AARNet Copyright 2005

advertisement
AARNet Copyright 2005
AARNet Copyright 2005
AARNet Middleware
Activities 2005
APAN 2005
James.Sankar@aarnet.edu.au
Network Engineer – Middleware
AARNet
AARNet Copyright 2005
About this talk
Background
–
–
–
–
AARNet
Why Middleware?
Overview of AARNet current middleware activities
IAM survey background
Results
– Key Findings
– Barriers
– Opportunities
3
AARNet Copyright 2005
AARNet – Core Activity
Roll out of the AARNet 3 Dark Fibre “Dense WaveDivision Multiplexing” (DWDM) providing:
– 32 wavelengths of 10Gbps capacity initially
– Supports growth to 64 or more wavelengths of 40Gbps over
life of the network
4
AARNet Copyright 2005
AARNET goals
• To complete the AARNet 3 roll out and develop outreach
programmes to extend access to rural areas.
• To participate in national and regional activities
– Engage with the community – e.g. Astronomers, Physicists etc
– Engage with research and education stakeholders to develop a
national middleware framework
• To develop applications and services for AARNet
customers
• To develop international links and actively participate in
international projects.
5
AARNet Copyright 2005
Why Middleware?
On the Internet – nobody
knows who you are!
More content and access
to scarce physical systems
requires user
authentication and
authorisation in a secure,
scalable way
6
AARNet Copyright 2005
Why Middleware?
Identity and Access
Management should support
user requests to resources
regardless of location, to do
so requires integration,
loosely coupled federations
and clever, intuitive systems
that are and able to support
general requests or ask for
authentication when required.
7
AARNet Copyright 2005
AARNet middleware
In-house developments
8
– Develop a middleware architecture framework for
development activities.
– Roll out eduroam to AARNet offices and staff.
– Gain practical experience of Shibboleth by
• Creating an AARNet Identity Provider system for
AARNet staff and join MAMS federation.
• Assessing the feasibility of shibbolising AARNet
applications and services.
– Further development AARNet’s middleware website to
generate awareness;
AARNet Copyright 2005
AARNet middleware
Joint activities
– Involvement in national middleware initiatives involving
education and research communities.
– CAUDIT Identity and Access Management survey 2005.
– Participation and assistance in eduroam Australia roll out,
development and policy.
– Participation in
• global eduroam development and policy.
• CAUDIT PKI Technical Working Group in developing a
national PKI.
• Global middleware policy.
9
AARNet Copyright 2005
What is a CAMPUS Identity & Access Management System?
“…Identity and access management isn’t really a
system that you go out and buy. It must become a
pervasive, federated infrastructure that integrates
companies internally while simultaneously allow
them to interoperate with other companies. It must
support both centralized and decentralized scenarios. It
must accommodate integration where practical, and
more loosely coupled federation models where
necessary.”
Burton Group (July 2002)
10
AARNet Copyright 2005
What is a CAMPUS Identity & Access Management System?
“…an integrated system of business processes, policies and
technologies that enable organizations to facilitate and control
their users' access to critical online applications and resources
— while protecting confidential personal and business
information from unauthorized users. It represents a category of
interrelated solutions that are employed to administer user
authentication, access rights, access restrictions, account
profiles, passwords, and other attributes supportive of users'
roles/profiles on one or more applications or systems.”
Wikipedia 2005
11
AARNet Copyright 2005
The Survey – why now?
The Survey instrument was designed to assess
progress of Identity and Access Management systems
to act on
– Any barriers to integration (same/single sign on) that need to
be removed (resourcing, technical, political, etc.)
– Any opportunities to
• Promote campus infrastructure integration best practice
• Assess the need for a federated authn infrastructure
12
• Identify authz components for services / resources.
AARNet Copyright 2005
Survey Results
Authentication
– Username/Passwords & IP based authentication.
Authorisation
– Ezproxy, proxy caches in use. Differences exist in support to
access local and remote resources.
Directory services
– LDAP preferred service
System integration
– in house developments (PERL, Visual Basic, JAVA, C++, SQL
to process data from student, HR and other databases).
13
AARNet Copyright 2005
Resources / Application support
14
AARNet Copyright 2005
Survey Results - continued
Current focus – Campus infrastructure integration
• Unify Authentication, Authorisation, Access;
– Automate the transfer of data to feed into Directories, meta
data, and so forth.
– Develop simplified user interfaces (e.g. Same/Single Sign on
portals).
• Visitor guest network access (http, https, VPN) via
– Creating temporary accounts.
– eduroam (802.1X/EAP-TTLS & RADIUS backend).
15
AARNet Copyright 2005
Identity and Access Management Today
16
AARNet Copyright 2005
Survey Results - continued
Public Key Infrastructures Use
– Limited use of digital certificates (due to No national PKI)
– 30% claim their Directory Services support PKI
Next Project developments
– Web portal & Account self service = 14/25
– Same Sign On = 4/25 & Single Sign On = 13/25
– CAUDIT /Staff/Student/Web/Service certs = 7/25
17
AARNet Copyright 2005
Survey Results – Barriers identified
• Limited resources / funds available.
• Limited key stakeholders involvement to create
integration and federation infrastructures.
• High risks/impact to develop critical IAM systems.
• Lack of coordinated middleware effort in IAM space
• Minimal dissemination of standards, policies and
technical guidelines.
• Limited Training (eduperson, same/single sign on).
18
AARNet Copyright 2005
Survey Results – Recommendations 1
(1) Develop IAM content on
– Gather and exchange recommended Authentication and
Authorisation methods/products, guidelines for use, transmission,
storage of credentials and IAM best practice
– Identify / develop ways to can leverage from same/single sign on
environments.
– Track CAUDIT PKI developments and make use of PKI to
develop secure access.
(2) Engage with service providers
19
– Identify requirements to enable users to gain access to remote
resources and agree on standards/rules to operate via a
federation.
AARNet Copyright 2005
Survey Results – Recommendations 2
(3) Develop a middleware framework
– An inclusive process for stakeholders (identity providers and
service providers) to align to in a cost effective, low risk,
secure, user-friendly way within Australia.
– Identify Australian strengths to contribute in partnership with the
global middleware effort.
– Identify international middleware activities that Australia can
make learn and develop from.
20
AARNet Copyright 2005
Useful links
• AARNet Middleware web pages http://www.aarnet.edu.au/engineering/middleware/
• Identity & Access Management Survey 2005 –
http://www.aarnet.edu.au/engineering/middleware/id_access_m
gt_survey.html
• Eduroam - www.eduroam.org
• Eduroam Australia – www.eduroam.edu.au
• Shibboleth – http://shibboleth.internet2.edu/
• MAMS - http://www.melcoe.mq.edu.au/projects/MAMS/
21
AARNet Copyright 2005
Thank You
22
Download