in grid we trust
play

In Grid We Trust New authentication mechanisms and their impact on - PowerPoint PPT Presentation

Nov 02, 2022 •49 likes •309 views

In Grid We Trust New authentication mechanisms and their impact on trust relationships at the home organisation ISGC 2011 David Groep David Groep Nikhef Amsterdam PDP & Grid In Grid ... where many participants have no a-priori

  1. In Grid We Trust New authentication mechanisms and their impact on trust relationships at the home organisation ISGC 2011 David Groep David Groep Nikhef Amsterdam PDP & Grid

  2. In Grid ... where many participants have no a-priori relationship David Groep Nikhef Amsterdam PDP & Grid

  3. ... we trust in identity and attributes delivered from many sources David Groep Nikhef Amsterdam PDP & Grid

  4. Trusting and trustable parties focus: - persistent unique ID - traceability assurance David Groep Nikhef Amsterdam PDP & Grid

  5. AP Structure and Elements of Trust — Identity Vetting (‘people ware’ LoA) — Operational Requirements (‘what and how LoA’) — Site security controls (‘implementation LoA’) — Publication and disclosure (‘gaining trust’) — Auditing (‘sustaining trust’) — Privacy and confidentiality (‘securing trust’) — Compromise and Disaster Recovery (‘recovering trust’) — User responsibilities David Groep Nikhef ◦ this one deserves more attention in home organisation context, Amsterdam PDP & Grid since direct & continuous contact with users can be maintained

  6. Trust Relations in Classic CAs David Groep Nikhef Amsterdam PDP & Grid

  7. Classic Authentication Profile Example: Classic Authority using Secured Infrastructure — Aimed at long-lived identity assertions — Identity vetting procedures ◦ Based on (national) photo ID’s, face-to-face verification of applicants via distributed network of Registration Authorities or ‘Trusted’ Registrars ◦ Periodic rekeying once every year, using fresh key material ◦ Appropriate representation of the person’s real name in the credential ◦ validate all rekeying against pre-existing credential identifiers — Secured operations ◦ dedicated rooms with monitored access, vault, and audit trails ◦ off-line signing key or HSM-backed on-line systems (FIPS 140.2 lvl 2) — Response to incidents David Groep Nikhef ◦ Timely (<24hrs) revocation of compromised credentials Esta Amsterdam blish PDP & Grid ◦ must issue an up-to-date list of revoked credentials ing iden — Audit log retention and periodic re-assessment tity in 7 2010-11-25 EGI https://www.eugridpma.org/guidelines/classic/

  8. Policies supporting trust — Classic AP’s ‘traditional ID vetting’ ◦ done by CA explicitly according to own practices ◦ face-to-face after or at time of making request — What does that bring? ◦ pro – easy to describe ◦ con – complicated for user and introduces delay ◦ but even then David Groep in risk analysis for the end-to-end trust chain, ID is Nikhef Amsterdam only a small element as verified in the ‘classic’ AP PDP & Grid

  9. We, the Grid, trust — Vetting in classic CAs gives ‘warm and fuzzy feeling’ ◦ is easy to describe in a stand-alone document ◦ which may be false ◦ but is certainly fuzzy — But grid is no longer alone: many others need trust ◦ many other services inside and off-campus need ‘trusted identity’ in some way ◦ relative lower value of many off-campus services previously did not require a lot of complexity in assurance level or trust David Groep Nikhef Amsterdam PDP & Grid

  10. A new wave of federated CAs — new trusted identity sources have emerged ◦ R&E federations have been established ◦ hosting more and higher-valued services ◦ broad and increasing user base we now leverage these for access to e-Infra resources David Groep Nikhef Amsterdam PDP & Grid

  11. Enabling new scenarios GridShib graphic: Jim Basney, NCSA Delegation options • ‘hidden’ federated CAs • Security Token Service • semi-explicit instant CA VASH graphic: Christoph Witzig, SWITCH David Groep IMDI Browser (delegated corpus browsing) Nikhef graphic: Mischa Salle, Nikhef Amsterdam PDP & Grid

