for a specific community
• Initially developed idea of “community accounts” identifying projects, not users
• It was found that some identity needed to be transmitted for purposes of accounting
• More recently, virtualization and cloud computing have moved accounting responsibility to the VO
28
XSEDE Science Gateway Model
[Diagram labels: User Ids; RP; Authn; Authz; Allocations/Scheduling; Incident Response; User Support; Contact info; Science Gateway; GW Id; Audit]
29
ATLAS use of PanDA
• PanDA – distributed job submission and execution in a grid environment
• Uses a pilot job to allow VO control over scheduling and can optionally run job under submitting user’s identity
• All USATLAS sites (including DOE Labs) do NOT use the identity changing option
• Complete delegation – RPs depend on the ATLAS VO for user contact
30
Identity Data Flow in Multi-user Pilot Jobs
[Diagram labels: User Identity; PKI; RP; Authn; Authz; Allocations/Scheduling; Incident Response; User Support; VO Membership; User contact info; VO; Audit]
31
Reference
Robert Cowles, Craig Jackson and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers & Roadmap for Incremental Implementation
http://cacr.iu.edu/sites/cacr.iu.edu/files/FSCbyDIM0408.pdf
Will be presented at CLHS 15 in June 2015
32
Conclusion
Virtual Organizations have become essential for scientific computing and XSIM has developed a model for describing VO IdM based on IdM data production and consumption.
Existing policies allow for delegation of IdM functions within context of acceptable risk
Strategies exist for incremental increase in trust and delegation of IdM functions
33
Thank you. Questions?
Von Welch ([email protected])
http://cacr.iu.edu/collab-idm
We thank the Department of Energy Next-Generation Networks for Science (NGNS) program (Grant No. DE-FG02-12ER26111) for funding this effort.
The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the sponsors or any organization.
35
Research
Robert Cowles, Craig Jackson, and Von Welch. Identity Management Factors for HEP Virtual Organizations. 20th International Conference on Computing in High Energy and Nuclear Physics (CHEP2013), 2013
https://iopscience.iop.org/1742-6596/513/3/032022
36
Develop Model and Validate
Robert Cowles, Craig Jackson, and Von Welch. Identity Management for Virtual Organizations: An Experience-Based Model. eScience 2013, 2013.
http://www.computer.org/csdl/proceedings/escience/2013/5083/00/5083a278-abs.html
Robert Cowles, Craig Jackson, Von Welch, and Shreyas Cholia. A Model for Identity Management in Future Scientific Collaboratories. International Symposium on Grids and Clouds (ISGC) 2014, 2014.
http://pos.sissa.it/archive/conferences/210/026/ISGC2014_026.pdf
37
Develop Guidance
Von Welch, Robert Cowles, and Craig Jackson. XSIM OSG IdM Guidance. OSG-doc-1199, July 2014.
http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1199
Robert Cowles, Craig Jackson, and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers and Roadmap for Incremental Implementation. March, 2015.
http://cacr.iu.edu/sites/cacr.iu.edu/files/FSCbyDIM0408.pdf