egee security “pitch”
Slide 1
INFSO-RI-508833
Enabling Grids for E-sciencE
www.eu-egee.org
EGEE security “pitch”
Olle Mulmo, EGEE Chief Security Architect, KTH, Sweden
Slide 2
Project PR
Slide 3
EGEE
EGEE is the largest Grid infrastructure project in the World (?):
• 70 leading institutions in 27 countries, federated in regional Grids
• Leveraging national and regional grid activities
• ~32 M Euros EU funding for initially 2 years starting 1st April 2004
• EU review, February 2005 successful
• Preparing 2nd phase of the project – proposal to 3rd EU Grid call September 2005
Slide 4
EGEE Activities
• 48 % service activities (Grid Operations, Support and Management, Network Resource Provision)
• 24 % middleware re-engineering (Quality Assurance, Security, Network Services Development)
• 28 % networking (Management, Dissemination and Outreach, User Training and Education, Application Identification and Support, Policy and International Cooperation)
EGEE emphasis is on production grid operations and end-user support
Slide 5
gLite
• First major release of gLite announced on April 5
– Focus on providing users early access to prototype
– Reusing existing components
– Addressing current shortcomings
• Interoperability & Co-existence with deployed infrastructure
• (Cautious) service oriented approach
– Follow WSRF standardisation
• Site autonomy
Diagram: LCG-1 and LCG-2 (Globus 2 based); gLite-1 and gLite-2 (Web services based)
Slide 6
Deployment of applications
• Pilot applications
– High Energy Physics
– Biomed applications
• Generic applications – Deployment under way
– Computational Chemistry
– Earth science research
– EGEODE: first industrial application
– Astrophysics
• With interest from
– Hydrology
– Seismology
– Grid search engines
– Stock market simulators
– Digital video etc.
– Industry (provider, user, supplier)
Slide 7
Computing Resources – Feb. 2005
Map legend: Country providing resources; Country anticipating joining EGEE/LCG
In EGEE-0 (LCG-2): >100 sites, >10,000 CPUs, >5 PB storage
Slide 8
What I came here for
The EGEE view on Security
- some philosophy and baseline assumptions
Slide 9
Baseline assumptions
• Be Modular and Agnostic
– Allow for new functionality to be included as an afterthought
– Don’t settle on particular technologies needlessly
• Be Standard
– Interoperate
– Don’t roll our own, to the extent possible
• Be Distributed and Scalable
– Avoid central services if possible
– Always retain local control
Slide 10
Baseline assumptions
• VOs self-govern the resources made available to them
– Yet try to minimize VO management!
– Use AuthN to tie policy to individuals/resources
• An open-ended system
– No central point of control
– Can’t tell where the Grid ends
Slide 11
We can’t do anything too fancy
Diagram:
Requirements on functionality: Authentication, Access control, Credential mgmt, Delegation, Privacy, …
Existing capabilities: GridPMAs, WS-Security, MyProxy, Shibboleth, VOMS, Globus, …
Paradigm shift (SOA)
Other work already underway (LCG, OGSA, …)
Slide 12
Architecture
Technologies and more details
Slide 13
Authentication
• IGF: Federation of PMAs
• Better revocation technologies
• Managed and Active credential storage
– i.e., where access policy can be enforced
– Smart cards, MyProxy, …
– Organizationally rooted trust (KCA, SIPS)
– User-held password-scrambled files should go away
Slide 14
Authorization
• Flexible framework to support multiple authorities and mechanisms
• VOMS, banlist, grid-mapfile, SAML, …
• Frank covered this in detail
Slide 15
Authorization model
• Decentralized
– Predominantly role-based push model
– Out-of-the-box support for VOMS
– Semantic-free role and group attributes
• Pros
– Scalability
– Site autonomy
– Multi-scenario support, VO self-governance
• Cons
– Fine-grained access control (?)
– VO management still heavyweight
– VOMS is proprietary
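The Authorization and Authorization model slides describe a site combining several authorities (banlist, pushed VOMS attributes, grid-mapfile) under a decentralized, role-based push model. The following is an added example written for this transcript, not gLite or EGEE code: it shows one way a site can chain those authorities so that a local deny always wins, pushed attributes are only honoured when a trusted VO signed them for the authenticated identity, and the grid-mapfile acts as the static fallback. The HMAC stand-in for the VOMS attribute certificate, the in-memory tables, and all DNs, FQANs and account names are constructed assumptions.

```python
"""Added illustration (not gLite code) of a role-based push authorization chain:
the client pushes VOMS-style attributes (FQANs) with its request and the site
evaluates its own authorities in a fixed order, keeping local control throughout.
Assumptions: an HMAC keyed with a per-VO secret stands in for the VOMS attribute
certificate; banlist, VOMS policy and grid-mapfile are constructed in-memory tables.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Stand-in for the trusted VOMS server certificates a site would install (constructed).
VO_KEYS = {"biomed": b"constructed-biomed-voms-key"}

# Site-local authorities (constructed sample data).
SITE_BANLIST = {"/C=XX/O=Example/CN=Mallory"}
# Most specific FQAN prefix first: the production role gets its own pool account.
SITE_VOMS_POLICY = [
    ("/biomed/Role=production", "biomedprd"),
    ("/biomed", "biomed"),
]
SITE_GRID_MAPFILE = {
    "/C=XX/O=Example/CN=Alice": "alice",
    "/C=XX/O=Example/CN=Dave": "dave",
    "/C=XX/O=Example/CN=Mallory": "mallory",
}


@dataclass(frozen=True)
class Request:
    subject_dn: str   # identity authenticated by the X.509 handshake
    vo: str           # VO that issued the pushed attributes ("" if none)
    fqans: tuple      # VOMS-style attributes pushed by the client
    attr_sig: str     # stand-in for the VOMS attribute certificate signature


def sign_attributes(vo, subject_dn, fqans):
    """What the VO's attribute authority computes when issuing FQANs (stand-in)."""
    msg = (subject_dn + "|" + ",".join(fqans)).encode()
    return hmac.new(VO_KEYS[vo], msg, hashlib.sha256).hexdigest()


def make_request(subject_dn, vo="", fqans=()):
    """Client side: obtain signed attributes from the VO and push them with the request."""
    sig = sign_attributes(vo, subject_dn, fqans) if fqans else ""
    return Request(subject_dn, vo, tuple(fqans), sig)


def attributes_valid(req):
    """Site side: honour pushed attributes only if a trusted VO signed them for this DN."""
    key = VO_KEYS.get(req.vo)
    if key is None:
        return False
    expected = sign_attributes(req.vo, req.subject_dn, req.fqans)
    return hmac.compare_digest(expected, req.attr_sig)


def fqan_matches(fqan, prefix):
    """'/biomed' matches '/biomed/Role=production/Capability=NULL' but not '/biomedx/...'."""
    return fqan == prefix or fqan.startswith(prefix + "/")


def authorize(req):
    """Return (decision, local_account, reason). Deny wins; VOMS before grid-mapfile."""
    # 1. The site banlist overrides every other authority (local control is retained).
    if req.subject_dn in SITE_BANLIST:
        return ("deny", None, "banlist")
    # 2. Pushed VO attributes: verify first, then map the first matching policy entry.
    if req.fqans:
        if not attributes_valid(req):
            return ("deny", None, "invalid attributes")
        for prefix, account in SITE_VOMS_POLICY:
            if any(fqan_matches(f, prefix) for f in req.fqans):
                return ("permit", account, "voms:" + prefix)
    # 3. Fallback: static DN -> account mapping from the grid-mapfile.
    account = SITE_GRID_MAPFILE.get(req.subject_dn)
    if account is not None:
        return ("permit", account, "grid-mapfile")
    # 4. No authority vouched for the request.
    return ("deny", None, "no matching authority")


if __name__ == "__main__":
    prod = make_request("/C=XX/O=Example/CN=Alice", "biomed",
                        ("/biomed/Role=production/Capability=NULL",))
    print(authorize(prod))
```

The ordering is the point: a banned DN is refused even when it presents valid VO attributes, and an attribute set that was altered after the VO signed it (or that names a VO the site does not trust) is refused rather than silently falling through to the grid-mapfile. That is what lets the VO self-govern its roles while the site keeps the final say.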
Slide 16
VO management
• VOMS for now
– modularity keeps it open for others
• Allow for lightweight VO deployment
– Proposed solution: VO policy service
– Brainchild
Slide 17
“Anonymity”
• Pseudonymity as a selective additional step to the SSO process
Diagram: Joe, Pseudonymity Service, Credential Storage, Attribute Authority, “The Grid”. Numbered messages 1–4: “Issue Joe’s privileges to Zyx”; “Obtain Grid creds for Joe”; “Joe → Zyx”; “User=Zyx Issuer=Pseudo CA”
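The “Anonymity” slide sketches the exchange only as labelled arrows. The following is an added example, not EGEE code, that plays the exchange through with each party's message: the Pseudonymity Service keeps the only copy of the Joe → Zyx mapping and issues a credential with User=Zyx and Issuer=Pseudo CA, the Attribute Authority issues Joe's privileges to Zyx, and the Grid verifies both assertions and records only Zyx. The step order, the HMAC stand-in for X.509 signatures, the sequential pseudonyms, and all DNs, FQANs and keys are constructed assumptions; obtaining Joe's real credentials from Credential Storage is assumed to have happened before the service is called.

```python
"""Added illustration (not EGEE code) of the pseudonymity step in the SSO flow.
Assumptions: HMAC stands in for X.509 signatures, pseudonyms are sequential for
readability, and the Pseudonymity Service has already authenticated Joe using
the Grid credentials fetched from Credential Storage.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

PSEUDO_CA_KEY = b"constructed-pseudo-ca-key"           # stand-in for the Pseudo CA key
AA_KEY = b"constructed-attribute-authority-key"        # stand-in for the AA signing key


def _sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


@dataclass
class PseudonymityService:
    """Holds the only copy of the Joe -> Zyx mapping."""
    mapping: dict = field(default_factory=dict)   # pseudonym -> real DN
    issued: int = 0

    def issue(self, real_dn):
        """'Joe -> Zyx': record the mapping and issue User=Zyx Issuer=Pseudo CA."""
        self.issued += 1
        pseudonym = "Zyx%03d" % self.issued          # sequential for readability only
        self.mapping[pseudonym] = real_dn
        cred = {"User": pseudonym, "Issuer": "Pseudo CA"}
        cred["sig"] = _sign(PSEUDO_CA_KEY, cred["User"] + "|" + cred["Issuer"])
        return cred

    def resolve(self, pseudonym):
        """Incident-response path: only this service can link Zyx back to Joe."""
        return self.mapping.get(pseudonym)


@dataclass
class AttributeAuthority:
    privileges: dict   # real DN -> tuple of FQANs (constructed)

    def reissue(self, real_dn, pseudonym):
        """'Issue Joe's privileges to Zyx': the same FQANs, bound to the pseudonym."""
        fqans = self.privileges.get(real_dn, ())
        return {"holder": pseudonym, "fqans": fqans,
                "sig": _sign(AA_KEY, pseudonym + "|" + ",".join(fqans))}


@dataclass
class Grid:
    """A resource: verifies both assertions and logs only what it was shown."""
    audit_log: list = field(default_factory=list)

    def accept(self, cred, attrs):
        cred_ok = cred["Issuer"] == "Pseudo CA" and hmac.compare_digest(
            cred["sig"], _sign(PSEUDO_CA_KEY, cred["User"] + "|" + cred["Issuer"]))
        # Attributes must be bound to the very pseudonym in the credential.
        attrs_ok = attrs["holder"] == cred["User"] and hmac.compare_digest(
            attrs["sig"], _sign(AA_KEY, attrs["holder"] + "|" + ",".join(attrs["fqans"])))
        ok = cred_ok and attrs_ok
        self.audit_log.append((cred["User"], tuple(attrs["fqans"]),
                               "accepted" if ok else "rejected"))
        return ok


def pseudonymous_sso(real_dn, service, authority, grid):
    """One SSO run with the pseudonymity step; returns (pseudonym, accepted)."""
    cred = service.issue(real_dn)                     # Joe -> Zyx, User=Zyx Issuer=Pseudo CA
    attrs = authority.reissue(real_dn, cred["User"])  # Joe's privileges issued to Zyx
    return cred["User"], grid.accept(cred, attrs)     # the Grid only ever sees Zyx


if __name__ == "__main__":
    svc = PseudonymityService()
    aa = AttributeAuthority({"/C=XX/O=Example/CN=Joe": ("/biomed/Role=NULL/Capability=NULL",)})
    grid = Grid()
    print(pseudonymous_sso("/C=XX/O=Example/CN=Joe", svc, aa, grid), grid.audit_log)
```

Two properties of the slide's design show up directly: the resource's audit trail (the “good tracking at the individual resource level” of the Audit slide) never contains Joe, yet the pseudonymity service can still resolve Zyx for incident handling, so this is pseudonymity with a designated linking party rather than anonymity; and because the Attribute Authority binds the privileges to the pseudonym, attributes issued to one pseudonym are rejected when presented under another.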
Slide 18
Data “privacy”
• Data always encrypted except in RAM
• Simple solution that ignores all the hard problems
– (we have to as the system is open-ended)
Slide 19
Accounting
• Several solutions
– and none of them are deployed at an EGEE level…
• Increasingly important
Slide 20
Audit
• Not solved at a Grid level
– Scalability and information release issues
• Good tracking at the individual resource level for now
Slide 21
Integration and Development
• Middleware Security Group
– Cross-activity group
– Operations, Applications, Developers, OSG
– Mailing list, phone conferences, face-to-face meetings
Slide 22
Operational Management
• Joint Security Policy Group
– OSG, LCG participation
• EUGridPMA
• TERENA TF-CSIRT (incident response)
– NREN CERTs start to show interest
Slide 23
More information
• EGEE Website: http://www.eu-egee.org
• DJRA3.1: Global Security Architecture (1st rev.)
– https://edms.cern.ch/document/487004/
• DJRA3.2: Site Access Control (1st rev.)
– https://edms.cern.ch/document/523948