Security, Security, Security

By By Tony Hey, Contributing Author

May 30, 2005

The Grid presents significant new challenges for organizational security. Typical Grid applications require complex and dynamic patterns of trust to be established and to be implemented by computers making decisions about the identity and rights of individual users. In addition, much of the Grid middleware in common use has been designed for environments in which there is a high level of trust between systems and there is an implicit assumption that the network infrastructure is very open. Within such an environment, the major concern is to ensure that only legitimate users can access the set of resources to which they are entitled. There is often the tacit assumption that would-be illegitimate users are excluded by some external perimeter surrounding the enclosed trusted environment. Therefore, much of the concern with Grid security has been concentrated on authentication of users and authorization of resources within such a trusted environment rather than focusing on attacks that may come from outside.

Most university networks are moving away from a simple security model in which everything inside a perimeter is trusted and everything outside is not. This move toward a more complex security structure is due to two pressures: (1) the need for inter-institutional collaboration with people and systems outside such a perimeter and (2) the increased threat from rapidly spreading worms and viruses that can appear both outside and inside the perimeter. Production networks in education now typically implement firewalls and routers that control the flow of traffic both between and within organizations.

The problem is that these security measures were designed to manage traditional patterns of computing in which client and server functions are performed by different systems with well known protocols and where there are simple trust relationships reflecting the organizational hierarchies. By contrast, Grid applications often require transmission of very large amounts of data at high speeds in non-standard use patterns. This can cause problems for these routers and firewalls. For example, firewalls need to be able to distinguish between “good” traffic that should be permitted to pass and “hostile” traffic that should be blocked. Traditionally, this has been done using port numbers with a typical firewall allowing connections on ports 80 and 443 to the Web server and port 25 to the mail server. For simple protocols using a single TCP connection, this level of description by port and destination is adequate. Grid applications, however, tend to involve multiple connections between groups of machines and these protocols are much more complex to describe.

Of course, for Grids deployed entirely within an enterprise, security is perhaps not such an issue. However, even here there is the need for reliable accounting solutions, as Grids typically cross multiple administrative domains. More fundamental security issues arise when Grid applications cross institutional boundaries. Although the move toward Web services is to be welcomed as a step toward building robust, industrial-strength Grid middleware, the situation surrounding security standards is, unfortunately, confused.

It was for this reason that a meeting on “Security for e-Science: Approaches and Interoperability” was held April 11 in London by the U.K. e-Science Core Program. Speakers representing the various different approaches made presentations on the possible key technologies and the meeting was very useful in presenting a “map” of the present state of Grid security. However, as can be seen from the following summary of the talks at this meeting, there are many different strands that must ultimately be reconciled to provide an acceptable set of Grid security solutions.

The meeting opened with an overview of security technologies from Peter Henderson of the United Kingdom's Open Middleware Infrastructure Institute. Marty Humphrey from the University of Virginia then gave a presentation on the present sorry state of Web service security standards. He began by reminding the audience of the beautiful Web services security roadmap proposed by IBM and Microsoft in 2002.

From this roadmap, the WS-Security proposal has progressed from a proposed specification in April 2002 to an OASIS standard by April 2003. Unfortunately, the status of other specifications on the roadmap — such as WS-Policy, WS-SecureConversation, WS-Trust and WS-Federation — is rather unclear. The statuses of WS-Privacy and WS-Authorization are even less clear. Humphrey then described the WS-I Security Profile and the SAML and XACML OASIS standards and noted a potentially confusing overlap between XACML and SAML. He concluded with a discussion of WS-Delegation, a GGF standards effort led by Olle Mulmo. David Chadwick then gave an overview of GGF activities on authentication and authorization using PERMIS. He stressed that it is the use of resources by an application — rather than a user — that is the primary motivation for introducing proxy certificates.

