Advance Security in Federated Cloud

Background

Organizations that provide geospatial data are exploring ways to make their information more accessible. This includes sharing data via cloud infrastructure providers (e.g. Amazon Web Services, Google Cloud, and Microsoft Azure). The National Oceanic and Atmospheric Administration’s (NOAA) Big Data Project is one such example.

Migrating to the Cloud and Securing Data

As they migrate to the cloud, organizations are decomposing their stove-piped monolithic applications into loosely coupled “microservices” that take advantage of the horizontal scaling available in cloud architectures. Data is no longer bound to the application, allowing the information to be explored in new and novel ways.

Freeing the data comes at a cost. The application controls designed to protect information from unauthorized access are lost. Exposing the data via published, well-understood interfaces increases opportunities for bad actors to use the data for malicious purposes. These challenges might be addressed as follows:

Apply a standardized approach to securing geospatial big data: attribute-based attribute control ([ABAC](http://www.ryerson.ca/content/dam/pbdi/Resources/The Importance of ABAC to Big Data 05-2015.pdf)). Using ABAC, attributes assigned to the requesting user are compared against those assigned to the data. The eXtensible Access Control Markup Language (XACML) standard, developed by OASIS, provides an architecture and processing model for implementing ABAC.
Provide situational awareness by performing near real-time analysis on audit data generated by data access services. By monitoring the activity, security personnel can be alerted to malicious activity.
When malicious activity is verified, allow personnel responsible for data to dynamically update security polices to deny access to bad actors. The XACML architecture provides policy lifecycle management capabilities to address this use case.

Challenges Implementing ABAC

Implementing ABAC presents a significant cultural change for organizations. Attribute schemas for both end users and data must be established. This is easier in controlled environments where all end users are known and governance can be enforced. The users and data must then be assigned values for the attribute elements.

In public environments, users may not be known. Tracking these identities is still desirable as the information can provide metrics on who is using the data and how they might better be served. Public identity providers (IDP) (e.g. Facebook, Amazon, and LinkedIn) can identify anonymous users. Onboarding these users presents a challenge. The attributes assigned to users will vary from IDP to IDP. End users may also restrict access to some attributes due to privacy concerns.

Managing Microservices Microservices are managed via API gateways capable of authenticating a client and determining whether that client is authorized to access a requested resource (e.g. web service, cloud service, data, etc). If the client is authorized, an access token will be issued to the calling application. The client application will act on behalf of the user.

The OAuth2 access token provides authorization, but does not natively carry identity information. This can pose a problems for data with fine grain acess control requirements. A Policy Enforcement Point (PEP) may sit behind the API gateway to enforce these policies. It will require the user’s identiy to make authorization decisions. This is further complicated in composed services in which multiple services are called. Each service may have a different values for a given attribute and the values must be aggregated to ensure no service receives data at a higher classification than the lowest cleared service in the chain.

To carry identity, JWT tokens can be included within the OAuth2 token body to carry identity. For composed services, Enterprise Service Buses may be able to track the identities of all services in a chain.

Overview and Motivation

Many organizations that generate geospatial data need to make that data more accessible and share it with other organizations. Examples include a) The National Oceanic and Atmospheric Administration’s (NOAA) Big Data Project, b) International disaster response agencies, and c) the Earth Observation Cloud Thread of TB14. Within each of these projects, multiple organizations need to collaborate, i.e., share data and resources in a secure way.

From an IT perspective, such collaborations can be managed using federation. A federation is a collaboration and security context wherein the participants can agree upon and enforce joint discovery and access policies for the resources (data and services) they wish to share.

To address this need in a general, standardized way, NIST and the IEEE have stood-up the NIST/IEEE Joint WG on Cloud Federation: http://standards.ieee.org/news/2017/intercloud_interoperability_and_federation.html One possibility that will be pursued is to define a standardizable Federation Agent that manages resource discovery and access across different administrative domains, i.e., organizations [1].

