Page 1: Welch owasp-feb-2015

Identity Management for Virtual Organizations:

A Model

Von Welch, Bob Cowles, Craig Jackson

OWASP Bloomington February 24th, 2015

Page 2

The XSIM Team

• Bob Cowles – BrightLight Information Security, former CISO of SLAC.
• Craig Jackson – CACR Policy Analyst, former practicing attorney.
• Von Welch – CACR Deputy Director, long-time distributed science security researcher.

Page 3

Identity Management (IdM)

From Wikipedia: “Identity management describes the management of individual identifiers, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.”

Page 4

The “Good Old Days”

Scientists were employees or students of the resource provider.

Image credit: Wikipedia

Image credit: Lawrence Livermore National Laboratory (via Wikipedia)

Page 5

Then remote access…

Scientists were no longer necessarily affiliated with the resource provider. IdM for remote scientists became common, but was still managed directly by the resource provider.

Image credit: All About Apple Museum, Creative Commons Attribution-Share Alike 2.5 Italy

Page 6

Growth of the scientific collaboration

• Number of scientists, institutions, resources.
• Large, expensive, rare/unique instruments.
• Increasing amounts of data.

The model of the resource provider managing all their users eroded.

Image credit: Ian Bird/CERN

Page 7

Enter the Virtual Organization

The virtual organization has proven itself as the key way of allowing large-scale, multi-organization science collaborations.

• ATLAS: 3,000+ members, 177 institutions, 38 countries.
• CMS: 3000+ members, 172 institutions, 40 countries.
• ALICE: 1200+ members, 132 institutions, 36 countries.
• XSEDE: 10000+ users, 16 resources.
• LIGO: 800+ scientists, 56 institutions, 13 countries.
• Etc.

Page 8

VO Identity Management

A number of approaches have been tried: VOMS, Glide-ins, Science gateways, COManage, Community/group accounts, etc.

We now have 15 years of applied experimentation in VO IdM.

Page 9

Identity matters to Science… They just don’t call it that.

Scott Koranda/LIGO - Oct’11

Page 10

Our Vision

Have identity management for collaboratories and virtual organizations well understood.

And Mission

Develop a model that expresses the different collaboratory identity architectures and provides guidance to a collaboratory in the selection.

Page 11

Extreme Scale Identity Management for Science (XSIM)

• Research and develop a VO-IdM model to express the trust relationships between resource providers (RPs) and collaboratories.
• Validate the model and determine the motivations that lead to different choices.
• Develop guidance to collaboratories and resource providers in architecting their IdM and trust choices.

Page 12

Interviewees

Collaboratories
• Atlas
• BaBar
• Belle-II
• CMS
• Darkside
• Engage
• Earth System Grid
• Fermi Space Telescope
• LIGO
• LSST/DESC

Resource Providers
• Atlas Great Lakes T2
• FermiGrid
• GRIF
• U. Nebraska (CMS)
• LCLS
• RAL
• GRIF/LAL
• LLNL
• NERSC
• Blue Waters

Page 13

VO IdM Model: Data-centric Production & Consumption

Identity data is produced to provide functionality to other workflows when needed.

Identity data is consumed to perform these functions.

Functionality: authentication, authorization, allocation/scheduling, accounting, auditing, user support, incident response.

Model IdM Data: (1) User identifier, (2) User contact info, (3) VO membership/role.

Page 14

Identity Data Flow in the “Classic Model”

[Figure: a single RP box containing the IdM functions Authn, Authz, Audit, Accounting, Incident Response and User Support, all fed by the RP’s own User Ids & Contact info.]

RP produces and consumes all IdM information.

Page 15

Identity Data Flow in Multi-user Pilot Jobs

[Figure: User Identity is established via PKI and consumed by the RP. The RP box contains Authn, Authz, Allocations/Scheduling, Incident Response and User Support. A separate VO box produces VO Membership and User contact info, which flow into the RP’s functions.]
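The model slide and the two data-flow slides above can be written down as a small program. The following is an added example, not code from the XSIM project or the slides: it encodes which party produces each of the three IdM data items and which functions the RP performs, then derives the cross-organization trust dependencies the model is meant to surface. The per-function consumption mapping (which data item each function needs) is an assumption made for the example; the slides name the functions and the data items but not that mapping. The third architecture is a constructed what-if that shows how a gap in delegated data silently removes an RP capability such as traceability for incident response.

```python
"""Added example, not code from the XSIM slides or project: a small encoding
of the data-centric VO IdM model (identity data produced by some party,
consumed by IdM functions) used to derive the trust dependencies between
a resource provider (RP) and the parties that feed it identity data."""
from dataclasses import dataclass

# The three IdM data items named on the model slide.
USER_ID = "user identifier"
CONTACT = "user contact info"
MEMBERSHIP = "VO membership/role"

# Which data item each IdM function consumes. The slides list the functions
# and the data items but not this per-function mapping; it is an assumption
# made for the example.
CONSUMES = {
    "authentication": {USER_ID},
    "authorization": {USER_ID, MEMBERSHIP},
    "allocation/scheduling": {MEMBERSHIP},
    "accounting": {USER_ID, MEMBERSHIP},
    "auditing": {USER_ID},
    "user support": {USER_ID, CONTACT},
    "incident response": {USER_ID, CONTACT},
}


@dataclass(frozen=True)
class Architecture:
    name: str
    producers: dict          # data item -> party that produces it
    rp_functions: frozenset  # IdM functions the RP performs itself


def trust_dependencies(arch):
    """Map each RP function to the non-RP parties whose data it relies on.

    A function only appears if it consumes data the RP did not produce; an
    empty result means the RP is self-sufficient (the classic model).
    """
    deps = {}
    for fn in sorted(arch.rp_functions):
        external = {
            arch.producers[item]
            for item in CONSUMES[fn]
            if item in arch.producers and arch.producers[item] != "RP"
        }
        if external:
            deps[fn] = external
    return deps


def unsupported_functions(arch):
    """RP functions that consume a data item nobody produces in this
    architecture: the capabilities (e.g. traceability for incident response)
    an RP silently loses when delegation leaves a gap."""
    return sorted(
        fn for fn in arch.rp_functions
        if any(item not in arch.producers for item in CONSUMES[fn])
    )


# Slide 14: the RP produces and consumes all IdM information.
CLASSIC = Architecture(
    name="Classic Model",
    producers={USER_ID: "RP", CONTACT: "RP", MEMBERSHIP: "RP"},
    rp_functions=frozenset(CONSUMES),
)

# Slide 15: user identity arrives via PKI, the VO produces membership and
# contact info, and the RP still runs authn, authz, allocation/scheduling,
# incident response and user support.
PILOT_JOBS = Architecture(
    name="Multi-user Pilot Jobs",
    producers={USER_ID: "PKI", CONTACT: "VO", MEMBERSHIP: "VO"},
    rp_functions=frozenset({
        "authentication", "authorization", "allocation/scheduling",
        "incident response", "user support",
    }),
)

# Constructed what-if (not on the slides): a VO that supplies membership but
# never hands contact info to the RP.
NO_CONTACT = Architecture(
    name="Pilot jobs without contact info",
    producers={USER_ID: "PKI", MEMBERSHIP: "VO"},
    rp_functions=PILOT_JOBS.rp_functions,
)

if __name__ == "__main__":
    for arch in (CLASSIC, PILOT_JOBS, NO_CONTACT):
        print(f"== {arch.name}")
        for fn, parties in trust_dependencies(arch).items():
            print(f"  {fn:22s} depends on {', '.join(sorted(parties))}")
        gaps = unsupported_functions(arch)
        if gaps:
            print("  no producer for data needed by:", ", ".join(gaps))
```

Running it lists, for the pilot-job architecture, every RP function that now depends on the PKI or the VO, and for the what-if flags incident response and user support as functions the RP can no longer perform. That is the kind of trust relationship and gap the XSIM model is meant to make explicit before an RP agrees to delegate.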

Page 16

Pros of RP Delegation of IdM

• Complexity of Roles
• Scale and Dynamicity
• VO-wide collaboration services
• Alignment with RP’s mission
• Established Trust Relationships
• VO Expertise and Available Effort
• Traceability Mechanisms

Page 17

Barriers

• Historical Inertia
• Risk Aversion
• Compliance and Assurance Requirements
• Technology Limitations

Page 18

Guidance in implementation

• Bob Cowles, Craig Jackson and Von Welch. XSIM OSG IDM Guidance. 2014. http://www.vonwelch.com/pubs/XSIMOSGIDM
• Bob Cowles, Craig Jackson and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers & Roadmap for Incremental Implementation. In draft, contact if interested.

Page 19

Conclusion Virtual Organizations have become essential for scientific computing.

XSIM vision is to improve scientific computing by better understanding how to do identity management for VOs.

Based on 18+ interviews, we have developed a model for describing VO IdM based on IdM data production and consumption.

Page 20

Thank you. Questions?

Von Welch ([email protected])

http://cacr.iu.edu/collab-idm

We thank the Department of Energy Next-Generation Networks for Science (NGNS) program (Grant No. DE-FG02-12ER26111) for funding this effort.

The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the sponsors or any organization.