JISC Security and Access Management Event
27 February 2006, Armada House, Bristol
http://www.jisc.ac.uk/index.cfm?name=event_security_0206
Re-run of the October version of this event (see http://www.nesc.ac.uk/action/esi/contribution.cfm?Title=622 for slides etc.).
Anne Trefethen introduction
- General intro to AuthN and AuthZ, auditing trails of what heppened etc.
- Important that e-Science doesn't come up with security solutions that are completely bespoke to the application - it really needs to be more broadly applicable. Mentioned Shibboleth and how e-Science and the IE community should move together in this respect.
Nicole Harris, Programme Manager. "Access Management and Security"
- Going to be talking with most of the emphasis on e-research. How does JISC support e-Research? 6 sub-committees, but especially the "Support of Research" committee (JCSR). JISC doesn't do pure research - more implementation-oriented.
- Divided into 'champion' areas.
- Visualisation
- Public Understanding and Outreach
- Middleware And Technical development (Neil Geddes)
- Security (Brian Gilmore)
- [and several others I didn't catch!]
- Core Middleware: Technology Development
- and CM: Infrastructure.
- AuthN
- AuthZ
- Directory Services
- Identifiers
- Athens
- e-research CA
- Federated access trials
- IP, proxy etc.
- Shibbolising JISC resources at MIMAS and EDINA
- Support service - MATU at Eduserv
- Early adopter funding for individual institutions
- Regional Early Adoptors
- Full federated service (probably UKERNA)
- Communications and outreach programme (e.g. letters to all HE institutions)
- Evaluation element
- Repository of outputs
- Only really expecting early adopters to be using national service at that point.
- Other new starters expected September 2006.
- DYCOM (PERMIS and GRASP) to allow fine grained AM across multiple authorities
- DYVOSE - dynamic delegation of authority
- FAME-PERMIS - authN strength/LoA
- SIPS - PERMIS and Shib
SHEBANGS and ShibGrid
- SPIE - n-tier issues
- LICHEN - eduRoam in the UK
- AMIE - attribute assignment and management
Devel. core middleware with international partnerships
- Enhancing AAI services
- Virtual home for identities
- VO support
eduRoam/Federation co-ordination
ShibGrid implementation
- MIAP trials for e-Learning (Life-long learning)
- joint support posts at UKERNA and CA
- Accounting and auditing developments
- Level of Assurance
- users need to understand a little how it works.
- WS- and SAML compatibility, SAML 2.0 developments
- Access management
- Repositories
- (Don't know how aware that most people in the room were of Shib, grids and the general AM issues as most questions came from only a few people - including the presenters).
- SIGNET (USA)
- SHARPe (Australia)
- Divided into 'champion' areas.
Andrew Cormack, Chief Security Advisor UKERNA "Grids: Just another programme?"
- Grids are different/challenging
- but not as different as an MLE
- but more different than a new mail system (that uses standard protocols).
- Think about support and response Users: rights and responsibilities
- users need to be more aware, the environment is non-hierarchical
- non-hierarchical but might have its own policies
- different challenges
- grid apps are still developing
- more tinkering etc.
- staff need to liaise between users and providers
- grid services need to be promoted to potential users
- help early adopters - they will then promote to others
- grid fault/incident response often involves others
- (mentioned the EGEE security exercise recently)
- grids distribute faults, mistakes and incidents too
- decide what a grid incident might look like
- and what is the appropriate response?
- develop existing detection/response plans to suit
- "Expand your list of contacts"!
- Shared resources mean shared responsibilities
- e.g. don't write applications to grab all bandwidth if there are other users dependent on that bandwidth.
- Users must be cooperative and act responsibly
- Users must respect policy decisions
- of home site, networks and (many) resource providers
- the users have more power to abuse (intentionally/unintentionally) using grids and therefore must be more aware.
- Sites may need to trust users
- Grids are work in progress
- Users need some technical understanding
- And sensitivity to policy and organisational issues
- Policies may be behind the times
- Users need to be understanding if they do something bad that doesn't break the existing policy
- Some (not all) grids have high network demands
- Ensure LAN and user equipment is suitable
- May need to re-partition networks to segregate demand
- Some (not all) grids use challenging protocols
- Arrange firewalls - allow trunk flows
- Dynamic flows in secured (including endpoints) tunnels
- Make sure that you aren't providing a route around your existing security
- Make sure exposed devices are well maintained
- Applications
- Grid software
- Services
- AND OSs
- Grids often share across traditional boundaries
- Depts, orgs, national
- User doesn't have a contract with the owner of that distant resource: therefore we need better understanding and enforcement.
