Challenges and Solutions in Data Security and Authorization for INDIGO-DataCloud RIA-653549
Large-scale virtualization resources in INDIGO-DataCloud RIA-653549 aim to enhance computing capacities, flexibility for data analysis, and cost-effectiveness by adopting standards-based computing platforms. Addressing the AAI problem of heterogeneous infrastructures, the project seeks to provide common authentication and authorization mechanisms across distributed infrastructures, ensuring secure and efficient access for users. Technical challenges involve managing identities, attributes, and privileges in a uniform and secure manner throughout the INDIGO stack.
Presentation Transcript
INDIGO DataCloud Security and Authorization in WP5 RIA-653549 Andrea.ceccanti@cnaf.infn.it INFN
Outline
  The AAI problem
  AAI WP5 objectives
  The IAM service
  Next steps
Context
  Large-scale virtualization resources to achieve on-demand compute capacities, improve flexibility for data analysis and avoid unnecessary, costly large data transfers.
  Development and adoption of a standards-based computing platform (with an open software stack) that can be deployed on different hardware and e-infrastructures (such as clouds providing infrastructure-as-a-service (IaaS), HPC and grid infrastructures) to abstract application development and execution from the available (possibly remote) computing systems.
  This platform should be capable of federating multiple commercial and/or public cloud resources or services and delivering Platform-as-a-Service (PaaS) adapted to the scientific community, with a short learning curve.
The AAI problem
  Heterogeneous infrastructures use heterogeneous authentication/authorization mechanisms
  Hard to integrate resources from distributed infrastructures without common AAI ground
  Even where a single authentication technology is used, managing users and privileges on distributed resources in a dynamic and secure way is complex
  DCIs are not easily and securely accessible by common users
  Federated identity support is lacking or very limited
AAI: main challenges
  How can we have common authN and authZ primitives that just work across several distributed infrastructures?
  Which tools should we provide to our users so that they have complete control over how authN and authZ are configured and performed on the resources (assembled from distributed providers) they will use for their research?
  How do we avoid reinventing the wheel? How do we exploit what is already available, leverage existing standards and ensure that what we develop is sustainable?
Technical challenges (I)
  Provide a layer where identities provided by different sources can be managed in a uniform way
  Define how attributes linked to these identities (on which authorization decisions are based) are represented and understood at lower and higher levels of the INDIGO stack
  Define a cryptographically strong token used to carry these attributes around in a secure way
  Define how the token carrying the attributes is exchanged between services
  Define how controlled delegation of privileges can happen
Technical challenges (II)
  Provide the tools to support cross-organizational user and privilege management
    Group management
    Enrollment flows management
  Provide tools to define, propagate, compose and enforce authorization policies based on these attributes at various levels of the INDIGO stack
    Uniform and consistent authZ over resources assembled from multiple, heterogeneous providers
Security and AuthZ in WP5
  [Figure 14: WP5 architecture]
The IAM service
  Provides the tools needed to enable a secure composition of services from multiple providers in support of scientific applications
  Provides a unified view of identities and privileges on resources assembled from various providers
  Supports and integrates existing federated authN mechanisms
  Provides tools to define and manage enrollment flows for research communities
IAM service technologies
  Standard APIs/protocols for user/group management: SCIM, VOOT
  Federated authN support: SAML, OpenID Connect
  Attribute authority/token service: SAML, OAuth
  Policy definition and composition: XACML
But before defining how the IAM service will work we need to define
Ground work: first steps
  Lots of questions to be answered!
  Agree on supported federated authN mechanisms: SAML, OpenID Connect
  Define the security token: SAML assertion? JWT? Macaroons?
  Define the protocol to request/exchange the token: SAML attribute query vs OAuth2
  Define how delegation is done
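The attribute-carrying token of the "Technical challenges (I)" slide and the JWT option raised above, as an added example that is not part of the original deck: an IAM-side issuer mints a compact HS256-signed token whose claims carry the user's groups, and a downstream service verifies algorithm, signature, audience and expiry before making a group-based authorization decision. The claim names, the issuer name iam.example.org, the shared key and the group names are assumptions for illustration; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, subject, groups, audience, issuer="iam.example.org",
                ttl=600, now=None):
    """IAM side: mint a token carrying the attributes (groups) used for authZ."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "groups": groups, "iat": now, "exp": now + ttl}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(key, token, audience, now=None):
    """Service side: return the claims only if every check passes, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(c))
        sig = b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Refuse non-object segments and any algorithm other than the one we expect ('none' included)
    if not (isinstance(header, dict) and isinstance(claims, dict) and header.get("alg") == "HS256"):
        return None
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


def is_authorized(claims, required_group):
    """Attribute-based decision: the caller must be a member of the required group."""
    return claims is not None and required_group in claims.get("groups", [])
```

Any change to the groups claim after issuance, a token replayed at a different service (audience) or a token past its lifetime is rejected before the authorization decision is reached.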
Cross-WP AAI task force?
  Fast-paced discussion to sort out fundamental issues
  Produce a proposal for wider discussion
IAM service: first steps
  Define basic required functionalities
    User and group management
    Attribute authority/token services
    Policy authoring and distribution
    Enrollment flows and registration management
  Survey existing solutions and protocols
    Leverage standards
    Consider extending existing established products and contributing back upstream
  Design
Lots of work ahead of us
  Tight deadlines and relatively scarce effort, but we do not start from scratch!