From these rather abstract discussions, the meeting moved on to concrete implementations, with talks from Frank Siebenlist on the Globus GT4 security architecture, Olle Mulmo on the approach to security of the European EGEE project and Li Zha on security in the CNGrid VEGA project. Siebenlist began by stressing the importance of a security policy for a virtual organization (VO) and the role of security services in facilitating enforcement of this policy. After reviewing the OGSA security services, he outlined GT4's support for different mechanisms for attribute assertions — VOMS, PERMIS, X.509, Shibboleth and SAML. He noted that moving to an SAML/XACML approach provided GT4 with a more flexible way to support a variety of security solutions than just X.509 certificates. An open source XACML runtime is being shipped with GT4. He concluded that the capability to form a dynamic, “five-minute VO” is still an as yet unrealized goal for the Grid community.

Mulmo from KTH in Stockholm then described the EU-funded EGEE project that connects more than 100 sites across Europe and constitutes probably the largest production Grid in the world with more than 10,000 CPUs and over 5 petabytes of storage. The EGEE infrastructure uses X.509 and proxy certificates with the VOMS package for authorization and VO management. He noted that for the third “A” of AAA, “accounting,” no solution was currently deployed. Similarly, there was as yet no overall solution for “audit,” the so-called fourth “A” of AAA.

Zha from the ICT Institute of the Chinese Academy of Sciences described security in the VEGA project. After an overview of the VEGA GOS architecture, he described the Agora and Grip services that, along with WS-Security, form the basis for implementing the VEGA security architecture. The Agora service provides VO authorization and access control using a SAML based authorization token. The Grip service is a Grid process that provides a runtime construct to deliver secure access to a service.

So far, the meeting had concentrated on the security concerns of a VO as typified by Grid application projects. However, members of any Grid VO are also members of institutions, each of which have their own security infrastructure. The remaining talks were concerned with Internet2's Shibboleth architecture. Shibboleth mandates neither a specific authentication scheme (this is taken to be the responsibility of the home institution) nor a specific authorization scheme (this is the responsibility of the resource owner). Instead, Shibboleth is an open standards-based protocol for securely transferring attributes between the home site and the resource site. The message flows are defined in SAML and the institution member attributes (in U.S. academia) are typically taken from the eduPerson and eduOrg schemas.

There is growing international acceptance for Shibboleth with its deployment by some 30 major U.S. universities; serious trials in the United Kingdom, Switzerland and other countries in Europe; and a significant deployment project in Australia. Alan Robiette from JISC reported on an interesting U.K. project attempting to add more intelligence to the resource manager by integrating PERMIS as a decision engine within the Shibboleth framework. Martin Sutter from the Swiss academic research network organization SWITCH reported on the “SWITCHaai” project. This has successfully deployed a Shibboleth-based Authentication and Authorization infrastructure (AAI) across the seven major Swiss universities. The final talk of the day was by Von Welch from NCSA who explained the goals of the NSF-funded “GridShib” project. This project aims to incorporate Shibboleth-issued attributes for authorization into Grids built on the Globus GT4 toolkit. The project is exploring possible methods of managing attributes for members of Grid VOs.

Although the picture for Grid security is a very complex one, the meeting was useful in exposing some of the real practical problems facing Grid VOs. I conclude this tale of unfinished business by describing the U.K. “GOLD” e-Science research project that is examining even more security issues for VOs. The project is focusing on the problems of coordination, information management, security and trust in a VO. The project is grounding its work with a proof of concept example VO taken from the chemical industry. The GOLD work on coordination and trust has focused on distributed workflow enactment. It has taken a more formal approach to these issues than most Grid projects and is defining semantics using the pi calculus and using the SPIN model checker for compositions. In addition, because its VOs involve commercial organizations, legal issues such as rights and obligations need to established through some form of electronic contracts. The project is using the Promela language to specify such contracts and implementing a “two-phase commit” type protocol to enforce non-repudiation.

As can be seen from the wide range of issues touched on in this article, there is still much to be done on Grid security!

A UKERNA Guidance Note on “Deploying Grids” by Andrew Cormack, UKERNA's chief security adviser, is available on the UKERNA Web site at www.ukerna.ac.uk. The presentations at the U.K. e-Science Security Meeting can be found on the NeSC Web site at www.nesc.ac.uk/events/townmeeting0405.

© Tony Hey May 2005

Subscribe to HPCwire's Weekly Update!

Be the most informed person in the room! Stay ahead of the tech trends with industry updates delivered to you every week!

