
Security in Research Computing

John Sandefur, UAB Comprehensive Cancer Center; John-Paul Robinson, UAB Research Computing



  1. Security in Research Computing. John Sandefur, UAB Comprehensive Cancer Center; John-Paul Robinson, UAB Research Computing

  2. So, we have this application… caBIG. How do we know who to trust in this federated environment?

  3. Ideally…
     • Identity – We must document in-person identity verification (NIST “Level 2”)
     • Authentication – Systems must trust each other to authenticate users without sharing passwords (using SAML & certificates)
     • Authorization – Relationships must be built to support meaningful authorization to resources owned by independent organizations (trusted attributes)
     Federated systems solve on-campus collaboration problems and build a technology and trust fabric capable of crossing many institutions.

  4. caGrid Infrastructure & Tooling (Source: www.cagrid.org)

  5. Lesson 6: Focusing on the Grid. caGrid Security is Standards-Based
     • caGrid uses several packages to provide security services:
       • Dorian allows institutions to locally authenticate their users onto caGrid.
       • GridGrouper manages group memberships and resource access rights.
       • Trust Relationships specify which institutions trust each other’s authentication.
     • GAARDS was developed on top of the Globus Toolkit and extends the Grid Security Infrastructure (GSI) to provide enterprise services and administrative tools for:
       • Identity federation
       • Grid user management
       • Trust management
       • Group/VO management
       • Access control policy management and enforcement
       • Integration between existing security domains and the grid security domain

  6. Lesson 6: Focusing on the Grid. caGrid GAARDS Security

  7. GAARDS In Action: To access secure Grid resources, a user needs to obtain a Grid credential.

  8. GAARDS In Action

  9. GAARDS In Action: Authenticate with local institution and obtain proof of authentication (SAML Assertion).

  10. GAARDS In Action: Obtain Grid credential from Dorian using SAML Assertion.

  11. GAARDS In Action: Invoke Secure Grid Service using credential provided by Dorian.

  12. GAARDS In Action: Validate that the credential provided by the user is issued by a trusted provider.

  13. GAARDS In Action: Determine if user is authorized to access requested resources.

  14. Lesson 6: Focusing on the Grid. caGrid Security Flows

  15. UAB is Well-Positioned
     • UAB IT’s Research Computing group has extensive background in federated systems (integrated systems that span many organizations):
       • UABgrid: A pilot federated system supporting trusted transactions for high performance computing (HPC)
       • SURAgrid, Open Science Grid (OSG), TeraGrid: Engaged participant in regional and national cyberinfrastructure development
       • Demonstrated scalability: Migrated Section on Statistical Genetics (SSG) workflow to OSG using 1000 CPU-hours in 4 hours of wall clock time: a 5-fold increase
       • Trusted networks: Building secure environments to share data and compute power
       • UAB IT Research Computing: Named Oct 1, 2009; formerly High Performance Computing Services (HPCS)
     • Collaboration between Research Computing and CCC on caBIG’s Getting Connected grant exposed the need to add new services for authorization and data sharing (caGrid) to this campus platform.
     • SoM-sponsored CCC Brain SPORE tissue bank is exploring caBIG tool adoption.
     • Data Access and Sharing Initiative (DASI) is implementing an expanded grid data services framework to share data within UAB.
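
The GAARDS sequence on slides 7 to 13, modelled as an added Python example that is not from the presentation or from caGrid. HMAC-signed JSON stands in for the SAML assertion and the X.509 grid credential, and every key, host name, group name and function name is constructed for illustration.

```python
import hashlib, hmac, json, time

# Constructed demo values. HMAC is a stand-in for SAML/X.509 signatures.
IDP_KEYS = {"idp.example.edu": b"idp-demo-key"}   # IdPs the Dorian stand-in trusts
DORIAN_KEY = b"dorian-demo-key"
TRUSTED_ISSUERS = {"dorian": DORIAN_KEY}          # trust list held by the grid service
GROUPS = {"tissue-bank-readers": {"idp.example.edu/alice"}}  # GridGrouper stand-in

def sign(key, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key, token):
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])

def idp_authenticate(idp, key, user, now=None):
    """Slide 9: the local institution issues proof of authentication."""
    now = time.time() if now is None else now
    return sign(key, {"issuer": idp, "subject": user, "expires": now + 300})

def dorian_issue(assertion, now=None):
    """Slide 10: exchange the assertion for a grid credential. No password is seen here."""
    now = time.time() if now is None else now
    c = assertion["claims"]
    key = IDP_KEYS.get(c["issuer"])
    if key is None or not verify(key, assertion) or c["expires"] < now:
        raise PermissionError("assertion rejected")
    grid_id = f'{c["issuer"]}/{c["subject"]}'
    return sign(DORIAN_KEY, {"issuer": "dorian", "grid_id": grid_id, "expires": now + 3600})

def service_invoke(credential, required_group, now=None):
    """Slides 11-13: validate the issuer against the trust list, then authorize by group."""
    now = time.time() if now is None else now
    c = credential["claims"]
    key = TRUSTED_ISSUERS.get(c["issuer"])
    if key is None or not verify(key, credential) or c["expires"] < now:
        return "deny: untrusted or invalid credential"
    if c["grid_id"] not in GROUPS.get(required_group, set()):
        return "deny: not authorized"
    return "allow"
```

The two deny paths are separate on purpose: a credential can be validly issued by a trusted provider (slide 12) and still fail the authorization decision (slide 13).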
