The document summarizes the research of the XSIM Team on facilitating scientific collaborations through delegating identity management. It provides context on how scientific collaborations have evolved from localized to remote and large-scale. It identifies barriers to identity management like historical inertia, risk aversion, and compliance requirements. The document then presents the XSIM VO Identity Model and examples of incremental identity delegation approaches used at facilities like NERSC and XSEDE to reduce costs while maintaining security. It concludes that virtual organizations are essential to science and strategies exist to incrementally increase trust and delegation of identity functions.

1. Facilitating Scientific Collaborations by
Delegating Identity Management
Reducing Barriers and
Roadmap for Incremental Implementation
Robert Cowles, Craig Jackson, Von Welch (PI)
May 5th, 2015

2. 2
The XSIM Team
Robert Cowles – BrightLite Information
Security, former CISO of SLAC.
Craig Jackson – CACR Policy Analyst,
former practicing attorney.
Von Welch – CACR Director, long time
distributed science security researcher.

3. 3
Our talk…
• Context – scientific collaboration,
resource providers and identity.
• Barriers and potential mitigation
• Our VO Identity Model

4. 4
The “Good Old Days”
Scientists were
employees or
students – physically
co-located.
Image credit: Wikipedia
4

5. 5
Then remote access…
Scientists start being
remote from the
computers.
But still affiliated
with computing
centers.
Image credit: All About Apple Museum
Creative Commons Attribution-Share Alike 2.5 Italy
5

6. 6
Growth of the scientific
collaboration
Number of scientists, institutions, resources.
Large, expensive, rare/unique instruments.
Increasing amounts of data.
Image credit: Ian Bird/CERN
6

7. 7
VO Identity Management
A number of approaches have been tried:
VOMS, Glide-ins, Science gateways,
COManage, Community/group
accounts, etc.
We now have 15 years of applied
experimentation in VO IdM.

8. 8
Extreme Scale Identity
Management for Science (XSIM)
• Research and develop a VO-IdM model to
express the trust relationships between
resource providers (RPs) and
collaboratories
• Validate the model and determine the
motivations that lead to the different choices
• Develop guidance to collaboratories and
RPs in architecting their IdM and trust
choices

9. 9
Interviewees
Collaboratories
•Atlas
•BaBar
•Belle-II
•CMS
•Darkside
•Engage
•Earth System Grid
•Fermi Space Telescope
•LIGO
•LSST/DESC
Resource Providers
•Atlas Great Lakes T2
•FermiGrid
•GRIF
•U. Nebraska (CMS)
•LCLS
•RAL
•GRIF/LAL
•LLNL
•NERSC
•Blue Waters

10. 10
Seemingly Contradictory Demands
• Current Processes and Policies
• Strong identification, authentication, and
authorization of user communities
• User communities
• Large scale with dynamic membership
• Span multiple resource providers
• Desire ease-of-use (e.g. single sign-on)
• Self management

11. Barriers and Mitigations

12. 12
Identified Barriers
• Historical Inertial
• Risk Aversion
• Compliance and Assurance
Requirements
• Technology Limitations

13. 13
Deemed Export
• “ … the release of controlled technology
to a foreign person … “
• An export license is required, EXCEPT:
• Research involving public information
• Fundamental research
• Suppliers of grid or cloud computing
• Can eliminate requirement for identity
proofing (needs legal review)

14. 14
Unclassified Foreign Visits
• DOE O 142.3A (2010)
• Policy for access to computing resources
responsibility of DOE CIO; no policy
exists
• Access to scientific information and
commercially available technology is not
within scope of the order
• Can eliminate requirement for identity
proofing (needs legal review)

15. 15
Inertia and Risk
• Significant policy and cultural investment
in current risk profile for cyber security
• DOE recognized need to shift to risk-
based security with O 205.1B in 2011
• Cyber program can be flexible if risks are
documented and residual risks accepted
• Transitive trust may significantly reduce
costs with little increase in residual risk

16. 16
Traceability
• Throughout history of LHC grid, this has
been a requirement by the RPs
• With transitive trust, RP has no ability to
contact individuals
• OSG Traceability Project investigated
and found that, except in improbable
circumstances, sufficient information was
always available

17. 17
Technology Limitations
• Many tools (source code systems, ssh,
etc.) assume traditional authentication
• Technology advances are coming rapidly
• Virtualization
• Grid and cloud computing
• Increased ability to share resources
within a group and increase isolation and
security from other groups

18. XSIM VO IdM Model

19. 19
Roadmap for Incremental
Implementation
• Delegation of IdM is not all-or-nothing
• Partial delegation – certain functions –
can create a simpler workflow (for RPs
and users)
• Trusting the VO and accepting the risk
can significantly decrease administrative
costs

20. 20
Transitive Trust
Classically RPs produced
and consumed all IdM data.
Brokered trust
relationships entail VOs &
TTPs generating user data,
to be consumed by RPs.
Transitive trust
relationships forego all
user data consumption by
RP.

