A AAAA Model to Support Science Gateways with Community Accounts
Von Welch (1), Jim Barlow, James Basney, Doru Marcusiu
NCSA

(1) Contact author: vwelch@ncsa.uiuc.edu

1 Introduction

Science gateways have emerged as a concept for allowing large numbers of users in communities to easily access high-performance computing resources which previously required a steep learning curve to utilize. In order to reduce the complexity of managing access for these communities, which can often be large and dynamic, the concept of community accounts is being considered. Unlike group accounts, where a number of users log directly in to a single account, a community account is an account shared by a community of users who all access the account through a science gateway, which allows the community itself to authorize individual users, removing the burden from the resource provider.

A community account has a number of differences in its security model from traditional single-user accounts. In this paper we propose a security model for community accounts, organized by the four A's of security: Authentication, Authorization, Auditing and Accounting. We start with a detailed discussion of the motivation for community accounts, and then discuss our model in terms of each of the AAAA areas. We conclude with a discussion of open issues and future plans.

2 Motivation for Community Accounts

Traditionally, users of high-performance computational resources have interacted with those resources at a very rudimentary level: they obtain authorization (i.e. an account) and some amount of allocation, then they log in and interact with the resource through a low-level interface (e.g. a command-line shell or ftp client). While this method of interaction provides these users with a great amount of control over how they use the resource (e.g. they can compile their own applications and do fine-grained debugging), it has two drawbacks: (1) these low-level interfaces have a very steep learning curve, placing a large burden on users to learn how to use the resources; and (2) it requires the resource provider to set up and maintain state (typically an account) about each user utilizing the resource, which can be a burden for user communities that are large and/or dynamic.

Web-based portals have emerged as a mechanism to overcome the first drawback, by providing not only a graphical means for allowing the user to express their desired actions, but typically an interface that is tailored to the user's application domain. However, such portals typically require users to obtain traditional accounts on the computational resources to which they grant access. So while the portal has served as an interface between the users and the resources, it has not played a substantial role in the underlying security relationships between the user and the resources, and so the second drawback mentioned previously remains.

Science gateways seek to take portals a step further and aid users in their relationships with the computational resources by obtaining a community account on the resources and allowing users to obtain access to resources by getting an account on the science gateway. There are a number of benefits to this approach:

1. In many cases, a science gateway will allow access to resources at a number of organizations; this allows the user to avoid having to obtain multiple accounts in order to use the science gateway.
2. There is an expectation that the science gateway, by virtue of allowing the user to perform very limited actions (compared to having a traditional account with shell access), can have a lower bar for granting accounts than direct access to the resources.
3. It abstracts the resources used, allowing resources to come and go without the involvement of the user.
4. It distributes the burden of account management from the resource owner to the community running the science gateway. This can allow the community to react more quickly to their own changes in membership, and can allow for scalability as it removes the resource owner as a potential bottleneck.

3 Our Model

Our model of community accounts is based on a sharing of AAAA responsibilities and privileges between the resources and the community operating the science gateway. In the standard account model, a user authenticates directly to a target resource and all subsequent authorization, auditing and accounting operations are performed by the resource. Even with the user going through a web portal as an interface to the resource, this model is basically unchanged. In our community account model, the science gateway plays a significant role in these security relationships, acting as an active agent in establishing trust between the resources and the users.
The community establishes with each resource an account, along with an allocation and a set of authorization privileges, for use by its science gateway. During day-to-day use, the science gateway authenticates and authorizes users, passing their requests on to the resources. The resources service the requests using the community account, due to their trust in the gateway.

In the following subsections we examine this model for each area of AAAA (Authentication, Authorization, Auditing, Accounting). Authentication and authorization are intertwined and we discuss them together.

3.1 Authentication and Authorization

Users are normally authenticated by a resource as a step that allows for establishing their authorization privileges, as well as for auditing and accounting. As a precursor, a user is usually registered by a site, during which time the site creates an account for the user (or equivalent state), and collects contact information regarding the user to allow the site to contact the user in the future (e.g. in the course of investigating suspicious activity). Normally the site running a resource handles authentication, authorization and the preceding registration. In our science gateway model, the site outsources this process to the gateway. In this model the site decides the level of authorization for the community as a whole. The community then sets privileges for each of its members. We discuss two possible modes by which authentication and authorization can take place: transitively through the science gateway, and through the use of authorization credentials.

Transitive Mode

In the transitive mode, the user authenticates to the science gateway and the science gateway authenticates to the resource using its own identity credentials (e.g. SSH RSA key, GSI certificate). The resource trusts the science gateway to have correctly authenticated and authorized the user and at run-time has no knowledge of the user's identity. Authorization is determined by resource policy on the community as a whole, i.e. on the privileges granted to the community account. The community enforces authorization on individual users by choosing which requests it passes on to the resources. The resources have no concept of which user a given request is associated with or what privileges the community grants to that user; they can only associate requests with a community.

Authorization Credentials Mode

In the authorization credentials mode, the user has identity credentials of their own (issued by either the community, the resource owner, or a third party) and the science gateway augments these by providing authorization credentials that are supplied to the resource along with the user's identity credentials. The presentation of these authorization credentials relieves the resource of having to maintain state regarding the user.

In this mode the resource knows the identity of the user, but does not need a priori state regarding the user since the authorization policy regarding the user is contained in the authorization credentials. The community and the resource owners have an agreement in place that the resource will enforce the policy expressed in these credentials. Typically the resource owner will also set a maximum permissible policy for any community member, meaning the policy enforced is the intersection of the resource owner's policy for the community and the policy expressed by the community for the given user. Examples of services providing such credentials are CAS [1], VOMS [2], and the authorization service being developed by Indiana University as part of LEAD [3].

Comparison of Authentication Modes

The transitive mode is simpler to implement since the resource does not need to understand how to parse and enforce authorization credentials, which requires enhanced software not ubiquitously available for all services. However, since the resource has no knowledge of the user identity, auditing and accounting are more difficult, as we discuss in the subsequent sections. The transitive mode also does not allow a site to deny access to individual users (due to suspected credential abuse or the user's non-conformance to an AUP or other policy in the past).
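As an added example (not code from the paper, nor from CAS, VOMS or LEAD), the following Python puts the two modes side by side: in transitive mode the resource can check a request only against the policy it granted the community account, while in authorization credentials mode it enforces the intersection of that policy with the per-user policy carried in the credential and, because it now knows the user, can also honour a site-level deny list. The Policy and AuthzCredential layout, the operation names, the community name and the numeric caps are all assumptions constructed for the illustration; the paper specifies no credential format.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed for illustration: the paper does not define a credential format,
# so the Policy/AuthzCredential layout, operation names and caps are assumptions.


@dataclass(frozen=True)
class Policy:
    """A policy names the operations a request may perform and caps its size."""
    operations: FrozenSet[str]   # e.g. {"submit-job", "read-data"}
    max_cpu_hours: float         # cap on CPU hours a single request may ask for
    max_nodes: int               # cap on nodes a single request may ask for

    def intersect(self, other: "Policy") -> "Policy":
        # The enforced policy is the intersection of the two: only operations
        # both allow, and the tighter of each numeric cap.
        return Policy(
            operations=self.operations & other.operations,
            max_cpu_hours=min(self.max_cpu_hours, other.max_cpu_hours),
            max_nodes=min(self.max_nodes, other.max_nodes),
        )

    def permits(self, request: Dict) -> Tuple[bool, str]:
        """Check one request (operation, cpu_hours, nodes) against this policy."""
        if request["operation"] not in self.operations:
            return False, "operation not permitted"
        if request["cpu_hours"] > self.max_cpu_hours:
            return False, "cpu_hours exceeds cap"
        if request["nodes"] > self.max_nodes:
            return False, "nodes exceeds cap"
        return True, "ok"


@dataclass(frozen=True)
class AuthzCredential:
    """Authorization credential issued by the community for one of its users."""
    user: str        # identity from the user's own identity credential
    community: str   # community (science gateway) that issued the credential
    policy: Policy   # privileges the community grants this user


# Resource owner's maximum permissible policy per community account (constructed).
COMMUNITY_POLICY: Dict[str, Policy] = {
    "astro-gateway": Policy(frozenset({"submit-job", "read-data"}),
                            max_cpu_hours=100.0, max_nodes=8),
}


def authorize_transitive(community: str, request: Dict) -> Tuple[bool, str]:
    """Transitive mode: the resource sees only the community account the gateway
    authenticated as, so it can check the request only against the community-wide
    policy.  Any per-user decision has already happened inside the gateway."""
    policy = COMMUNITY_POLICY.get(community)
    if policy is None:
        return False, "unknown community"
    return policy.permits(request)


def authorize_with_credential(cred: AuthzCredential, request: Dict,
                              denied_users: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Authorization credentials mode: the resource knows the user and enforces the
    intersection of its own community policy with the policy the credential carries.
    Knowing the user is what lets the site deny individuals, which transitive mode
    cannot do."""
    community_policy = COMMUNITY_POLICY.get(cred.community)
    if community_policy is None:
        return False, "unknown community"
    if cred.user in denied_users:
        return False, "user denied by site policy"
    return community_policy.intersect(cred.policy).permits(request)


if __name__ == "__main__":
    alice = AuthzCredential("alice", "astro-gateway",
                            Policy(frozenset({"submit-job"}), max_cpu_hours=20.0, max_nodes=16))
    big_job = {"operation": "submit-job", "cpu_hours": 50.0, "nodes": 4}
    print("transitive:", authorize_transitive("astro-gateway", big_job))
    print("credential:", authorize_with_credential(alice, big_job))
```

The same 50 CPU-hour request passes in transitive mode (the resource only knows the community's 100-hour cap) and fails in credential mode (the credential caps this user at 20 hours); the reverse direction also holds, since a credential granting 16 nodes is clipped to the resource owner's 8.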
3.2 Auditing

In the event that actions involving the science gateway look malicious, it is expected that the actions will be investigated to determine their cause so that appropriate action can be taken in response. The resource owner will typically lead this investigation since they are accustomed to and more able to perform this role today (2). Depending on whether the transitive or the authorization credential mode of operation, as described in the previous section, is in use, auditing will vary slightly.

In the transitive mode of operation, the site will only be able to audit at the community level and will not be able to distinguish which user caused a particular action to be initiated. This implies that the site and the science gateway need a method of identifying each action invoked by the science gateway in such a way that the science gateway can map it back to a user it authenticated. The contact information needed by the site will influence the information gathered at registration by the science gateway (as described in 3.1). There is no standard mode of identifying a request made by a science gateway to a resource today, indicating this is an area where further work is needed. Currently the best available method is to manually correlate the timestamp of the request, full command and arguments in the logs on the science gateway and resource (note that this implies accurate clocks on both). This scenario is complicated even more during simultaneous use of the gateway by multiple users.

In the authorization credential mode of operation, the resource can log the identity of the user.
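As an added example (not from the paper), here is the transitive-mode correlation just described, run over constructed gateway and resource log lines: for each action the resource logged under the community account it looks for gateway entries with the identical command and arguments within a clock-skew window, attributes the action to a user only when exactly one candidate matches, and flags the simultaneous-use case, where several users ran the same command, as ambiguous. The log line layout, the account and user names, the timestamps and the 30-second default window are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample logs.  The paper names no log format; this
# "timestamp key=value cmd='...'" layout and every value in it are assumptions.
GATEWAY_LOG = """\
2005-03-01T12:00:03Z user=alice cmd='run_sim --input a.dat'
2005-03-01T12:00:04Z user=bob cmd='run_sim --input a.dat'
2005-03-01T12:05:10Z user=carol cmd='run_sim --input c.dat'
"""

RESOURCE_LOG = """\
2005-03-01T12:00:06Z account=astro-gateway cmd='run_sim --input a.dat'
2005-03-01T12:05:12Z account=astro-gateway cmd='run_sim --input c.dat'
2005-03-01T12:30:00Z account=astro-gateway cmd='tar czf results.tgz output/'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*?) cmd='(?P<cmd>[^']*)'$")


def parse_log(text: str) -> List[Dict]:
    """Parse log lines into dicts holding a UTC datetime, the full command string
    and any key=value fields (user=... on the gateway, account=... on the resource)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that do not follow the assumed layout
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append({"ts": ts, "cmd": m.group("cmd"), **fields})
    return entries


def attribute_actions(gateway_entries: List[Dict], resource_entries: List[Dict],
                      max_skew_seconds: float = 30.0) -> List[Dict]:
    """For every action the resource logged under the community account, collect
    the gateway entries with the identical command and arguments whose timestamp
    lies within max_skew_seconds (tolerance for the two hosts' clocks).  Exactly
    one candidate user means the action is attributed; several means simultaneous
    use made it ambiguous; none means the gateway has no record of it at all."""
    max_skew = timedelta(seconds=max_skew_seconds)
    results = []
    for r in resource_entries:
        candidates = sorted({
            g["user"] for g in gateway_entries
            if g["cmd"] == r["cmd"] and abs(g["ts"] - r["ts"]) <= max_skew
        })
        if len(candidates) == 1:
            status = "attributed"
        elif candidates:
            status = "ambiguous"
        else:
            status = "unmatched"
        results.append({"ts": r["ts"].isoformat(), "cmd": r["cmd"],
                        "status": status, "users": candidates})
    return results


if __name__ == "__main__":
    for row in attribute_actions(parse_log(GATEWAY_LOG), parse_log(RESOURCE_LOG)):
        print(row["ts"], row["status"], row["users"], row["cmd"])
```

The first resource action is ambiguous between alice and bob, who submitted the same command a second apart; the third is unmatched, which in an investigation is itself a finding. Note the clock dependence the paper points out: narrowing the window to two seconds makes the same action look confidently attributed to bob alone, so an unknown skew between the two hosts turns an honest "ambiguous" into a wrong answer.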
Even in this mode, however, the resource owner may still need to contact the community for the registration information in order to contact the user, since the identity alone does not provide contact information and the resource owner may not have the user in their user database (which would only be the case if the user had an account at the resource owner's organization outside of the community science gateway).

3.3 Accounting

The community will typically have an agreement with the resource provider which grants the community some allocation of consumables (cycles, disk, bandwidth, etc.) on the resources made available to the community. The community may wish to divide up this allocation among its members based on some community policy. To divide the allocation up among its members, the community needs to know how much each member has used. Since the resources used by the science gateways do not keep state regarding the individual users (and even if they did, a user's total usage would be distributed over a number of resources), the science gateway is the natural place to keep track of each user's total usage. This requires that the resource communicate the total consumption of each request on its completion back to the science gateway. There is currently not a widely available means of performing this; however, the GGF Usage Records working group [4] has a specification for a message to carry such information.

(2) We could envision larger communities taking a lead role, but we believe that resource owners will continue to take the lead most often and so concentrate on that scenario.
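As an added example (not from the paper, and not the GGF Usage Record schema), the following Python sketches the gateway-side ledger this section implies: per-user shares carved out of the community allocation, an estimate held as pending while a forwarded request is in flight, and completion reports from any resource folded into the user's total across resources. It also refuses to forward a request whose estimate exceeds what the user has left, which is the gateway's half of the remaining-allocation problem the paper raises next. The UsageRecord fields, CPU hours as the consumable, the request_id used to deduplicate reports, and the resource names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed for illustration.  UsageRecord is a minimal stand-in for the
# per-request consumption report the paper wants resources to send back; it is
# not the GGF Usage Record schema, and request_id is an assumed field.


@dataclass(frozen=True)
class UsageRecord:
    request_id: str    # identifier the gateway attached when forwarding the request
    resource: str      # which resource ran it
    cpu_hours: float   # consumption actually measured on completion


@dataclass
class UserShare:
    """A member's slice of the community allocation, tracked by the gateway."""
    allocated: float
    used: float = 0.0
    usage_by_resource: Dict[str, float] = field(default_factory=dict)


class GatewayLedger:
    """Gateway-side accounting: carve the community allocation into per-user
    shares, hold estimates for in-flight requests, and fold completion reports
    from any resource into the user's total."""

    def __init__(self, community_cpu_hours: float) -> None:
        self.community_cpu_hours = community_cpu_hours
        self.shares: Dict[str, UserShare] = {}
        self.pending: Dict[str, Tuple[str, float]] = {}   # request_id -> (user, estimate)
        self.completed: Dict[str, UsageRecord] = {}        # request_id -> report (dedupe)

    def grant(self, user: str, cpu_hours: float) -> None:
        """Give a member a share; shares may not add up to more than the community has."""
        committed = sum(s.allocated for u, s in self.shares.items() if u != user)
        if committed + cpu_hours > self.community_cpu_hours:
            raise ValueError("shares would exceed the community allocation")
        self.shares[user] = UserShare(allocated=cpu_hours)

    def remaining(self, user: str) -> float:
        """Allocation left once both completed and in-flight work are counted."""
        share = self.shares[user]
        in_flight = sum(est for u, est in self.pending.values() if u == user)
        return share.allocated - share.used - in_flight

    def submit(self, user: str, request_id: str, estimated_cpu_hours: float) -> bool:
        """Forward a request only if its estimate fits the user's remaining share."""
        if user not in self.shares or request_id in self.pending or request_id in self.completed:
            return False
        if estimated_cpu_hours > self.remaining(user):
            return False
        self.pending[request_id] = (user, estimated_cpu_hours)
        return True

    def record_completion(self, rec: UsageRecord) -> Optional[str]:
        """Apply a resource's completion report.  Returns the user charged, or None
        when the report is a duplicate or names a request the gateway never sent."""
        if rec.request_id in self.completed or rec.request_id not in self.pending:
            return None
        user, _estimate = self.pending.pop(rec.request_id)
        share = self.shares[user]
        share.used += rec.cpu_hours
        share.usage_by_resource[rec.resource] = (
            share.usage_by_resource.get(rec.resource, 0.0) + rec.cpu_hours)
        self.completed[rec.request_id] = rec
        return user


if __name__ == "__main__":
    ledger = GatewayLedger(community_cpu_hours=100.0)
    ledger.grant("alice", 60.0)
    ledger.grant("bob", 40.0)
    print(ledger.submit("alice", "r1", 30.0), ledger.remaining("alice"))
    print(ledger.record_completion(UsageRecord("r1", "cluster-a", 25.0)), ledger.remaining("alice"))
```

Two details matter for the accounting to be trustworthy: the estimate is reserved at submission time so that two concurrent requests cannot both fit into the same remaining allocation, and reports are keyed by request_id so a resource that resends a record (or sends one for a request the gateway never issued) does not double-charge the user.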
A second issue is that if a user has a small amount of allocation left, the science gateway may want to ensure that a request does not go beyond that allocation. This implies some means of communicating this restriction along with the request to a resource. This is currently an area that requires further work.

4 Other Challenges

We briefly describe a number of open challenges regarding AAAA in science gateways and community accounts.

Standardization of community-resource owner agreements: The community and the resource owners need to agree on a number of issues. A standard template for such agreements would expedite this process. Some issues that need to be agreed on include: what contact information from users will be collected and how often it will be refreshed; how users will be routinely authenticated; what forms of usage by the community and its users will be acceptable; and how (and when) the resource owner can contact the community in the event of suspicious activity or an incident involving the science gateway.

Policies regarding group accounts: Group accounts are often disallowed, often at high levels (e.g. funding agencies), and these policies will often be applied to community accounts. Such policies need to be clarified so as to allow community accounts on the basis that community accounts, through the cooperation of the community, provide the missing audit information which group accounts lack.

Restricted accounts: It is expected that often the gateway will be running a limited range of applications in the community account. The site may use technical means to restrict the account and limit accidental or malicious abuse of the account. Standard mechanisms for doing so should be determined and documented.

Sandboxing of multiple users: One downside to community accounts is that multiple users will not have sandboxing from each other (in terms of processes interacting or protection of data). For many science gateways we expect this will not be an issue because what the users can do will be limited such that these interactions will not be meaningful. However, for some gateways this may be an issue. A possible solution to this would be the exploration of a dynamic account mechanism that creates a new, temporary Unix account for each process invoked by the gateway.

Community administrators: The community needs to configure and maintain applications and data deployed in the community account. This could be done via group membership, allowing a number of users (who have individual logins on the resources) to access data and programs accessible by the community account. A process by which these community administrators can be enabled needs to be experimentally determined and documented.

5 Bibliography

[1] Pearlman, L., Welch, V., Foster, I., Kesselman, C. and Tuecke, S., A Community Authorization Service for Group Collaboration. IEEE 3rd International Workshop on Policies for Distributed Systems and Networks, 2002.
[2] EU DataGrid, VOMS Architecture v
[3] Personal communication with Dennis Gannon.
[4] GGF Usage Records Working Group.
More informationCybersecurity with Automated Certificate and Password Management for Surveillance
Cybersecurity with Automated Certificate and Password Management for Surveillance October 2017 ABSTRACT This reference architecture guide describes the reference architecture of a validated solution to
More informationDesign patterns for data-driven research acceleration
Design patterns for data-driven research acceleration Rachana Ananthakrishnan, Kyle Chard, and Ian Foster The University of Chicago and Argonne National Laboratory Contact: rachana@globus.org Introduction
More informationIntegrating Legacy Authorization Systems into the Grid: A Case Study Leveraging AzMan and ADAM
Integrating Legacy Authorization Systems into the Grid: A Case Study Leveraging AzMan and ADAM Weide Zhang, David Del Vecchio, Glenn Wasson and Marty Humphrey Department of Computer Science, University
More informationGDPR Controls and Netwrix Auditor Mapping
GDPR Controls and Netwrix Auditor Mapping www.netwrix.com Toll-free: 888-638-9749 About GDPR The General Data Protection Regulation (GDPR) is a legal act of the European Parliament and the Council (Regulation
More informationIntroduction and Statement of the Problem
Chapter 1 Introduction and Statement of the Problem 1.1 Introduction Unlike conventional cellular wireless mobile networks that rely on centralized infrastructure to support mobility. An Adhoc network
More informationDIRAC distributed secure framework
Journal of Physics: Conference Series DIRAC distributed secure framework To cite this article: A Casajus et al 2010 J. Phys.: Conf. Ser. 219 042033 View the article online for updates and enhancements.
More informationYour Data and Artificial Intelligence: Wise Athena Security, Privacy and Trust. Wise Athena Security Team
Your Data and Artificial Intelligence: Wise Athena Security, Privacy and Trust Wise Athena Security Team Contents Abstract... 3 Security, privacy and trust... 3 Artificial Intelligence in the cloud and
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationPrivileged Account Security: A Balanced Approach to Securing Unix Environments
Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged
More informationRemote Support Security Provider Integration: RADIUS Server
Remote Support Security Provider Integration: RADIUS Server 2003-2019 BeyondTrust Corporation. All Rights Reserved. BEYONDTRUST, its logo, and JUMP are trademarks of BeyondTrust Corporation. Other trademarks
More informationFederated Incident Response
Federated Incident Response CIC Identity Management TeraGrid Pilot Group Jim Basney (NCSA), Michael Grady (UIUC), Matt Kolb (MSU), Rob Stanfield (Purdue), Keith Wessel (UIUC), Von Welch (Independent) CIC
More informationYubico with Centrify for Mac - Deployment Guide
CENTRIFY DEPLOYMENT GUIDE Yubico with Centrify for Mac - Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component
More informationELIMINATE SECURITY BLIND SPOTS WITH THE VENAFI AGENT
ELIMINATE SECURITY BLIND SPOTS WITH THE VENAFI AGENT less discovery can t find all keys and certificates Key and certificate management is no longer just an IT function. So it cannot be treated the same
More informationUse Cases for Unix & Linux
WHITE PAPER 15 Server Privilege Management PowerBroker for Unix & Linux, PowerBroker Identity Services, and PowerBroker for Sudo Table of Contents Executive Summary... 3 15 Common Use Cases... 4 1. Removing
More informationCloud Under Control. HyTrust Two-Man Rule Solution Brief
HyTrust Two-Man Rule Solution Brief Summary Summary The exposure of extremely confidential national security information by an N.S.A. systems administrator highlighted the catastrophic consequences of
More informationMay 1: Integrity Models
May 1: Integrity Models Biba Clark-Wilson Comparison Trust models May 1, 2017 ECS 235B Spring Quarter 2017 Slide #1 Integrity Overview Requirements Very different than confidentiality policies Biba s models
More informationArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith
ArcGIS Enterprise Security: An Introduction Gregory Ponto & Jeff Smith Agenda ArcGIS Enterprise Security Model Portal for ArcGIS Authentication Authorization Building the Enterprise Encryption Collaboration
More informationIntroduction to Assurance
Introduction to Assurance Overview Why assurance? Trust and assurance Life cycle and assurance April 1, 2015 Slide #1 Overview Trust Problems from lack of assurance Types of assurance Life cycle and assurance
More informationGrid Security Policy
CERN-EDMS-428008 Version 5.7a Page 1 of 9 Joint Security Policy Group Grid Security Policy Date: 10 October 2007 Version: 5.7a Identifier: https://edms.cern.ch/document/428008 Status: Released Author:
More informationChapter 13: Protection. Operating System Concepts Essentials 8 th Edition
Chapter 13: Protection Operating System Concepts Essentials 8 th Edition Silberschatz, Galvin and Gagne 2011 Chapter 13: Protection Goals of Protection Principles of Protection Domain of Protection Access
More informationNIS Standardisation ENISA view
NIS Standardisation ENISA view Dr. Steve Purser Brussels, 19 th September 2017 European Union Agency for Network and Information Security Instruments For Improving Cybersecurity Policy makers have a number
More information5 OAuth EssEntiAls for APi AccEss control layer7.com
5 OAuth Essentials for API Access Control layer7.com 5 OAuth Essentials for API Access Control P.2 Introduction: How a Web Standard Enters the Enterprise OAuth s Roots in the Social Web OAuth puts the
More informationDesign of a Simple, Distributed Network Access Control System
1 Design of a Simple, Distributed Network Access Control System By David Boen, Daniel Dent, Victor Chan, Andrew Tjia Abstract Network access control describes the measures used to control network nodes
More informationHP OO 10.x Network Architecture
Technical white paper HP OO 10.x Network Architecture Table of Contents Overview 2 Advancing to a Scalable Model 2 The Old Model 2 The New Model 3 Configuring the New Model 4 Firewall Configuration 4 Worker
More informationCyberArk Privileged Threat Analytics
CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical
More informationFUJITSU Cloud Service S5. Introduction Guide. Ver. 1.3 FUJITSU AMERICA, INC.
FUJITSU Cloud Service S5 Introduction Guide Ver. 1.3 FUJITSU AMERICA, INC. 1 FUJITSU Cloud Service S5 Introduction Guide Ver. 1.3 Date of publish: September, 2011 All Rights Reserved, Copyright FUJITSU
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 12: Database Security Department of Computer Science and Engineering University at Buffalo 1 Review of Access Control Types We previously studied four types
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationAccess Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.
Access Control CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Access Control Describe the permissions available to computing processes
More informationUSING SAML TO LINK THE GLOBUS TOOLKIT TO THE PERMIS AUTHORISATION INFRASTRUCTURE
USING SAML TO LINK THE GLOBUS TOOLKIT TO THE PERMIS AUTHORISATION INFRASTRUCTURE David Chadwick 1, Sassa Otenko 1, Von Welch 2 1 ISI, University of Salford, Salford, M5 4WT, England. 2 National Center
More information5 OAuth Essentials for API Access Control
5 OAuth Essentials for API Access Control Introduction: How a Web Standard Enters the Enterprise OAuth s Roots in the Social Web OAuth puts the user in control of delegating access to an API. This allows
More informationThe Insider Threat Center: Thwarting the Evil Insider
The Insider Threat Center: Thwarting the Evil Insider The CERT Top 10 List for Winning the Battle Against Insider Threats Randy Trzeciak 14 June 2012 2007-2012 Carnegie Mellon University Notices 2011 Carnegie
More informationDreamFactory Security Guide
DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit
More informationManaging Your Privileged Identities: The Choke Point of Advanced Attacks
Managing Your Privileged Identities: The Choke Point of Advanced Attacks Shirief Nosseir EMEA Alliances Director Identity & API Management Tuesday, 16 May 2017 Agenda Why Privileged Access Management Why
More information