Security, Security, Security

By By Tony Hey, Contributing Author

May 30, 2005

The Grid presents significant new challenges for organizational security. Typical Grid applications require complex and dynamic patterns of trust to be established and to be implemented by computers making decisions about the identity and rights of individual users. In addition, much of the Grid middleware in common use has been designed for environments in which there is a high level of trust between systems and there is an implicit assumption that the network infrastructure is very open. Within such an environment, the major concern is to ensure that only legitimate users can access the set of resources to which they are entitled. There is often the tacit assumption that would-be illegitimate users are excluded by some external perimeter surrounding the enclosed trusted environment. Therefore, much of the concern with Grid security has been concentrated on authentication of users and authorization of resources within such a trusted environment rather than focusing on attacks that may come from outside.

Most university networks are moving away from a simple security model in which everything inside a perimeter is trusted and everything outside is not. This move toward a more complex security structure is due to two pressures: (1) the need for inter-institutional collaboration with people and systems outside such a perimeter and (2) the increased threat from rapidly spreading worms and viruses that can appear both outside and inside the perimeter. Production networks in education now typically implement firewalls and routers that control the flow of traffic both between and within organizations.

The problem is that these security measures were designed to manage traditional patterns of computing in which client and server functions are performed by different systems with well known protocols and where there are simple trust relationships reflecting the organizational hierarchies. By contrast, Grid applications often require transmission of very large amounts of data at high speeds in non-standard use patterns. This can cause problems for these routers and firewalls. For example, firewalls need to be able to distinguish between “good” traffic that should be permitted to pass and “hostile” traffic that should be blocked. Traditionally, this has been done using port numbers with a typical firewall allowing connections on ports 80 and 443 to the Web server and port 25 to the mail server. For simple protocols using a single TCP connection, this level of description by port and destination is adequate. Grid applications, however, tend to involve multiple connections between groups of machines and these protocols are much more complex to describe.

Of course, for Grids deployed entirely within an enterprise, security is perhaps not such an issue. However, even here there is the need for reliable accounting solutions, as Grids typically cross multiple administrative domains. More fundamental security issues arise when Grid applications cross institutional boundaries. Although the move toward Web services is to be welcomed as a step toward building robust, industrial-strength Grid middleware, the situation surrounding security standards is, unfortunately, confused.

It was for this reason that a meeting on “Security for e-Science: Approaches and Interoperability” was held April 11 in London by the U.K. e-Science Core Program. Speakers representing the various different approaches made presentations on the possible key technologies and the meeting was very useful in presenting a “map” of the present state of Grid security. However, as can be seen from the following summary of the talks at this meeting, there are many different strands that must ultimately be reconciled to provide an acceptable set of Grid security solutions.

The meeting opened with an overview of security technologies from Peter Henderson of the United Kingdom's Open Middleware Infrastructure Institute. Marty Humphrey from the University of Virginia then gave a presentation on the present sorry state of Web service security standards. He began by reminding the audience of the beautiful Web services security roadmap proposed by IBM and Microsoft in 2002.

From this roadmap, the WS-Security proposal has progressed from a proposed specification in April 2002 to an OASIS standard by April 2003. Unfortunately, the status of other specifications on the roadmap — such as WS-Policy, WS-SecureConversation, WS-Trust and WS-Federation — is rather unclear. The statuses of WS-Privacy and WS-Authorization are even less clear. Humphrey then described the WS-I Security Profile and the SAML and XACML OASIS standards and noted a potentially confusing overlap between XACML and SAML. He concluded with a discussion of WS-Delegation, a GGF standards effort led by Olle Mulmo. David Chadwick then gave an overview of GGF activities on authentication and authorization using PERMIS. He stressed that it is the use of resources by an application — rather than a user — that is the primary motivation for introducing proxy certificates.

From these rather abstract discussions, the meeting moved on to concrete implementations, with talks from Frank Siebenlist on the Globus GT4 security architecture, Olle Mulmo on the approach to security of the European EGEE project and Li Zha on security in the CNGrid VEGA project. Siebenlist began by stressing the importance of a security policy for a virtual organization (VO) and the role of security services in facilitating enforcement of this policy. After reviewing the OGSA security services, he outlined GT4's support for different mechanisms for attribute assertions — VOMS, PERMIS, X.509, Shibboleth and SAML. He noted that moving to an SAML/XACML approach provided GT4 with a more flexible way to support a variety of security solutions than just X.509 certificates. An open source XACML runtime is being shipped with GT4. He concluded that the capability to form a dynamic, “five-minute VO” is still an as yet unrealized goal for the Grid community.