- May not fit existing AuthZ/enforcement structures
- Home org does the AuthN
- Resource provider does the AuthZ via a VO
-> Federation model
- Not a new idea
- (IT and) libraries have had guest users for years
- Will become increasingly common
- Grids, Shibboleth, JANET Roaming/eduRoam
- Federation of users and providers agree
- Clear policies and responsibilities
- Effective accounging and enforcement
- To reassure both providers and users
- Andrew's "Deploying Grids: UKERNA Technical Guide"
- also
- Grid Incident Response: TERENA TF-CSIRT discussion paper.
LUNCH
David Chadwick, PERMIS "Improved Authorisation"
- PERMIS AND SHIBBOLETH
- Weaknesses in Shibboleth
- Only one AA is supported
- Plain attributes (relatively easy to be tampered with)
- Only basic access control capability
- need the person who owns the resource to control the access
- at the moment it is mostly the "Apache administrator"
- Modular AuthZ infrastructure -- all aspects of AuthZ
- Allocating credentials to users
- Supports distributed credential management
- Supports dynamic delegation of authority
- Supports hierarchical RBAC
- Very secure as policies and credentials can be digitally signed.
- DyVOSE project (Dynamic Delegation of Authority) at Glasgow.
- Web-based selection of attributes (roles) and also delegation of authority, and revocation - builds PERMIS policy in the background.
- Now nearly at the point where PERMIS can be used to have a common policy (and interface) between grid resources and campus based resources.
- DyCOM project.
- Weaknesses in Shibboleth
Tim Chown - LICHEN and the Janet Roaming Service
- JRS
- Original requirement: people roaming about with wireless devices between institutions
- Was LIN (Location Independent Networking) - rebadged for service launch as JRS 2 scalable solutions:
- Web redirection gateway access control
- 802.1x access control
- access the layer 2 network (port) not granted until user enters their credentials
- Restricted VPN based access control (visit your home VPN)
- Would not scale as local firewall would have to have the IP addresses of all the institutions' VPN servers - OK for 10s of sites, but not for 100s or 1000s
- allows all members of a site to have access
- but for small collaborative projects, policy control is needed
- Soutampton, Bristol and Manchester
- for policies
- Can Shib be used for WLAN access control?
- Could the JRS be used as a back end for Shib?
- Problem: how can the wireless access point use a WAYF? and then a wireless WAYF use a home site Shib login?
What about JRS using a Virtual Identity Provider (VIdP)?
- This is the way!
- 3 levels of attribute support:
- A No attributes, just is 'a member of'
- B Implement a common set of eduPerson attributes
C Allow bespoke attributes between VIdP and SP What they don't know yet is the demand for such attributes.
Building a VIdP
- No changes to WAYF of SP code
IdP modified to become VIdP
- Home site needs to opt in
- Some policy decisions needed, though.
Who would manage the VIdP? Probably UKERNA.
- 3 levels of attribute support:
Neil Geddes - ShibGrid/GridShib
- Background
- JISC research into access management issues
- Improve the way that users access resources across UK educational sector
- JISC havce chosen Shibboleth
- One of the first working solutions
- Extensive testing in large deployments
IPG, DataGrid, TeraGrid, OSG, EGEE
- Building of process and trust
- Which certificates to trust (internationally)
- International Grid Trust Federation (ITGF) www.gridpma.org
- Proxy certificates (useful)
- Uses GSI from Globus
- Provides
- delegation
- international interoperability
- Provides
MyProxy
- Not always convenient to carry your X.509 certificate around with you
- Can put it (or a proxy) into a secure store which itself can be accessed easily from anywhere
to use MyProxy with Shib
- to use Shib brokered authN to the NGS portal
Talked a bit about GridShib project (Von Welch)
- uses cert via GSI
- but AuthZ via Shibboleth/SAML
Introduded SHEBANGS and ShibGrid Next version of Shibboleth is coming up with a delegation profile, but it may not be good enough for most grid use. Condor is doing a lot of work to become Shibboleth-friendly. Future priorities and issues:
- VOs
Shibboleth, VOMS, Permis, GridShib
- Build authZ into some real world application
- (I think he meant role-based)
Finished with relatively few questions and we pretty much got away early! Less animated than equivalent meeting in October in Edinburgh.
In the breaks I chatted with David White (Technology Assisted Lifelong Learning - TALL - at Oxford). He is doing something with Lionshare (peer to peer app.) for distance learners and the main problem is that their users cannot get on the Oxford databases (University Card, Herald etc.) and therefore they couldn't (easily) use Shibboleth or Webauth SSO to authenticate them.
Also spoke to Ioannis Daskalopoulos from Cambridge e-Science centre. He's working on Cancer Grid and is interested in role-based access to anonymised/de-anonymised data etc. etc. I told him about the VOTES work at Glasgow and of Von Welch's GridShib work.