Usable Security for Science
Challenges and Next Steps
Jens Jensen <j.jensen @ rl ac uk>
Science and Technology Facilities Council
Trust and Security 2nd Workshop
Oxford 8-9 May 2008
This Talk…
• Is about security – practical security
• Mainly from the service provider’s view
• Broader view rather than narrow tech
• Mostly about AAA in line with workshop’s theme
• Tried to be provocative now and then
Large scale science facilities with users across the world
All Images © STFC
all areas of science
Biology and medicine
Space
Earth
Materials
Physics
Arts and humanities
Environment and energy
…
Technology
Chemistry
Why Security?
• Protect our infrastructure (and users’ data)
• Enforce allocations
• Accounting for resource use
• Track resource misuse
• Peering – across UK, Europe, World
Practical Aspects
Most technology is experimental
Standard
Java Library Implementation
C/C++ Library Implementation
… third implementation
Practical Aspects
• A spec alone is useless... (without implementations)
• Java (alone) is useless
• C can be linked into everything (almost)
– Perl, python, …
• Need >2 independent implementations
– Interoperating !!
• Usable licence
Practical Aspects
Standards are very important
Sometimes there are too many
Practical Aspects
like traffic (sort of)
Technology, Grids, it’s experimental
Never ever just trust the standard
What we have for AuC
• Site security – physical (people, doors, access cards, keys)
• Site computing – Active Directory
• e-Science CA (IGTF/X.509)
• Shibboleth
• Credential conversion (later in talk)
Whose
• Developer
• Service provider
• Sysadmin
• Supporter
• Accounting
• Facility provider
• User office
• Granting body
• PI
• End user
Dimensions
• Time (user’s)
• Time (ours)
• Space (geo)
• Financial/resources
• Ease of use
• Assurance
• Trust
• End to end (user to system)
Interest in
proposal
Registration
Authorisation
Users’ timeline
Science!
Termination
(or not?)
Weak AUC
Stronger AUC
STATE of AUC?
Organisation Timeline
Preserving data, curation
Technology migration
Lower costs…
User Offices HR
Integrated Account Management
STAFF
VISITOR
AGENCY STAFF
External
Diamond?
Other STFC sites
PPARC/CCLRC
Usability for users
Should be like a duck
Who moves across the pond
Paddling of feet unseen
Usability for service provider
Let the good guys in
Keep the bad guys out
Minimal support requirements
How we achieve (some of) it
Credential Conversion
Scientist wishes to do work
Logs in Uses resource
Account mgmt and AuZ
• Site single sign on databases (connected)
• fedId, DN, resource username
• Granting access to resources (AuZ)
• Single account management
– Also holds customers – e.g. beamline scientists
• Adding more resources
Example Resource
• SCARF cluster
• External users use certificates
• All staff have a default SSO account
– Temporary limited recyclable accounts
• Staff can apply for permanent acct
• License management for all users
– Commercial libraries
MyProxy for CC
http://grid.ncsa.uiuc.edu/myproxy/
Grids (NGS,gLite/GridPP,SRB)
Kerberos or Active Directory
Users do not see the certificate – it's all managed behind the scenes (duck paddling)
Applications integrated security
• We adapt science applications to use the Grid
• End to end
• Interfaces to security infrastructure
• Often security is added only as necessary?
– Imposed by Grid infrastructure
Shib for CC
Password Shibboleth
Resource access
NGS
• Deploy production services for Grids
• SARoNGS – Jan 07 – Jan 08 for NGS
– Integrate ShibGrid and SHEBANGS
– Shibboleth access with VO attrs from VOMS
NGS
• e-Science CA: accepted internationally
• High assurance level
• Works because everybody in the world is on the same level
• Robots for automated services (or portals)
• Not necessarily needed for normal users?
Why does it work?
Interoperable
Standards based
Tested!
Er, what was the question again?
How important is usability for my users?
• Very
• More for some than for others
– Health workers seem to have particular difficulties
– Physicists are more hardy folk
…Usability?
Security…
…a necessary evil?
Experiences
Usable security
…satisfying user and site requirements…
…makes happy(er) and productive users
…And the second question?
Usability and interoperability?
• Interoperability improves reusability
• Reusable means more versatile
• Improves usability
…And the final question?
What we learn from other communities?
• Pick usable components for reuse
• Build on experiences
• Deploy services for other communities
– Try to adapt what they already have
Don’t reinvent the
But did they want this?
or this? or this?
Final words (promise)
• Aim to meet user and site requirements
• Build on stuff that works (or build stuff that works…)
• Users don’t always know what they want
• Don’t forget, it’s an experimental science – across all dimensions