Mulmo from KTH in Stockholm then described the EU-funded EGEE project that connects more than 100 sites across Europe and constitutes probably the largest production Grid in the world with more than 10,000 CPUs and over 5 petabytes of storage. The EGEE infrastructure uses X.509 and proxy certificates with the VOMS package for authorization and VO management. He noted that for the third “A” of AAA, “accounting,” no solution was currently deployed. Similarly, there was as yet no overall solution for “audit,” the so-called fourth “A” of AAA.

Zha from the ICT Institute of the Chinese Academy of Sciences described security in the VEGA project. After an overview of the VEGA GOS architecture, he described the Agora and Grip services that, along with WS-Security, form the basis for implementing the VEGA security architecture. The Agora service provides VO authorization and access control using a SAML based authorization token. The Grip service is a Grid process that provides a runtime construct to deliver secure access to a service.

So far, the meeting had concentrated on the security concerns of a VO as typified by Grid application projects. However, members of any Grid VO are also members of institutions, each of which have their own security infrastructure. The remaining talks were concerned with Internet2's Shibboleth architecture. Shibboleth mandates neither a specific authentication scheme (this is taken to be the responsibility of the home institution) nor a specific authorization scheme (this is the responsibility of the resource owner). Instead, Shibboleth is an open standards-based protocol for securely transferring attributes between the home site and the resource site. The message flows are defined in SAML and the institution member attributes (in U.S. academia) are typically taken from the eduPerson and eduOrg schemas.

There is growing international acceptance for Shibboleth with its deployment by some 30 major U.S. universities; serious trials in the United Kingdom, Switzerland and other countries in Europe; and a significant deployment project in Australia. Alan Robiette from JISC reported on an interesting U.K. project attempting to add more intelligence to the resource manager by integrating PERMIS as a decision engine within the Shibboleth framework. Martin Sutter from the Swiss academic research network organization SWITCH reported on the “SWITCHaai” project. This has successfully deployed a Shibboleth-based Authentication and Authorization infrastructure (AAI) across the seven major Swiss universities. The final talk of the day was by Von Welch from NCSA who explained the goals of the NSF-funded “GridShib” project. This project aims to incorporate Shibboleth-issued attributes for authorization into Grids built on the Globus GT4 toolkit. The project is exploring possible methods of managing attributes for members of Grid VOs.

Although the picture for Grid security is a very complex one, the meeting was useful in exposing some of the real practical problems facing Grid VOs. I conclude this tale of unfinished business by describing the U.K. “GOLD” e-Science research project that is examining even more security issues for VOs. The project is focusing on the problems of coordination, information management, security and trust in a VO. The project is grounding its work with a proof of concept example VO taken from the chemical industry. The GOLD work on coordination and trust has focused on distributed workflow enactment. It has taken a more formal approach to these issues than most Grid projects and is defining semantics using the pi calculus and using the SPIN model checker for compositions. In addition, because its VOs involve commercial organizations, legal issues such as rights and obligations need to established through some form of electronic contracts. The project is using the Promela language to specify such contracts and implementing a “two-phase commit” type protocol to enforce non-repudiation.

As can be seen from the wide range of issues touched on in this article, there is still much to be done on Grid security!

A UKERNA Guidance Note on “Deploying Grids” by Andrew Cormack, UKERNA's chief security adviser, is available on the UKERNA Web site at www.ukerna.ac.uk. The presentations at the U.K. e-Science Security Meeting can be found on the NeSC Web site at www.nesc.ac.uk/events/townmeeting0405.

© Tony Hey May 2005

Subscribe to HPCwire's Weekly Update!

Be the most informed person in the room! Stay ahead of the tech trends with industy updates delivered to you every week!

Hyperion: AI-driven HPC Industry Continues to Push Growth Projections

November 21, 2019

Three major forces – AI, cloud and exascale – are combining to raise the HPC industry to heights exceeding expectations. According to market study results released this week by Hyperion Research at SC19 in Denver, Read more…

By Doug Black

At SC19: Bespoke Supercomputing for Climate and Weather

November 20, 2019

Weather and climate applications are some of the most important uses of HPC – a good model can save lives, as well as billions of dollars. But many weather and climate models struggle to run efficiently in their HPC en Read more…

By Oliver Peckham

Microsoft, Nvidia Launch Cloud HPC Service

November 20, 2019

Nvidia and Microsoft have joined forces to offer a cloud HPC capability based on the GPU vendor’s V100 Tensor Core chips linked via an InfiniBand network scaling up to 800 graphics processors. The partners announced Read more…

