
Facilitating Scientific Collaborations by Delegating Identity Management

Reducing Barriers and Roadmap for Incremental Implementation

Robert Cowles, Craig Jackson, Von Welch (PI)

May 5th, 2015

2

The XSIM Team

Robert Cowles – BrightLite Information Security, former CISO of SLAC.

Craig Jackson – CACR Policy Analyst, former practicing attorney.

Von Welch – CACR Director, long time distributed science security researcher.

3

Our talk…

• Context – scientific collaboration, resource providers and identity.

• Barriers and potential mitigation

• Our VO Identity Model

4

The “Good Old Days”

Scientists were employees or students – physically co-located.

Image credit: Wikipedia


5

Then remote access…

Scientists start being remote from the computers.

But still affiliated with computing centers.

Image credit: All About Apple Museum Creative Commons Attribution-Share Alike 2.5 Italy


6

Growth of the scientific collaboration

Number of scientists, institutions, resources.

Large, expensive, rare/unique instruments.

Increasing amounts of data.

Image credit: Ian Bird/CERN


7

VO Identity Management

A number of approaches have been tried:

VOMS, Glide-ins, Science gateways, COManage, Community/group accounts, etc.

We now have 15 years of applied experimentation in VO IdM.

8

Extreme Scale Identity Management for Science (XSIM)

• Research and develop a VO-IdM model to express the trust relationships between resource providers (RPs) and collaboratories

• Validate the model and determine the motivations that lead to the different choices

• Develop guidance to collaboratories and RPs in architecting their IdM and trust choices

9

Interviewees

Collaboratories: Atlas, BaBar, Belle-II, CMS, Darkside, Engage, Earth System Grid, Fermi Space Telescope, LIGO, LSST/DESC

Resource Providers: Atlas Great Lakes T2, FermiGrid, GRIF, U. Nebraska (CMS), LCLS, RAL, GRIF/LAL, LLNL, NERSC, Blue Waters

10

Seemingly Contradictory Demands

• Current Processes and Policies

  • Strong identification, authentication, and authorization of user communities

• User communities

  • Large scale with dynamic membership

  • Span multiple resource providers

  • Desire ease-of-use (e.g. single sign-on)

  • Self management

Barriers and Mitigations

12

Identified Barriers

• Historical Inertia

• Risk Aversion

• Compliance and Assurance Requirements

• Technology Limitations

13

Deemed Export

• “ … the release of controlled technology to a foreign person … “

• An export license is required, EXCEPT:

  • Research involving public information

  • Fundamental research

  • Suppliers of grid or cloud computing

• Can eliminate requirement for identity proofing (needs legal review)

14

Unclassified Foreign Visits

• DOE O 142.3A (2010)

  • Policy for access to computing resources is the responsibility of the DOE CIO; no policy exists

• Access to scientific information and commercially available technology is not within scope of the order

• Can eliminate requirement for identity proofing (needs legal review)

15

Inertia and Risk

• Significant policy and cultural investment in current risk profile for cyber security

• DOE recognized need to shift to risk-based security with O 205.1B in 2011

• Cyber program can be flexible if risks are documented and residual risks accepted

• Transitive trust may significantly reduce costs with little increase in residual risk

16

Traceability

• Throughout history of LHC grid, this has been a requirement by the RPs

• With transitive trust, RP has no ability to contact individuals

• OSG Traceability Project investigated and found that, except in improbable circumstances, sufficient information was always available

17

Technology Limitations

• Many tools (source code systems, ssh, etc.) assume traditional authentication

• Technology advances are coming rapidly

  • Virtualization

  • Grid and cloud computing

• Increased ability to share resources within a group and increase isolation and security from other groups

XSIM VO IdM Model

19

Roadmap for Incremental Implementation

• Delegation of IdM is not all-or-nothing

  • Partial delegation – certain functions – can create a simpler workflow (for RPs and users)

• Trusting the VO and accepting the risk can significantly decrease administrative costs

20

Transitive Trust

Classically RPs produced and consumed all IdM data.

Brokered trust relationships entail VOs & TTPs generating user data, to be consumed by RPs.

Transitive trust relationships forego all user data consumption by RP.

