Post on 23-Feb-2016

40 views

Category:

Documents


0 download

DESCRIPTION

Towards Cloud Federations: what we have; what we want. OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford Appleton Laboratory. Clouds have “normal” security issues. Protect infrastructure against abuse Provider’s reputation - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Towards Cloud Federations: what we have; what we want

Towards Cloud Federations:

what we have; what we want

OGF 31, Taipei, Cloud security session

Jens Jensen, Science and Technology Facilities Council

Rutherford Appleton Laboratory

Page 2

contrail-project.eu

Clouds have “normal” security issues

• Protect infrastructure against abuse
• Provider’s reputation
• User’s data, software, computations
• Users’ credentials: loss, level of assurance
• Fabric security
• Open source vs closed source issues

Page 3

…and new security issues

• (Often) unknown resource location
• Multitenancy: protect against other users
• VM image security:
  • Stale images
  • Maliciously modified images (or apps)
  • Install/patch window
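The two image problems on this slide, an image whose bytes no longer match what the federation published and an image that has sat past its patch window, can both be caught at launch time by checking the image against a signed manifest. The Python below is an added example, not code from the slides or from the CONTRAIL project; the HMAC key, the 30-day staleness threshold, the manifest layout, the image payloads and the "current" date are all constructed for the example (a real federation would sign the manifest with a PKI key held in an HSM rather than a shared HMAC key).

```python
import copy
import hashlib
import hmac
import json
from datetime import date, timedelta

# Hypothetical federation policy: an image whose last build is older than
# this is treated as stale (it has missed its install/patch window).
MAX_IMAGE_AGE_DAYS = 30

# Hypothetical manifest-signing key, constructed for the example only.
MANIFEST_KEY = b"constructed-federation-manifest-key"


def canonical(entries):
    """Canonical JSON so signer and verifier hash exactly the same bytes."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries, key=MANIFEST_KEY):
    """Attach an HMAC-SHA256 tag to a dict of {image_name: {sha256, built}}."""
    tag = hmac.new(key, canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_manifest(manifest, key=MANIFEST_KEY):
    """True only if the tag matches; constant-time compare avoids timing leaks."""
    expected = hmac.new(key, canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def check_image(name, image_bytes, manifest, today, max_age_days=MAX_IMAGE_AGE_DAYS):
    """Return a list of findings for one image; an empty list means it may launch.

    Possible findings: "manifest-tampered", "unknown-image", "modified", "stale".
    """
    if not verify_manifest(manifest):
        return ["manifest-tampered"]          # nothing in it can be trusted
    entry = manifest["entries"].get(name)
    if entry is None:
        return ["unknown-image"]              # never published by the federation
    findings = []
    digest = hashlib.sha256(image_bytes).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        findings.append("modified")           # bytes differ from what was published
    built = date.fromisoformat(entry["built"])
    if today - built > timedelta(days=max_age_days):
        findings.append("stale")              # past the patch window
    return findings


# --- constructed sample data -------------------------------------------------
GOOD_IMAGE = b"constructed image payload: sci-base v1"
OLD_IMAGE = b"constructed image payload: old-base"
TODAY = date(2012, 1, 1)                      # constructed "current" date


def sample_manifest():
    return sign_manifest({
        "sci-base": {"sha256": hashlib.sha256(GOOD_IMAGE).hexdigest(), "built": "2011-12-20"},
        "old-base": {"sha256": hashlib.sha256(OLD_IMAGE).hexdigest(), "built": "2011-06-01"},
    })


def tampered_manifest():
    """A manifest whose 'built' date was edited after signing."""
    m = copy.deepcopy(sample_manifest())
    m["entries"]["old-base"]["built"] = "2011-12-31"
    return m


if __name__ == "__main__":
    m = sample_manifest()
    print("sci-base:", check_image("sci-base", GOOD_IMAGE, m, TODAY))
    print("old-base:", check_image("old-base", OLD_IMAGE, m, TODAY))
    print("tampered:", check_image("old-base", OLD_IMAGE, tampered_manifest(), TODAY))
```

The manifest signature is checked before any per-image field is read, so an attacker who can edit the manifest cannot simply refresh the build date to hide a stale image; and a hash mismatch and a stale date are reported together rather than the first one short-circuiting, which is what an operator wants when deciding whether to rebuild or to quarantine.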

Page 4

…and more new security issues

• Over-allocation of dynamic resources
  • Intentional – scheduling DoS attack (with stolen account)
  • Unintentional – runaway jobs
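Both failure modes on this slide are admission-control problems for the federation scheduler: a stolen account spraying allocation requests, and a legitimate job that never finishes. The Python below is an added example, not code from the slides or from CONTRAIL; the per-tenant cap, burst limit, window and wall-time limit are hypothetical policy values, and the tenant and job names are constructed.

```python
from collections import defaultdict, deque


class FederationQuota:
    """Per-tenant admission control for dynamically allocated resources.

    Hypothetical policy knobs (all constructed for the example):
      tenant_cap    - units one tenant may hold at once
      burst_limit   - allocation requests allowed per `window` seconds
      max_walltime  - seconds after which an allocation is reclaimed as runaway
    """

    def __init__(self, tenant_cap, burst_limit, window, max_walltime):
        self.tenant_cap = tenant_cap
        self.burst_limit = burst_limit
        self.window = window
        self.max_walltime = max_walltime
        self.allocated = defaultdict(dict)    # tenant -> {job_id: (units, start)}
        self.recent = defaultdict(deque)      # tenant -> timestamps of recent requests
        self.audit = []                       # (time, tenant, job_id, decision)

    def _log(self, now, tenant, job_id, decision):
        self.audit.append((now, tenant, job_id, decision))

    def request(self, tenant, job_id, units, now):
        """Decide one allocation request; returns True if admitted."""
        q = self.recent[tenant]
        while q and now - q[0] >= self.window:   # slide the window forward
            q.popleft()
        q.append(now)
        if len(q) > self.burst_limit:             # too many requests, too fast
            self._log(now, tenant, job_id, "reject:burst")
            return False
        in_use = sum(u for u, _ in self.allocated[tenant].values())
        if in_use + units > self.tenant_cap:      # would over-allocate this tenant
            self._log(now, tenant, job_id, "reject:cap")
            return False
        self.allocated[tenant][job_id] = (units, now)
        self._log(now, tenant, job_id, "accept")
        return True

    def release(self, tenant, job_id):
        """Normal completion: free the units."""
        self.allocated[tenant].pop(job_id, None)

    def reap_runaways(self, now):
        """Reclaim allocations older than max_walltime; returns what was reaped."""
        reaped = []
        for tenant, jobs in self.allocated.items():
            for job_id, (_units, start) in list(jobs.items()):
                if now - start > self.max_walltime:
                    del jobs[job_id]
                    reaped.append((tenant, job_id))
                    self._log(now, tenant, job_id, "reap:walltime")
        return reaped


def scenario():
    """Constructed run: a burst from one account, then a runaway sweep."""
    q = FederationQuota(tenant_cap=8, burst_limit=3, window=60, max_walltime=3600)
    q.request("tenant-a", "job1", 4, now=0)      # accept (4/8 units)
    q.request("tenant-a", "job2", 4, now=1)      # accept (8/8 units)
    q.request("tenant-a", "job3", 1, now=2)      # reject:cap
    q.request("tenant-a", "job4", 1, now=3)      # reject:burst (4th request in 60 s)
    q.reap_runaways(now=4000)                    # job1 and job2 exceeded 3600 s
    q.request("tenant-a", "job5", 2, now=4000)   # accept: window and cap have cleared
    return q.audit


if __name__ == "__main__":
    for entry in scenario():
        print(entry)
```

The audit list is the part a security operations team would actually consume: a run of `reject:burst` entries for one tenant is the signal that an account may be stolen, while `reap:walltime` entries identify the runaway jobs that would otherwise have silently exhausted the tenant's share.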

Page 5

Cloud security vs Grid security?

• In some sense, cloud = grid + elasticity
• Elasticity poses security issues: dynamically created services
• But grids have been there: e.g. WSRF
  • Web Services Resource Framework

Page 6

What is the Federation

• Group of service providers
• Providing “e-infrastructure”
• Coordinated deployment (maybe)
• Agreeing to common policies
• Support framework
  • Internal and user-facing

Page 7

What is the Federation: user

• Central account
• Single sign-on (in some sense: single login)
• Central accounting of all services
• Enable collaborations
• Traceability of user id
• Intelligent resource selection/scheduling

Page 8

Accounting

• Resource used
• Billing
  • Make use of user’s own account with commercial providers (alternative: hold user’s credit card)

Page 9

Federation specific issues

• Policies needed for establishing and maintaining trust in federations
• Higher LoA in authentication?
• Multiple jurisdictions for AAA, support, billing
• … “solved” by the Grids
  • non-trivial
  • a process, not a single solution (like all security)

Page 10

Providers: Prepared Protection Prevents Pricy Problems

• Set the bar high enough to keep the bad guys out
  • Some bad guys are more resourceful and determined than others
• Ensure legitimate users can still use the service (the bear/bin problem)
• LoA – higher across national boundaries
  • Usually a single (high) LoA in grids

Page 11

Practical Problems: the Practitioner Principle

• “Normal” users just want to get their work done
• (High) security gets in the way?
  • Well-known “usability vs security”
  • (Highlight (rare?) wins: increase both, e.g. SSO)
• Multiple providers, heterogeneous security
• Multitenancy – ensure service availability

Page 12

How it works today: e-Infrastructure

• Grid and e-Science infrastructures for authentication: IGTF PKI, Shib + superShib, …
  • X.509/RFC 3280/GFD.125, SAML, OpenID
• Delegation: RFC 3820, SAML, OAuth
• Authorisation: attribute authorities
  • RFC 3281, SAML, (+VOMS)
• Accounting: RUS
• Support: helpdesks: top → national → institution → person
• Scalability + resilience (up to a point)

Page 13

Cloud world

• Passwords, shared secrets
• Vendor support
• Easier security for small users?
• Usability: we can bring grid portals to the cloud
• Grids have mature federations; cloud federations being developed
• Should clouds target only small users? (how should large users be handled?)

Page 14

Gaps

• Reuse grid federation infrastructure for federating clouds
  • Without ceasing to be lightweight
• Interoperation of cloud services with grids
• Do IaaS, SaaS and PaaS have different security requirements?
• Is the Grid LoA sufficient? Too high for some cases – maybe too low for others

Page 15

Authentication into federation

[Diagram: a federation authentication component (AuC) fronting existing login backends: X509, K5, LDAP, OpenID]

Base login on existing infrastructures (when this makes sense)
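One way to read this diagram is that the federation authentication component (AuC) accepts a login from any of the existing backends, canonicalises the backend identifier, resolves it to a central federation account (slide 7: central account, traceability of user id) and only then checks the backend's level of assurance against what the requested service needs (slides 9 and 10: higher LoA across boundaries). The Python below is an added example of that flow, not code from the slides or from CONTRAIL; the numeric LoA values per backend, the simplified DN and principal normalisation rules, and the account identifiers are assumptions constructed for the example.

```python
# Hypothetical LoA per backend, constructed for the example. The ordering
# follows the slides loosely (grid PKI high, passwords low); real values come
# from the federation's assurance policy, not from this table.
BACKEND_LOA = {"x509": 3, "k5": 2, "ldap": 1, "openid": 1}


def normalize(backend, identifier):
    """Canonicalise an identifier so one person maps to exactly one record.

    The rules are deliberately simple (this is not a full RFC 4514 parser):
    X.509 DNs get upper-case attribute types and no whitespace around RDNs,
    Kerberos realms are upper-cased, LDAP DNs and OpenID URLs are lower-cased.
    """
    if backend == "x509":
        rdns = (r.strip().split("=", 1) for r in identifier.split(","))
        return ",".join(f"{k.strip().upper()}={v.strip()}" for k, v in rdns)
    if backend == "k5":
        name, _, realm = identifier.partition("@")
        return f"{name}@{realm.upper()}"
    if backend == "ldap":
        return identifier.strip().lower()
    if backend == "openid":
        return identifier.strip().rstrip("/").lower()
    raise ValueError(f"unknown backend: {backend}")


class FederationAuC:
    """Maps backend identities to central federation accounts and gates on LoA."""

    def __init__(self):
        self.accounts = {}       # fed_id -> set of (backend, canonical id)
        self.by_identity = {}    # (backend, canonical id) -> fed_id
        self.audit = []          # (backend, canonical id, fed_id, outcome)

    def link(self, fed_id, backend, identifier):
        """Attach a backend identity to a federation account (one owner only)."""
        key = (backend, normalize(backend, identifier))
        owner = self.by_identity.get(key)
        if owner is not None and owner != fed_id:
            raise ValueError(f"{key} is already linked to {owner}")
        self.accounts.setdefault(fed_id, set()).add(key)
        self.by_identity[key] = fed_id

    def login(self, backend, identifier, required_loa):
        """Return the federation account id, or None if the login is refused."""
        key = (backend, normalize(backend, identifier))
        fed_id = self.by_identity.get(key)
        if fed_id is None:
            self.audit.append((backend, key[1], None, "unknown-identity"))
            return None
        if BACKEND_LOA[backend] < required_loa:
            self.audit.append((backend, key[1], fed_id, "insufficient-loa"))
            return None
        self.audit.append((backend, key[1], fed_id, "ok"))
        return fed_id

    def trace(self, backend, identifier):
        """Traceability: which federation account does a backend identity belong to?"""
        return self.by_identity.get((backend, normalize(backend, identifier)))


def sample_auc():
    """Constructed federation with one user linked through two backends."""
    auc = FederationAuC()
    auc.link("fed-0001", "x509", "CN=Example User, O=Example Org, C=XX")
    auc.link("fed-0001", "k5", "exuser@example.org")
    return auc


if __name__ == "__main__":
    auc = sample_auc()
    print(auc.login("x509", "cn=Example User,o=Example Org,c=XX", required_loa=2))
    print(auc.login("k5", "exuser@example.org", required_loa=3))
    for entry in auc.audit:
        print(entry)
```

Two design points matter here. Canonicalisation happens before lookup, so the same certificate subject written with different spacing or case cannot produce two accounts (or slip past a block on one of them). And the LoA decision is made per service request rather than per backend, which is what lets the federation keep low-LoA backends for "small users" while still requiring the grid-style PKI login for services that need it.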

Page 16

Accounting

[Diagram: a federation account (“Fed acct”) aggregating usage from Amazon, Rackspace, Azure, an OpenNebula resource, and possibly the Grid]
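The federation account in this diagram has to merge usage that each provider reports in its own units and keys by its own account identifiers, while staying traceable to a federation user (slides 7 and 8: central accounting of all services, the user's own account with commercial providers). The Python below is an added example, not code from the slides or from CONTRAIL; the per-provider record formats are constructed stand-ins rather than the providers' real billing formats, and the account-to-user link table is made up.

```python
from collections import defaultdict

# Constructed link table: which provider-side account belongs to which
# federation user. The Azure subscription below is deliberately left out.
LINKS = {
    ("amazon", "acct-123"): "fed-0001",
    ("rackspace", "rs-77"): "fed-0001",
    ("opennebula", "exuser"): "fed-0002",
}


def to_common(provider, rec):
    """Map a provider-specific record to the federation's common usage record.

    Every field name below is a constructed stand-in for the example, not the
    provider's real API. The point is that units differ (hours, seconds,
    minutes) and must be normalised before they can be summed.
    """
    if provider == "amazon":
        acct = rec["account"]
        core_hours = rec["instance_hours"] * rec["vcpus"]
        cost = rec["usd"]
    elif provider == "rackspace":
        acct = rec["account"]
        core_hours = rec["seconds"] * rec["cores"] / 3600
        cost = rec["usd"]
    elif provider == "azure":
        acct = rec["subscription"]
        core_hours = rec["core_minutes"] / 60
        cost = rec["usd"]
    elif provider == "opennebula":            # in-house resource: no external bill
        acct = rec["owner"]
        core_hours = rec["cpu_seconds"] / 3600
        cost = 0.0
    else:
        raise ValueError(f"unknown provider: {provider}")
    return {"provider": provider, "account": acct, "core_hours": core_hours, "cost": cost}


def aggregate(raw_records, links=LINKS):
    """Sum normalised usage per federation user; return (totals, unmapped).

    Records whose provider account is not linked to any federation user are
    returned separately rather than silently dropped, because they are exactly
    the case where traceability of the user id has been lost.
    """
    totals = defaultdict(lambda: {"core_hours": 0.0, "cost": 0.0, "providers": set()})
    unmapped = []
    for provider, rec in raw_records:
        c = to_common(provider, rec)
        user = links.get((provider, c["account"]))
        if user is None:
            unmapped.append(c)
            continue
        t = totals[user]
        t["core_hours"] += c["core_hours"]
        t["cost"] += c["cost"]
        t["providers"].add(provider)
    return dict(totals), unmapped


# Constructed sample feed, one record per provider.
SAMPLE_RECORDS = [
    ("amazon", {"account": "acct-123", "instance_hours": 10, "vcpus": 2, "usd": 1.5}),
    ("rackspace", {"account": "rs-77", "seconds": 7200, "cores": 4, "usd": 0.25}),
    ("azure", {"subscription": "sub-9", "core_minutes": 120, "usd": 0.5}),
    ("opennebula", {"owner": "exuser", "cpu_seconds": 3600}),
]


if __name__ == "__main__":
    totals, unmapped = aggregate(SAMPLE_RECORDS)
    for user, t in sorted(totals.items()):
        print(user, t["core_hours"], "core-hours", t["cost"], "USD", sorted(t["providers"]))
    print("unmapped:", unmapped)
```

The `unmapped` list is the operationally interesting output: usage that cannot be attributed to a federation user is either a provisioning gap (a user's provider account was never linked) or a sign that someone is consuming federation-billed resources outside the federation's identity model, and either way it should go to a person rather than into a total.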

Page 17

The CONTRAIL project

• Federated cloud access
• SLAs, QoS, QoP
• Fully secured IaaS and PaaS
  • Using formal methods in some cases
• EU funded (11 MEUR, a dozen partners or so)
• Oct 2010 – Sep 2013

Page 18

CONTRAIL

• Federated cloud access: single account, with metering, billing, etc.
• Access multiple IaaS and PaaS providers: cloudbursting built in
• Dynamic SLA negotiation, QoS and QoP. Security as a funded activity
• Case studies have different requirements: media, geographic data, real-time scientific processing, genomics

Page 19

Contrail Issues

• Federate, making use of existing infrastructures
  • E.g. for authentication: IGTF PKI, Terena Shibboleth super-federation, site SSO?
• Challenge: work and interoperate with other projects
• How to do delegation on multiple backend AuC
• Support access to multiple service providers
  • Need for consistent information from SPs

Page 20

Conclusion

• We need cloud federation
• We have grid federation
• These are not the same, but there are overlaps
• Align with other projects, interoperate
• Standardise whenever possible