  12. Trust Relations in a Federated CA (MICS) model David Groep Nikhef Amsterdam PDP & Grid

  13. New CA models Broader base for users brings challenges — ‘warm and fuzzy’ trust has a scaling limit — there will necessarily be some indirection — but federated IdP’s are ‘closer’ to the user ◦ more trustworthy and more close to any changes ◦ IdP’s are further away from the ‘grid’, and thus less warm and fuzzy David Groep this applies to ID attributes and other value-added Nikhef Amsterdam attributes ... and should apply to the VO as well! PDP & Grid

  14. In Grid We Trust — IGTF global trust features are not ‘default’ in many federations ◦ persistent unique naming ◦ higher-assurance level identity vetting — Responsibilities have to be defined ◦ these now rely on the IdPs – these are now ‘quality IdPs’ in well-recognised federations ◦ contract mechanisms tie down responsibility David Groep Nikhef Amsterdam ◦ how can an organisation set up a trusted IdM & IdP? PDP & Grid

  15. Basic federation policies Requirements (example from SURFfederatie) — Give accurate organisational contact details — End-user guidance document per organisation ◦ netiquette, compliance with law, no damage to third parties ◦ guidance should be ‘appropriately enforced’ — federation systems appropriately secured — data complete and up to date, set of required attributes — disclose procedures and practices on request Enforcement and sanctions David Groep Nikhef — Suspension from the federation (nothing worse) Amsterdam PDP & Grid — Indemnify other participants from damages

  16. Contract supported trust ‘We the Grid’ should now trust what the IdP says, and rely on that trust without ‘warm and fuzzy’ recourse David Groep Nikhef Amsterdam PDP & Grid graphic: after Jan Meijer, UNINETT

  17. Elements of institutional IdM Ad Hoc Focused Standard Integrated Single log-on Authorization Source systems Policies Documented processes IdP systems for federation Quality Assurance Process implementation Security / Auditing David Groep Nikhef Amsterdam Source: SURFnet Identity Management Maturity Scan http://www.surfnet.nl/ PDP & Grid IGI Group http://www.igi.nl/

  18. At a random mid-size org ... — To be trustworthy, each IdP in a federation should address the basic requirements for trusted identity and attributes — Basically, this is ◦ addressing the topics listed in the AP by the IGTF ◦ user education and validation ◦ organisational ‘culture’ David Groep Nikhef Amsterdam and a bit of policy and technical expertise ... PDP & Grid

  19. Organisational elements — ICT ◦ trustworthy IdP implies that users are familiar with the IdP , and use it for everyday work (so no separate login or system) ◦ when rolled out, gives usability advantages (less helpdesk calls) and better security enforcement (single kill switch) many services can be linked to SSO services (usually via LDAP) — HR ◦ source of ‘validated’ ID attributes (registry) ◦ likely has existing practices to comply with privacy, data retention & protection, and legal issues — Management David Groep Nikhef Amsterdam ◦ buy-in to endorse policy and guarantee continuity PDP & Grid

  20. Join a federation with integrated IdM — For mid-size org needed effort not very high ◦ once there is common intent and purpose can be done within ~ 6 months (not full-time), using OSS tooling — Work items ◦ ensure buy-in ◦ write up a draft policy (using the AP template) ◦ set up ( LDAP -capable) directory service ◦ demonstrate some quick goodies: desktop login, link to no-policy test federation using simpleSAMLphp David Groep Nikhef ◦ review the policy J Amsterdam PDP & Grid ◦ join the full federation and give goodies to users

  21. Federation services as incentive and driving force for users David Groep Nikhef Amsterdam and organisational systems such as email as incentive for both PDP & Grid ICT (less support load, better controls) and users (single password)

  22. The harder bits — Goodies gain momentum, then take the next step ◦ convert ‘critical’ systems, such a email, self-services (travel request, budgetting, timesheets, ...) ◦ implement your account & password expiration policy in automated processes if that was not yet standing procedure (test first!) give reasonable grace period, say, 13 months ◦ start disabling services that are not SSO enabled David Groep Nikhef Amsterdam PDP & Grid

