trust federation
play

Trust Federation enabling an interoperable David Groep EUGridPMA - PowerPoint PPT Presentation

Jan 03, 2023 •462 likes •676 views

The International Grid Trust Federation enabling an interoperable David Groep EUGridPMA global trust fabric also supported by EGI.eu EGI-InSPIRE RI-261323, and BiG Grid, the Dutch eScience Grid The Need for a Global Trust Fabric More than

  1. The International Grid Trust Federation enabling an interoperable David Groep EUGridPMA global trust fabric also supported by EGI.eu EGI-InSPIRE RI-261323, and BiG Grid, the Dutch eScience Grid

  2. The Need for a Global Trust Fabric More than one administrative organisation More than one service provider participates in a single transaction More than one user in a single transaction More than one authority influences effective policy Single interoperating instance at the global level 2011-06-10 International Grid Trust Federation 2005 - 2011

  3. Overlapping Communities – Common Trust Reduce over-all policy burden by adhering to common criteria Goals • allow multiple sources of authority: User, Institute, Community • acknowledge both long- and short-term community structures • enable security incident response and containment • balance data protection and right to privacy to provide basis for access control decisions by resources and communities 2011-06-10 International Grid Trust Federation 2005 - 2011

  4. Attributes and Access Control Several communities have complementary information for a user Access control based on policy expressed in these attributes, including the ID • attributes will need to be linked • link identifier to provide persistency 2011-06-10 International Grid Trust Federation 2005 - 2011

  5. Requirements on a trusted source Privacy and data Access Control Attribute handle • unique binding protection • never re-assigned • important ‘unalienable Measurement and right’ for research Accounting • correlation of PII among service providers could allow profiling • publication metrics • exchange of PII often fraught with issues • usage metering, billing • auditing and compliance monitoring Incident Response A common ID must live • long-term* traceable in a policy ecosystem to • independent from short-lived community protect participants • must be revocable and to limit its use to • correlate with other information sources specific purposes • banning and containment handle 2011-06-10 International Grid Trust Federation 2005 - 2011

  6. Elements of Trusted Identity 1. Vetting and assurance – for identity and attributes – vetting rules and data quality – expiration and renewal – revocation and incident containment 2. Operational requirements for identity providers – operating environment and site security – staff qualification and control 3. Publication and audits – openness of policy, practices and meta-data – review and auditing 4. Privacy and confidentiality guarantees 5. Compromise, disaster recovery and business continuity 2011-06-10 International Grid Trust Federation 2005 - 2011 OGF CAOPS-WG: Authentication Profile Structure, WG draft

  7. Assurance levels Trust in the assertions by resource and service providers is key • Until now, our e- Infrastructure used a single ‘level’ – there are well- known ‘government’ standards for LoA (US: OMB M-04-04 & NIST SP800-63) – but 95/46/EC and 1999/93/EC are not of much use to us and the Nice treaty states that identity is a national matter … – there is rough but not 1:1 correspondence between balanced needs of the providers and users and the NIST LoA levels 2011-06-10 International Grid Trust Federation 2005 - 2011

  8. IGTF Assurance Levels Type and classification of e-Infrastructure services drives the level of assurance required • Security and assurance level set to be commensurate – not overly high for ‘commodity’ resources – not too low, as providers otherwise start implementing additional controls on top of and over the common criteria – defined in collaboration with resource providers – using transparency and a peer review processes – leveraging our own community organisation mechanisms 2011-06-10 International Grid Trust Federation 2005 - 2011

  9. Establishing the IGTF – EU AP TAG • EU DataGrid established Coordination Group in 2000 • Global need resulted in the 2003 Tokyo Accord • With start of production e-Infrastructures – EUGridPMA established with DEISA, EGEE, SEE-GRID, and TERENA (TACAR) as relying parties and national identity providers in 2004, with e-IRG endorsement – APGrid and PRAGMA establish the APGridPMA – Canada, EELA-countries and USA IdPs establish TAGPMA • Consistent guidelines and service provider involvement 2011-06-10 International Grid Trust Federation 2005 - 2011

  10. Global Trust 86 accredited authorities from 53 countries and economic regions

  11. Structure of Trust • Common criteria and model – globally unique and persistent identifier provisioning – not fully normative, but based on minimum requirements • Trust is technology agnostic – technology and assurance ‘profiles’ in the same trust fabric – ‘classic’ traditional public key infrastructure – ‘MICS’ dynamic ID provisioning leveraging federations – ‘SLCS’ on-demand short-lived token generation a basis for ‘arbitrary token’ services – new profiles 2011-06-10 International Grid Trust Federation 2005 - 2011

