Papers by Frank Siebenlist
Grid computing is concerned with the sharing and coordinated use of diverse resources in distributed "virtual organizations." The dynamic and multi-institutional nature of these environments introduces challenging security issues that demand new technical approaches. In particular, one must deal with diverse local mechanisms, support dynamic creation of services, and enable dynamic creation of trust domains. We describe how these issues are addressed in two generations of the Globus Toolkit®. First, we review the Globus Toolkit version 2 (GT2) approach; then, we describe new approaches developed to support the Globus Toolkit version 3 (GT3) implementation of the Open Grid Services Architecture, an initiative that is recasting Grid concepts within a service-oriented framework based on Web services. GT3's security implementation uses Web services security mechanisms for credential exchange and other purposes, and introduces a tight least-privilege model that avoids the need for any privileged network service.
High Performance …, Jan 1, 2003
Proceedings of the 2003 ACM workshop on XML security - XMLSEC '03, 2003
Currently, members of the Grid community are working within the Global Grid Forum to articulate their security requirements, and to fill the gaps that are perceived to exist within industry-wide standardization efforts. Probably the main difference between the Grid community's requirements and those seen in the rest of the industry is the focus on how we can express, communicate and enforce the different security policies while crossing administrative boundaries. This presentation will discuss some Grid specific use cases to emphasize this difference in focus, briefly discuss the Open Grid Services Architecture that provides the framework in which we try to address these requirements, enumerate how security aspects can be addressed by existing standards and where the gaps are, and specifically show some details on our current work to address many of our distributed authorization problems.
Proceedings of the 14th ACM symposium on Access control models and technologies - SACMAT '09, 2009
The virtualization technologies that underlie the cloud computing infrastructures pose challenges on enforcing security policy when we have a sense of ambiguity concerning the actual physical properties of the resources. On the other hand, the virtual machine managers provide us with better sandboxing, detailed monitoring capabilities and fine-grained access control on the resource usage. As we expect the whole world
19th IEEE Symposium on Computer-Based Medical Systems (CBMS'06), 2006
Identity management and federation is becoming an ever present problem in large multi-institutional environments. By their nature, Grids span multiple institutional administration boundaries and aim to provide support for the sharing of applications, data, and computational resources in a collaborative environment. One underlying problem is to enable participating institutions to manage the identities of their own members by leveraging existing institutional identity management systems, while at the same time facilitating the participation in larger Grids through the deployment of grid-wide user credentials. Those grid-wide identities are used for features such as single sign-on, secure communication, and are the basis for authorization decisions. In this paper we will present the design and implementation of Dorian, a grid service infrastructure component that enables the federation of users across the collaboration.
Computers and the Internet are indispensable to our modern society, but by the standards of critical infrastructure, they are notably unreliable. Existing analysis and design approaches have failed to curb the frequency and scope of malicious cyber exploits. A new approach based on complexity science holds promise for addressing the underlying causes of the cybersecurity problem. The application of complexity science to cybersecurity presents key research challenges in the areas of network dynamics, fault tolerance, and large-scale modeling and simulation. We believe that the cybersecurity problem is urgent enough, the limits of traditional reductive analysis are clear enough, and the possible benefits of reducing cyber exploits are great enough, that the further development of cybersecurity-targeted complexity-science tools is a major research need.
Fifth IEEE International Symposium on Network Computing and Applications (NCA'06), 2006
A Grid system is a Virtual Organization that is composed of several autonomous domains. Authorization in such a system needs to be flexible and scalable to support multiple security policies. Based on the Web Services security specifications such as XACML, SAML, and the special security needs of the Grid computing, we have constructed an authorization framework in the Globus Toolkit 4 that can support multiple policies. This paper describes the concepts of our design and introduces the structure and the components of the authorization framework. To show the flexibility and scalability of the framework, we introduce a new blacklist/whitelist-based authorization mechanism that can be seamlessly integrated into the framework.
Proceedings of the 2004 workshop on Secure web service - SWS '04, 2004
... Liang Fang1 Computer Science Department, Indiana University [email protected] Samuel Meder Department of Computer Science, University of Chicago [email protected] ... Page 7. and we would like to thank Dennis Gannon and Ian Foster for their continuous support. ...