  23. So: What About the Policy? — Used IGTF Authentication Profile template — Missing elements related to user management ◦ need for data protection and attribute release policies ◦ additional user obligations (e.g. password changing) ◦ expiration controls ◦ differentiate between suspension and expiration ◦ you cannot ‘delete’ users (must keep the key identifier) — In section 3 (identity vetting) added ‘hardship clause’ – helps ease pain of policy faults by limited override David Groep Nikhef — Also Grid AUP and Site Ops Policy have useful elements Amsterdam PDP & Grid — Be prepared to disclose the policy – publicly, AFAIAC!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Trust Federation enabling an interoperable David Groep EUGridPMA global trust fabric also

Trust Federation enabling an interoperable David Groep EUGridPMA global trust fabric also

The International Grid Trust Federation enabling an interoperable David Groep EUGridPMA global trust fabric also supported by EGI.eu EGI-InSPIRE RI-261323, and BiG Grid, the Dutch eScience Grid The Need for a Global Trust Fabric More than

676 views • 21 slides
Who do you Trust? The roles of certificates, certification authorities and the IGTF in Grid

Who do you Trust? The roles of certificates, certification authorities and the IGTF in Grid

Who do you Trust? The roles of certificates, certification authorities and the IGTF in Grid Computing T h e A m e r i c a s G r i d Policy Management Authority Prof. Vinod Rebello Instituto de Computao Universidade F ederal F

768 views • 18 slides
Smart Grid Uses and Applications? TCIPG Annual Industry Workshop November 7, 2011 Trustworthy

Smart Grid Uses and Applications? TCIPG Annual Industry Workshop November 7, 2011 Trustworthy

What is the Trust Required in New Smart Grid Uses and Applications? TCIPG Annual Industry Workshop November 7, 2011 Trustworthy Defined Trustworthy: Deserving of trust or confidence; dependable; reliable Trust: Reliance on the

385 views • 10 slides
SEE-GRID-SCI SEE-GRID Infrastructure for Regional eScience www.see-grid-sci.eu International

SEE-GRID-SCI SEE-GRID Infrastructure for Regional eScience www.see-grid-sci.eu International

SEE-GRID-SCI SEE-GRID Infrastructure for Regional eScience www.see-grid-sci.eu International Symposium on Grid Computing (ISGC) Academia Sinica, Taipei, 5-12 March 2010 Dr. Ognjen Prnjat European and Regional Grid Management GRNET The

329 views • 31 slides
Simulation &amp; Emulation in Smart Grid Assessment David M. Nicol Director, Information Trust

Simulation &amp; Emulation in Smart Grid Assessment David M. Nicol Director, Information Trust

Simulation &amp; Emulation in Smart Grid Assessment David M. Nicol Director, Information Trust Institute Professor, Electrical &amp; Computer Engineering University of Illinois at Urbana-Champaign | 1 I have a dream That one day we will

808 views • 59 slides
SEE-GRID Deploying a Grid-enabled eInfrastructure in SE Europe www.see-grid.org Jorge Sanchez,

SEE-GRID Deploying a Grid-enabled eInfrastructure in SE Europe www.see-grid.org Jorge Sanchez,

SEE-GRID Deploying a Grid-enabled eInfrastructure in SE Europe www.see-grid.org Jorge Sanchez, Nikos Vogiatzis, SEEGRID Coordinators see-grid-pmo@grnet.gr Data Sources: EC, EGEE, SEEGRID, SEEREN The SEE-GRID initiative is co-funded by the

317 views • 18 slides
Recent Activities on I nternational Grid Trust Federation Yoshio Tanaka (yoshio. tanaka@aist. go.

Recent Activities on I nternational Grid Trust Federation Yoshio Tanaka (yoshio. tanaka@aist. go.