21. 21
Virtual Organization (VO)
• Created to manage scientific community
• Role in Transitive Trust IdM model
• Resource Providers (RPs) trust the VO to
manage its community
• Little or no individual user information is
transferred from the VO to the RP
• Central participant in Incident Response

22. VO IdM Model: Data-centric
Production & Consumption
Identity data is produced to
provide functionality to other
workflows when needed.
Identity data is consumed to
perform these functions.
Functionality
authentication
authorization
allocation/scheduling
accounting
auditing
user support
incident response
Model IdM Data
(1)User identifier
(2)User contact info
(3)VO membership/role

23. Examples of IdM Delegation

24. 24
Identity Data Flow in the “Classic Model”
Authn
Authz
Audit
Accounting
Incident
Response
UserSupport
User Ids
&
Contact
info
RP produces
and consumes
all IdM
information.
RP

25. 25
NERSC Scientific Gateway
• Defined “collaboration account” to enable
a team of researchers shared access to
resources in a secure, scalable manner
• NERSC delegates only authorization for
access to the collaboration account
• The VO determines user privileges and
resource access while NERSC controls
authentication, auditing, and accounting

26. 26
NERSC Collaboration Account
RP
Authn
Authz
Allocations/
Scheduling
Incident
Response
UserSupport
Membership
And role
VO
User Ids
&
Contact
infoAudit

27. 27
XSEDE Science Gateway
• Defn: Integrated set of tools customized
for a specific community
• Initially developed idea of “community
accounts” identifying projects, not users
• It was found that some identity needed to
be transmitted for purposes of accounting
• More recently, virtualization and cloud
computing have moved accounting
responsibility to the VO

28. 28
XSEDE Science Gateway Model
User Ids
RP
Authn
Authz
Allocations/
Scheduling
Incident
Response
UserSupport
Contact
info
Science
Gatewa
y
GW Id
Audit

29. 29
ATLAS use of PanDA
• PanDA – distributed job submission and
execution in a grid environment
• Uses a pilot job to allow VO control over
scheduling and can optionally run job
under submitting user’s identity
• All USATLAS sites (including DOE Labs)
do NOT use the identity changing option
• Complete delegation – RP’s depend on
ATLAS VO for user contact

30. 30
Identity Data Flow in Multi-user Pilot Jobs
User
Identity
PKI
RP
Authn
Authz
Allocations/
Scheduling
Incident
Response
UserSupport
VO
Membership
User
contact
info
VO
Audit

31. 31
Reference
Robert Cowles, Craig Jackson and Von
Welch. Facilitating Scientific Collaborations
by Delegating Identity Management:
Reducing Barriers & Roadmap for
Incremental Implementation
http://cacr.iu.edu/sites/cacr.iu.edu/files/FSCbyDIM0408.pdf
Will be presented at CLHS 15 in June 2015

32. 32
Conclusion
Virtual Organizations have become essential for
scientific computing and XSIM has developed a
model for describing VO IdM based on IdM data
production and consumption.
Existing policies allow for delegation of IdM
functions within context of acceptable risk
Strategies exist for incremental increase in trust
and delegation of IdM functions

33. 33
Thank you. Questions?
Von Welch (vwelch@iu.edu)
http://cacr.iu.edu/collab-idm
We thank the Department of Energy Next-Generation Networks for
Science (NGNS) program (Grant No. DE-FG02-12ER26111) for
funding this effort.
The views and conclusions contained herein are those of the author and should not be interpreted as
necessarily representing the official policies or endorsements, either expressed or implied, of the
sponsors or any organization.

34. 34
Extra Slides

35. 35
Research
Robert Cowles, Craig Jackson, and Von
Welch. Identity Management Factors for HEP
Virtual Organizations. 20th International
Conference on Computing in High Energy and
Nuclear Physics (CHEP2013), 2013
https://iopscience.iop.org/1742-6596/513/3/032022

36. 36
Develop Model and Validate
Robert Cowles, Craig Jackson, and Von Welch. Identity
Management for Virtual Organizations: An Experience-Based
Model. eScience 2013, 2013
http://www.computer.org/csdl/proceedings/escience/2013/5083/00/5083a278-abs.html
Robert Cowles, Craig Jackson, Von Welch, and Shreyas
Cholia. A Model for Identity Management in Future Scientific
Collaboratories International Symposium on Grids and
Clouds (ISGC) 2014, 2014
http://pos.sissa.it/archive/conferences/210/026/ISGC2014_026.pdf

37. 37
Develop Guidance
Von Welch, Robert Cowles, and Craig Jackson. XSIM OSG
IdM Guidance OSG-doc-1199, July 2014
http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1199
Robert Cowles, Craig Jackson, and Von Welch. Facilitating
Scientific Collaborations by Delegating Identity Management:
Reducing Barriers and Roadmap for Incremental
Implementation. March, 2015.
http://cacr.iu.edu/sites/cacr.iu.edu/files/FSCbyDIM0408.pdf