Security
From Cidays
Open Science Grid
Stringent requirements for security and accounting differentiate grid computing from other distributed computing models. Grid user authorization in OSG, for example, is handled through Virtual Organizations. A VO must authenticate and register its members, and enter into agreements with the other VOs on the target grid to define which resources are shared, who is allowed to share them, and the conditions under which sharing occurs. The middleware implements these agreements.
VOs in OSG must require their members to obtain an X.509 PKI certificate. Each user's job, when submitted to the OSG, is accompanied by a short-lived proxy of his or her (longer-lived) certificate, thus allowing the destination resource to identify the user and authorize the job to run.
OSG resources may honor certificates from a variety of Certificate Authorities (CAs), but we only document how to get a certificate from the DOEGrids CA.
OSG's security plan, risk assessment, policies and other security information are collected at OSG Cyber Security.
Internet2
The Internet2 Identity and Access Management model provides a framework for simplifying the management of access to services, implementing policy, increasing transparency, and enabling operations to scale by integrating an enterprise identity management infrastructure with services provided by both central and distributed IT.
Activities include:
- Encouraging the deployment of common architecture, policy, and practice principles in campus identity and access management infrastructures. Examples include the Internet2/EDUCAUSE CAMP Workshops, Roadmaps, Campus practices, and Case Studies.
- Identifying data exchange standards and mechanisms and assisting in implementation at the campus level, and leveraging these core services to fuel federated identity. Examples include: eduPerson Directory Schema, enterprise directory practices, and OpenSAML.
- Developing federating software and related trust services to support an R&E trust community. Examples include Shibboleth® Federating and Single Sign-on Software and the InCommon Federation.
- Providing tools for managing authorization-related information to ensure appropriate access to CI-enabled resources. This includes user tools for controlling group membership that can be leveraged by multiple applications. Examples include Grouper Groups Management Toolkit and Signet Privilege Management System.
- Integrating the above items and providing consolidated interfaces and infrastructure for project leads to control access to their suite of resources. Examples include COManage, which is under development.
- Partnering with organizations important to the R&E Community to ensure interoperability. Examples include OASIS, Liberty, Microsoft, Federal Government, and International Federations.
The Internet2 Community is working together to build an interoperable trust community, encompassing the diverse set of partnerships, technologies, and related infrastructure needed to enable collaboration nationally and worldwide.