21

Virtual Organization (VO)

• Created to manage scientific community

• Role in Transitive Trust IdM model

• Resource Providers (RPs) trust the VO to manage its community

• Little or no individual user information is transferred from the VO to the RP

• Central participant in Incident Response

VO IdM Model: Data-centric Production & Consumption

Identity data is produced to provide functionality to other workflows when needed.

Identity data is consumed to perform these functions.

Functionality: authentication, authorization, allocation/scheduling, accounting, auditing, user support, incident response

Model IdM Data: (1) User identifier, (2) User contact info, (3) VO membership/role

Examples of IdM Delegation

24

Identity Data Flow in the “Classic Model”

[Diagram: RP performs Authn, Authz, Audit, Accounting, Incident Response and User Support, holding User Ids & Contact info.]

RP produces and consumes all IdM information.

25

NERSC Scientific Gateway

• Defined “collaboration account” to enable a team of researchers shared access to resources in a secure, scalable manner

• NERSC delegates only authorization for access to the collaboration account

• The VO determines user privileges and resource access while NERSC controls authentication, auditing, and accounting

26

NERSC Collaboration Account

RP

[Diagram: RP and VO. Labels: Authn, Authz, Allocations/Scheduling, Incident Response, User Support, Audit, Membership and role, User Ids & Contact info.]

27

XSEDE Science Gateway

• Defn: Integrated set of tools customized for a specific community

• Initially developed idea of “community accounts” identifying projects, not users

• It was found that some identity needed to be transmitted for purposes of accounting

• More recently, virtualization and cloud computing have moved accounting responsibility to the VO

28

XSEDE Science Gateway Model

[Diagram: RP and Science Gateway. Labels: User Ids, Authn, Authz, Allocations/Scheduling, Incident Response, User Support, Contact info, GW Id, Audit.]

29

ATLAS use of PanDA

• PanDA – distributed job submission and execution in a grid environment

• Uses a pilot job to allow VO control over scheduling and can optionally run job under submitting user’s identity

• All USATLAS sites (including DOE Labs) do NOT use the identity changing option

• Complete delegation – RPs depend on the ATLAS VO for user contact

30

Identity Data Flow in Multi-user Pilot Jobs

[Diagram: User Identity (PKI), RP and VO. Labels: Authn, Authz, Allocations/Scheduling, Incident Response, User Support, VO Membership, User contact info, Audit.]

31

Reference

Robert Cowles, Craig Jackson and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers & Roadmap for Incremental Implementation

http://cacr.iu.edu/sites/cacr.iu.edu/files/FSCbyDIM0408.pdf

Will be presented at CLHS 15 in June 2015

32

Conclusion

Virtual Organizations have become essential for scientific computing and XSIM has developed a model for describing VO IdM based on IdM data production and consumption.

Existing policies allow for delegation of IdM functions within context of acceptable risk

Strategies exist for incremental increase in trust and delegation of IdM functions

33

Thank you. Questions?

Von Welch ([email protected])

http://cacr.iu.edu/collab-idm

We thank the Department of Energy Next-Generation Networks for Science (NGNS) program (Grant No. DE-FG02-12ER26111) for funding this effort.

The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the sponsors or any organization.

34

Extra Slides

35

Research

Robert Cowles, Craig Jackson, and Von Welch. Identity Management Factors for HEP Virtual Organizations. 20th International Conference on Computing in High Energy and Nuclear Physics (CHEP2013), 2013

https://iopscience.iop.org/1742-6596/513/3/032022

36

Develop Model and Validate

Robert Cowles, Craig Jackson, and Von Welch. Identity Management for Virtual Organizations: An Experience-Based Model. eScience 2013, 2013

http://www.computer.org/csdl/proceedings/escience/2013/5083/00/5083a278-abs.html

Robert Cowles, Craig Jackson, Von Welch, and Shreyas Cholia. A Model for Identity Management in Future Scientific Collaboratories. International Symposium on Grids and Clouds (ISGC) 2014, 2014

http://pos.sissa.it/archive/conferences/210/026/ISGC2014_026.pdf

37

Develop Guidance

Von Welch, Robert Cowles, and Craig Jackson. XSIM OSG IdM Guidance. OSG-doc-1199, July 2014

http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1199

Robert Cowles, Craig Jackson, and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers and Roadmap for Incremental Implementation. March 2015.

http://cacr.iu.edu/sites/cacr.iu.edu/files/FSCbyDIM0408.pdf