UCISA-NeSC Managers Forum
How do I Grid-enable my University?
The challenges posed by e-Science and the Grid paradigm
Security
Andrew Martin
Oxford e-Science Centre
Grid Security
2
Contents
• Security and Grids: A contradiction in terms?
• Grid Security Distinctives
• Three Specifics
• The Future
Grids without Acronyms
Security and Grids: A contradiction in terms?
“So, you want me to take the highest performing compute
clusters, the biggest fastest datastores, connected together using
the best available networks, and make them available to anyone
who is connected to any Grid client?”
Well, not quite.
Grids
coordinated resource sharing and problem solving in dynamic, multi-institutional virtual organisations.
— direct access to computers, software, data, and other resources
— required by a range of collaborative problem-solving and resource brokering strategies emerging in industry, science, and engineering
— necessarily highly controlled, with resource providers and consumers defining clearly and carefully just what is shared, who is allowed to share, and the conditions under which sharing occurs.
[Foster, Kesselman, Tuecke]
A real challenge
The scale of the problem is significant:
• a complex socio-technical system
• trust is a slippery subject; multiple trust domains
• valuable resources; valuable data
• mobile code; mobile data; mobile users.
• Conceptually, the network becomes one big computer
— compare with decades of operating system research
• Concerns chase down to classical notions of confidentiality, integrity, availability.
A wider movement
• new patterns of work and interaction; dynamic behaviour
• growing scale and scope
• single sign-on
• pervasive technologies (mobility, handheld, wireless)
• developing threat landscape
Grid Security Distinctives
• Virtual Organisations
• Separation of Authorization and Authentication
• Need for delegation
• Distributed trust in a dynamic network
Virtual Organisations (VOs)
VOs are one of the most-promoted features of Grid computing: bring together a group of people and resources for a short- or medium-term task, and disband later.
But most of our approaches to accounting and user management assume that people and machines move around relatively little.
• When the VO suffers an incident, whom do we contact?
• When it goes badly wrong, whom do I sue?
Virtual organisations aren’t real...
Authorization and Authentication
Part of the solution is to manage these two elements separately.
Authentication: who are you? Can you prove it? Establish a single accepted way to do this, and use it widely.
Authorization: permission to do things based on authenticated identity, project membership, present location, time/date...
Authorization is complicated considerably by the desire to permit delegation.
Trust
Trust-at-a-distance is one of the central problems in distributed computing.
• Should I trust the users? [no!]
• Should the users trust the sysadmins?
• Why should the users entrust their data/software to my system?
Dynamic VOs make this problem very much worse.
Three Specifics
• Public Key Infrastructure (PKI)
• Firewall interaction
• Organisational Politics
Public Key Infrastructure (PKI)
• means of achieving a single identity (and single sign-on) across disparate resources
• implies need for roots of trust (Certificate Authorities, CAs)
• for an individual, the basis of any authorisation decision is an identity certificate
• requires key management by individuals: a new kind of self-discipline
• e-Science programme presently has a single CA, with Registration Authorities (RAs) in each institution
• this is probably the pattern for the future, too, but ask JISC!
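As an added illustration, not from the slides, the separation of authentication from authorization (slide 9) on top of the single-CA identity model (slide 12), using only Go's standard library: `issue`, `Authenticate`, `Authorize`, the "e-Science CA", "alice" and the "climate-vo" roster are all constructed names. Delegation is approximated by letting the user certificate sign a short-lived proxy carrying a plain CA bit, because Go's verifier does not implement RFC 3820 proxy certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate for cn: parent == nil gives the self-signed CA root, otherwise parentKey signs,
// so every identity traces back to one CA. A user cert signing a short-lived proxy stands in for delegation
// (simplification: a plain CA bit rather than an RFC 3820 proxy certificate). Constructed example code.
func issue(cn string, ttl time.Duration, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// Authenticate answers "who are you, can you prove it?": the presented chain must verify up to the
// single trusted CA. The identity is the cert the CA issued directly, even when a proxy presents.
func Authenticate(ca *x509.Certificate, chain ...*x509.Certificate) (string, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca)
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	paths, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", err // expired proxy, unknown CA, broken signature: all fail here, before any policy runs
	}
	return paths[0][len(paths[0])-2].Subject.CommonName, nil // a verified path runs leaf ... root
}

// Authorize is the separate decision: identity plus VO membership plus the clock. roster is a
// constructed map of identity -> project -> membership expiry, since VOs are time-boxed.
func Authorize(roster map[string]map[string]time.Time, id, project string, now time.Time) bool {
	until, ok := roster[id][project]
	return ok && now.Before(until)
}
```

A certificate from a CA outside the trust root, or a proxy past its lifetime, is refused by `Authenticate` before `Authorize` ever sees it; a valid identity with no current VO membership passes the first check and fails the second.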
Firewall Interaction
• Firewalls challenge diversity and throughput.
• We have a conceptual problem with security perimeters.
• US TeraGrid partitions Grid facilities from the rest of the Internet.
• Present UK designs: trusted host database, dynamic firewall.
• Web services (Grid services) necessitate a re-evaluation.
• Move towards firewall as part of Grid infrastructure.
Organisational Politics
• The biggest present challenges for Grid computing are social ones.
• Security challenges are real, but are also the subject of paranoia, fear, uncertainty, doubt.
• The trust question has both technical and social dimensions.
• Grids need to build community for various reasons — one is a shared appreciation of security needs.
• Much effort has been expended in harmonisation of policies and procedures; no doubt more is needed.
The Future
Now:
• ‘level two’ testbed
• applications-led
• very heterogeneous
• e-Science CA at CCLRC
Next:
• production Grids
• Grid services
• persistent capabilities
• emergency response
• user regulations
References
Security Task Force, e-Science Core Programme
http://www.nesc.ac.uk/teams/stf
Security Roadmap looking at open problems, forthcoming
Rough Guide to Grid Security, Mike Surridge
http://www.nesc.ac.uk/technical papers
Grid Engineering Task Force, Security Working Group
http://www.grid-support.ac.uk/etf/security
A critical survey of Grid security requirements and technologies,
Philippa Broadfoot and Andrew Martin.
http://web.comlab.ox.ac.uk/oucl/publications/tr/rr-03-15.html
Summary
• Security and Grids: A contradiction in terms?
• Grid Security Distinctives
• Three Specifics
• The Future