Recent Activities on I nternational Grid Trust Federation Yoshio Tanaka (yoshio. tanaka@aist. go. jp yoshio. tanaka@aist. go. jp) ) Yoshio Tanaka ( APGrid PMA, Chair PMA, Chair APGrid Grid Technology Research Center, Grid Technology

255 views • 22 slides
Smart Grid Increasing the IQ of the Smart Grid Unclear exactly what the smart grid is, but

Smart Grid Increasing the IQ of the Smart Grid Unclear exactly what the smart grid is, but

Smart Grid Increasing the IQ of the Smart Grid Unclear exactly what the smart grid is, but Through Active Customer it does include Participation in Wholesale Electricity Interval meters Markets Storage and load flexibility

465 views • 15 slides
Migrating from Grid to Cloud: Migrating from Grid to Cloud: Migrating from Grid to Cloud:

Migrating from Grid to Cloud: Migrating from Grid to Cloud: Migrating from Grid to Cloud:

Migrating from Grid to Cloud: Migrating from Grid to Cloud: Migrating from Grid to Cloud: Migrating from Grid to Cloud: Case Study from GEO Grid Case Study from GEO Grid Kyoung-Sook Kim Data Science Research Group Information Technology

541 views • 18 slides
Meta-data management issues underpinning Grid and P2P development Experiences from GRASP,

Meta-data management issues underpinning Grid and P2P development Experiences from GRASP,

Meta-data management issues underpinning Grid and P2P development Experiences from GRASP, SWAD-Europe, PELLUCID and CORAS projects at CCLRC/BITD Emphasis: trust &amp; security policy management Emphasis: trust &amp; security policy management

1.09k views • 39 slides
Security and Trust in an Industrial Grid Project ISGC 2011 (23 March 2011, , Taiwan)

Security and Trust in an Industrial Grid Project ISGC 2011 (23 March 2011, , Taiwan)

Security and Trust in an Industrial Grid Project ISGC 2011 (23 March 2011, , Taiwan) Andreas Schreiber &lt;Andreas.Schreiber@dlr.de&gt; German Aerospace Center (DLR), Cologne http://www.dlr.de/sc Folie 1 ISGC 2011 &gt; Andreas

450 views • 26 slides
FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust Your Local Mental Health NHS Trust Implementation of Involvement Agenda National accreditation for Memory Service Team (Bloxwich Hospital)

763 views • 14 slides
ON-GRID VS OFF-GRID SOLAR On-Grid Solar is solar generation that is connected to the utility grid

ON-GRID VS OFF-GRID SOLAR On-Grid Solar is solar generation that is connected to the utility grid

ON-GRID VS OFF-GRID SOLAR On-Grid Solar is solar generation that is connected to the utility grid All solar generation enters the grid co - generation with solar The grid provides backup power for a normally stand-alone solar installation

495 views • 20 slides
PGP web of trust Web of trust From:

PGP web of trust Web of trust From:

PGP web of trust Web of trust From: h2p://pgp.cs.uu.nl/plot/ The PGP web of trust can be viewed as a directed graph where the points are

558 views • 10 slides
The Path to a Secure and Resilient Power Grid Infrastructure Bill Sanders University of Illinois

The Path to a Secure and Resilient Power Grid Infrastructure Bill Sanders University of Illinois

The Path to a Secure and Resilient Power Grid Infrastructure Bill Sanders University of Illinois at Urbana-Champaign www.tcipg.org whs@illinois.edu | 1 Power Grid Trust Dynamics Span Two Interdependent Infrastructures Cyber Infrastructure

337 views • 15 slides
About BiG Grid The BiG Grid project is a collaboration between NCF, Nikhef and NBIC, and enables

About BiG Grid The BiG Grid project is a collaboration between NCF, Nikhef and NBIC, and enables

BiG Grid HPC Cloud Beta Floris Sluiter SARA Computing and Networking services Amsterdam www.cloud.sara.nl About BiG Grid The BiG Grid project is a collaboration between NCF, Nikhef and NBIC, and enables access to grid infrastructures for

