Standardization of Grid Security Policies for e-Science Infrastructures
David Groep, EUGridPMA, Physics Data Processing group, NIKHEF
Outline
• The grid
• Introduction to grid ‘AA’ and the separation of Authentication and Authorisation
• Building the global authentication fabric
  • federation origins
  • a global authentication trust fabric
  • authentication profiles and minimum requirements
  • levels of assurance
• Auditing as a tool for trust establishment
• Towards integrated AA Infrastructures
  • leveraging home organisation attributes
  • towards a multi-authority world in a single decision point
NEDO - Standardization of Grid Security Policies for e-Science Infrastructure
Grid from 10 000 feet
• Researchers perform their activities regardless of geographical location, interact with colleagues, share and access data
• Scientific instruments, libraries and experiments provide huge amounts of data
• The GRID: networked data processing centres and “middleware” software as the “glue” of resources
graphic from: Federico.Carminati@cern.ch
Virtual Organisation
What is a Virtual Organisation? A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions.
• Users are usually a member of more than one VO
• Any “large” VO will have an internal structure, with groups, subgroups, and various roles
graphic from: Anatomy of the Grid, Foster, Kesselman and Tuecke
Virtual organisation structure
Lots of overlapping groups and communities
graphic: OGSA Architecture 1.0, OGF GFD-I.030
Virtual vs. Organic structure
• Virtual communities (“virtual organisations”) are many
• An individual will typically be part of many communities
  • has different roles in different VOs (distinct from organisational role)
  • all at the same time, at the same set of resources
  • but will require single sign-on across all these communities
graphic: OGSA Architecture 1.0, OGF GFD-I.030
Trust relationships
[diagram: Federated Certification Authorities, Org. Certification Authorities and Policy Authorities for Sub-Domain A1 (Domain A) and Sub-Domain B1 (Domain B), an AuthZ Federation Service, a GSI Task, and a Virtual Organization Domain with Server X and Server Y]
• For the VO model to work, parties need a trust relationship
  • the alternative: every user needs to register at every resource
• we need to provide a ‘sign-on’ for the user that works across VOs
graphic from: Frank Siebenlist, Argonne Natl. Lab, Globus Alliance
Authentication
The IGTF and international coordination: solving ‘stable’ issues first
History of International AuthN Coordination
Why a CA Federation? (History)
2000: Urgent need for providing cross-national trust for the EU FP5 ‘DataGrid’ and ‘CrossGrid’ projects
• ‘Commercial’ CAs
  • main focus on web server certs
  • many of them (Thawte, Verisign, SwissSign, …)
  • too expensive!
  • not user-oriented
  • hard to make technically compatible
  • needed for ‘pop-up’ free web pages!
• ‘National’ PKI
  • 1999/93/EC
  • uptake very slow even today
  • but incorporation was a primary goal
• ‘Grass Roots’ CAs
  • too project-specific
  • no documented policies
  • not suitable for a production infrastructure
The first grid authentication infrastructures (History)
• Establishing an Academic Grid PKI
  • started off with pre-existing CAs, and some new ones, late 2000
  • ‘reasonable’ assurance level based on ‘acceptable’ procedures
  • a single assurance level inspired by grid relying-party requirements
  • using a threshold model: minimum requirements
• Focus on current need to solve cross-national authentication issues
  • separation of AuthN and AuthZ allowed progress
  • minimum requirements convinced enough resource providers to trust the AuthN assertions
  • individuals were (and are) all over Europe and the world
  • started with 6 authorities (NL, CZ, FR, UK, IT, CERN)
Federation Model for Grid Authentication
[diagram: CA 1 … CA n and relying party 1 … relying party n linked through authentication profiles, distribution and the acceptance process]
• A Federation of many independent CAs
  • common minimum requirements (in various flavours)
  • trust domain as required by users and relying parties, where a relying party is (an assembly of) resource providers
  • defined and peer-reviewed acceptance process
• No strict hierarchy with a single top
  • spread of reliability, and failure containment (resilience)
  • maximum leverage of national efforts and complementarities
‘Reasonable procedure … acceptable methods’ (History)
• 2001: Requirements and Best Practices for an “acceptable and trustworthy” Grid CA

Minimum requirements for RA - Testbed 1
---------------------------------------
An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate, e.g. by personal contact or some other rigorous method.
The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP.

Communication between RA and CA
-------------------------------
Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with a known person.

Minimum requirements for CA - Testbed 1
---------------------------------------
The issuing machine must be:
  a dedicated machine
  located in a secure environment
  managed in an appropriately secure way by a trained person
  the private key (and copies) should be locked in a safe or other secure place
  the private key must be encrypted with a pass phrase having at least 15 characters
  the pass phrase must only be known by the Certificate issuer(s)
  not be connected to any network
minimum length of user private keys must be 1024
min length of CA private key must be 2048
requests for machine certificates must be signed by personal certificates or verified by other appropriate means
...
Grid Relying Parties & resource providers
• In Europe
  • Enabling Grids for E-sciencE (EGEE) (~200 sites)
  • Distr. Eur. Infrastructure for Supercomputer Apps (DEISA) (~15 sites)
  • South Eastern Europe: SEE-GRID (10 countries)
  • many national projects (NL BiG Grid, UK e-Science, Grid.IT, …)
• In the Americas
  • EELA: E-infrastructure Europe and Latin America (24 partners)
  • WestGrid (6 sites), GridCanada, …
  • Open Science Grid (OSG) (~60 sites)
  • TeraGrid (~9 sites + many users)
• In the Asia-Pacific
  • AP Grid (~10 countries and regions participating)
  • Pacific Rim Applications and Grid Middleware Assembly (~15 sites)
data as per mid 2006
Building the federation
• Trust providers (‘CAs’) and relying parties (‘sites’) together shape the common requirements
• Several profiles for different identity management models
• Authorities demonstrate compliance with profile guidelines
• Peer-review process within the federation to (re-)evaluate members on entry & periodically
  • reduces effort on the relying parties
  • single document to review and assess for all CAs under a profile
  • reduces cost for the authorities
  • but participation does come at a cost of involved participation …
• Ultimate trust decision always remains with the RP
• An authority is not necessarily limited to just ‘grid’ use
Relying Party issues to be addressed
Common Relying Party requests on the Authorities
• standard accreditation profiles sufficient to assure approximate parity
  effectively, a single level of assurance sufficed then for relying parties; this is changing today, as more diverse resources are being incorporated
• monitor [] signing namespaces for name overlaps
• a forum [to] participate and raise issues
• [operation of] a secure collection point for information about CAs which you accredit
• common practices where possible
• reasonable likeness for a subject’s name*
• a subject’s name should be forever persistent*
list courtesy of the Open Science Grid (* and wLCG and EGEE draft policy)
The EUGridPMA
Founded on April 2nd, 2004
• The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body
  • to establish requirements and best practices for grid identity providers
  • to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources.
• The EUGridPMA itself does not provide identity assertions, but instead asserts that, within the scope of this charter, the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.
EUGridPMA Membership
EUGridPMA membership for Authorities (the European-specific policy to maintain a manageable trust fabric)
• single Authority per
  • country,
  • large region (e.g. the Nordic Countries), or
  • international treaty organization
• ‘serve largest possible community with small number of stable authorities’
• ‘operated as a long-term commitment’
• many CAs are operated by the (national) NREN (CESNET, ESnet, Belnet, NIIF, EEnet, SWITCH, DFN, …)
• or by the e-Science programme or science foundation (UK eScience, VL-e, CNRS, …)
Other ‘RP’ members: DEISA, EGEE, SEE-GRID projects, OSG, LCG, TERENA.
Geographical coverage of the EUGridPMA
Green: EMEA countries with an Accredited Authority
• 23 of 25 EU member states (all except LU, MT)
• + AM, CH, HR, IL, IS, NO, PK, RS, RU, TR, “SEE-catch-all”
Other EUGridPMA Accredited Authorities:
• DoEGrids (.us)
• GridCanada (.ca)
• CERN
Constituency
The e-Science constituency is defined in broad terms
• academic community
• independent research organisations
• pre-competitive industrial/commercial research
‘Catch-all’ CAs for countries/constituencies without a national CA
• CNRS Grid-FR CA
• SEE-GRID CA
• LAC Grid CA
• ASGCC CA
• DoEGrids LCG RA
Global Effort, Regional Progress (History)
• EU, Middle East, Africa and Canada
  • Expansion of the EU Information Society Technologies Grid projects leads to expansion of the DataGrid CA Coordination Group
  • New projects and countries, wary of duplicating effort, join the group (CrossGrid, many national e-Science projects)
• Asia Pacific
  • Fostered by projects like APGrid and PRAGMA, a set of country and project CAs forged a permanent coordinating effort
• USA
  • large number of test bed efforts (Globus, NASA IPG, NCSA Alliance)
  • lacking the coordination for “sustainable production infrastructure”: the coordination effort was limited, and many of these early CAs have been forgotten
  • only the DoEScienceGrids CA, mainly used in collaborations with the European CERN organisation, becomes a ‘production’ service (‘DoEGrids’)
The Tokyo Accord (History)
Need for coordination of a basic trust fabric is ‘obvious’
• common security is the only strong requirement for interoperation, as all other services can be used ‘in parallel’
• 2001: Grid-CP working group in GGF
  • Mike Helm, Peter Gietz, and various CA representatives from all over the world
  • GGF could not host coordination activity at the time
• During the Tokyo GGF, March 2003: CA and PMA representatives from over the world agreed to coordinate and work towards a grid PMA
The Tokyo Accord (History)
First meeting March 2003 at GGF 7 in Tokyo
• Will co-locate and convene at GGF conferences
• Will work on forming the Grid Policy Management Authority, GRIDPMA.org
• Develop minimum operational requirements, based on EDG work
• Develop a Grid Policy Management Authority Charter
• Representatives from all major Grid PMAs
  • European Data Grid & Cross Grid PMA: then 16 countries, 19 organizations
  • NCSA Alliance
  • Grid Canada
  • DOEGrids PMA
  • NASA Information Power Grid
  • TERENA
  • Asian Pacific PMA
    • AIST, Japan; SDSC, USA; KISTI, Korea; BII, Singapore; Kasetsart Univ., Thailand; CAS, China
International Grid Trust Federation
Federation of 3 Regional “PMAs”, that define common guidelines and accredit credential-issuing authorities
• TAGPMA
• EUGridPMA
• APGridPMA
Growth of the European Grid trust fabric (History)
Foundation of the IGTF allows migration of CAs to the proper Regional PMA
Realising the roadmap
“[The e-IRG] encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions.”
e-IRG Recommendation, Dutch EU Presidency 2004
“Trans-disciplinary (Grid projects, NRENs, other user communities) and trans-continental forums that move towards the establishment of a global, seamless AA infrastructure for e-Science applications should be encouraged. The e-IRG wishes to acknowledge the efforts made in this direction by the IGTF and the open information exchange point provided by TERENA task forces.”
e-IRG Recommendation, Austrian EU Presidency 2006
Guidelines: common elements in the IGTF
• Coordinated namespace
  • Subject names refer to a unique entity (person, host)
  • Usable as a basis for authorization decisions
  • This name uniqueness is essential for all authentication profiles!
• Common Naming
• Coordinated distribution for all trust anchors in the federation
  • Trusted, redundant sources for download, verifiable via TACAR
• Concerns and ‘incident’ handling
  • Guaranteed point of contact
  • Forum to raise issues and concerns
• Requirement for documentation of processes
  • Detailed policy and practice statement
  • Auditing by federation peers
Guidelines: secured X.509 CAs
Aimed at long-lived identity assertions, the ‘traditional PKI’ world
• Identity vetting procedures
  • Based on (national) photo IDs
  • Face-to-face verification of applicants via a network of distributed Registration Authorities
  • Periodic renewal (once every year)
  • revocation and CRL issuing required, and we have all RPs actually downloading the CRLs several times a day
  • subject naming must be a reasonable representation of the entity name
• Secure operation
  • off-line signing key or HSM-backed on-line secured systems
• Audit requirements
  • data retention and audit trail requirements, traceability of certified entities
• Technical implementation
  • need to limit the number of issuing authorities for technical reasons (most software and browsers cannot support O(1000) issuers)
  • certificate profile and interoperability
Short-lived or member integrated services
Aimed at short-lived ‘translations’ that are organisation/federation bound
• Identity vetting procedures
  • based on an existing ID Management system of sufficient quality
  • Original identity vetting must be of sufficient quality to trace the individual for as long as the name is in active use
  • If documented traceability is lost, the subject name can never be re-used
  • revocation and CRL issuing not required for assertion lifetimes << 1 Ms
  • subject naming must be a reasonable representation of the entity name
• Secure operation
  • HSM-backed on-line secured systems
• Audit requirements
  • data retention and audit trail requirements, traceability of certified entities
• Technical implementation
  • scaling of this model still needs to be demonstrated, and needs higher-level coordination
    • most software and browsers cannot support O(1000) issuers
    • and a peer-review based trust fabric cannot do that either …
  • certificate profile and interoperability
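The three naming rules that recur across the slides, namespace coordination and overlap monitoring (the relying-party request list and the common IGTF elements), subject-name uniqueness across CAs, and the rule that a name once bound is persistent and never re-used, are shown below as checks a federation or relying party could run over its accreditation and audit-trail data. This is an added example, not code from the presentation or from the IGTF; the CA names, DN prefixes and identity records are constructed, and the DN parser is a simplified split on ‘/’.

```python
from itertools import combinations

# Constructed sample federation: CA name -> subject-name prefixes it may sign under.
# 'CatchAll' is deliberately misconfigured with a prefix that swallows ExampleNL's.
CAS = {
    "DutchGrid": ("/O=dutchgrid/",),
    "ExampleNL": ("/C=NL/O=Example/",),
    "CatchAll": ("/C=NL/",),
}
# Constructed issued certificates: (issuing CA, subject DN).
ISSUED = [
    ("DutchGrid", "/O=dutchgrid/O=users/CN=Jane Doe"),
    ("ExampleNL", "/C=NL/O=Example/CN=Jane Doe"),
    ("ExampleNL", "/C=NL/O=Other/CN=Someone Else"),  # outside ExampleNL's namespace
    ("CatchAll", "/C=NL/O=Example/CN=Jane Doe"),     # same name as ExampleNL's cert
]
# Constructed audit-trail records: (subject DN, identity the name was bound to), in order.
BINDINGS = [
    ("/O=dutchgrid/O=users/CN=Jane Doe", "person-0001"),
    ("/O=dutchgrid/O=users/CN=Jane Doe", "person-0001"),  # renewal, same person
    ("/O=dutchgrid/O=users/CN=Jane Doe", "person-0042"),  # name handed to someone else
]

def rdns(dn):
    """Split an OpenSSL-style DN into RDN components (simplified: no '/' inside values)."""
    return tuple(part for part in dn.split("/") if part)

def covers(prefix, dn):
    """Prefix matches the leading RDNs of dn component-wise, so '/C=NL/O=Ex/' does
    not cover '/C=NL/O=Example/CN=x' the way a plain string-prefix test would."""
    p, d = rdns(prefix), rdns(dn)
    return len(p) <= len(d) and d[:len(p)] == p

def find_overlaps(cas):
    """Namespace monitoring: prefix pairs of different CAs where one covers the other."""
    return [(a, b, pa, pb)
            for (a, pas), (b, pbs) in combinations(cas.items(), 2)
            for pa in pas for pb in pbs
            if covers(pa, pb) or covers(pb, pa)]

def check_issued(cas, issued):
    """Return (outside, clashes): certificates signed outside the issuer's own
    namespace, and subject names that two different CAs both issued."""
    outside = [(ca, dn) for ca, dn in issued
               if not any(covers(p, dn) for p in cas.get(ca, ()))]
    first_issuer, clashes = {}, []
    for ca, dn in issued:
        prev = first_issuer.setdefault(rdns(dn), ca)
        if prev != ca:
            clashes.append((dn, prev, ca))
    return outside, clashes

def check_persistence(bindings):
    """A DN later bound to a different identity breaks 'forever persistent' naming
    and the rule that a name is never re-used once traceability is lost."""
    bound, reused = {}, []
    for dn, ident in bindings:
        prev = bound.setdefault(rdns(dn), ident)
        if prev != ident:
            reused.append((dn, prev, ident))
    return reused

if __name__ == "__main__":
    print("namespace overlaps:", find_overlaps(CAS))
    print("outside namespace / name clashes:", check_issued(CAS, ISSUED))
    print("re-used subject names:", check_persistence(BINDINGS))
```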
MICS ID management system requirements
Identity vetting requirements: convincing the world that you’re OK
How the IdM is populated, maintained and cleaned MUST be documented and agreed to by the PMA.
Two modes:
• By example: The IdM used by the CA should be a system that is also used to protect access to critical resources, e.g. payroll systems, for use in financial transactions, granting access to highly-valuable resources, and be regularly maintained.
• By review: Alternatively, equivalent security mechanisms must be provided, described in detail and presented to the PMA, and are subject to PMA agreement.
And again, the data for those entities in the IdM that qualify for ‘MICS’ assertions must be of a quality that allows unique tracing, name uniqueness and persistency, and a mechanism to clean ‘stale’ entries must be defined.
Example: the UvAmsterdam does not trust its own system even for grading!
This tries to ‘catch’ the quality of the system without having to report to formal audits.
MICS/SLCS Federated Deployment Model
• Grid AuthN interface based on national federations
  • use of MICS AP by pushing ‘down’ the requirements onto its members
  • maximum leverage of national efforts
  • in line with the complementarity principle
  • needed for scalability of the PMA itself!
• Example: SWITCH-aai
  • from entire existing federation with a single ‘SLCS’ front-end
  • introduce concept of ‘entitlement’ so only appropriately vetted users can use the translation service
  • issue grid compatible credentials automatically
  • with life time ~ few days
• similar efforts in NL, UK/NGS
graphic courtesy Christoph Witzig
Profile matrix: where we stand
Multiple Authentication Profiles: where the IGTF stands today
Although ‘Single Trust Level’ is a good message, the trend is towards more diverse LoAs
• diversity of resource types is increasing
• alternate grid use models need a wider range of LoAs
Common Trust Anchor Distribution
The IGTF is a policy bridge architecture, thus …
• has a large set of ‘trust anchors’ (CA certificates)
• single, common distribution across all of the IGTF
  • with ‘trusted committers’ in each PMA
• Dedicated authoritative secure source … enabled by NEDO
  • mirrored by each PMA
  • source host “dist.eugridpma.info”
  • https with browser-recognised cert
  • protected, with specific VMs and monitoring
Auditing
Auditing foundation laid by Yoshio Tanaka from 2005
• Derived from
  • the Classic AP guidelines
  • WebTrust Seal of Approval criteria
• Subsequently refined
  • applying it to all new CAs in the AP region
  • cross-reviews by the NAREGI project
  • review in the IGTF, and via the OGF CAOPS Working Group
• Thorough implementation in the APGridPMA allowed for rapid convergence and building experience for assessing compliance and severity of the auditing criteria
CAOPS-WG Auditing (draft)
• CAOPS-WG Auditing
  • list of essential items
  • selected guidance
Expanding Auditing
Audit process developed by the NEDO project is now introduced as a basis for harmonizing international CA coordination
• EUGridPMA formally adopted the Continuous Audit Process
  • uses the Review Criteria document established by Yoshio Tanaka
• With an implementation process that will ensure bi-annual auditing of all CAs in the EUGridPMA
• In due course will become the de-facto standard across all of the IGTF
EUGridPMA Examples
• Grid-Ireland CA
• DutchGrid CA
Interoperation
‘The Grid Cannot Be Switched Off’
• maintaining interoperation between all international grid projects is now essential to be successful for e-science and, even more, for industrial applications: continuity of service is a must
• This necessarily limits radical changes, certainly in the AuthN and AuthZ area, where any change in standard interfaces would hurt the most
• Fortunately, the AuthN (and most of the AuthZ) components use existing accepted standards that provide the required functionality
  • new features can be gradually introduced within the current framework, i.e. in the X.509, X.509 AC and RFC3820 framework
  • SAML/XACML are already geared towards X.509 interoperation
Outlook
• Confederation is coming for grids and science
  • the user scenarios require it, as the user community is international
  • national federations, leveraging home organisation identity vetting or eGov IDs, are a ‘must’ for scalability
  • e-Infrastructure needs the campus, and your researchers need e-Infra …
  • with a need for defined and verifiable LoAs (at high and low levels)
  • the ‘homeless’ will be a permanent feature
• IGTF today provides an international trust fabric for AuthN
  • a source for ‘trusted’ identifiers
  • definition of multiple LoAs is starting, and we want to reach out and co-leverage other efforts as much as possible
  • by structure, we are geared towards catering for the ‘homeless’
  • we continue to have pressing urgent needs for federation today
  • but we are a long way from the O(10M+) users mark