INFSO-RI-508833
Enabling Grids for E-sciencE
www.eu-egee.org
EGEE security “pitch”
Olle Mulmo, EGEE Chief Security Architect, KTH, Sweden
Project PR
EGEE
EGEE is the largest Grid infrastructure project in the World?:
• 70 leading institutions in 27 countries, federated in regional Grids
• Leveraging national and regional grid activities
• ~32 M Euros EU funding for initially 2 years starting 1st April 2004
• EU review, February 2005 successful
• Preparing 2nd phase of the project – proposal to 3rd EU Grid call September 2005
EGEE Activities
• 48 % service activities (Grid Operations, Support and Management, Network Resource Provision)
• 24 % middleware re-engineering (Quality Assurance, Security, Network Services Development)
• 28 % networking (Management, Dissemination and Outreach, User Training and Education, Application Identification and Support, Policy and International Cooperation)
EGEE emphasis is on production grid operations and end-user support
gLite
• First major release of gLite announced on April 5
  – Focus on providing users early access to prototype
  – Reusing existing components
  – Addressing current shortcomings
• Interoperability & Co-existence with deployed infrastructure
• (Cautious) service oriented approach
  – Follow WSRF standardisation
• Site autonomy
[Figure: LCG-1 and LCG-2 (Globus 2 based) alongside gLite-1 and gLite-2 (Web services based)]
Deployment of applications
• Pilot applications
  – High Energy Physics
  – Biomed applications
• Generic applications – Deployment under way
  – Computational Chemistry
  – Earth science research
  – EGEODE: first industrial application
  – Astrophysics
• With interest from
  – Hydrology
  – Seismology
  – Grid search engines
  – Stock market simulators
  – Digital video etc.
  – Industry (provider, user, supplier)
Computing Resources – Feb. 2005
In EGEE-0 (LCG-2): >100 sites, >10,000 CPUs, >5 PB storage
[Map legend: country providing resources / country anticipating joining EGEE/LCG]
What I came here for
The EGEE view on Security
- some philosophy and baseline assumptions
Baseline assumptions
• Be Modular and Agnostic
  – Allow for new functionality to be included as an afterthought
  – Don’t settle on particular technologies needlessly
• Be Standard
  – Interoperate
  – Don’t roll our own, to the extent possible
• Be Distributed and Scalable
  – Avoid central services if possible
  – Always retain local control
Baseline assumptions
• VOs self-govern the resources made available to them
  – Yet try to minimize VO management!
  – Use AuthN to tie policy to individuals/resources
• An open-ended system
  – No central point of control
  – Can’t tell where the Grid ends
We can’t do anything too fancy
[Figure: four pressures on the security architecture]
• Requirements on functionality: Authentication, Access control, Credential mgmt, Delegation, Privacy, …
• Existing capabilities: GridPMAs, WS-Security, MyProxy, Shibboleth, VOMS, Globus, …
• Paradigm shift (SOA)
• Other work already underway (LCG, OGSA, …)
Architecture
Technologies and more details
Authentication
• IGF: Federation of PMAs
• Better revocation technologies
• Managed and Active credential storage
  – i.e., where access policy can be enforced
  – Smart cards, MyProxy, …
  – Organizationally rooted trust (KCA, SIPS)
  – User-held password-scrambled files should go away
Authorization
• Flexible framework to support multiple authorities and mechanisms
• VOMS, banlist, grid-mapfile, SAML, …
• Frank covered this in detail
Authorization model
• Decentralized
  – Predominantly role-based push model
  – Out-of-the-box support for VOMS
  – Semantic-free role and group attributes
• Pros
  – Scalability
  – Site autonomy
  – Multi-scenario support, VO self-governance
• Cons
  – Fine-grained access control (?)
  – VO management still heavyweight
  – VOMS is proprietary
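The push model on this slide, as an added example (constructed here, not EGEE or gLite code): the client pushes its VO attributes along with the request, and the site decides purely from local policy, checking its banlist first, then the attributes it chooses to give meaning to, then a static grid-mapfile. Attribute strings use the VOMS FQAN form (a VOMS term not spelled out on the slide); names, DNs and issuers are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    subject: str            # certificate DN of the requester
    vo: str                 # VO the attributes were issued for
    fqans: list[str]        # VOMS-style FQANs, e.g. "/biomed/Role=production"
    issuer: str = ""        # VOMS server that signed the pushed attributes

@dataclass
class SitePolicy:
    trusted_voms: set[str]  # attribute authorities this site accepts
    banlist: set[str]       # DNs refused regardless of any VO attribute
    # the site assigns meaning to semantic-free attributes: FQAN -> local account
    mapping: dict[str, str] = field(default_factory=dict)
    # fallback static grid-mapfile: DN -> local account
    gridmap: dict[str, str] = field(default_factory=dict)

def authorize(req: Request, pol: SitePolicy) -> tuple[bool, str]:
    """Return (allowed, local account or denial reason).

    Deny rules run first so a banned DN cannot be rescued by VO attributes;
    the site never contacts the VO at decision time (push, not pull)."""
    if req.subject in pol.banlist:
        return False, "subject is on the site banlist"
    if req.fqans:
        if req.issuer not in pol.trusted_voms:
            return False, f"attributes from untrusted issuer {req.issuer!r}"
        for fqan in req.fqans:   # first FQAN the site recognises wins
            if fqan in pol.mapping:
                return True, pol.mapping[fqan]
    if req.subject in pol.gridmap:
        return True, pol.gridmap[req.subject]
    return False, "no VOMS attribute or grid-mapfile entry matches"
```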
VO management
• VOMS for now
  – modularity keeps it open for others
• Allow for lightweight VO deployment
  – Proposed solution: VO policy service
  – Brainchild
“Anonymity”
• Pseudonymity as a selective additional step to the SSO process
[Figure: pseudonymity flow between Joe, Credential Storage, the Pseudonymity Service, the Attribute Authority and “The Grid”, in four numbered steps; labels on the diagram: “Obtain Grid creds for Joe”, “Joe → Zyx”, “Issue Joe’s privileges to Zyx”, “User=Zyx Issuer=Pseudo CA”]
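A toy model of the pseudonymity step in the figure, added here and not part of the original slides: the Pseudonymity Service keeps the only copy of the Joe → Zyx link, re-issues Joe's privileges to the pseudonym, and the Grid sees nothing but User=Zyx, Issuer=Pseudo CA. The Attribute Authority is a constructed lookup table, and an HMAC stands in for the Pseudo CA's signature (a real deployment would use X.509 certificates).

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the Attribute Authority: real identity -> privileges.
ATTRIBUTE_AUTHORITY = {"Joe": ["/biomed/Role=user", "/biomed/analysis"]}

def _sign(key: bytes, claims: dict) -> str:
    """HMAC over canonical JSON stands in for the Pseudo CA signature."""
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class PseudonymityService:
    """Implements the “Joe → Zyx” and “Issue Joe’s privileges to Zyx” labels:
    it links a real user to a fresh pseudonym and binds the user's privileges
    to that pseudonym. The link table never leaves this service."""
    def __init__(self):
        self._ca_key = secrets.token_bytes(32)
        self._link: dict[str, str] = {}   # pseudonym -> real user

    def issue(self, real_user: str) -> dict:
        pseudonym = "u" + secrets.token_hex(4)   # plays the role of "Zyx"
        self._link[pseudonym] = real_user
        claims = {"User": pseudonym, "Issuer": "Pseudo CA",
                  "privileges": ATTRIBUTE_AUTHORITY.get(real_user, [])}
        return {"claims": claims, "sig": _sign(self._ca_key, claims)}

    def verify(self, cred: dict) -> bool:
        """Check the Pseudo CA signature; with a real CA a Grid resource
        would do this with the CA's public certificate, not a shared key."""
        return hmac.compare_digest(cred["sig"], _sign(self._ca_key, cred["claims"]))

    def unmask(self, pseudonym: str) -> str:
        """Accountability hook: only this service can resolve a pseudonym."""
        return self._link[pseudonym]

def grid_view(cred: dict) -> dict:
    """The identity fields a Grid resource learns from the credential."""
    return {"User": cred["claims"]["User"], "Issuer": cred["claims"]["Issuer"]}
```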
Data “privacy”
• Data always encrypted except in RAM
• Simple solution that ignores all the hard problems
  – (we have to as the system is open-ended)
Accounting
• Several solutions
  – and none of them are deployed at an EGEE level…
• Increasingly important
Audit
• Not solved at a Grid level
  – Scalability and information release issues
• Good tracking at the individual resource level for now
Integration and Development
• Middleware Security Group
  – Cross-activity group
  – Operations, Applications, Developers, OSG
  – Mailing list, phone conferences, face-to-face meetings
Operational Management
• Joint Security Policy Group
  – OSG, LCG participation
• EUGridPMA
• TERENA TF-CSIRT (incident response)
  – NREN CERTs start to show interest
More information
• EGEE Website: http://www.eu-egee.org
• DJRA3.1: Global Security Architecture (1st rev.) – https://edms.cern.ch/document/487004/
• DJRA3.2: Site Access Control (1st rev.) – https://edms.cern.ch/document/523948