  12. IGTF Common Criteria 2011-06-10 International Grid Trust Federation 2005 - 2011

  13. Assurance levels in the IGTF Technical and operational controls • Authorities come in two basic flavours – off-line (only used in ‘traditional’ PKI): human controls and air-gap security provide protection against attacks – on-line infrastructure (federation-backed, SLCS and classic): valuable security material is network connected need compensatory controls: • secure hardware, compliant to FIPS 140-2 level 3 • additional layered network security • Technical requirements apply to any attribute source – such as community registries like ‘VOMS’ 2011-06-10 International Grid Trust Federation 2005 - 2011

  14. Vetting Assurance Levels Identity controls and vetting • long-term traceable assurance (classic, MICS) – based on in-person checking of (nationally defined) official identity documents – recorded identity persists beyond the moment of issuance – assertions can live for a long time (over a year) to facilitate long- term use – but compromise may happen, so is revocable • momentary assurance (SLCS) – traceability to a physical person for at least one year – may use any vetting mechanism that assures that traceability – but assertions are limited in time to 24 hours (unless revocable, in which case: 11 days) https://www.eugridpma.org/guidelines/{classic,mics,slcs} 2011-06-10 International Grid Trust Federation 2005 - 2011

  15. Building trust – an exercise in scaling • Accreditation process – Extensively documented public practices (CP/CPS, RFC3647) – Interviewing and scrutiny by peer group (the PMA) – Assessment against the Authentication Profiles – Technical compliance checks (RFC5280 and GFD.125) • Periodic, peer-reviewed, self-audits – Based on Authentication Profiles, standard reference: GFD.169 – OGF & IGTF, inspired by NIST SP800-53/ISO:IEC 27002 • Federated assessment methodology by region (IGTF) https://www.eugridpma.org/guidelines/accreditation 2011-06-10 International Grid Trust Federation 2005 - 2011

  16. Federated Identity in Europe Today Map colour coding Green: classic accredited authority Blue: classic + federated authority Yellow: pending classic accreditation Federated ‘translating’ authorities: integrity requirements propagate to all data sources e.g. TERENA Certificate Service qualifying Federations IdPs meet all IGTF requirements and TCS provides instant access to globally trusted identities Also in Australia: ARCS SLCS, in USA: CILogon 2011-06-10 International Grid Trust Federation 2005 - 2011

  17. Beyond identity • Many attributes come in to an authorization decision – identity, community, group membership, roles, position, ... – the ‘other attributes’ are important for contextual control and thus of importance beyond only resource providers • Operational requirements translate easily to any kind of attribute source • Operational and assurance requirements apply where assertions are bridged such as in the STS 2011-06-10 International Grid Trust Federation 2005 - 2011

  18. Carrying assertions across domains Service access crosses technology and domain boundaries and may need translating in a Security Token Service (STS) – trust relationship – operational requirements STS examples: GEMBus, EMI-STS, ... Requirements on • assurance level • operational security • auditing, data protection and transparency of process all remain GEMBus image by Diego Lopez, RedIRIS and GEANT, 22 nd EUGridPMA meeting EMI STS image by Christoph Witzig, SWITCH and EMI, 22 nd EUGridPMA meeting 2011-06-10 International Grid Trust Federation 2005 - 2011

  19. Common Criteria and Diversity • Up till now ... – providers of compute and storage services in e- Infra able to agree single ‘least common denominator’ – many content-only (web site) providers could live with lower assurance and asked no real LoA requirements ... but this may be changing • more diverse content and services being offered – via many mechanisms, both web and non-web – may need diversifying not only technology, but also LoA 2011-06-10 International Grid Trust Federation 2005 - 2011

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

UNDERSTANDING WS-FEDERATION Agenda WS-Trust and WS-Federation Fundamentals Enterprise

UNDERSTANDING WS-FEDERATION Agenda WS-Trust and WS-Federation Fundamentals Enterprise

Specification features in selected application scenarios UNDERSTANDING WS-FEDERATION Agenda WS-Trust and WS-Federation Fundamentals Enterprise Scenario Request for Proposal Healthcare Scenario Patient Record Access 2 6/6/2007

833 views • 27 slides
Presentation Endangered Wildlife Trust Federation for a Sustainable Environment Mpumalanga

Presentation Endangered Wildlife Trust Federation for a Sustainable Environment Mpumalanga

Appellants Appeal Presentation Endangered Wildlife Trust Federation for a Sustainable Environment Mpumalanga Landbou/Agriculture Advocate Aymone Du Toit Athas proposed Yzermyn underground coal mine in in Wakkerstroom Magisterial

