This chapter discusses the need for trust and security in resource sharing. It covers concepts such as authentication, authorisation and single sign-on mechanisms.

Key concepts

  • Single sign-on access to distributed resources
  • Certification Authority (CA) and its problems
  • Shibboleth technologies
  • Portlets for finer grained security of portals – SCAMP, CCP and SPAM-GP ACP

Introduction

Many researchers require environments providing seamless access to and usage of a heterogeneous variety of distributed resources: on-line journals, data repositories and archives, software, large scale high-performance computing facilities (HPC) or indeed support for collaborations between distributed research teams themselves. The internet-age is truly upon us and there are few disciplines where radical IT-driven change in the way research is undertaken has not been felt. The vision of e-Science and the Grid, as part of e-Research, has been to support seamless and transparent access to such heterogeneous resources. Solutions within the e-Science model should support user/research-oriented environments offering seamless single sign-on to a range of research-specific distributed resources. For many disciplines however, trust and security are paramount and many existing models of single sign-on security are inadequate. Instead controlled trust-driven environments are required where sites can remain autonomous and in strict control of their resources through their own discretionary local access and usage policies. In this paper we outline how the UK Access Management Federation, augmented with advanced authorization solutions, supports this model. This UK example can serve as a more general exemplar for other national contexts.

Single sign-on and a centralized certification authority

It is a fact that security is essential for much, if not all, inter-organizational collaborative research. Many disciplines place a higher emphasis on security of resources, e.g. the clinical health domain, but even those disciplines where security is not a primary focus, e.g. the particle physics domain, would be seriously affected by downtime or compromise of HPC facilities that they use.

From a security perspective, the vision of e-Science and the Grid has been to provide single sign-on access to distributed resources, i.e. where a user is able to access multiple resources without the need for multiple, individual authentications (username/password challenges for example). This has been largely tackled in the UK through establishment of a centralized Certification Authority (CA – www.grid-support.ac.uk/ca ). Through recognizing and trusting a CA in associating the identity of a researcher with a particular digital certificate (typically through a local institutional Registration Authority charged with ensuring that the user presents in person their passport or matriculation card as evidence of their identity), single sign-on authentication can be supported. Thus researchers use their X509 certificate (or more often a proxy credential created from that X509 certificate) with a common username given by the distinguished name (DN) associated with that credential and a single (strong) password. Through sites trusting the CA that issued the certificate, the end user is able to access a wide range of resources that recognize that credential without the need for multiple usernames and passwords across those sites. In short, the approach is based upon a model of public key infrastructure (PKI) supporting user authentication.

Source:  OpenStax, Research in a connected world. OpenStax CNX. Nov 22, 2009 Download for free at http://cnx.org/content/col10677/1.12