Proceedings of the 5th Grid Computing Environments Workshop on - GCE '09, 2009
In this paper, we discuss the recent ESG's development and implementation efforts concerning its authentication infrastructure. ESG's requirements are to make the user's logon-experience as easy as possible, and to facilitate the integration of the security services and the Grid components for both the developers and system administrators. To meet that goal, we leverage existing primary authentication mechanisms, deploy a "lightweight" but secure OpenID WebSSO, deploy a "lightweight" X.509-PKI, and use autoprovisioning to ease the burden of security configuration management. We're close to finalizing the associated development and deployment.
Grid systems, which are composed of autonomous domains, are open and dynamic. In such systems, there are usually a large number of users, the users are changeable, and different domains have their own policies. The traditional access control models that are identity based are closed and inflexible. The Attribute Based Access Control (ABAC) model, which makes decisions relying on attributes
This report outlines a preliminary response from DOE researchers to the following three questions: a) what are the key priorities w.r.t. cybersecurity R&D over the next decade? b) what would we recommend, in terms of a program, to address those priorities c) how would a DOE Office of Science program in this area complement other cybersecurity R&D initiatives such as
AMIA ... Annual Symposium proceedings / AMIA Symposium. AMIA Symposium, 2007
caGrid is the core Grid architecture of the NCI-sponsored cancer Biomedical Informatics Grid (caBIG) program. The current release, caGrid version 1.0, is developed as the production Grid software infrastructure of caBIG. Based on feedback from adopters of the previous version (caGrid 0.5), it has been significantly enhanced with new features and improvements to existing components. This paper presents an overview of caGrid 1.0, its main components, and enhancements over caGrid 0.5.
There is great need for a secure, fine-grained, efficient, and user-friendly authorization infrastructure to protect the services in Grid community. Grid users and administrators still have to deal with authentication and authorization issues in the traditional supercomputer-centric fashion, especially with the host account maintenance and certificate management. This paper proposes a capability-based infrastructure that provides a fine-grained authorization solution to
This report summarizes work carried out by the ESG-CET during the period October 1, 2009 through March 31, 2009. It includes discussion of highlights, overall progress, period goals, collaborations, papers, and presentations. To learn more about our project, and to find previous reports, please visit the Earth System Grid Center for Enabling Technologies (ESG-CET) website. This report will be forwarded to the DOE SciDAC program management, the Office of Biological and Environmental Research (OBER) program ...
High Performance Distributed Computing, 2003. Proceedings. 12th IEEE International Symposium on, 2003
Grid computing is concerned with the sharing and coordinated use of diverse resources in distributed "virtual organizations." The dynamic and multi-institutional nature of these environments introduces challenging security issues that demand new technical approaches. In particular, one must deal with diverse local mechanisms, support dynamic creation of services, and enable dynamic creation of trust domains. We describe how these issues are addressed in two generations of the Globus Toolkit®. First, we review the Globus Toolkit version 2 (GT2) approach; then, we describe new approaches developed to support the Globus Toolkit version 3 (GT3) implementation of the Open Grid Services Architecture, an initiative that is recasting Grid concepts within a service-oriented framework based on Web services. GT3's security implementation uses Web services security mechanisms for credential exchange and other purposes, and introduces a tight least-privilege model that avoids the need for any privileged network service.
Proceedings of the 16th International Symposium on High Performance Distributed Computing 2007, HPDC'07, 2007
This paper proposes the security infrastructure for user-controlled Virtual Workspace Service (VWSS-UC) that comprises three layers: trusted computing platform, secure virtualised workspace, and user application. The suggestions on the technology selection are provided for the first two layers: industry adopted Trusted Computing (TCG) platform, and Virtual Workspace Service (VWSS) developed in the framework of the Globus Toolkit. Solutions and implementation are proposed and discussed for the application authorisation session security context management. The paper is based on experiences gained from major Grid based projects such as EGEE, Globus Toolkit, and Phosphorus.
The Grid 2, 2004
Page 1. An Open Grid Services Architecture Ian Foster Mathematics and Computer Science Division Argonne National Laboratory and Department of Computer Science The University of Chicago http://www.mcs.anl.gov/~foster Page 2. 2 [email protected] ...