495 views • 24 slides
John hn Luk uke e Hill, Jr. (October 29, 1923 July 9, 2007) graduated from UT

John hn Luk uke e Hill, Jr. (October 29, 1923 July 9, 2007) graduated from UT

John hn Luk uke e Hill, Jr. (October 29, 1923 July 9, 2007) graduated from UT Law in 1947 and led a remarkable legal and public service career spanning 60 years. He is thus far the only person in Texas history to serve as

1.06k views • 49 slides
!&quot;#$%&amp;'(')&quot;*#+',-.&quot;/0123/-'%-0' !1./&quot;*%4 5617*',86**' 9*7*':%;%*'

!&quot;#$%&amp;'(')&quot;*#+',-.&quot;/0123/-'%-0' !1./&quot;*%4 5617*',86**' 9*7*':%;%*'

(N(EOL-0' P1.1&quot;#',-.#&quot;-#.'!#8.Q#0'R/&quot;?86/D !&quot;#$%&amp;'(')&quot;*#+',-.&quot;/0123/-'%-0' !1./&quot;*%4 5617*',86**' 9*7*':%;%*' &lt;8617*=#*7*&gt;?%@A-*2.BC/B7D' E%3/-%4',-83.1.#'/+',-+/&quot;$%3/-'%-0'F/$$1-*2%3/-8'

758 views • 63 slides
Robots are becoming an essential part in the human evolution. Robots or machines can

Robots are becoming an essential part in the human evolution. Robots or machines can

Running head: Robotics 1 (Intelligent) Robotics Omar Alenezi Montana Tech at University of Montana Running head: Robotics 2 Abstract This paper covers robotic history and their advancement and contribute in various of fields. Then talked about

336 views • 15 slides
Digital Design Methodology CENG/ELEC/SENG 399 Dr. F . Gebali, PhD, PEng ECE Dept. Faculty of

Digital Design Methodology CENG/ELEC/SENG 399 Dr. F . Gebali, PhD, PEng ECE Dept. Faculty of

Engineering Design Flow CAD Tools Summary Digital Design Methodology CENG/ELEC/SENG 399 Dr. F . Gebali, PhD, PEng ECE Dept. Faculty of Engineering http://www.ece.uvic.ca/ fayez 2012 c September 23, 2013 1 / 27 Engineering Design

673 views • 27 slides
EMACS, THE ULTIMATE Trung Ta Oracle Labs Australia &amp; National University of Singapore

EMACS, THE ULTIMATE Trung Ta Oracle Labs Australia &amp; National University of Singapore

EMACS, THE ULTIMATE Trung Ta Oracle Labs Australia &amp; National University of Singapore Brisbane, Australia August 9 th , 2017 Which editor do you use the most? CASE STUDY: REAL PROGRAMMERS CASE STUDY: REAL PROGRAMMERS

1.46k views • 101 slides
A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 , P. Gaudry 2 , N. Heninger 1 , E. Thom e 2 1 U. Penn ; 2 Caramba/Inria/Loria Nov 13rd, 2017 A kilobit hidden SNFS discrete logarithm computation

441 views • 42 slides
System Design An Engineering Approach to Computer Networking An Engineering Approach to Computer

System Design An Engineering Approach to Computer Networking An Engineering Approach to Computer

System Design An Engineering Approach to Computer Networking An Engineering Approach to Computer Networking What is system design? A computer network provides computation, storage and A computer network provides computation, storage and

485 views • 35 slides
MIT Roofnet Performance MSR Mesh Summit, June 2004 Robert Morris Daniel Aguayo, John Bicket,

MIT Roofnet Performance MSR Mesh Summit, June 2004 Robert Morris Daniel Aguayo, John Bicket,

Roofnet node map MIT Roofnet Performance MSR Mesh Summit, June 2004 Robert Morris Daniel Aguayo, John Bicket, Sanjit Biswas, Douglas De Couto, Glenn Judd http://pdos.lcs.mit.edu/roofnet 1 kilometer 2 Typical rooftop view Roofnet radio

359 views • 3 slides

More recommend