Q&A with Nvidia’s Chief of DGX Systems on the DGX-GB200 Rack-scale System

March 27, 2024

Pictures of Nvidia's new flagship mega-server, the DGX GB200, on the GTC show floor got favorable reactions on social media for the sheer amount of computing power it brings to artificial intelligence.  Nvidia's DGX Read more…

Call for Participation in Workshop on Potential NSF CISE Quantum Initiative

March 26, 2024

Editor’s Note: Next month there will be a workshop to discuss what a quantum initiative led by NSF’s Computer, Information Science and Engineering (CISE) directorate could entail. The details are posted below in a Ca Read more…

Waseda U. Researchers Reports New Quantum Algorithm for Speeding Optimization

March 25, 2024

Optimization problems cover a wide range of applications and are often cited as good candidates for quantum computing. However, the execution time for constrained combinatorial optimization applications on quantum device Read more…

NVLink: Faster Interconnects and Switches to Help Relieve Data Bottlenecks

March 25, 2024

Nvidia’s new Blackwell architecture may have stolen the show this week at the GPU Technology Conference in San Jose, California. But an emerging bottleneck at the network layer threatens to make bigger and brawnier pro Read more…

Who is David Blackwell?

March 22, 2024

During GTC24, co-founder and president of NVIDIA Jensen Huang unveiled the Blackwell GPU. This GPU itself is heavily optimized for AI work, boasting 192GB of HBM3E memory as well as the the ability to train 1 trillion pa Read more…

Nvidia Appoints Andy Grant as EMEA Director of Supercomputing, Higher Education, and AI

March 22, 2024

Nvidia recently appointed Andy Grant as Director, Supercomputing, Higher Education, and AI for Europe, the Middle East, and Africa (EMEA). With over 25 years of high-performance computing (HPC) experience, Grant brings a Read more…

Q&A with Nvidia’s Chief of DGX Systems on the DGX-GB200 Rack-scale System

March 27, 2024

Pictures of Nvidia's new flagship mega-server, the DGX GB200, on the GTC show floor got favorable reactions on social media for the sheer amount of computing po Read more…

NVLink: Faster Interconnects and Switches to Help Relieve Data Bottlenecks

March 25, 2024

Nvidia’s new Blackwell architecture may have stolen the show this week at the GPU Technology Conference in San Jose, California. But an emerging bottleneck at Read more…

Who is David Blackwell?

March 22, 2024

During GTC24, co-founder and president of NVIDIA Jensen Huang unveiled the Blackwell GPU. This GPU itself is heavily optimized for AI work, boasting 192GB of HB Read more…

Nvidia Looks to Accelerate GenAI Adoption with NIM

March 19, 2024

Today at the GPU Technology Conference, Nvidia launched a new offering aimed at helping customers quickly deploy their generative AI applications in a secure, s Read more…

The Generative AI Future Is Now, Nvidia’s Huang Says

March 19, 2024

We are in the early days of a transformative shift in how business gets done thanks to the advent of generative AI, according to Nvidia CEO and cofounder Jensen Read more…

Nvidia’s New Blackwell GPU Can Train AI Models with Trillions of Parameters

March 18, 2024

Nvidia's latest and fastest GPU, codenamed Blackwell, is here and will underpin the company's AI plans this year. The chip offers performance improvements from Read more…

Nvidia Showcases Quantum Cloud, Expanding Quantum Portfolio at GTC24

March 18, 2024

Nvidia’s barrage of quantum news at GTC24 this week includes new products, signature collaborations, and a new Nvidia Quantum Cloud for quantum developers. Wh Read more…

Houston We Have a Solution: Addressing the HPC and Tech Talent Gap

March 15, 2024

Generations of Houstonian teachers, counselors, and parents have either worked in the aerospace industry or know people who do - the prospect of entering the fi Read more…

Alibaba Shuts Down its Quantum Computing Effort

November 30, 2023

In case you missed it, China’s e-commerce giant Alibaba has shut down its quantum computing research effort. It’s not entirely clear what drove the change. Read more…

Nvidia H100: Are 550,000 GPUs Enough for This Year?

