Supporting Secure and Scalable GAN Collaborations

1
Supporting Secure and Scalable GAN Collaborations

• Deb Agarwal (DAAgarwal_at_lbl.gov)
• Marcia Perry and Mary Thompson
• Collaboration Technologies Group
• Lawrence Berkeley National Laboratory

2
Grid

• Integrated distributed computing middleware
• Public key-based security
• Security infrastructure
• Proxy certificates
• Directory services
• Resource scheduling
• Web services (Open grid services architecture)
• Secure file transfer
• Uniform compute job submission
• Job tracking
• DOE Science Grid
• Global Grid Forum

3
Typical Security Requirements

• Limit participation to authorized people
• Specify and enforce participant access
  capabilities
• Single sign-on into environment
• Create and enforce authorization policy for
  dynamic components
• Dynamically change authorization policy
• Identify participant actions (particularly for
  auditing and logging)

4
Security Terminology/Mechanisms

• Authentication identify users
• PKI Certificates
• Attribute certificates
• Username/password
• Authorization figure out what users are allowed
  to do
• Access Control Lists
• Authorization servers
• policy
• capability certificates
• Privacy
• Private Network (virtual or actual)
• Encryption
• Data integrity
• Message Authentication Codes (hash)

5
Grid Security Infrastructure (GSI)

• X.509 Public Key Infrastructure (PKI)-based
  identity certificates
• Contains the public key issued and signed by a
  certificate authority
• Used with the private key to provide
  authentication of users (SSL/TLS)
• A defined set of certificate authorities are
  trusted to issue identity certificates
• Focuses on control of static resources accessed
  by a well defined set of users
• Authorization policy is controlled, administered,
  and enforced at the local resources
• Grid-mapfile is used to map from identities to
  local authorization entities
• Designed to control access to computers

6
GSI - Proxy Certificates

• Motivation
• Processes need to be able to act on the users
  behalf
• Do not want to hand out the users private key
• Want to support single sign-on
• Proxy certificates derived from the users
  identity certificate
• New credential
• Stored locally unencrypted (no pass phrase)
• Short-lived (12-24hrs)
• Created by calling grid-proxy-init
• Used by processes to act on the users behalf

7
Some Existing and Planned Tools

• Grid Security Infrastructure (GSI and OGSI)
• myProxy
• Authorization servers
• Akenti
• Community Authorization Service (CAS)
• Secure Group Communication
• Existing technologies
• Kerberos
• SSL/TLS
• Simple Authentication Security Layer
• PGP

8
Pervasive Collaborative Computing Environment
(PCCE) Goals

• Collaboratory centered around a shared
  computational workflow
• Support continuous collaboration
• Target daily tasks and base connectivity
• Web-based interface available for ease of
  use/installation
• Collaborative workflow tools
• Leverage off of existing components when possible
• Leverage off the Grid services
• security
• directory services
• job submission and tracking
• Standards-based components

9
(No Transcript)
10
Remote Instrument Access

• Advanced Light Source LBNL
• Remotely controllable cameras/videoconferencing
  at the beamline
• Transmission of machine parameters and settings
  to all participants
• Control handoff via a token
• Collaboration communication infrastructure
  integrated into existing control system

11
Collaborative Collaboration Tools

• Security authentication and authorization
• single point of login
• group and individual authorization
• Communication
• communicate easily between components
• scalable to large groups
• flexible delivery models (e.g. reliability and
  order)
• Logging ability to record all that occurred in
  a session
• Events notifications between tools
• Search capabilities
• Collaboration context awareness
• Presence information