928 views • 77 slides
A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed

A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed

A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed Infrastructures for Academic Research International Symposium on Grids & Clouds 2016 15 March 2016 Academia Sinica, Taipei, Taiwan Eisaku

503 views • 17 slides
WELCOME TO STRBSKE PLESO. With the trust of the European Federation for Company Sport we will soon

WELCOME TO STRBSKE PLESO. With the trust of the European Federation for Company Sport we will soon

DISCOVER SLOVAKIA, MEET EUROPE! WELCOME TO STRBSKE PLESO. With the trust of the European Federation for Company Sport we will soon be hosting the 15th European Company Winter Sports Games at Strbske Pleso in the High Tatras. Since 1998, Slovak

814 views • 9 slides
European Ranger Federation Under the umbrella of the IRF The European Ranger Federation

European Ranger Federation Under the umbrella of the IRF The European Ranger Federation

European Ranger Federation Under the umbrella of the IRF The European Ranger Federation was formed in May 2017 to network rangers across Europe. European Ranger Federation current ERF members include: Albania Austria Croatia

411 views • 13 slides
Small Fishers Federation of Lanka The Small Fishers Federation was set up in 1992 as a

Small Fishers Federation of Lanka The Small Fishers Federation was set up in 1992 as a

Sri Lanka Mangrove Conservation Programme of Small Fishers Federation Funded by Seacology Facilitated by Ministry of Environment of Sri Lanka Presenter: Senior Prof. Herath Dissanayaka , Scientist Forum Chairperson, Small Fishers Federation

128 views • 10 slides
News about... -The CRU federation -eduroam.fr -SCS in France -directory schema Federation

News about... -The CRU federation -eduroam.fr -SCS in France -directory schema Federation

News about... -The CRU federation -eduroam.fr -SCS in France -directory schema Federation news... Current members : 27 IdPs 18 SPs (including Elsevier and EBSCO) Future SPs : Microsoft (MSDN-AA) Ovid Lexis

299 views • 9 slides
Welcome to Willow Class September 2020 Proud to be part of The White Horse Federation

Welcome to Willow Class September 2020 Proud to be part of The White Horse Federation

Welcome to Willow Class September 2020 Proud to be part of The White Horse Federation Multi-Academy Trust | www.twhf.org.uk Mrs Tamsin Daddow Mon/Tues/Wed Mrs Alex Cruttenden Thurs/Fri Willow Class - FS2 children Typical routine The

498 views • 12 slides
FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust Your Local Mental Health NHS Trust Implementation of Involvement Agenda National accreditation for Memory Service Team (Bloxwich Hospital)

763 views • 14 slides
PGP web of trust Web of trust From:

PGP web of trust Web of trust From:

PGP web of trust Web of trust From: h2p://pgp.cs.uu.nl/plot/ The PGP web of trust can be viewed as a directed graph where the points are

558 views • 10 slides
Reception Induction Meeting 2020 Proud to be part of The White Horse Federation Multi-Academy

Reception Induction Meeting 2020 Proud to be part of The White Horse Federation Multi-Academy

Reception Induction Meeting 2020 Proud to be part of The White Horse Federation Multi-Academy Trust | www.twhf.org.uk On behalf of everyone here at Bowerhill Primary School, welcome to a new and exciting stage in your childs life. During

381 views • 16 slides
2008 International Federation 2008 International Federation on Ageing Conference (IFA) Presented

2008 International Federation 2008 International Federation on Ageing Conference (IFA) Presented

2008 International Federation 2008 International Federation on Ageing Conference (IFA) Presented by: Brenda Wong, Seniors Coordinator Sheila Hallett, Edmonton Seniors Coordinating Council Trina Homeniuk, United Way Montreal

341 views • 23 slides
Carbon Taxes PRESENTATION BY THE CANADIAN TAXPAYERS FEDERATION Canadian Taxpayers Federation

Carbon Taxes PRESENTATION BY THE CANADIAN TAXPAYERS FEDERATION Canadian Taxpayers Federation

Carbon Taxes PRESENTATION BY THE CANADIAN TAXPAYERS FEDERATION Canadian Taxpayers Federation Mission statement: lower taxes, less waste and accountable government Funded entirely by donations from 200,000 supporters across Canada The

330 views • 13 slides
Recent Activities on I nternational Grid Trust Federation Yoshio Tanaka (yoshio. tanaka@aist. go.

Recent Activities on I nternational Grid Trust Federation Yoshio Tanaka (yoshio. tanaka@aist. go.

