Security, Security, Security

By Tony Hey, Contributing Author

May 30, 2005

The Grid presents significant new challenges for organizational security. Typical Grid applications require complex and dynamic patterns of trust to be established and implemented by computers making decisions about the identity and rights of individual users. In addition, much of the Grid middleware in common use was designed for environments in which there is a high level of trust between systems and an implicit assumption that the network infrastructure is very open. Within such an environment, the major concern is to ensure that only legitimate users can access the set of resources to which they are entitled. There is often the tacit assumption that would-be illegitimate users are excluded by some external perimeter surrounding the enclosed trusted environment. Therefore, much of the concern with Grid security has been concentrated on authentication of users and authorization of their access to resources within such a trusted environment, rather than on attacks that may come from outside.

Most university networks are moving away from a simple security model in which everything inside a perimeter is trusted and everything outside is not. This move toward a more complex security structure is due to two pressures: (1) the need for inter-institutional collaboration with people and systems outside such a perimeter and (2) the increased threat from rapidly spreading worms and viruses that can appear both outside and inside the perimeter. Production networks in education now typically implement firewalls and routers that control the flow of traffic both between and within organizations.

The problem is that these security measures were designed to manage traditional patterns of computing in which client and server functions are performed by different systems with well-known protocols, and where there are simple trust relationships reflecting the organizational hierarchies. By contrast, Grid applications often require transmission of very large amounts of data at high speeds in non-standard patterns of use, and this can cause problems for these routers and firewalls. For example, a firewall needs to be able to distinguish between “good” traffic that should be permitted to pass and “hostile” traffic that should be blocked. Traditionally, this has been done using port numbers, with a typical firewall allowing connections on ports 80 and 443 to the Web server and port 25 to the mail server. For simple protocols using a single TCP connection, this level of description by port and destination is adequate. Grid applications, however, tend to involve multiple connections between groups of machines, and such protocols are much harder to describe in firewall rules.

Of course, for Grids deployed entirely within an enterprise, security is perhaps not such an issue. However, even here there is the need for reliable accounting solutions, as Grids typically cross multiple administrative domains. More fundamental security issues arise when Grid applications cross institutional boundaries. Although the move toward Web services is to be welcomed as a step toward building robust, industrial-strength Grid middleware, the situation surrounding security standards is, unfortunately, confused.

It was for this reason that a meeting on “Security for e-Science: Approaches and Interoperability” was held April 11 in London by the U.K. e-Science Core Program. Speakers representing the various different approaches made presentations on the possible key technologies and the meeting was very useful in presenting a “map” of the present state of Grid security. However, as can be seen from the following summary of the talks at this meeting, there are many different strands that must ultimately be reconciled to provide an acceptable set of Grid security solutions.

The meeting opened with an overview of security technologies from Peter Henderson of the United Kingdom's Open Middleware Infrastructure Institute. Marty Humphrey from the University of Virginia then gave a presentation on the present sorry state of Web service security standards. He began by reminding the audience of the beautiful Web services security roadmap proposed by IBM and Microsoft in 2002.

From this roadmap, WS-Security progressed from a proposed specification in April 2002 to an OASIS standard in April 2004. Unfortunately, the status of other specifications on the roadmap, such as WS-Policy, WS-SecureConversation, WS-Trust and WS-Federation, is rather unclear, and the status of WS-Privacy and WS-Authorization is even less clear. Humphrey then described the WS-I Basic Security Profile and the SAML and XACML OASIS standards, and noted a potentially confusing overlap between XACML and SAML. He concluded with a discussion of WS-Delegation, a GGF standards effort led by Olle Mulmo. David Chadwick then gave an overview of GGF activities on authentication and authorization using PERMIS. He stressed that it is the use of resources by an application acting on a user's behalf, rather than by the user directly, that is the primary motivation for introducing proxy certificates.

From these rather abstract discussions, the meeting moved on to concrete implementations, with talks from Frank Siebenlist on the Globus GT4 security architecture, Olle Mulmo on the approach to security of the European EGEE project and Li Zha on security in the CNGrid VEGA project. Siebenlist began by stressing the importance of a security policy for a virtual organization (VO) and the role of security services in facilitating enforcement of this policy. After reviewing the OGSA security services, he outlined GT4's support for different mechanisms for attribute assertions — VOMS, PERMIS, X.509, Shibboleth and SAML. He noted that moving to an SAML/XACML approach provided GT4 with a more flexible way to support a variety of security solutions than just X.509 certificates. An open source XACML runtime is being shipped with GT4. He concluded that the capability to form a dynamic, “five-minute VO” is still an as yet unrealized goal for the Grid community.

Mulmo from KTH in Stockholm then described the EU-funded EGEE project that connects more than 100 sites across Europe and constitutes probably the largest production Grid in the world with more than 10,000 CPUs and over 5 petabytes of storage. The EGEE infrastructure uses X.509 and proxy certificates with the VOMS package for authorization and VO management. He noted that for the third “A” of AAA, “accounting,” no solution was currently deployed. Similarly, there was as yet no overall solution for “audit,” the so-called fourth “A” of AAA.
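Chadwick's remark on why proxy certificates exist and EGEE's reliance on them come down to one mechanism, so it is worth seeing in code. The Go program below is an added illustration written for this page; it is not code from the meeting, from Globus or from EGEE. It mints a CA, an end-entity certificate for a user and a proxy signed with the user's own key (the application then acts with the proxy's key, never the user's), and it shows the practical catch: a standard X.509 validator refuses the chain because the user certificate is not a CA, so a Grid service has to apply the proxy rules itself. The CA, user and proxy names, the lifetimes and the omission of the critical ProxyCertInfo extension that RFC 3820 requires are all simplifications made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"reflect"
	"time"
)

// Chain is a Grid-style delegation chain: CA -> user -> proxy.
type Chain struct{ CA, User, Proxy *x509.Certificate }

var oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// rdns decodes a DER distinguished name that has already passed x509 parsing.
func rdns(raw []byte) (seq pkix.RDNSequence) {
	must(asn1.Unmarshal(raw, &seq))
	return seq
}

func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// proxySubject applies the RFC 3820 naming rule: the issuer's subject plus exactly one CN RDN.
func proxySubject(issuer *x509.Certificate, cn string) []byte {
	extra := pkix.RelativeDistinguishedNameSET{{Type: oidCommonName, Value: cn}}
	return must(asn1.Marshal(append(rdns(issuer.RawSubject), extra)))
}

// BuildChain mints, in memory, a CA, a long-lived end-entity certificate for the user (cA=false)
// and a short-lived proxy signed with the user's key but carrying its own fresh key pair.
func BuildChain(proxyLifetime time.Duration) *Chain {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	proxyKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Grid CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	user := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{Organization: []string{"ExampleVO"}, CommonName: "Alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, // cA=false: an end entity
	}, ca, &userKey.PublicKey, caKey)
	proxy := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), RawSubject: proxySubject(user, "proxy"),
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(proxyLifetime),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}, user, &proxyKey.PublicKey, userKey)
	return &Chain{CA: ca, User: user, Proxy: proxy}
}

// StandardVerify is what a proxy-unaware validator does: it refuses, because the signer is not a CA.
func StandardVerify(c *Chain) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.CA)
	inter.AddCert(c.User)
	_, err := c.Proxy.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

// VerifyProxy enforces the proxy rules a Grid service must apply itself, on top of validating
// the issuer (the user certificate) through the ordinary chain check.
func VerifyProxy(p, issuer *x509.Certificate, now time.Time) error {
	if !bytes.Equal(p.RawIssuer, issuer.RawSubject) {
		return fmt.Errorf("proxy issuer is not the delegating certificate")
	}
	if err := issuer.CheckSignature(p.SignatureAlgorithm, p.RawTBSCertificate, p.Signature); err != nil {
		return fmt.Errorf("proxy signature: %w", err)
	}
	if now.Before(p.NotBefore) || now.After(p.NotAfter) || p.NotAfter.After(issuer.NotAfter) {
		return fmt.Errorf("proxy outside its own or its issuer's validity window")
	}
	if p.IsCA {
		return fmt.Errorf("proxy must not assert cA=true")
	}
	sub, iss := rdns(p.RawSubject), rdns(issuer.RawSubject)
	if len(sub) != len(iss)+1 || !reflect.DeepEqual(sub[:len(iss)], iss) ||
		len(sub[len(iss)]) != 1 || !sub[len(iss)][0].Type.Equal(oidCommonName) {
		return fmt.Errorf("proxy subject must be the issuer's subject plus exactly one CN")
	}
	return nil
}
```

StandardVerify returns an error for the chain, while VerifyProxy accepts the proxy until its lifetime (or the user certificate's) runs out; it takes the user certificate as already validated against the CA by the ordinary chain check, which is where a real service would start. The two checks that matter most in practice are the signature under the user's key and the naming rule, because together they bind the proxy's fresh key to one identity; a validator that skips either will accept a proxy minted by anyone. The generic must helper needs Go 1.18 or later.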

Zha from the ICT Institute of the Chinese Academy of Sciences described security in the VEGA project. After an overview of the VEGA GOS architecture, he described the Agora and Grip services that, along with WS-Security, form the basis for implementing the VEGA security architecture. The Agora service provides VO authorization and access control using a SAML based authorization token. The Grip service is a Grid process that provides a runtime construct to deliver secure access to a service.

So far, the meeting had concentrated on the security concerns of a VO as typified by Grid application projects. However, members of any Grid VO are also members of institutions, each of which has its own security infrastructure. The remaining talks were concerned with Internet2's Shibboleth architecture. Shibboleth mandates neither a specific authentication scheme (this is taken to be the responsibility of the home institution) nor a specific authorization scheme (this is the responsibility of the resource owner). Instead, Shibboleth is an open, standards-based protocol for securely transferring attributes between the home site and the resource site. The message flows are defined in SAML, and the institution member attributes (in U.S. academia) are typically taken from the eduPerson and eduOrg schemas.

There is growing international acceptance for Shibboleth with its deployment by some 30 major U.S. universities; serious trials in the United Kingdom, Switzerland and other countries in Europe; and a significant deployment project in Australia. Alan Robiette from JISC reported on an interesting U.K. project attempting to add more intelligence to the resource manager by integrating PERMIS as a decision engine within the Shibboleth framework. Martin Sutter from the Swiss academic research network organization SWITCH reported on the “SWITCHaai” project. This has successfully deployed a Shibboleth-based Authentication and Authorization infrastructure (AAI) across the seven major Swiss universities. The final talk of the day was by Von Welch from NCSA who explained the goals of the NSF-funded “GridShib” project. This project aims to incorporate Shibboleth-issued attributes for authorization into Grids built on the Globus GT4 toolkit. The project is exploring possible methods of managing attributes for members of Grid VOs.
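The Shibboleth split described above (the home institution authenticates, the resource owner decides) and the attribute-assertion approach Siebenlist described for GT4 are easier to reason about with the resource-site half written out. The Go program below is an added example for this page, not code from Internet2, SWITCH, JISC, Globus or the GridShib project. Given an attribute assertion from a home institution, it checks the issuer against the service provider's list of trusted identity providers, the validity window and the audience restriction, and only then applies the resource owner's rule over eduPerson attributes. The identity provider and service provider entity IDs, the entitlement URN, the policy and the assertion itself are all constructed for the example. It assumes the XML signature on the assertion has already been verified against the identity provider's key from federation metadata; without that step the attribute values are just text anyone could have typed.

```go
package main

import (
	"encoding/xml"
	"time"
)

// Assertion is the slice of a SAML 2.0 assertion the resource site needs; Subject and Signature are not modelled.
type Assertion struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Issuer     string   `xml:"Issuer"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// eduPerson attribute names as released on the wire (OID URNs).
const (
	eduPersonAffiliation = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
	eduPersonEntitlement = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
)

// Policy is the resource owner's half: whom it trusts to authenticate, which audience it expects, what unlocks access.
type Policy struct {
	TrustedIssuers map[string]bool // IdP entityIDs from federation metadata
	Audience       string          // this service provider's own entityID
	Affiliations   map[string]bool // any of these eduPersonAffiliation values ...
	Entitlement    string          // ... plus this exact eduPersonEntitlement value
}

func hasValue(vals []string, ok func(string) bool) bool {
	for _, v := range vals {
		if ok(v) {
			return true
		}
	}
	return false
}

// Decide returns (permit, reason); a pure function of assertion, policy and clock, so every denial path is testable.
func Decide(raw []byte, p Policy, now time.Time) (bool, string) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return false, "malformed assertion: " + err.Error()
	}
	if !p.TrustedIssuers[a.Issuer] {
		return false, "issuer not in federation metadata: " + a.Issuer
	}
	nb, errNB := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, errNA := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if errNB != nil || errNA != nil || now.Before(nb) || !now.Before(na) {
		return false, "assertion outside its validity window"
	}
	if !hasValue(a.Conditions.Audiences, func(v string) bool { return v == p.Audience }) {
		return false, "assertion was not issued for this service provider"
	}
	attrs := map[string][]string{} // attribute name to all released values
	for _, at := range a.Attributes {
		attrs[at.Name] = append(attrs[at.Name], at.Values...)
	}
	if !hasValue(attrs[eduPersonAffiliation], func(v string) bool { return p.Affiliations[v] }) {
		return false, "no qualifying eduPersonAffiliation value"
	}
	if !hasValue(attrs[eduPersonEntitlement], func(v string) bool { return v == p.Entitlement }) {
		return false, "required eduPersonEntitlement not asserted"
	}
	return true, "permit"
}

// ExamplePolicy is a constructed policy for a fictitious Grid portal.
var ExamplePolicy = Policy{
	TrustedIssuers: map[string]bool{"https://idp.example.ac.uk/shibboleth": true},
	Audience:       "https://grid.example.org/shibboleth",
	Affiliations:   map[string]bool{"staff": true, "faculty": true},
	Entitlement:    "urn:mace:example.ac.uk:entitlement:grid-user",
}

// SampleAssertion is constructed and unsigned, shaped like what a Shibboleth IdP releases; the NameID is an opaque handle.
const SampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0" IssueInstant="2005-04-11T09:00:00Z">
  <saml:Issuer>https://idp.example.ac.uk/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>_pairwise-handle-4711</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-04-11T09:00:00Z" NotOnOrAfter="2005-04-11T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://grid.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:example.ac.uk:entitlement:grid-user</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`
```

In the GridShib and PERMIS settings mentioned above, Decide is the slot where a real policy engine sits: the released attributes are its input and the resource owner's policy is the rule. Note what the decision never needs: who the person is. The NameID is an opaque handle, and an affiliation plus an entitlement are enough to grant access, which is exactly the attribute-transfer model the article describes. The order of the checks also matters; issuer, time window and audience are rejected before any attribute is looked at, so an assertion replayed from another service provider, or one that has expired, never reaches the policy.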

Although the picture for Grid security is a very complex one, the meeting was useful in exposing some of the real practical problems facing Grid VOs. I conclude this tale of unfinished business by describing the U.K. “GOLD” e-Science research project, which is examining still more security issues for VOs. The project is focusing on the problems of coordination, information management, security and trust in a VO, and is grounding its work in a proof-of-concept example VO taken from the chemical industry. The GOLD work on coordination and trust has focused on distributed workflow enactment. It has taken a more formal approach to these issues than most Grid projects, defining semantics using the pi calculus and using the SPIN model checker to check compositions. In addition, because its VOs involve commercial organizations, legal issues such as rights and obligations need to be established through some form of electronic contract. The project is using the Promela language to specify such contracts and is implementing a “two-phase commit” type protocol to enforce non-repudiation.

As can be seen from the wide range of issues touched on in this article, there is still much to be done on Grid security!

A UKERNA Guidance Note on “Deploying Grids” by Andrew Cormack, UKERNA's chief security adviser, is available on the UKERNA Web site at www.ukerna.ac.uk. The presentations at the U.K. e-Science Security Meeting can be found on the NeSC Web site at www.nesc.ac.uk/events/townmeeting0405.

© Tony Hey May 2005
