Trust Model for eXtreme Scale Identity Management (XSIM) in Scientific Collaborations
Transcript of Trust Model for eXtreme Scale Identity Management (XSIM) in Scientific Collaborations
Trust Model for eXtreme Scale Identity Management (XSIM) in Scientific Collaborations
Bob Cowles, Craig Jackson, Von Welch (PI)
VAMP 2013, 30 September 2013
Background
The collaboratory (VO) has proven itself as the key way of allowing large-scale, multi-organization science collaborations.
ESG/F, NFC, OSG, ATLAS, CMS, XSEDE, LIGO, GENI, etc.
We now have 15 years of applied research in how the collaboratory should interact with users and resource providers.
Glide-ins, science gateways, community accounts, etc.
Identity Management
From Wikipedia: Identity management describes the management of individual identifiers, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.
XSIM Goal
Enable the next generation of trustworthy extreme-scale scientific collaborations by understanding and formalizing a model of identity management (IdM) that includes the collaboratory.
Trust Relationships
Need a clear definition of trust for XSIM to clarify our thinking.
Large body of research on trust exists, in computer security, CS, and more broadly.
Our Definition of Trust
Trust is a disposition willingly to accept the risk of reliance on a person, entity, or system to act in ways that benefit, protect, or respect one's interests in a given domain.
Based on Nickel & Vaesen, in Sabine Roeser, Rafaela Hillerbrand, Martin Peterson & Per Sandin (eds.), Handbook of Risk Theory. Springer (2012).
XSIM Method
Understand the core elements of the trust relationship between scientific collaborations, resource providers and users.
Understand how those trust relationships are (or desirably would be) expressed in IdM systems.
Develop and validate a VO-IdM model to advance the state of IdM research and practice.
Approach
Analyze implementations – study literature of the different collaboratory IdM approaches and interview members of the community.
Enumerate the different relationships between collaborations and their resource providers, and the evolution and lessons learned.
Analyze the trade-offs of the different trust relationships.
Approach
Propose a model for an evolutionary step in IdM that describes trust relationships between collaborations, resource providers and users.
Model must be understandable and useful to non-IdM experts, and accepted by resource providers.
Refine and extend model based on feedback and experience.
Interviews
Key to understanding the “real reasons” behind implementation and lessons learned.
Results will not be disseminated in raw form so people will speak freely.
Scripted, unstructured format.
Interview Goals – understand …
• Who constitutes the VO, what its goals are, and who its stakeholders are.
• Who the RPs are, their relationship to the VO (why are they serving it), and who their stakeholders are.
• The assets and threats that are in play.
• The policy and technical controls in place between the VO and the RPs.
• The policy and technical controls in place between the VO and its users.
• What are the lessons learned (e.g., what would be done differently if done again).
• Ultimate goal: to understand the trust relationships (accepted risks) among resource providers/VO/users and how those were arrived at.
Interviewees So Far …
VOs
• Atlas
• BaBar
• Belle-II
• CMS
• Darkside
• Engage
• Earth System Grid
• Fermi Space Telescope
• LIGO
• LSST/DESC
RPs
• Atlas Great Lakes T2
• FermiGrid
• GRIF
• U. Nebraska (CMS)
• LCLS
• RAL
• GRIF/LAL
• LLNL
• NERSC
• Blue Waters
Interview Observations so Far
Data volume is driving changes in computing model – greater complexity; inhibiting clean user interface design
• Batch (-> heterogeneous environment)
• Compute intensive, production -> cloud (e.g. simulation)
• Production and initial analysis -> grid or cloud
• Specialized analysis -> local clusters or grid
• Web applications -> multi-site, federated, single sign-on, portals
• Interactive – local/remote IdM – little change but reduced emphasis
Mitigations & benefits so far have offset increased risk
New computing models force changing trust relationships
Typical VO -> RP IdM Data Flow
● Access control framework
  ○ Objects
  ○ Users, groups
  ○ Access / interaction rules
● Resource request / use / accounting
  ○ User/group identity
  ○ Attributes
● Incident response
  ○ Contact information
The VO IdM Lifecycle
Possible stages for passing identity data
● Enrollment -- when user signs up
● Provisioning -- when account is allocated
● Request -- when resource is requested
● Usage -- when resource is used
● Incident Response -- when issue exists
● [Deprovisioning]
Factors Affecting IdM Design
● [Criticality]
● Isolation
● Persistence
● Complexity
● Scaling
● Incentive
● Inertia
IdM Interview Results 1/3
Count of When Identity Flows For Levels of Isolation and Persistence
Isolation Enrollment Provisioning Request Usage IR/Never
Batch 5 3 4 12
WebApp 4 4 2
Shell 4 4
Persistence Enrollment Provisioning Request Usage IR/Never
None 1 1 6
Low 1 2 6
Moderate 1 1
High 8 12 2 1
IdM Interview Results 2/3
Count of When Identity Flows For Levels of Complexity and Scaling
Complexity Enrollment Provisioning Request Usage IR/Never
Low 3 5 2 12
Moderate 5 6 1
High 3 4 1
Scaling Enrollment Provisioning Request Usage IR/Never
High 2 2 2 3 5
Moderate 4 2 7
Low 6 7 1 1
IdM Interview Results 3/3
Count of When Identity Flows For Levels of Incentive and Inertia
Incentive Enrollment Provisioning Request Usage IR/Never
VOpower 1 1 1
Balanced 2 6 2 2 5
Goodwill 5 7 3 1 6
Inertia Enrollment Provisioning Request Usage IR/Never
Low 2 4 4 12
Moderate 3 5 1
High 5 6
Future Work
Model validation and more inclusion
Exascale
Clouds
Portals
Federated IdP
Ramifications of trust violation
Extend to provide guidance by application in practice.
Thank you. Questions?
Bob Cowles ([email protected])
http://cacr.iu.edu/collab-idm
We thank the Department of Energy Next-Generation Networks for Science (NGNS) program (Grant No. DE-FG02-12ER26111) for funding this effort.
The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the sponsors or any organization.
PARKING LOT FOLLOWS