August 17, 2023

The GPU Squeeze continues to place a premium on Nvidia H100 GPUs. In a recent Financial Times article, Nvidia reports that it expects to ship 550,000 of its lat Read more…

Shutterstock 1285747942

AMD’s Horsepower-packed MI300X GPU Beats Nvidia’s Upcoming H200

December 7, 2023

AMD and Nvidia are locked in an AI performance battle – much like the gaming GPU performance clash the companies have waged for decades. AMD has claimed it Read more…

DoD Takes a Long View of Quantum Computing

December 19, 2023

Given the large sums tied to expensive weapon systems – think $100-million-plus per F-35 fighter – it’s easy to forget the U.S. Department of Defense is a Read more…

Synopsys Eats Ansys: Does HPC Get Indigestion?

February 8, 2024

Recently, it was announced that Synopsys is buying HPC tool developer Ansys. Started in Pittsburgh, Pa., in 1970 as Swanson Analysis Systems, Inc. (SASI) by John Swanson (and eventually renamed), Ansys serves the CAE (Computer Aided Engineering)/multiphysics engineering simulation market. Read more…

Choosing the Right GPU for LLM Inference and Training

December 11, 2023

Accelerating the training and inference processes of deep learning models is crucial for unleashing their true potential and NVIDIA GPUs have emerged as a game- Read more…

Intel’s Server and PC Chip Development Will Blur After 2025

January 15, 2024

Intel's dealing with much more than chip rivals breathing down its neck; it is simultaneously integrating a bevy of new technologies such as chiplets, artificia Read more…

Baidu Exits Quantum, Closely Following Alibaba’s Earlier Move

January 5, 2024

Reuters reported this week that Baidu, China’s giant e-commerce and services provider, is exiting the quantum computing development arena. Reuters reported � Read more…

Leading Solution Providers

Contributors

Comparing NVIDIA A100 and NVIDIA L40S: Which GPU is Ideal for AI and Graphics-Intensive Workloads?

October 30, 2023

With long lead times for the NVIDIA H100 and A100 GPUs, many organizations are looking at the new NVIDIA L40S GPU, which it’s a new GPU optimized for AI and g Read more…

Shutterstock 1179408610

Google Addresses the Mysteries of Its Hypercomputer 

December 28, 2023

When Google launched its Hypercomputer earlier this month (December 2023), the first reaction was, "Say what?" It turns out that the Hypercomputer is Google's t Read more…

AMD MI3000A

How AMD May Get Across the CUDA Moat

October 5, 2023

When discussing GenAI, the term "GPU" almost always enters the conversation and the topic often moves toward performance and access. Interestingly, the word "GPU" is assumed to mean "Nvidia" products. (As an aside, the popular Nvidia hardware used in GenAI are not technically... Read more…

Shutterstock 1606064203

Meta’s Zuckerberg Puts Its AI Future in the Hands of 600,000 GPUs

January 25, 2024

In under two minutes, Meta's CEO, Mark Zuckerberg, laid out the company's AI plans, which included a plan to build an artificial intelligence system with the eq Read more…

Google Introduces ‘Hypercomputer’ to Its AI Infrastructure

December 11, 2023

Google ran out of monikers to describe its new AI system released on December 7. Supercomputer perhaps wasn't an apt description, so it settled on Hypercomputer Read more…

China Is All In on a RISC-V Future

January 8, 2024

The state of RISC-V in China was discussed in a recent report released by the Jamestown Foundation, a Washington, D.C.-based think tank. The report, entitled "E Read more…

Intel Won’t Have a Xeon Max Chip with New Emerald Rapids CPU

December 14, 2023

As expected, Intel officially announced its 5th generation Xeon server chips codenamed Emerald Rapids at an event in New York City, where the focus was really o Read more…

IBM Quantum Summit: Two New QPUs, Upgraded Qiskit, 10-year Roadmap and More

December 4, 2023

IBM kicks off its annual Quantum Summit today and will announce a broad range of advances including its much-anticipated 1121-qubit Condor QPU, a smaller 133-qu Read more…

  • arrow
  • Click Here for More Headlines
  • arrow
HPCwire