Security Standards in OGF
Security is an important aspect of Grids. Grids provide easily accessible resources with service providers in other parts of the user's country or other parts of the world. The service provider needs some assurance that the user is using the resource correctly, and can be traced in case of (usually unintentional) misuse. The user, conversely, needs assurance that resources allocated to them are safe and that they are talking to the service provider they expect to talk to. An analogy is a passport service: with a passport, anyone can authenticate to the local post office, as well as travel to other countries (sometimes they need visas, too). Likewise, the Grid security infrastructure provides the ability to use resources locally and globally (but sometimes requires authorisation). Like the passport service, grid security has to be well implemented, or it will not be trusted.
The Security Area in OGF encompasses a number of groups working in Grid security or related aspects, but one should also remember that security influences and underpins most aspects of services: accounting and bookkeeping, job submission, data management, information systems, applications, and more.
The Need for Standards
As in other areas where OGF works, standards are important. They help ensure reusability of protocols and implementations, because they are open: no one person or group can monopolise the protocol or the software, for the standards process in OGF is open. Standards promote interoperation. Interoperation, in turn, provides flexibility when service providers can choose between components for authorisation (say), and can reuse other people's components when required.
The Need for Trust
It is perhaps not obvious that it is not obvious (if that makes sense). We have a security infrastructure built on protocols, software, standards, implementations, procedures, operations, policies, frameworks, etc., but it is useless if it is not trusted. As you know, a chain is only as strong as its weakest link.
Perhaps the greatest contribution of the OGF is in helping to establish trust on a global scale, partly because the OGF provides a forum for bringing key security people together. Whether they design or implement protocols, provide services or consume services, have security concerns or solutions, they can come along to OGF meetings and discuss the issues with other security people. A lot of trust-building goes on in the coffee breaks and over lunch - we may live in a global digital age, but there are still many benefits to meeting a collaborator in person.
By establishing standards and best practices, the OGF helps promote trust. The best example is the global public key infrastructure: many of the global Grids have decided to trust any certification authority accredited to IGTF (see below) standards, and by doing this, they have almost automatically gained global interoperation for authentication.
Highlights of OGF Security Standards
- Establishing the International Grid Trust Federation - this provides a global public key infrastructure, ensuring that users and services across the world (from member countries) can authenticate themselves to services in any other (member) country;
- Establishing protocols and documenting frameworks for authorisation for OGSA services;
- Procedures for auditing Grid Certification Authorities;
- Experimentally establishing best practices for use of X.509 certificates on the Grid;
- Documenting how to best protect Grid credentials, both "normal" ones like user and service credentials, and particularly "precious" ones like those signing attributes for attribute authorities;
- Work on establishing the right level(s) of assurance for the appropriate contexts - many aspects of security interplay with each other.
Standards at OGF28
One of the main topics for the security area will be a meeting of the operations groups for certification authorities (CAs), CAOPS-WG. The group looks at operational issues for (grid) certification authorities, to ensure that best practices are shared and documented. It also brings together the International Grid Trust Federation, the body which unites groups of (mainly grid) CAs. The IGTF is growing; new countries are added all the time (there are about 80 member countries at the moment). The IGTF also uses the OGF to standardise practices for certificate management in the Grid world. Standards are obviously important to help ensure interoperation - grid certificates provide one of the core technologies common to all large grid infrastructures, a technology which users all over the world rely on.
Other topics for the security area include interesting discussions with the Cloud Security Alliance, to see how much common ground there is between the two groups, and to look for areas for collaboration.
Finally, OGF28 will bring many of the world's leading grid security practitioners and researchers to Munich, and there will be opportunities for them to use their expertise to help other working groups formulate and analyse security problems. No doubt they will also welcome the opportunities to talk to each other over lunch and coffee, to exchange ideas and share tales from the frontier of security research.