Standardization of Grid Security Policies for e-Science Infrastructures David Groep EUGridPMA Physics Data Processing group NIKHEF


Page 1: Standardization of Grid Security Policies for e-Science Infrastructures

Standardization of Grid Security Policies for e-Science Infrastructures

David Groep
EUGridPMA
Physics Data Processing group NIKHEF

Page 2: Standardization of Grid Security Policies for e-Science Infrastructures

2007-10-10 NEDO - Standardization of Grid Security Policies for e-Science Infrastructure 2

Outline

• The grid
  – Introduction to grid ‘AA’ and the separation of Authentication and Authorisation

• Building the global authentication fabric
  – federation origins
  – a global authentication trust fabric
  – authentication profiles and minimum requirements
  – levels of assurance

• Auditing as a tool for trust establishment

• Towards integrated AA Infrastructures
  – leveraging home organisation attributes
  – towards a multi-authority world in a single decision point

Page 3: Standardization of Grid Security Policies for e-Science Infrastructures

Grid from 10 000 feet

The GRID: networked data processing centres and “middleware” software as the “glue” of resources.

Researchers perform their activities regardless of geographical location, interact with colleagues, and share and access data.

Scientific instruments, libraries and experiments provide huge amounts of data.

graphic from: [email protected]

Page 4: Standardization of Grid Security Policies for e-Science Infrastructures

Virtual Organisation

What is a Virtual Organisation?

A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions.

graphic from: Anatomy of the Grid, Foster, Kesselman and Tuecke

• Users are usually a member of more than one VO
• Any “large” VO will have an internal structure, with groups, subgroups, and various roles

Page 5: Standardization of Grid Security Policies for e-Science Infrastructures

Virtual organisation structure

Lots of overlapping groups and communities

graphic: OGSA Architecture 1.0, OGF GFD-I.030

Page 6: Standardization of Grid Security Policies for e-Science Infrastructures

Virtual vs. Organic structure

• Virtual communities (“virtual organisations”) are many
• An individual will typically be part of many communities
  – has different roles in different VOs (distinct from organisational role)
  – all at the same time, at the same set of resources
  – but will require single sign-on across all these communities

graphic: OGSA Architecture 1.0, OGF GFD-I.030

Page 7: Standardization of Grid Security Policies for e-Science Infrastructures

Trust relationships

• For the VO model to work, parties need a trust relationship
  – the alternative: every user needs to register at every resource
  – we need to provide a ‘sign-on’ for the user that works across VOs

[Figure: Domain A (Sub-Domain A1, Server X, Server Y, Org. Certification Authority, Policy Authority) and Domain B (Sub-Domain B1, Task, Org. Certification Authority, Policy Authority), joined through GSI to a Virtual Organization Domain with an AuthZ Federation Service and Federated Certification Authorities]

graphic from: Frank Siebenlist, Argonne Natl. Lab, Globus Alliance

Page 8: Standardization of Grid Security Policies for e-Science Infrastructures

Authentication: The IGTF and international coordination

solving ‘stable’ issues first

Page 9: Standardization of Grid Security Policies for e-Science Infrastructures

History of International AuthN Coordination

Page 10: Standardization of Grid Security Policies for e-Science Infrastructures

History

Why a CA Federation?

2000: Urgent need for providing cross-national trust for the EU FP5 ‘DataGrid’ and ‘CrossGrid’ projects

‘National’ PKI
• 1999/93/EC
• uptake very slow even today
• but incorporation was a primary goal

‘Grass Roots’ CAs
• too project-specific
• no documented policies
• not suitable for a production infrastructure

‘Commercial’ CAs
• main focus on web server certs
• many of them (Thawte, Verisign, SwissSign, …)
• too expensive!
• not user-oriented
• hard to make technically compatible
• needed for ‘pop-up’-free web pages!

Page 11: Standardization of Grid Security Policies for e-Science Infrastructures

The first grid authentication infrastructures

• Establishing an Academic Grid PKI
  – started off with pre-existing CAs, and some new ones, late 2000
  – ‘reasonable’ assurance level based on ‘acceptable’ procedures
  – a single assurance level inspired by grid-relying party** requirements
  – using a threshold model: minimum requirements

• Focus on current need to solve cross-national authentication issues
  – separation of AuthN and AuthZ allowed progress
  – minimum requirements convinced enough resource providers to trust the AuthN assertions
  – individuals were (and are) all over Europe and the world
  – started with 6 authorities (NL, CZ, FR, UK, IT, CERN)

History

Page 12: Standardization of Grid Security Policies for e-Science Infrastructures

Federation Model for Grid Authentication

• A Federation of many independent CAs
  – common minimum requirements (in various flavours)
  – trust domain as required by users and relying parties, where relying party is (an assembly of) resource providers
  – defined and peer-reviewed acceptance process

• No strict hierarchy with a single top
  – spread of reliability, and failure containment (resilience)
  – maximum leverage of national efforts and complementarities

[Figure: CA 1, CA 2, CA 3 … CA n pass through the acceptance process against the authentication profiles; the resulting distribution is consumed by relying party 1 … relying party n]

Page 13: Standardization of Grid Security Policies for e-Science Infrastructures

‘Reasonable procedure … acceptable methods’

• 2001: Requirements and Best Practices for an “acceptable and trustworthy” Grid CA

  Minimum requirements for RA - Testbed 1
  ---------------------------------------
  An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate, e.g. by personal contact or some other rigorous method.
  The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP.

  Communication between RA and CA
  -------------------------------
  Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with known person.

  Minimum requirements for CA - Testbed 1
  ---------------------------------------
  The issuing machine must be:
    a dedicated machine located in a secure environment
    be managed in an appropriately secure way by a trained person
    the private key (and copies) should be locked in a safe or other secure place
    the private key must be encrypted with a pass phrase having at least 15 characters
    the pass phrase must only be known by the Certificate issuer(s)
    not be connected to any network
  minimum length of user private keys must be 1024
  min length of CA private key must be 2048
  requests for machine certificates must be signed by personal certificates or verified by other appropriate means
  ...

History

Page 14: Standardization of Grid Security Policies for e-Science Infrastructures

Grid Relying Parties & resource providers

• In Europe
  – Enabling Grid for E-sciencE (EGEE) (~ 200 sites)
  – Distr. Eur. Infrastructure for Supercomputer Apps (DEISA) (~15 sites)
  – South Eastern Europe: SEE-GRID (10 countries)
  – many national projects (NL BiG Grid, UK e-Science, Grid.IT, …)

• In the Americas
  – EELA: E-infrastructure Europe and Latin America (24 partners)
  – WestGrid (6 sites), GridCanada, …
  – Open Science Grid (OSG) (~ 60 sites)
  – TeraGrid (~ 9 sites + many users)

• In the Asia-Pacific
  – AP Grid (~10 countries and regions participating)
  – Pacific Rim Applications and Grid Middleware Assembly (~15 sites)

data as per mid 2006

Page 15: Standardization of Grid Security Policies for e-Science Infrastructures

Building the federation

• Trust providers (‘CAs’) and relying parties (‘sites’) together shape the common requirements
  – Several profiles for different identity management models
  – Authorities demonstrate compliance with profile guidelines
  – Peer-review process within the federation to (re-)evaluate members on entry & periodically
  – reduces effort on the relying parties
    • single document to review and assess for all CAs under a profile
  – reduces cost for the authorities
    • but participation does come at a cost of involved participation …

• Ultimate trust decision always remains with the RP
• An authority is not necessarily limited to just ‘grid’ use

Page 16: Standardization of Grid Security Policies for e-Science Infrastructures

Relying Party issues to be addressed

Common Relying Party requests on the Authorities

1. standard accreditation profiles sufficient to assure approximate parity
   – effectively, a single level of assurance sufficed then for relying parties
   – is changing today, as more diverse resources are being incorporated
2. monitor [] signing namespaces for name overlaps
3. a forum [to] participate and raise issues
4. [operation of] a secure collection point for information about CAs which you accredit
5. common practices where possible
6. reasonable likeness for a subject’s name*
7. a subject’s name should be forever persistent*

list courtesy of the Open Science Grid (* and wLCG and EGEE draft policy)

Page 17: Standardization of Grid Security Policies for e-Science Infrastructures

The EUGridPMA

Founded on April 2nd, 2004

The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body
• to establish requirements and best practices for grid identity providers
• to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources.

The EUGridPMA itself does not provide identity assertions, but instead asserts that - within the scope of this charter – the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.

Page 18: Standardization of Grid Security Policies for e-Science Infrastructures

EUGridPMA Membership

EUGridPMA membership for Authorities
(the European specific policy to maintain a manageable trust fabric)

• single Authority per
  – country,
  – large region (e.g. the Nordic Countries), or
  – international treaty organization

• ‘serve largest possible community with small number of stable authorities’

• ‘operated as a long-term commitment’
  – many CAs are operated by the (national) NREN (CESNET, ESnet, Belnet, NIIF, EEnet, SWITCH, DFN, … )
  – or by the e-Science programme or science foundation (UK eScience, VL-e, CNRS, … )

Other ‘RP’ members: DEISA, EGEE, SEE-GRID projects, OSG, LCG, TERENA.

Page 19: Standardization of Grid Security Policies for e-Science Infrastructures

Geographical coverage of the EUGridPMA

Green: EMEA countries with an Accredited Authority
23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IS, NO, PK, RS, RU, TR, “SEE-catch-all”

Other EUGridPMA Accredited Authorities: DoEGrids (.us), GridCanada (.ca), CERN

Page 20: Standardization of Grid Security Policies for e-Science Infrastructures

Constituency

The e-Science constituency is defined in broad terms
• academic community
• independent research organisations
• pre-competitive industrial/commercial research

‘Catch-all’ CAs for countries/constituencies without national CA
• CNRS Grid-FR CA
• SEE-GRID CA
• LAC Grid CA
• ASGCC CA
• DoEGrids LCG RA

Page 21: Standardization of Grid Security Policies for e-Science Infrastructures

Global Effort, Regional Progress

• EU, Middle East, Africa and Canada
  – Expansion of the EU Information Society Technologies Grid projects leads to expansion of the DataGrid CA Coordination Group
  – New projects and countries, wary of duplicating effort, join the group (CrossGrid, many national e-Science projects)

• Asia Pacific
  – Fostered by projects like APGrid and PRAGMA, a set of country and project CAs forged a permanent coordinating effort

• USA
  – large number of test bed efforts (Globus, NASA IPG, NCSA Alliance)
  – lacking the coordination for “sustainable production infrastructure”, the coordination effort was limited, and many of these early CAs have been forgotten
  – only the DoEScienceGrids CA, mainly used in collaborations with the European CERN organisation, becomes a ‘production’ service (‘DoEGrids’)

History

Page 22: Standardization of Grid Security Policies for e-Science Infrastructures

The Tokyo Accord

Need for coordination of a basic trust fabric is ‘obvious’
  – common security is the only strong requirement for interoperation, as all other services can be used ‘in parallel’

• 2001: Grid-CP working group in GGF
  – Mike Helm, Peter Gietz, and various CA representatives from all over the world
  – GGF could not host coordination activity at the time

• During the Tokyo GGF, March 2003: CA and PMA representatives from over the world agreed to coordinate and work towards a grid PMA

History

Page 23: Standardization of Grid Security Policies for e-Science Infrastructures

The Tokyo Accord

• First meeting March 2003 at GGF 7 in Tokyo
• Will co-locate and convene at GGF conferences
• Will work on forming the Grid Policy Management Authority, GRIDPMA.org
  – Develop Minimum operational requirements - based on EDG work
  – Develop a Grid Policy Management Authority Charter

• Representatives from all major Grid PMAs
  – European Data Grid & Cross Grid PMA: then 16 countries, 19 organizations
  – NCSA Alliance
  – Grid Canada
  – DOEGrids PMA
  – NASA Information Power Grid
  – TERENA
  – Asian Pacific PMA
    • AIST, Japan; SDSC, USA; KISTI, Korea; BII, Singapore; Kasetsart Univ., Thailand; CAS, China

History

Page 24: Standardization of Grid Security Policies for e-Science Infrastructures

International Grid Trust Federation

Federation of 3 Regional “PMAs”, that define common guidelines and accredit credential-issuing authorities

TAGPMA   EUGridPMA   APGridPMA

Page 25: Standardization of Grid Security Policies for e-Science Infrastructures

Growth of the European Grid trust fabric

[Chart: number of accredited CAs (y-axis 0 to 40) per half year, Mar-01 through Sep-06; annotation: foundation of the IGTF allows migration of CAs to proper Regional PMA]

History

Page 26: Standardization of Grid Security Policies for e-Science Infrastructures

Realising the roadmap

[The e-IRG] encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions.
  e-IRG Recommendation, Dutch EU Presidency 2004

Trans-disciplinary (Grid projects, NRENs, other user communities) and trans-continental forums that move towards the establishment of a global, seamless AA infrastructure for e-Science applications should be encouraged.

The e-IRG wishes to acknowledge the efforts made in this direction by the IGTF and the open information exchange point provided by TERENA task forces.
  e-IRG Recommendation, Austrian EU Presidency 2006

Page 27: Standardization of Grid Security Policies for e-Science Infrastructures

The Inner Workings of the Federation

Page 28: Standardization of Grid Security Policies for e-Science Infrastructures

Guidelines: common elements in the IGTF

• Coordinated namespace
  – Subject names refer to a unique entity (person, host)
  – Usable as a basis for authorization decisions
  – This name uniqueness is essential for all authentication profiles!

• Common Naming
  – Coordinated distribution for all trust anchors in the federation
  – Trusted, redundant, sources for download, verifiable via TACAR

• Concerns and ‘incident’ handling
  – Guaranteed point of contact
  – Forum to raise issues and concerns

• Requirement for documentation of processes
  – Detailed policy and practice statement
  – Auditing by federation peers
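The coordinated namespace above, and relying-party request 2 on page 16 (monitor signing namespaces for name overlaps), both come down to one rule: every accredited CA may only sign subject names inside the namespace the federation agreed for it, and no two CAs' namespaces may cover the same name. The following is an added example, not code from the slides or from the IGTF distribution: it binds each issuer to a list of subject-name patterns (a literal DN prefix with an optional trailing '*', in the spirit of the per-CA signing-policy files grid trust-anchor bundles ship, but the format and all DNs here are constructed), checks an issued certificate's subject against its issuer's namespace, and reports every pair of CAs whose namespaces collide, which is the check a PMA would run before admitting a new authority or a catch-all CA.

```python
"""Namespace coordination checks for a federation of independent CAs (added example)."""
import fnmatch

# Constructed sample: issuer DN -> subject-name patterns the PMA agreed to.
# The catch-all CA's second pattern deliberately reaches into the NL CA's namespace.
NAMESPACE_RULES = {
    "/C=NL/O=NIKHEF/CN=Example NL Grid CA": ["/O=dutchgrid/*"],
    "/C=IE/O=Grid-Ireland/CN=Example IE Grid CA": ["/C=IE/O=Grid-Ireland/*"],
    "/C=XX/O=Example Catch-all CA": ["/C=XX/*", "/O=dutchgrid/O=users/*"],
}


def _split(pattern):
    """Return (literal prefix, has trailing wildcard); reject shapes we cannot reason about."""
    if pattern.endswith("*"):
        prefix, wildcard = pattern[:-1], True
    else:
        prefix, wildcard = pattern, False
    if any(ch in prefix for ch in "*?["):
        raise ValueError("only a literal prefix with an optional trailing '*' is supported: %r" % pattern)
    return prefix, wildcard


def subject_allowed(rules, issuer, subject):
    """True if `issuer` is accredited and `subject` falls inside its agreed namespace."""
    return any(fnmatch.fnmatchcase(subject, pat) for pat in rules.get(issuer, []))


def patterns_overlap(p, q):
    """True if at least one subject name could match both patterns."""
    pp, pw = _split(p)
    qp, qw = _split(q)
    if pw and qw:
        return pp.startswith(qp) or qp.startswith(pp)
    if pw:
        return qp.startswith(pp)
    if qw:
        return pp.startswith(qp)
    return pp == qp


def find_overlaps(rules):
    """List (issuer_a, pattern_a, issuer_b, pattern_b) for every colliding pair of CA namespaces."""
    issuers = sorted(rules)
    hits = []
    for i, a in enumerate(issuers):
        for b in issuers[i + 1:]:
            for pa in rules[a]:
                for pb in rules[b]:
                    if patterns_overlap(pa, pb):
                        hits.append((a, pa, b, pb))
    return hits


def out_of_namespace(rules, issued):
    """From (issuer, subject) pairs seen in circulation, return those a relying party must reject."""
    return [(i, s) for i, s in issued if not subject_allowed(rules, i, s)]


# Constructed certificates as a relying party might see them; two must be rejected.
ISSUED = [
    ("/C=NL/O=NIKHEF/CN=Example NL Grid CA", "/O=dutchgrid/O=users/O=nikhef/CN=Jane Doe"),
    ("/C=NL/O=NIKHEF/CN=Example NL Grid CA", "/C=IE/O=Grid-Ireland/CN=Mallory"),
    ("/C=IE/O=Grid-Ireland/CN=Example IE Grid CA", "/C=IE/O=Grid-Ireland/CN=John Smith"),
    ("/C=ZZ/O=Unaccredited CA", "/O=dutchgrid/O=users/CN=Anyone"),
]

if __name__ == "__main__":
    for hit in find_overlaps(NAMESPACE_RULES):
        print("namespace overlap:", hit)
    for issuer, subject in out_of_namespace(NAMESPACE_RULES, ISSUED):
        print("reject:", issuer, "signed", subject)
```

Run stand-alone it prints one overlap (the catch-all CA against the NL CA) and two rejections: a certificate the NL CA signed for a name outside its namespace, and one from an issuer that is not accredited at all. The second rejection is why the namespace check and the trust-anchor list must be evaluated together: a name inside an agreed namespace means nothing unless the signer is the authority it was agreed for.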

Page 29: Standardization of Grid Security Policies for e-Science Infrastructures

Guidelines: secured X.509 CAs

Aimed at long-lived identity assertions, the ‘traditional PKI’ world

• Identity vetting procedures
  – Based on (national) photo ID’s
  – Face-to-face verification of applicants via a network of distributed Registration Authorities
  – Periodic renewal (once every year)
  – revocation and CRL issuing required, and we have all RPs actually downloading the CRLs several times a day
  – subject naming must be a reasonable representation of the entity name

• Secure operation
  – off-line signing key or HSM-backed on-line secured systems

• Audit requirements
  – data retention and audit trail requirements, traceability of certified entities

• Technical implementation
  – need to limit the number of issuing authorities for technical reasons (most software and browsers cannot support O(1000) issuers)
  – certificate profile and interoperability

Page 30: Standardization of Grid Security Policies for e-Science Infrastructures

Short-lived or member integrated services

Aimed at short-lived ‘translations’, that are organisation/federation bound

• Identity vetting procedures
  – based on an existing ID Management system of sufficient quality
  – Original identity vetting must be of sufficient quality to trace the individual for as long as name is in active use
  – If documented traceability is lost, the subject name can never be re-used
  – revocation and CRL issuing not required for assertion lifetimes << 1 Ms
  – subject naming must be a reasonable representation of the entity name

• Secure operation
  – HSM-backed on-line secured systems

• Audit requirements
  – data retention and audit trail requirements, traceability of certified entities

• Technical implementation
  – scaling of this model still needs to be demonstrated, and needs higher-level coordination
  – most software and browsers cannot support O(1000) issuers
  – and a peer-review based trust fabric cannot do that either …
  – certificate profile and interoperability

Page 31: Standardization of Grid Security Policies for e-Science Infrastructures

MICS ID management system requirements

Identity vetting requirements: convincing the world that you’re OK

How the IdM is populated, maintained and cleaned MUST be documented and agreed to by the PMA. Two modes:

By example: The IdM used by the CA should be a system that is also used to protect access to critical resources, e.g. payroll systems, for use in financial transactions, granting access to highly-valuable resources, and be regularly maintained.

By review: Alternatively, equivalent security mechanisms must be provided, described in detail and presented to the PMA and are subject to PMA agreement.

And again the data for those entities in the IdM that qualify for ‘MICS’ assertions must be of a quality that allows unique tracing, name uniqueness and persistency – and a mechanism to clean ‘stale’ entries must be defined.

Example: the UvAmsterdam does not trust its own system even for grading!

This tries to ‘catch’ the quality of the system without having to report to formal audits.
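Pages 30 and 31 state the naming rules a member-integrated (MICS/SLCS) translation service has to enforce on top of its home IdM: a subject name refers to exactly one traceable individual, a name whose documented traceability is lost is never re-used, stale entries are cleaned, and an assertion is only issued for a live, confirmed binding. Below is an added example, not code from the slides or from any deployed translation service, that models those rules as a small registry; the entry fields, the 365-day stale-after interval and the sample names are assumptions made for the example.

```python
"""Subject-name uniqueness and persistency for a MICS/SLCS-style credential translator (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class NamingPolicyError(Exception):
    """Raised when an operation would violate name uniqueness or persistency."""


@dataclass
class Entry:
    subject_name: str         # the grid subject name asserted in issued credentials
    identity_ref: str         # reference into the home organisation's IdM record (assumed field)
    last_confirmed: datetime  # last time the IdM confirmed this person/name binding


class SubjectRegistry:
    def __init__(self, stale_after: timedelta):
        self.stale_after = stale_after
        self.active = {}       # subject_name -> Entry
        self.retired = set()   # names that may never be bound again

    def bind(self, subject_name, identity_ref, now):
        """Bind a name to an individual; idempotent for the same person, refused for anyone else."""
        if subject_name in self.retired:
            raise NamingPolicyError("traceability was lost for %r; the name is permanently retired" % subject_name)
        entry = self.active.get(subject_name)
        if entry is None:
            entry = Entry(subject_name, identity_ref, now)
            self.active[subject_name] = entry
        elif entry.identity_ref != identity_ref:
            raise NamingPolicyError("%r is already bound to another individual" % subject_name)
        else:
            entry.last_confirmed = now      # the IdM re-confirmed the same binding
        return entry

    def retire(self, subject_name):
        """Documented traceability is gone: drop the entry and block the name for good."""
        self.active.pop(subject_name, None)
        self.retired.add(subject_name)

    def clean_stale(self, now):
        """Retire every binding the IdM has not re-confirmed within stale_after; return the names."""
        stale = [n for n, e in self.active.items() if now - e.last_confirmed > self.stale_after]
        for name in stale:
            self.retire(name)
        return stale

    def may_assert(self, subject_name, now):
        """Precondition for issuing a short-lived credential: a live, recently confirmed binding."""
        entry = self.active.get(subject_name)
        return entry is not None and now - entry.last_confirmed <= self.stale_after


def scenario():
    """Exercise the rules on constructed data; returns named outcomes for checking."""
    t0 = datetime(2007, 10, 10, tzinfo=timezone.utc)
    day = timedelta(days=1)
    reg = SubjectRegistry(stale_after=365 * day)
    jane, old = "/O=example/CN=Jane Doe", "/O=example/CN=Old Account"
    out = {}
    reg.bind(jane, "idm:1001", t0)
    reg.bind(old, "idm:3003", t0)
    out["fresh_binding_usable"] = reg.may_assert(jane, t0)
    try:                                    # same name, different person: refused
        reg.bind(jane, "idm:2002", t0 + day)
        out["collision_refused"] = False
    except NamingPolicyError:
        out["collision_refused"] = True
    reg.bind(jane, "idm:1001", t0 + 300 * day)          # IdM re-confirms Jane
    out["only_stale_entry_retired"] = reg.clean_stale(t0 + 400 * day) == [old]
    out["reconfirmed_binding_usable"] = reg.may_assert(jane, t0 + 400 * day)
    try:                                    # a retired name never comes back, even for the same person
        reg.bind(old, "idm:3003", t0 + 401 * day)
        out["reuse_refused"] = False
    except NamingPolicyError:
        out["reuse_refused"] = True
    out["retired_name_unusable"] = not reg.may_assert(old, t0 + 401 * day)
    return out


if __name__ == "__main__":
    for check, ok in scenario().items():
        print("%-28s %s" % (check, "ok" if ok else "VIOLATED"))
```

The retirement set is what makes "can never be re-used" hold across IdM churn: deleting a stale entry alone would let a later employee with the same name inherit the old subject name, and with it any authorization decisions still keyed on it.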

Page 32: Standardization of Grid Security Policies for e-Science Infrastructures

MICS/SLCS Federated Deployment Model

• Grid AuthN interface based on national federations
  – use of MICS AP by pushing ‘down’ the requirements onto its members
  – maximum leverage of national efforts
  – in line with the complementarity principle
  – needed for scalability of the PMA itself!

• Example: SWITCH-aai
  – from entire existing federation with a single ‘SLCS’ front-end
  – introduce concept of ‘entitlement’ so only appropriately vetted users can use the translation service
  – issue grid compatible credentials automatically
  – with life time ~ few days
  – similar efforts in NL, UK/NGS

graphic courtesy Christoph Witzig,

Page 33: Standardization of Grid Security Policies for e-Science Infrastructures

Profile matrix: where we stand

Multiple Authentication Profiles: where the IGTF stands today

Classic AP (near-inline ID vetting)
  – Identity vetting: with govt photo-ID, only by in-person F2F meeting of RA
  – Subject: soft-tokens allowed
  – Issuer: off-line, or online HSM 140.2-3 (FIPS 140-2 level 3)

MICS (time-shifted ID vetting) and SLCS (time-shifted ID vetting)
  – Identity vetting: with govt photo-ID, with proven documented traceability to individual at any time (no definite F2F requirement)
  – Subject: soft-tokens allowed
  – Issuer: online HSM 140.2-3 (FIPS 140-2 level 3)

Although ‘Single Trust Level’ is a good message, trend is towards more diverse LoAs
• diversity of resource types is increasing
• alternate grid use models call for a wider range of LoAs

Page 34: Standardization of Grid Security Policies for e-Science Infrastructures

Common Trust Anchor Distribution

The IGTF is a policy bridge architecture, thus …
• has a large set of ‘trust anchors’ (CA certificates)
• single, common distribution across all of the IGTF
• with ‘trusted committers’ in each PMA

• Dedicated authoritative secure source … enabled by NEDO
  – mirrored by each PMA
  – source host “dist.eugridpma.info”
  – https with browser-recognised cert
  – protected, with specific VMs and monitoring
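A mirrored distribution is only as good as the relying party's ability to check a mirror against the authoritative source; page 28 names TACAR as the independent place where trust-anchor fingerprints can be verified, and this page names the authoritative host the PMAs mirror. The following added example, not the IGTF's tooling and not code from the slides, shows the relying-party side of that check: a fingerprint manifest published by the authoritative source is compared with the files fetched from a mirror, and only anchors whose digest matches are installed, while altered, missing and unlisted anchors are reported. The manifest format (one "<hex sha256>  <filename>" line per anchor), the file names and the stand-in certificate bodies are constructed for the example; a real bundle would carry PEM-encoded CA certificates and the manifest would itself be signed.

```python
"""Verify a mirrored trust-anchor bundle against an authoritative fingerprint list (added example)."""
import hashlib
import os
import tempfile

# Constructed trust anchors; real ones would be PEM-encoded CA certificates.
AUTHORITATIVE_ANCHORS = {
    "example-nl-ca.pem": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED NL CA\n-----END CERTIFICATE-----\n",
    "example-ie-ca.pem": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED IE CA\n-----END CERTIFICATE-----\n",
}


def fingerprint(data: bytes) -> str:
    """SHA-256 over the distributed file; a TACAR-style list would publish the same per anchor."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(anchors) -> str:
    """What the authoritative source publishes (and, in a real deployment, signs)."""
    return "".join("%s  %s\n" % (fingerprint(body), name) for name, body in sorted(anchors.items()))


def parse_manifest(text):
    """Manifest text -> {filename: expected hex digest}."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest
    return expected


def verify_mirror(mirror_dir, manifest_text):
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'} for the mirrored copy."""
    expected = parse_manifest(manifest_text)
    result = {}
    for name, digest in expected.items():
        path = os.path.join(mirror_dir, name)
        if not os.path.exists(path):
            result[name] = "missing"
            continue
        with open(path, "rb") as fh:
            result[name] = "ok" if fingerprint(fh.read()) == digest else "mismatch"
    for name in os.listdir(mirror_dir):
        if name.endswith(".pem") and name not in expected:
            result[name] = "unlisted"   # an anchor nobody accredited must not be installed
    return result


def trusted_anchors(verification):
    """Only anchors that match the authoritative fingerprint may go into the trust store."""
    return sorted(name for name, status in verification.items() if status == "ok")


def simulate():
    """Build an intact mirror and a tampered one in a temp dir; return both verification results."""
    manifest = build_manifest(AUTHORITATIVE_ANCHORS)
    with tempfile.TemporaryDirectory() as mirror:
        for name, body in AUTHORITATIVE_ANCHORS.items():
            with open(os.path.join(mirror, name), "wb") as fh:
                fh.write(body)
        intact = verify_mirror(mirror, manifest)
        # Tamper: replace one anchor, add one nobody accredited, and drop one entirely.
        with open(os.path.join(mirror, "example-ie-ca.pem"), "wb") as fh:
            fh.write(b"-----BEGIN CERTIFICATE-----\nROGUE CA\n-----END CERTIFICATE-----\n")
        with open(os.path.join(mirror, "rogue-extra-ca.pem"), "wb") as fh:
            fh.write(b"-----BEGIN CERTIFICATE-----\nUNACCREDITED\n-----END CERTIFICATE-----\n")
        os.remove(os.path.join(mirror, "example-nl-ca.pem"))
        tampered = verify_mirror(mirror, manifest)
    return intact, tampered


if __name__ == "__main__":
    intact, tampered = simulate()
    print("intact mirror:  ", intact, "-> install", trusted_anchors(intact))
    print("tampered mirror:", tampered, "-> install", trusted_anchors(tampered))
```

The "missing" case matters as much as "mismatch": a mirror that silently drops an accredited CA causes every certificate from that authority to fail at the relying party, which is an availability failure the federation notices only if mirrors are checked against the authoritative list rather than trusted as delivered.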

Page 35: Standardization of Grid Security Policies for e-Science Infrastructures

Auditing

Page 36: Standardization of Grid Security Policies for e-Science Infrastructures

Auditing

Auditing foundation laid by Yoshio Tanaka from 2005

• Derived from
  – the Classic AP guidelines
  – WebTrust Seal of Approval criteria

• Subsequently refined
  – applying it to all new CAs in the AP region
  – cross-reviews by the NAREGI project
  – review in the IGTF, and via the OGF CAOPS Working Group

• Thorough implementation in the APGridPMA allowed for rapid convergence and building experience for assessing compliance and severity of the auditing criteria

Page 37: Standardization of Grid Security Policies for e-Science Infrastructures

CAOPS-WG Auditing (draft)

• list of essential items
• selected guidance

Page 38: Standardization of Grid Security Policies for e-Science Infrastructures

Expanding Auditing

Audit process developed by the NEDO project is now introduced as a basis for harmonizing international CA coordination
  – EUGridPMA formally adopted the Continuous Audit Process
  – uses the Review Criteria document established by Yoshio Tanaka
  – With an implementation process that will ensure bi-annual auditing of all CAs in the EUGridPMA
  – In due course will become de-facto standard across all of the IGTF

Page 39: Standardization of Grid Security Policies for e-Science Infrastructures

EUGridPMA Examples

• Grid-Ireland CA
• DutchGrid CA

Page 40: Standardization of Grid Security Policies for e-Science Infrastructures

Where to go from here?

Page 41: Standardization of Grid Security Policies for e-Science Infrastructures

Interoperation

‘The Grid Cannot Be Switched Off’

• maintaining interoperation between all international grid projects is now essential to be successful for e-science and, even more, for industrial applications – continuity of service is a must

• This necessarily limits radical changes, certainly in the AuthN and AuthZ area, where any change in standard interfaces would hurt the most

• Fortunately, the AuthN (and most of the AuthZ) components use existing accepted standards that provide the required functionality
  – new features can be gradually introduced within the current framework, i.e. in the X.509, X.509 AC and RFC3820 framework
  – SAML/XACML are already geared towards X.509 interoperation

Page 42: Standardization of Grid Security Policies for e-Science Infrastructures

Outlook

• Confederation is coming for grids and science
  – the user scenarios require it, as the user community is international
  – national federations, leveraging home organisation identity vetting or eGov IDs, are a ‘must’ for scalability
• e-Infrastructure needs the campus – and your researchers need e-Infra …
  – with a need for defined and verifiable LoAs (at high and low levels)
  – the ’homeless’ will be a permanent feature

• IGTF today provides an international trust fabric for AuthN
  – a source for ‘trusted’ identifiers
  – definition of multiple LoAs is starting, and we want to reach out and co-leverage other efforts as much as possible
  – by structure, we are geared towards catering for the ‘homeless’
  – we continue to have pressing urgent needs for federation today
  – but we are a long way from the O(10M+) users mark

Page 43: Standardization of Grid Security Policies for e-Science Infrastructures

In Collaboration With & Supported By