![Page 1: Extreme-scale Identity Management for Scientific Collaborations](https://reader031.vdocuments.site/reader031/viewer/2022030318/5a6d09407f8b9a16428b4a85/html5/thumbnails/1.jpg)
Extreme-scale Identity Management for Scientific Collaborations
Von Welch (PI), Bob Cowles, Craig Jackson
2015 DOE NGNS PI Meeting
September 17, 2015
Our Context, Mission, Approach...
The virtual organization (VO)/collaboratory has emerged as a key enabler of science. VOs have been incorporated into traditional user-to-resource provider identity management (IdM) in numerous ways.
Atlas, CMS, KBase, NFC, ESGF, etc.
Our mission is to develop a VO-IdM model that (a) expresses and explains observed variations in collaboratory identity architectures and (b) can be leveraged for implementation heuristics.
Approach: Semi-structured interviews with 20+ VO-RP relationships, analysis, publication, and feedback.
Some core findings….
1. The VO nearly always alters the traditional direct trust relationship between users and resource providers (RPs).
2. That alteration manifests itself as the RP-to-VO delegation of IdM tasks based on trust.
E.g. LSST, LCLS, FST, LIGO
Classic DOE Lab
Some core findings….
3. There are a number of factors motivating and demotivating that delegation.
4. Trend is toward transitive trust, utilizing the VO’s capacity to represent its members.
5. Identity Management can be represented as data flows.
● Scaling and Dynamicity of VO
● Complex VO roles and policies
● VO-run collaboration services
● VO using multiple RPs
E.g. OSG
Project Outputs: cacr.iu.edu/collab-idm
Robert Cowles, Craig Jackson, and Von Welch. Identity Management Factors for HEP Virtual Organizations. 20th International Conference on Computing in High Energy and Nuclear Physics (CHEP2013), 2013. http://www.vonwelch.com/pubs/CHEP2013
Robert Cowles, Craig Jackson, and Von Welch. Identity Management for Virtual Organizations: An Experience-Based Model. eScience 2013, 2013. http://doi.ieeecomputersociety.org/10.1109/eScience.2013.47
Robert Cowles, Craig Jackson, Von Welch, and Shreyas Cholia. A Model for Identity Management in Future Scientific Collaboratories. International Symposium on Grids and Clouds (ISGC) 2014, 2014. http://pos.sissa.it/archive/conferences/210/026/ISGC2014_026.pdf
Von Welch, Robert Cowles, and Craig Jackson. XSIM OSG IdM Guidance. OSG-doc-1199, July 2014. http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1199
Robert Cowles, Craig Jackson, and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers & Roadmap for Incremental Implementation, CLHS '15 Proceedings of the 2015 Workshop on Changing Landscapes in HPC Security, 2015. http://hdl.handle.net/2022/20357
Lessons learned...
I assume everyone had plenty of time to study our poster last night.
Team Composition
Brilliant luck on my part.
An ex-DOE Lab CISO.
An ex-practicing lawyer.
Three very different perspectives - plus a ton of great DOE Lab connections.
Knowledge Rather than Code
No technical product - model and heuristics.
We need more broad retrospection outside of our silos.
Learning needs to be captured, disseminated, and absorbed.
Comprehensive and Comprehensible Model
“Essentially, all models are wrong, but some are useful.”
- Box, G. E. P., and Draper, N. R. (1987), Empirical Model Building and Response Surfaces, John Wiley & Sons, New York, NY
Comprehensive enough to support a dialog between different communities and capture breadth of DOE science.
Simple enough to be understood and used.
Aim to abide by 7±2 rule.
Evidence-based research
Not based on speculation or theory, but real-world experiences.
Challenge to arrange interviews, gather data, develop model.
Studying other models useful.
Getting feedback critical.
Collaboration Engagement at the Right Time
Validation in practice is hard - Projects only have a narrow window when they design!
Too soon and they are writing proposal. Too late and no one wants to revisit.
In retrospect, start finding first user on day one, long before first use.
Reaching the target audience
Target audience is implementors of science collaboratories.
No natural, cross-project gathering place. Closest is IT folks.
Encourage gathering of collaboratories and NGNS PIs at scales greater than 1-to-1?
Areas for Future Research
Work with collaboration from start-to-finish to validate model and heuristics.
Methods to enhance trust of collaboratories?
Scientific data taxonomy for trust and risk?
Thank you
http://cacr.iu.edu/collab-idm
We thank the Department of Energy Next-Generation Networks for Science (NGNS) program (Grant No. DE-FG02-12ER26111) for funding this effort.
The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the sponsors or any organization.