By George Leopold

Hazra Retiring from Intel Data Center Group, Successor Not Known

November 20, 2019

Rajeeb Hazra, corporate VP of Intel’s Data Center Group and GM for the Enterprise and Government Group, is retiring after more than 24 years at the company. At this writing, his successor is unknown. An earlier story on... Read more…

By Doug Black

Jensen Huang’s SC19 – Fast Cars, a Strong Arm, and Aiming for the Cloud(s)

November 20, 2019

We’ve come to expect Nvidia CEO Jensen Huang’s annual SC keynote to contain stunning graphics and lively bravado (with plenty of examples) in support of GPU-accelerated computing. In recent years, AI has joined the s Read more…

By John Russell

AWS Solution Channel

Making High Performance Computing Affordable and Accessible for Small and Medium Businesses with HPC on AWS

High performance computing (HPC) brings a powerful set of tools to a broad range of industries, helping to drive innovation and boost revenue in finance, genomics, oil and gas extraction, and other fields. Read more…

IBM Accelerated Insights

Data Management – The Key to a Successful AI Project

 

Five characteristics of an awesome AI data infrastructure

[Attend the IBM LSF & HPC User Group Meeting at SC19 in Denver on November 19!]

AI is powered by data

While neural networks seem to get all the glory, data is the unsung hero of AI projects – data lies at the heart of everything from model training to tuning to selection to validation. Read more…

SC19 Student Cluster Competition: Know Your Teams

November 19, 2019

I’m typing this live from Denver, the location of the 2019 Student Cluster Competition… and, oh yeah, the annual SC conference too. The attendance this year should be north of 13,000 people, with the majority attende Read more…

By Dan Olds

Hyperion: AI-driven HPC Industry Continues to Push Growth Projections

November 21, 2019

Three major forces – AI, cloud and exascale – are combining to raise the HPC industry to heights exceeding expectations. According to market study results r Read more…

By Doug Black

At SC19: Bespoke Supercomputing for Climate and Weather

November 20, 2019

Weather and climate applications are some of the most important uses of HPC – a good model can save lives, as well as billions of dollars. But many weather an Read more…

By Oliver Peckham

Hazra Retiring from Intel Data Center Group, Successor Not Known

November 20, 2019

Rajeeb Hazra, corporate VP of Intel’s Data Center Group and GM for the Enterprise and Government Group, is retiring after more than 24 years at the company. At this writing, his successor is unknown. An earlier story on... Read more…

By Doug Black

Jensen Huang’s SC19 – Fast Cars, a Strong Arm, and Aiming for the Cloud(s)

November 20, 2019

We’ve come to expect Nvidia CEO Jensen Huang’s annual SC keynote to contain stunning graphics and lively bravado (with plenty of examples) in support of GPU Read more…

By John Russell

Top500: US Maintains Performance Lead; Arm Tops Green500

November 18, 2019

The 54th Top500, revealed today at SC19, is a familiar list: the U.S. Summit (ORNL) and Sierra (LLNL) machines, offering 148.6 and 94.6 petaflops respectively, Read more…

By Tiffany Trader

ScaleMatrix and Nvidia Launch ‘Deploy Anywhere’ DGX HPC and AI in a Controlled Enclosure

November 18, 2019

HPC and AI in a phone booth: ScaleMatrix and Nvidia announced today at the SC19 conference in Denver a joint offering that puts up to 13 petaflops of Nvidia DGX Read more…

By Doug Black

Intel Debuts New GPU – Ponte Vecchio – and Outlines Aspirations for oneAPI

November 17, 2019

Intel today revealed a few more details about its forthcoming Xe line of GPUs – the top SKU is named Ponte Vecchio and will be used in Aurora, the first plann Read more…

By John Russell

SC19: Welcome to Denver

November 17, 2019

A significant swath of the HPC community has come to Denver for SC19, which began today (Sunday) with a rich technical program. As is customary, the ribbon cutt Read more…

By Tiffany Trader

Supercomputer-Powered AI Tackles a Key Fusion Energy Challenge

August 7, 2019

Fusion energy is the Holy Grail of the energy world: low-radioactivity, low-waste, zero-carbon, high-output nuclear power that can run on hydrogen or lithium. T Read more…

By Oliver Peckham

Using AI to Solve One of the Most Prevailing Problems in CFD

October 17, 2019

How can artificial intelligence (AI) and high-performance computing (HPC) solve mesh generation, one of the most commonly referenced problems in computational engineering? A new study has set out to answer this question and create an industry-first AI-mesh application... Read more…

