Posted on 15-Jan-2016
Standardization of Grid Security Policies
for e-Science Infrastructures
David Groep
EUGridPMA
Physics Data Processing group NIKHEF
2007-10-10 NEDO - Standardization of Grid Security Policies for e-Science Infrastructure 2
Outline
• The grid
– Introduction to grid ‘AA’ and the separation of Authentication and Authorisation
• Building the global authentication fabric
– federation origins
– a global authentication trust fabric
– authentication profiles and minimum requirements
– levels of assurance
• Auditing as a tool for trust establishment
• Towards integrated AA Infrastructures
– leveraging home organisation attributes
– towards a multi-authority world in a single decision point
Grid from 10 000 feet
The GRID: networked data processing centres and “middleware” software as the “glue” of resources.
Researchers perform their activities regardless of geographical location, interact with colleagues, share and access data.
Scientific instruments, libraries and experiments provide huge amounts of data.
graphic from: Federico.Carminati@cern.ch
Virtual Organisation
What is a Virtual Organisation?
A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions.
graphic from: Anatomy of the Grid, Foster, Kesselman and Tuecke
• Users are usually a member of more than one VO
• Any “large” VO will have an internal structure, with groups, subgroups, and various roles
Virtual organisation structure
Lots of overlapping groups and communities
graphic: OGSA Architecture 1.0, OGF GFD-I.030
Virtual vs. Organic structure
• Virtual communities (“virtual organisations”) are many
• An individual will typically be part of many communities
– has different roles in different VOs (distinct from organisational role)
– all at the same time, at the same set of resources
– but will require single sign-on across all these communities
graphic: OGSA Architecture 1.0, OGF GFD-I.030
Trust relationships
• For the VO model to work, parties need a trust relationship
– the alternative: every user needs to register at every resource
– we need to provide a ‘sign-on’ for the user that works across VOs
[Diagram: Domain A (Sub-Domain A1, Server X, Server Y) and Domain B (Sub-Domain B1, Task), each with its own Policy Authority and Org. Certification Authority; a Virtual Organization Domain spans both through GSI, an AuthZ Federation Service and Federated Certification Authorities]
graphic from: Frank Siebenlist, Argonne Natl. Lab, Globus Alliance
Authentication: the IGTF and international coordination
solving ‘stable’ issues first
History of International AuthN Coordination
History
Why a CA Federation?
2000: Urgent need for providing cross-national trust for the EU FP5 ‘DataGrid’ and ‘CrossGrid’ projects
‘National’ PKI
• 1999/93/EC
• uptake very slow even today
• but incorporation was a primary goal
‘Grass Roots’ CAs
• too project-specific
• no documented policies
• not suitable for a production infrastructure
‘Commercial’ CAs
• main focus on web server certs
• many of them (Thawte, Verisign, SwissSign, …)
• too expensive!
• not user-oriented
• hard to make technically compatible
• needed for ‘pop-up’-free web pages!
The first grid authentication infrastructures
• Establishing an Academic Grid PKI
– started off with pre-existing CAs, and some new ones, late 2000
– ‘reasonable’ assurance level based on ‘acceptable’ procedures
– a single assurance level inspired by grid-relying party** requirements
– using a threshold model: minimum requirements
• Focus on current need to solve cross-national authentication issues
– separation of AuthN and AuthZ allowed progress
– minimum requirements convinced enough resource providers to trust the AuthN assertions
– individuals were (and are) all over Europe and the world
– started with 6 authorities (NL, CZ, FR, UK, IT, CERN)
History
Federation Model for Grid Authentication
• A Federation of many independent CAs
– common minimum requirements (in various flavours)
– trust domain as required by users and relying parties, where relying party is (an assembly of) resource providers
– defined and peer-reviewed acceptance process
• No strict hierarchy with a single top
– spread of reliability, and failure containment (resilience)
– maximum leverage of national efforts and complementarities
[Diagram: CA 1, CA 2, CA 3 … CA n enter the federation through authentication profiles and an acceptance process; a common distribution reaches relying party 1 … relying party n]
‘Reasonable procedure … acceptable methods’
• 2001: Requirements and Best Practices for an “acceptable and trustworthy” Grid CA

Minimum requirements for RA - Testbed 1
---------------------------------------
An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate, e.g. by personal contact or some other rigorous method. The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP.

Communication between RA and CA
-------------------------------
Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with known person

Minimum requirements for CA - Testbed 1
---------------------------------------
The issuing machine must be:
  a dedicated machine located in a secure environment
  be managed in an appropriately secure way by a trained person
  the private key (and copies) should be locked in a safe or other secure place
  the private key must be encrypted with a pass phrase having at least 15 characters
  the pass phrase must only be known by the Certificate issuer(s)
  not be connected to any network
minimum length of user private keys must be 1024
min length of CA private key must be 2048
requests for machine certificates must be signed by personal certificates or verified by other appropriate means
...

History
Grid Relying Parties & resource providers
• In Europe
– Enabling Grid for E-sciencE (EGEE) (~ 200 sites)
– Distr. Eur. Infrastructure for Supercomputer Apps (DEISA) (~15 sites)
– South Eastern Europe: SEE-GRID (10 countries)
– many national projects (NL BiG Grid, UK e-Science, Grid.IT, …)
• In the Americas
– EELA: E-infrastructure Europe and Latin America (24 partners)
– WestGrid (6 sites), GridCanada, …
– Open Science Grid (OSG) (~ 60 sites)
– TeraGrid (~ 9 sites + many users)
• In the Asia-Pacific
– AP Grid (~10 countries and regions participating)
– Pacific Rim Applications and Grid Middleware Assembly (~15 sites)
data as per mid 2006
Building the federation
• Trust providers (‘CAs’) and relying parties (‘sites’) together shape the common requirements
– Several profiles for different identity management models
– Authorities demonstrate compliance with profile guidelines
– Peer-review process within the federation to (re-)evaluate members on entry & periodically
– reduces effort on the relying parties
  • single document to review and assess for all CAs under a profile
– reduces cost for the authorities
  • but participation does come at a cost of involved participation …
• Ultimate trust decision always remains with the RP
• An authority is not necessarily limited to just ‘grid’ use
Relying Party issues to be addressed
Common Relying Party requests on the Authorities
1. standard accreditation profiles sufficient to assure approximate parity
– effectively, a single level of assurance sufficed then for relying parties
– is changing today, as more diverse resources are being incorporated
2. monitor [] signing namespaces for name overlaps
3. a forum [to] participate and raise issues
4. [operation of] a secure collection point for information about CAs which you accredit
5. common practices where possible
6. reasonable likeness for a subject’s name*
7. a subject’s name should be forever persistent*
list courtesy of the Open Science Grid (* and wLCG and EGEE draft policy)
The EUGridPMA
Founded on April 2nd, 2004
The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body
• to establish requirements and best practices for grid identity providers
• to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources.
The EUGridPMA itself does not provide identity assertions, but instead asserts that – within the scope of this charter – the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.
EUGridPMA Membership
EUGridPMA membership for Authorities
(the European specific policy to maintain a manageable trust fabric)
• single Authority per
– country,
– large region (e.g. the Nordic Countries), or
– international treaty organization
• ‘serve largest possible community with small number of stable authorities’
• ‘operated as a long-term commitment’
– many CAs are operated by the (national) NREN (CESNET, ESnet, Belnet, NIIF, EEnet, SWITCH, DFN, …)
– or by the e-Science programme or science foundation (UK eScience, VL-e, CNRS, …)
Other ‘RP’ members: DEISA, EGEE, SEE-GRID projects, OSG, LCG, TERENA.
Geographical coverage of the EUGridPMA
[Map] Green: EMEA countries with an Accredited Authority: 23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IS, NO, PK, RS, RU, TR, “SEE-catch-all”
Other EUGridPMA Accredited Authorities: DoEGrids (.us), GridCanada (.ca), CERN
Constituency
The e-Science constituency is defined in broad terms
• academic community
• independent research organisations
• pre-competitive industrial/commercial research
‘Catch-all’ CAs for countries/constituencies without national CA
• CNRS Grid-FR CA
• SEE-GRID CA
• LAC Grid CA
• ASGCC CA
• DoEGrids LCG RA
Global Effort, Regional Progress
• EU, Middle East, Africa and Canada
– Expansion of the EU Information Society Technologies Grid projects leads to expansion of the DataGrid CA Coordination Group
– New projects and countries, wary of duplicating effort, join the group (CrossGrid, many national e-Science projects)
• Asia Pacific
– Fostered by projects like APGrid and PRAGMA, a set of country and project CAs forged a permanent coordinating effort
• USA
– large number of test bed efforts (Globus, NASA IPG, NCSA Alliance)
– lacking the coordination for a “sustainable production infrastructure”, the coordination effort was limited, and many of these early CAs have been forgotten
– only the DoEScienceGrids CA, mainly used in collaborations with the European CERN organisation, becomes a ‘production’ service (‘DoEGrids’)
History
The Tokyo Accord
Need for coordination of a basic trust fabric is ‘obvious’
– common security is the only strong requirement for interoperation, as all other services can be used ‘in parallel’
• 2001: Grid-CP working group in GGF
– Mike Helm, Peter Gietz, and various CA representatives from all over the world
– GGF could not host coordination activity at the time
• During the Tokyo GGF, March 2003: CA and PMA representatives from over the world agreed to coordinate and work towards a grid PMA
History
The Tokyo Accord
First meeting March 2003 at GGF 7 in Tokyo
• Will co-locate and convene at GGF conferences
• Will work on forming the Grid Policy Management Authority, GRIDPMA.org
– Develop Minimum operational requirements - based on EDG work
– Develop a Grid Policy Management Authority Charter
• Representatives from all major Grid PMAs
– European Data Grid & Cross Grid PMA: then 16 countries, 19 organizations
– NCSA Alliance
– Grid Canada
– DOEGrids PMA
– NASA Information Power Grid
– TERENA
– Asian Pacific PMA
  • AIST, Japan; SDSC, USA; KISTI, Korea; BII, Singapore; Kasetsart Univ., Thailand; CAS, China
History
International Grid Trust Federation
Federation of 3 Regional “PMAs” that define common guidelines and accredit credential-issuing authorities:
TAGPMA, EUGridPMA, APGridPMA
Growth of the European Grid trust fabric
[Chart: number of accredited CAs, 0 to 40, from Mar-01 through Sep-06]
Foundation of the IGTF allows migration of CAs to proper Regional PMA
History
Realising the roadmap
[The e-IRG] encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions.
e-IRG Recommendation, Dutch EU Presidency 2004
Trans-disciplinary (Grid projects, NRENs, other user communities) and trans-continental forums that move towards the establishment of a global, seamless AA infrastructure for e-Science applications should be encouraged.
The e-IRG wishes to acknowledge the efforts made in this direction by the IGTF and the open information exchange point provided by TERENA task forces.
e-IRG Recommendation, Austrian EU Presidency 2006
The Inner Workings of the Federation
Guidelines: common elements in the IGTF
• Coordinated namespace
– Subject names refer to a unique entity (person, host)
– Usable as a basis for authorization decisions
– This name uniqueness is essential for all authentication profiles!
• Common Naming
– Coordinated distribution for all trust anchors in the federation
– Trusted, redundant, sources for download, verifiable via TACAR
• Concerns and ‘incident’ handling
– Guaranteed point of contact
– Forum to raise issues and concerns
• Requirement for documentation of processes
– Detailed policy and practice statement
– Auditing by federation peers
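The relying-party request to ‘monitor signing namespaces for name overlaps’ (slide 16) and the coordinated-namespace guideline above come down to one mechanical check: no two accredited authorities may be permitted to sign the same subject name, or a relying party can no longer map a name to one entity. The following is an added example written for this edit, not code from the presentation or from the IGTF: it parses Globus-style signing_policy files, the per-CA namespace constraint format shipped alongside trust anchors in IGTF distributions, and reports every pair of authorities whose permitted subject patterns could match the same DN. The CA names, DNs and the overlap in the sample files are constructed.

```python
"""Detect overlapping subject namespaces between accredited CAs.

Added example (not from the presentation or the IGTF).  Parses
Globus-style signing_policy files and reports any two authorities whose
permitted subject-name patterns could both match one DN.  All CA names,
DNs and the deliberate overlap below are constructed for illustration.
"""
import fnmatch
import re
import shlex
from itertools import combinations

# Constructed sample: one signing_policy per CA.  CA "Beta" claims a
# sub-tree that lies inside the namespace granted to CA "Alpha".
SAMPLE_POLICIES = {
    "alpha.signing_policy": """\
# constructed sample, not a real CA
access_id_CA  X509  '/C=XX/O=Alpha Grid/CN=Alpha Grid CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=XX/O=Alpha Grid/*"'
""",
    "beta.signing_policy": """\
access_id_CA  X509  '/C=XX/O=Beta Grid/CN=Beta Grid CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=XX/O=Beta Grid/*" "/C=XX/O=Alpha Grid/OU=Beta users/*"'
""",
    "gamma.signing_policy": """\
access_id_CA  X509  '/C=XX/O=Gamma/CN=Gamma CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=XX/O=Gamma/*"'
""",
}

_WILDCARD = re.compile(r"[*?\[]")


def parse_signing_policy(text):
    """Return {ca_dn: [glob patterns]} from signing_policy text.

    An access_id_CA line opens a block for that issuer; every
    cond_subjects line in the block adds its double-quoted patterns.
    Blank lines and '#' comments are ignored.
    """
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "access_id_CA" and len(tokens) >= 3:
            current = tokens[2]
            policies.setdefault(current, [])
        elif tokens[0] == "cond_subjects" and len(tokens) >= 3:
            if current is None:
                raise ValueError("cond_subjects before access_id_CA: %r" % line)
            policies[current].extend(shlex.split(tokens[2]))
    return policies


def _literal_prefix(pattern):
    """Part of a glob before its first wildcard (whole string if none)."""
    m = _WILDCARD.search(pattern)
    return pattern if m is None else pattern[: m.start()]


def patterns_overlap(a, b):
    """Conservative test: could a single DN be matched by both patterns?

    True when either pattern matches the other taken literally (exact
    names, and a sub-tree nested under a trailing '*'), or when both have
    wildcards and one literal prefix is a prefix of the other.  This may
    over-report for exotic globs but never misses a trailing-'*' overlap.
    """
    if fnmatch.fnmatchcase(a, b) or fnmatch.fnmatchcase(b, a):
        return True
    if _WILDCARD.search(a) and _WILDCARD.search(b):
        pa, pb = _literal_prefix(a), _literal_prefix(b)
        return pa.startswith(pb) or pb.startswith(pa)
    return False


def find_namespace_overlaps(policies):
    """Sorted list of (ca_a, ca_b, pattern_a, pattern_b) across different CAs."""
    conflicts = []
    for (ca_a, pats_a), (ca_b, pats_b) in combinations(sorted(policies.items()), 2):
        for pa in pats_a:
            for pb in pats_b:
                if patterns_overlap(pa, pb):
                    conflicts.append((ca_a, ca_b, pa, pb))
    return conflicts


def check_distribution(files):
    """Parse every signing_policy in {filename: text} and report overlaps."""
    merged = {}
    for text in files.values():
        for ca, pats in parse_signing_policy(text).items():
            if ca in merged:
                raise ValueError("CA %s appears in more than one file" % ca)
            merged[ca] = pats
    return find_namespace_overlaps(merged)


if __name__ == "__main__":
    for ca_a, ca_b, pa, pb in check_distribution(SAMPLE_POLICIES):
        print("OVERLAP: %s [%s]  vs  %s [%s]" % (ca_a, pa, ca_b, pb))
```

Run over a real distribution directory, the same check would be fed every *.signing_policy file it contains; an overlap is a federation-level finding for the two authorities involved, not something a relying party should resolve locally by editing one CA's policy.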
Guidelines: secured X.509 CAs
Aimed at long-lived identity assertions, the ‘traditional PKI’ world
• Identity vetting procedures
– Based on (national) photo IDs
– Face-to-face verification of applicants via a network of distributed Registration Authorities
– Periodic renewal (once every year)
– revocation and CRL issuing required, and we have all RPs actually downloading the CRLs several times a day
– subject naming must be a reasonable representation of the entity name
• Secure operation
– off-line signing key or HSM-backed on-line secured systems
• Audit requirements
– data retention and audit trail requirements, traceability of certified entities
• Technical implementation
– need to limit the number of issuing authorities for technical reasons (most software and browsers cannot support O(1000) issuers)
– certificate profile and interoperability
Short-lived or member integrated services
Aimed at short-lived ‘translations’, that are organisation/federation bound
• Identity vetting procedures
– based on an existing ID Management system of sufficient quality
– Original identity vetting must be of sufficient quality to trace the individual for as long as name is in active use
– If documented traceability is lost, the subject name can never be re-used
– revocation and CRL issuing not required for assertion lifetimes << 1 Ms
– subject naming must be a reasonable representation of the entity name
• Secure operation
– HSM-backed on-line secured systems
• Audit requirements
– data retention and audit trail requirements, traceability of certified entities
• Technical implementation
– scaling of this model still needs to be demonstrated, and needs higher-level coordination
– most software and browsers cannot support O(1000) issuers
– and a peer-review based trust fabric cannot do that either …
– certificate profile and interoperability
MICS ID management system requirements
How the IdM is populated, maintained and cleaned MUST be documented and agreed to by the PMA. Two modes:
By example: The IdM used by the CA should be a system that is also used to protect access to critical resources, e.g. payroll systems, for use in financial transactions, granting access to highly-valuable resources, and be regularly maintained.
By review: Alternatively, equivalent security mechanisms must be provided, described in detail and presented to the PMA and are subject to PMA agreement.
And again the data for those entities in the IdM that qualify for ‘MICS’ assertions must be of a quality that allows unique tracing, name uniqueness and persistency – and a mechanism to clean ‘stale’ entries must be defined.
Example: the UvAmsterdam does not trust its own system even for grading!
Tries to ‘catch’ the quality of the system without having to report to formal audits.
Identity vetting requirements: convincing the world that you’re OK
MICS/SLCS Federated Deployment Model
• Grid AuthN interface based on national federations
– use of MICS AP by pushing ‘down’ the requirements onto its members
– maximum leverage of national efforts
– in line with the complementarity principle
– needed for scalability of the PMA itself!
• Example: SWITCH-aai
– from entire existing federation with a single ‘SLCS’ front-end
– introduce concept of ‘entitlement’ so only appropriately vetted users can use the translation service
– issue grid compatible credentials automatically
– with life time ~ few days
– similar efforts in NL, UK/NGS
graphic courtesy Christoph Witzig,
Profile matrix: where we stand
Classic AP (near-inline Id vetting)
– Identity vetting: with govt photo-ID; only by in-person F2F meeting of RA
– Subject: soft-tokens allowed
– Issuer: off-line or online HSM 140.2-3
MICS (time-shifted Id vetting)
– Identity vetting: with govt photo-ID; with proven documented traceability to individual at any time (no definite F2F requirement)
– Subject: soft-tokens allowed
– Issuer: online HSM 140.2-3
SLCS (time-shifted Id vetting)
– …
Multiple Authentication Profiles: where the IGTF stands today
Although ‘Single Trust Level’ is a good message, the trend is towards more diverse LoAs
• diversity of resource types is increasing
• alternate grid use models create a need for a wider range of LoAs
Common Trust Anchor Distribution
The IGTF is a policy bridge architecture, thus …
• has a large set of ‘trust anchors’ (CA certificates)
• single, common distribution across all of the IGTF
• with ‘trusted committers’ in each PMA
• Dedicated authoritative secure source … enabled by NEDO
– mirrored by each PMA
– source host “dist.eugridpma.info”
– https with browser-recognised cert
– protected, with specific VMs and monitoring
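What a relying party should do with a mirrored copy of the distribution is left implicit on the slide: a mirror is only as good as its agreement with the authoritative source. The following added example (not code from the presentation or the IGTF, which distributes signed packages and publishes fingerprints via TACAR) models that check with a constructed manifest of SHA-256 digests obtained from the authoritative host. A mirror is accepted only when every listed file is present and unmodified and no unlisted trust anchor has appeared alongside them. The manifest format, file names and file contents are assumptions made for the example.

```python
"""Check a mirrored trust-anchor distribution against the authoritative digest list.

Added example, not code from the presentation or the IGTF.  The manifest
format ("<sha256 hex>  <file name>" per line), the file names and the
file contents are constructed for illustration.
"""
import hashlib


def sha256_hex(data):
    """Hex SHA-256 of a byte string, the digest recorded in the manifest."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Produce manifest text for an authoritative {name: bytes} mapping."""
    lines = ["# constructed manifest: sha256 digest, two spaces, file name"]
    for name in sorted(files):
        lines.append("%s  %s" % (sha256_hex(files[name]), name))
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Parse manifest text into {name: digest}; reject malformed entries."""
    manifest = {}
    hexdigits = set("0123456789abcdef")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip()
        if len(digest) != 64 or not set(digest) <= hexdigits or not name:
            raise ValueError("malformed manifest line: %r" % line)
        if name in manifest:
            raise ValueError("duplicate manifest entry: %s" % name)
        manifest[name] = digest
    return manifest


def verify_mirror(manifest, mirror_files):
    """Classify every file as ok / modified / missing / unexpected.

    'unexpected' catches a trust anchor present on the mirror that the
    authoritative source never listed: installing it would extend trust
    to an issuer nobody accredited.
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in sorted(manifest.items()):
        if name not in mirror_files:
            report["missing"].append(name)
        elif sha256_hex(mirror_files[name]) == expected:
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(mirror_files) - set(manifest))
    return report


def mirror_is_clean(report):
    """True only when nothing is modified, missing or unexpected."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


# Constructed authoritative copy: two CAs, one with its signing_policy.
# The byte strings stand in for real PEM and policy files.
AUTHORITATIVE = {
    "ca-alpha.0": b"-----BEGIN CERTIFICATE-----\nALPHA (constructed)\n-----END CERTIFICATE-----\n",
    "ca-alpha.signing_policy": b"access_id_CA X509 '/C=XX/O=Alpha Grid/CN=Alpha Grid CA'\n",
    "ca-beta.0": b"-----BEGIN CERTIFICATE-----\nBETA (constructed)\n-----END CERTIFICATE-----\n",
}
MANIFEST_TEXT = build_manifest(AUTHORITATIVE)

# Constructed mirror: one file altered, one dropped, one extra issuer added.
MIRROR = dict(AUTHORITATIVE)
MIRROR["ca-beta.0"] = MIRROR["ca-beta.0"].replace(b"BETA", b"TAMPERED")
del MIRROR["ca-alpha.signing_policy"]
MIRROR["ca-rogue.0"] = b"-----BEGIN CERTIFICATE-----\nROGUE (constructed)\n-----END CERTIFICATE-----\n"


def check_constructed_mirror():
    """Verify the constructed mirror against the parsed manifest."""
    return verify_mirror(parse_manifest(MANIFEST_TEXT), MIRROR)


if __name__ == "__main__":
    rep = check_constructed_mirror()
    for kind in ("modified", "missing", "unexpected"):
        for name in rep[kind]:
            print("%-10s %s" % (kind.upper(), name))
    print("mirror clean:", mirror_is_clean(rep))
```

The manifest itself must come from the authoritative source over an authenticated channel (the slide's https endpoint with a browser-recognised certificate); fetched from the mirror being checked, it would vouch for whatever the mirror already contains.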
Auditing
Auditing
Auditing foundation laid by Yoshio Tanaka from 2005
• Derived from
– the Classic AP guidelines
– WebTrust Seal of Approval criteria
• Subsequently refined
– applying it to all new CAs in the AP region
– cross-reviews by the NAREGI project
– review in the IGTF, and via the OGF CAOPS Working Group
• Thorough implementation in the APGridPMA allowed for rapid convergence and building experience for assessing compliance and severity of the auditing criteria
CAOPS-WG Auditing (draft)
• list of essential items
• selected guidance
Expanding Auditing
Audit process developed by the NEDO project is now introduced as a basis for harmonizing international CA coordination
– EUGridPMA formally adopted the Continuous Audit Process
– uses the Review Criteria document established by Yoshio Tanaka
– With an implementation process that will ensure bi-annual auditing of all CAs in the EUGridPMA
– In due course will become de-facto standard across all of the IGTF
EUGridPMA Examples
• Grid-Ireland CA
• DutchGrid CA
Where to go from here?
Interoperation
‘The Grid Cannot Be Switched Off’
• maintaining interoperation between all international grid projects is now essential for e-science, and even more for industrial applications, to be successful – continuity of service is a must
• This necessarily limits radical changes, certainly in the AuthN and AuthZ area, where any change in standard interfaces would hurt the most
• Fortunately, the AuthN (and most of the AuthZ) components use existing accepted standards that provide the required functionality
– new features can be gradually introduced within the current framework, i.e. in the X.509, X.509 AC and RFC3820 framework
– SAML/XACML are already geared towards X.509 interoperation
Outlook
• Confederation is coming for grids and science
– the user scenarios require it, as the user community is international
– national federations, leveraging home organisation identity vetting or eGov IDs, are a ‘must’ for scalability
• e-Infrastructure needs the campus – and your researchers need e-Infra …
– with a need for defined and verifiable LoAs (at high and low levels)
– the ‘homeless’ will be a permanent feature
• IGTF today provides an international trust fabric for AuthN
– a source for ‘trusted’ identifiers
– definition of multiple LoAs is starting, and we want to reach out and co-leverage other efforts as much as possible
– by structure, we are geared towards catering for the ‘homeless’
– we continue to have pressing urgent needs for federation today
– but we are a long way from the O(10M+) users mark
In Collaboration With & Supported By