Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Project Management

1 & 2 3 & 4

advertisement 
1&2
3&4
UCISA-NeSC Managers Forum
How do I Grid-enable my University?
The challenges posed by e-Science and the Grid paradigm
Security and Grids: A contradiction in terms?
Security
“So, you want me to take the highest performing compute
clusters, the biggest fastest datastores, connected together using
the best available networks, and make them available to anyone
who is connected to any Grid client?”
Well, not quite.
Andrew Martin
Oxford e-Science Centre
Grids
coordinated resource sharing and problem solving in dynamic,
multi-institutional virtual organisations.
Contents
• Security and Grids: A contradiction in terms?
• Grid Security Distinctives
• Three Specifics
• The Future
Grids without Acronyms
— direct access to
computers, software, data, and other resources
— required by a range of collaborative problem-solving and resource
brokering strategies emerging in
industry, science, and engineering
— necessarily highly controlled with resource providers and consumers
defining clearly and carefully just
what is shared, who is allowed to share, and the conditions under
which sharing occurs.
[Foster, Kesselman, Tueke]
5&6
7&8
A real challenge
The scale of the problem is significant:
• a complex socio-technical system
Grid Security Distinctives
• trust is a slippery subject; multiple trust domains
• valuable resources; valuable data
• mobile code; mobile data; mobile users.
• Virtual Organisations
• Separation of Authorization and Authentication
• Need for delegation
• Conceptually, the network becomes one big computer
— compare with decades of operating system research
• Distributed trust in a dynamic network
• Concerns chase down to classical notions of confidentiality, integrity,
availability.
Virtual Organisations (VOs)
A wider movement
• new patterns of work and interaction; dynamic behaviour
VOs are one of the most-promoted features of Grid computing:
bring together a group of people and resources for a short- or
medium-term task, and disband later.
• growing scale and scope
• single sign-on
But most of our approaches to accounting and user management assume
that people and machines move around relatively little.
• pervasive technologies (mobility, handheld, wireless)
• When the VO suffers an incident, whom do we contact?
• developing threat landscape
• When it goes badly wrong, whom do I sue?
Virtual organisations aren’t real. . .
9 & 10
11 & 12
Authorization and Authentication
Part of the solution is to manage these two elements separately.
Authentication: who are you? can you prove it? Establish a single
accepted way to do this, and use it widely.
Authorization: permission to do things based on authenticated identity,
project membership, present location, time/date . . .
Three Specifics
• Public Key Infrastructure (PKI)
• Firewall interaction
• Organisational Politics
Authorization is complicated considerably by the desire to permit
delegation.
Public Key Infrastructure (PKI)
Trust
• means of achieving a single identity (and single-sign on) across
disparate resources
Trust-at-a-distance is one of the central problems in distributed computing.
• implies need for roots of trust (Certificate Authorities, CAs)
• Should I trust the users? [no!]
• Should the users trust the sysadmins?
• for an individual, the basis of any authorisation decision is an identity
certificate
• Why should the users entrust their data/software to my system?
• requires key management by individuals: a new kind of self-discipline
Dynamic VOs make this problem very much worse.
• e-Science programme presently has a single CA, with Registration
Authorities (RAs) in each institution
• this is probably the pattern for the future, too, but ask JISC!
13 & 14
15 & 16
Firewall Interaction
The Future
• Firewalls challenge diversity and throughput.
• We have a conceptual problem with security perimeters.
• US TeraGrid partitions Grid facilities from the rest of the Internet.
• Present UK designs: trusted host database, dynamic firewall.
• Web services (Grid services) necessitate a re-evaluation.
Now:
Next:
• ‘level two’ testbed
• production Grids
• applications-led
• Grid services
• very heterogeneous
• persistent capabilities
• e-Science CA at CCLRC
• emergency response
• user regulations
• Move towards firewall as part of Grid infrastructure.
References
Organisational Politics
Security Task Force, e-Science Core Programme
• The biggest present challenges for Grid computing are social ones.
• Security challenges are real, but are also subject of paranoia, fear,
uncertainty, doubt.
• The trust question has both technical and social dimensions/
http://www.nesc.ac.uk/teams/stf
Security Roadmap looking at open problems, forthcoming
Rough Guide to Grid Security, Mike Surridge
http://www.nesc.ac.uk/technical papers
• Grids need to build community for various reasons
— one is for a shared appreciation of security needs.
Grid Engineering Task Force, Security Working Group
• Much effort has been expended in harmonisation of policies and
procedures; no doubt more is needed.
A critical survey of Grid security requirements and technologies,
Philippa Broadfoot and Andrew Martin.
http://www.grid-support.ac.uk/etf/security
http://web.comlab.ox.ac.uk/oucl/publications/tr/rr-03-15.html
17 & 18
Summary
• Security and Grids: A contradiction in terms?
• Grid Security Distinctives
• Three Specifics
• The Future
Related documents
Formal Languages for Grid and Web Services e-Science Institute 7-8 July 2003
Formal Languages for Grid and Web Services e-Science Institute 7-8 July 2003
National e-Science Centre Induction to Grid Computing and the National Grid
National e-Science Centre Induction to Grid Computing and the National Grid
Download
advertisement