Recent Activities on I nternational Grid Trust Federation Yoshio Tanaka (yoshio. tanaka@aist. go. jp yoshio. tanaka@aist. go. jp) ) Yoshio Tanaka ( APGrid PMA, Chair PMA, Chair APGrid Grid Technology Research Center, Grid Technology

255 views • 22 slides
Ontario Teachers Federation The OnTariO Teachers FederaTiOn is the advocate for the

Ontario Teachers Federation The OnTariO Teachers FederaTiOn is the advocate for the

Ontario Teachers Federation The OnTariO Teachers FederaTiOn is the advocate for the teaching profession in Ontario and for its 160,000 teachers. OTF members are full-time, part-time and occasional teachers in all publicly funded

170 views • 4 slides
ACOnet Identity Federation Policy Experiences Peter Schober ACOnet TERENA EuroCAMP @ 4 th GN3

ACOnet Identity Federation Policy Experiences Peter Schober ACOnet TERENA EuroCAMP @ 4 th GN3

ACOnet Identity Federation Policy Experiences Peter Schober ACOnet TERENA EuroCAMP @ 4 th GN3 Symposium 15-16 October 2012 Agenda 1. The Politics behind Federation Policies 2. Tales from a Federation Operator: On-boarding of prospective

195 views • 16 slides
AWS Identity and Access Management (IAM) made easy with Terraform Kala Maturi, Technology

AWS Identity and Access Management (IAM) made easy with Terraform Kala Maturi, Technology

AWS Identity and Access Management (IAM) made easy with Terraform Kala Maturi, Technology Services Yoon Lee, Technology Services Topics AWS Authentication AWS Authorization About Roles & Policies Best practices Terraform

1.92k views • 33 slides
Privacy by Design Deirdre K. Mulligan Privacy by design, why now? Legal Drivers E- Government

Privacy by Design Deirdre K. Mulligan Privacy by design, why now? Legal Drivers E- Government

Privacy by Design Deirdre K. Mulligan Privacy by design, why now? Legal Drivers E- Government Act of 2002 and OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 Resolution on Privacy by Design, Data Protection

556 views • 41 slides
The FDIC ! ! An independent federal agency ! ! Major responsibilities: " ! Insuring deposits

The FDIC ! ! An independent federal agency ! ! Major responsibilities: " ! Insuring deposits

!"#$"%&' Money Smart Teacher Training Module, Part 1 The FDIC ! ! An independent federal agency ! ! Major responsibilities: " ! Insuring deposits " ! Bank supervision " ! Failed bank resolution ! ! Economic Inclusion

750 views • 33 slides
Solar Consumer Protection Workshop May 17, 2018 www.cesa.org Sustainable Solar Education

Solar Consumer Protection Workshop May 17, 2018 www.cesa.org Sustainable Solar Education

Solar Consumer Protection Workshop May 17, 2018 www.cesa.org Sustainable Solar Education Project A project to provide information to state and municipal officials on strategies to ensure distributed solar Remains consumer friendly

452 views • 14 slides
XRootD Monitoring Report A.Beche D.Giordano Outlines Talk 1: XRootD Monitoring Dashboard

XRootD Monitoring Report A.Beche D.Giordano Outlines Talk 1: XRootD Monitoring Dashboard

XRootD Monitoring Report A.Beche D.Giordano Outlines Talk 1: XRootD Monitoring Dashboard Context Dataflow and deployment model Database: storage & aggregation User interface & use cases Open issues & future

539 views • 37 slides
INCF Cyberinfrastructure - storage layer - Raphael Ritz INCF Secretariat, Stockholm, Sweden

INCF Cyberinfrastructure - storage layer - Raphael Ritz INCF Secretariat, Stockholm, Sweden

INCF Cyberinfrastructure - storage layer - Raphael Ritz INCF Secretariat, Stockholm, Sweden Code Jam V, Edinburgh, UK, March 16, 2012 Joint work with Sean Hill (INCF, Stockholm) Ruggero Cucchiani (INCF, Stockholm) Stephen Larson

719 views • 16 slides
Overview of NDN Pla/orm, Applica5on Libraries, and API

Overview of NDN Pla/orm, Applica5on Libraries, and API

Overview of NDN Pla/orm, Applica5on Libraries, and API NDNComm 2014 September 4, 2014 jburke@ucla.edu 1 Mo<va<on The NDN project's approach

654 views • 29 slides
From ER Diagrams to the Relational Model Rose-Hulman Institute of Technology Curt Clifton

From ER Diagrams to the Relational Model Rose-Hulman Institute of Technology Curt Clifton

From ER Diagrams to the Relational Model Rose-Hulman Institute of Technology Curt Clifton Review Entity Sets and Attributes Entity set: collection of things in the DB Attribute: property of an entity calories name Soda

395 views • 25 slides

More recommend