9/01/2006

Improving Security and Usability....

It is generally taken for granted that security and usability (i.e. convenience) are opposing ends of a trade-off. Anyone who has flown on a commercial flight in the past few weeks (years) has seen this in action. One place where usability and security tend to collide in a facility like TeraGrid is the process by which authorized users get authenticated and gain access to services and resources. We actually have an opportunity to move to an architecture that will improve both usability and security. Yes, it sounds too good to be true....

A few weeks ago I posted a note about attribute-based authorization, with a pointer to a paper that Von Welch (from the GridShib project) has been putting together (with myself, Ian Foster, Tom Scavo, and Frank Siebenlist), and a pointer to a TeraGrid Authorization, Authentication, and Account Management workshop scheduled to take place at Argonne this week. Ian also recently wrote about attribute-based authorization in his blog with some good pointers.

The workshop concluded yesterday, and I spoke with Dane Skow (TeraGrid deputy director) this morning about how it went. Dane was one of the co-organizers of the workshop (along with Von and also PSC's Jim Marsteller, the head of the TeraGrid security working group). In addition to checking out the website for the workshop, where all of the notes and background information can be found, you might be interested in Dane's take on what was accomplished:

1) We figured out how to cut 1 week off the process of getting new user accounts in a pretty easy first step and identified a path to cutting the time to issue new accounts even further.
2) We identified a very small set of information (persistent unique identifier and (maybe) citizenship) as the required set for gatewayed users. [editor's note, the verb "to gateway" here refers to obtaining TeraGrid access via a Science Gateway... it is usually a good sign when the proper name for a project gets verbed]
3) We designed a testbed that would enable users to use their Shibboleth credentials from home institutions to generate credentials that would work on TeraGrid. They would not have to retain a persistent X.509 environment on their workstations, though for some usage modes, they would have to use short-lived proxies put into a local Globus environment.

From my point of view it was tremendous to see about 35 participants working together from TeraGrid sites as well as partner organizations such as the Globus Alliance and the Internet2 Shibboleth project. We had experts in security, accounting, grid software development, and identity management constructively grappling with this important set of issues together. The event was a nice example of why you get on an airplane and travel to a workshop: to make progress about 50 times faster than by exchanging email and position papers! Having made this investment, we are ready to take the next concrete steps to make this vision a reality.

Improving security and usability at the same time. How often do you get a chance to do that?


1 Comment:

Blogger Portal Dude said...

I'll add that the issue of shortening the time to get a TeraGrid account has been an issue I've been trying to approach for almost a year now. However, because the issue "touches" so many groups (i.e. accounting, security, operations), solving this problem over email would not have worked. It simply took getting the people whom the problem affects most internally and the people with the access and know-how to fix it in the same room for 2 hours to figure out that an initial solution wasn't really that hard. These types of face-to-face meetings are incredibly beneficial.

9/05/2006 01:43:00 PM  
