Security in Research Computing
John Sandefur, UAB Comprehensive Cancer Center
John-Paul Robinson, UAB Research Computing
So, we have this application…
How do we know who to trust in this federated environment?
caBIG
Identity – We must document in-person identity verification (NIST “Level 2”)
Authentication – Systems must trust each other to authenticate users without sharing passwords (using SAML & certificates)
Authorization – Relationships must be built to support meaningful authorization to resources owned by independent organizations (trusted attributes)
Federated systems solve on-campus collaboration problems and build a technology and trust fabric capable of crossing many institutions.
Ideally…
caGrid Infrastructure & Tooling:
Source: www.cagrid.org
caGrid uses several packages to provide security services:
Dorian allows institutions to locally authenticate their users onto caGrid. GridGrouper allows group memberships and resource access rights to be managed. Trust Relationships specify which institutions trust each other’s authentication.
GAARDS was developed on top of the Globus Toolkit and extends the Grid Security Infrastructure (GSI) to provide enterprise services and administrative tools for:
Identity federation
Grid user management
Trust management
Group/VO management
Access control policy management and enforcement
Integration between existing security domains and the grid security domain
caGrid Security is Standards-Based
Lesson 6: Focusing on the Grid
caGrid GAARDS Security
GAARDS In Action
To access secure Grid resources, a user needs to obtain a Grid credential:
1. Authenticate with local institution and obtain proof of authentication (SAML Assertion).
2. Obtain Grid credential from Dorian using SAML Assertion.
3. Invoke Secure Grid Service using credential provided by Dorian.
4. Service validates that the credential provided by the user is issued by a trusted provider.
5. Service determines if user is authorized to access requested resources.
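The five steps above, as an added example that is not caGrid or GAARDS code. Real caGrid carries the proof of authentication as a signed SAML assertion and the Grid credential as an X.509 proxy certificate issued by Dorian over Globus GSI; this stand-alone Python model swaps in HMAC-SHA256 tags over JSON so it runs with the standard library only. The party names, keys, users, group and resource names are made up. It shows the two trust decisions on the slides (Dorian trusts the campus IdP, the service trusts Dorian), the GridGrouper-style group check in step 5, and what each checkpoint rejects: an assertion from an untrusted IdP, a credential forged without the issuer's key, an expired credential, and an authenticated user who is in no authorized group.

```python
import hashlib
import hmac
import json


def _sign(key: bytes, payload: dict) -> dict:
    """Bind a payload to its issuer. Stand-in for an XML-DSig / X.509 signature."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def _verify(key: bytes, token: dict) -> bool:
    body = json.dumps(token["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["tag"])


def _check(token: dict, trust_store: dict, now: int, what: str) -> dict:
    """Checks shared by Dorian and the service: trusted issuer, valid tag, validity window."""
    p = token["payload"]
    key = trust_store.get(p["issuer"])          # trust relationship: issuer -> verification key
    if key is None or not _verify(key, token):
        raise PermissionError(f"{what} not issued by a trusted provider")
    if not p["iat"] <= now < p["exp"]:
        raise PermissionError(f"{what} expired")
    return p


class IdentityProvider:
    """Campus IdP: local password check, then a short-lived SAML-style assertion."""
    def __init__(self, name: str, key: bytes, users: dict):
        self.name, self.key, self.users = name, key, users

    def authenticate(self, uid: str, password: str, now: int, ttl: int = 300) -> dict:
        if self.users.get(uid) != password:
            raise PermissionError("local authentication failed")
        return _sign(self.key, {"issuer": self.name, "subject": uid, "iat": now, "exp": now + ttl})


class Dorian:
    """Issues a Grid credential only for assertions from IdPs in its trust list."""
    def __init__(self, name: str, key: bytes, trusted_idps: dict):
        self.name, self.key, self.trusted_idps = name, key, trusted_idps

    def issue_credential(self, assertion: dict, now: int, ttl: int = 12 * 3600) -> dict:
        p = _check(assertion, self.trusted_idps, now, "SAML assertion")
        # Grid identity is derived from (IdP, local user), in the shape of a Dorian-issued DN.
        grid_id = f"/O=caGrid/OU={p['issuer']}/CN={p['subject']}"
        return _sign(self.key, {"issuer": self.name, "subject": grid_id, "iat": now, "exp": now + ttl})


class SecureGridService:
    """Step 4: validate the credential's issuer. Step 5: authorize via group membership."""
    def __init__(self, trusted_issuers: dict, groups: dict, acl: dict):
        self.trusted_issuers, self.groups, self.acl = trusted_issuers, groups, acl

    def invoke(self, credential: dict, resource: str, now: int) -> str:
        p = _check(credential, self.trusted_issuers, now, "grid credential")
        member_of = {g for g, members in self.groups.items() if p["subject"] in members}
        if not member_of & self.acl.get(resource, set()):
            raise PermissionError(f"{p['subject']} is not authorized for {resource}")
        return f"{resource} granted to {p['subject']}"


def run_demo(now: int = 1_700_000_000) -> dict:
    """Walk the five slide steps plus the failure paths each checkpoint must reject."""
    # Constructed parties and secrets; nothing here is real caGrid configuration.
    uab = IdentityProvider("uab.edu", b"uab-idp-key", {"alice": "correct horse", "bob": "pw"})
    rogue = IdentityProvider("evil.example", b"rogue-key", {"mallory": "x"})
    dorian = Dorian("dorian.cagrid.org", b"dorian-key", {"uab.edu": b"uab-idp-key"})
    alice_id = "/O=caGrid/OU=uab.edu/CN=alice"
    service = SecureGridService(
        trusted_issuers={"dorian.cagrid.org": b"dorian-key"},
        groups={"tissue-bank-readers": {alice_id}},            # GridGrouper-style membership
        acl={"tissue-bank/specimens": {"tissue-bank-readers"}},  # resource -> permitted groups
    )
    results = {}

    def attempt(label, fn):
        try:
            results[label] = fn()
        except PermissionError as e:
            results[label] = f"DENIED: {e}"

    # Steps 1-5: local login -> assertion -> Dorian credential -> service call.
    cred = dorian.issue_credential(uab.authenticate("alice", "correct horse", now), now)
    attempt("alice", lambda: service.invoke(cred, "tissue-bank/specimens", now))
    # Bob authenticates fine but belongs to no authorized group (step 5 fails).
    bob_cred = dorian.issue_credential(uab.authenticate("bob", "pw", now), now)
    attempt("bob", lambda: service.invoke(bob_cred, "tissue-bank/specimens", now))
    # An assertion from an IdP Dorian does not trust never becomes a credential (step 2 fails).
    attempt("rogue_idp", lambda: dorian.issue_credential(rogue.authenticate("mallory", "x", now), now))
    # Forgery: Bob's credential rewritten to Alice's identity and re-tagged without Dorian's key (step 4 fails).
    forged = _sign(b"rogue-key", dict(bob_cred["payload"], subject=alice_id))
    attempt("forged", lambda: service.invoke(forged, "tissue-bank/specimens", now))
    # Replay of a genuine credential after its validity window.
    attempt("expired", lambda: service.invoke(cred, "tissue-bank/specimens", now + 13 * 3600))
    return results
```

The point of the model is where each decision lives: the IdP never learns anything about Grid resources, Dorian never sees a password, and the service never talks to the IdP at all; it only needs Dorian in its trust store plus the group data, which is exactly the separation the slides' Identity / Authentication / Authorization breakdown calls for.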
caGrid Security Flows
UAB IT’s Research Computing group has extensive background in federated systems (integrated systems that span many organizations):
UABgrid: A pilot federated system supporting trusted transactions for high performance computing (HPC)
SURAgrid, Open Science Grid (OSG), TeraGrid: Engaged participant in regional and national cyberinfrastructure development
Demonstrated scalability: Migrated Section on Statistical Genetics (SSG) workflow to OSG using 1000 CPU-hours in 4 hours of wall clock time: a 5-fold increase
Trusted networks: Building secure environments to share data and compute power
UAB IT Research Computing: Named Oct 1, 2009; formerly High Performance Computing Services (HPCS)
Collaboration between Research Computing and CCC on caBIG’s Getting Connected grant exposed the need to add new services for authorization and data sharing (caGrid) to this campus platform.
SoM-sponsored CCC Brain SPORE tissue bank is exploring caBIG tool adoption.
Data Access and Sharing Initiative (DASI) is implementing expanded grid data services framework to share data within UAB.
UAB is Well-Positioned