By James Sharpe

Cray Wins NNSA-Livermore ‘El Capitan’ Exascale Contract

August 13, 2019

Cray has won the bid to build the first exascale supercomputer for the National Nuclear Security Administration (NNSA) and Lawrence Livermore National Laborator Read more…

By Tiffany Trader

DARPA Looks to Propel Parallelism

September 4, 2019

As Moore’s law runs out of steam, new programming approaches are being pursued with the goal of greater hardware performance with less coding. The Defense Advanced Projects Research Agency is launching a new programming effort aimed at leveraging the benefits of massive distributed parallelism with less sweat. Read more…

By George Leopold

AMD Launches Epyc Rome, First 7nm CPU

August 8, 2019

From a gala event at the Palace of Fine Arts in San Francisco yesterday (Aug. 7), AMD launched its second-generation Epyc Rome x86 chips, based on its 7nm proce Read more…

By Tiffany Trader

D-Wave’s Path to 5000 Qubits; Google’s Quantum Supremacy Claim

September 24, 2019

On the heels of IBM’s quantum news last week come two more quantum items. D-Wave Systems today announced the name of its forthcoming 5000-qubit system, Advantage (yes the name choice isn’t serendipity), at its user conference being held this week in Newport, RI. Read more…

By John Russell

Ayar Labs to Demo Photonics Chiplet in FPGA Package at Hot Chips

August 19, 2019

Silicon startup Ayar Labs continues to gain momentum with its DARPA-backed optical chiplet technology that puts advanced electronics and optics on the same chip Read more…

By Tiffany Trader

Crystal Ball Gazing: IBM’s Vision for the Future of Computing

October 14, 2019

Dario Gil, IBM’s relatively new director of research, painted a intriguing portrait of the future of computing along with a rough idea of how IBM thinks we’ Read more…

By John Russell

Leading Solution Providers

ISC 2019 Virtual Booth Video Tour

CRAY
CRAY
DDN
DDN
DELL EMC
DELL EMC
GOOGLE
GOOGLE
ONE STOP SYSTEMS
ONE STOP SYSTEMS
PANASAS
PANASAS
VERNE GLOBAL
VERNE GLOBAL

Cray, Fujitsu Both Bringing Fujitsu A64FX-based Supercomputers to Market in 2020

November 12, 2019

The number of top-tier HPC systems makers has shrunk due to a steady march of M&A activity, but there is increased diversity and choice of processing compon Read more…

By Tiffany Trader

Intel Confirms Retreat on Omni-Path

August 1, 2019

Intel Corp.’s plans to make a big splash in the network fabric market for linking HPC and other workloads has apparently belly-flopped. The chipmaker confirmed to us the outlines of an earlier report by the website CRN that it has jettisoned plans for a second-generation version of its Omni-Path interconnect... Read more…

By Staff report

Kubernetes, Containers and HPC

September 19, 2019

Software containers and Kubernetes are important tools for building, deploying, running and managing modern enterprise applications at scale and delivering enterprise software faster and more reliably to the end user — while using resources more efficiently and reducing costs. Read more…

By Daniel Gruber, Burak Yenier and Wolfgang Gentzsch, UberCloud

Dell Ramps Up HPC Testing of AMD Rome Processors

October 21, 2019

Dell Technologies is wading deeper into the AMD-based systems market with a growing evaluation program for the latest Epyc (Rome) microprocessors from AMD. In a Read more…

By John Russell

Rise of NIH’s Biowulf Mirrors the Rise of Computational Biology

July 29, 2019

The story of NIH’s supercomputer Biowulf is fascinating, important, and in many ways representative of the transformation of life sciences and biomedical res Read more…

By John Russell

Xilinx vs. Intel: FPGA Market Leaders Launch Server Accelerator Cards

August 6, 2019

The two FPGA market leaders, Intel and Xilinx, both announced new accelerator cards this week designed to handle specialized, compute-intensive workloads and un Read more…

By Doug Black

Intel Debuts New GPU – Ponte Vecchio – and Outlines Aspirations for oneAPI

November 17, 2019

Intel today revealed a few more details about its forthcoming Xe line of GPUs – the top SKU is named Ponte Vecchio and will be used in Aurora, the first plann Read more…

By John Russell

When Dense Matrix Representations Beat Sparse

September 9, 2019

In our world filled with unintended consequences, it turns out that saving memory space to help deal with GPU limitations, knowing it introduces performance pen Read more…

By James Reinders

  • arrow
  • Click Here for More Headlines
  • arrow
Do NOT follow this link or you will be banned from the site!
Share This