TB14 is a unique opportunity to directly address the secure collaboration requirements of a current, specific OGC application by prototyping a Federation Agent, and in addition -- by collaborating with the NIST/IEEE Joint WG -- to promote a standardizable Federation Agent that could be used for collaboration management across many other geospatial application domains.

The ABCs of Federation Management

There are several ways to implement federation management, but they must all accomplish the same goals: federated identity management "on the front end", and federated resource management "on the back end" [3]. Users from different organizations may have different types of identity credentials with differing types of identity and authorization attributes. Federated identity management enables these credentials to be "understood", for example, by mapping them to local attribute types. Tools like SAML redirections to a given Identity Provider can help with this. Once a user's identity is established, which resources from the different federation participants are they allowed to discover and use? This must be decided by a joint discovery policy based on agreed upon federation attributes. Likewise, when a service request is made, the Service Provider must be able to validate the user's credentials (wherever they are from) and make an appropriate access decision. Tools like XACML are relevant here. The major challenge, though, is how to integrate these existing "piece parts" into a coherent, user-facing federation model that is easy and intuitive to use [2].

Proposals for OGC TestBed 14

Identify an OGC TB Sponsor application domain that is inherently distributed and requires secure, distributed collaboration management
Collaborate with the NIST/IEEE Joint WG to define, prototype and evaluate a general Federation Agent
- A draft Federation Agent API is being defined for possible use
Evaluate the federated agent approach for other geospatial application domains
- Support further development and adoption by OGC Sponsors, including government organizations

References

[1] Craig A. Lee. A Design Space Review for General Federation Management Using Keystone. In First IEEE Cloud Federation Management Workshop, UCC 2014, December 2014.

[2] Craig A.Lee. Cloud Federation Management and Beyond: Requirements, Relevant Standards, and Gaps. IEEE Cloud Computing, 3(1):42–49, Jan-Feb 2016.

[3] Craig A. Lee, Marcio Assis, Luiz F. Bittencourt, Stefano Nativi, and Rafael Tolosana-Calasanz. Big Iron, Big Data, and Big Identity. In Advances in Parallel Computing, G. Fox (USA), V. Getov (UK), L. Grandinetti (Italy), G. Joubert (Germany), and T. Sterling (USA), editors, IOS, 2017. To appear.

Please consider Earth System Grid Federation (ESGF) as a pertinent potential federated environement for TB14. It hosts very large distributed and replicated geospatial information (NetCDF, OPEnDAP) as well as a slew of processing services (WPS) in several countries. It enforces strict security policies for its nodes and a continously evolving AuthN/AuthZ service base.

ESGF's main U.S.-based sponsors are DOE, NASA and NOAA. As for Europe, the Infrastructure for European Newtork of Earth System Modelling (IS-ENES) project shares close ties to ESA-led Copernicus. For Canada, I would recommend looking into CANARIE Canadian Access Federation (CAF) and at Compute Canada for its recent initiatives on national platforms.

Tom,

I greatly welcome ESGF’s involvement!

I hope you consider getting engaged in the new, joint WG that NIST and IEEE are standing-up for cloud interoperability and federation that has finally been officially announced: http://standards.ieee.org/news/2017/intercloud_interoperability_and_federation.html NIST will have the charter to “define” federation for the USGov and identify possible and necessary areas of standardization. Specific standardization efforts could then be taken-up by IEEE P2302. The kick-off meeting will be Aug. 31. (Details TBA.) The success of this effort will depend on getting stakeholders from all sectors engaged.

In a very related effort, the Open Research Cloud is endeavoring to define and build federated clouds for scientific collaborations. (This is being honchoed by Khalil Yazdi from Internet2. The web site is just getting stood-up: www.openresearchcloud.org ) They will be having their second congress in September at Science Park in Amsterdam http://www.openresearchcloud.org/orc-events/amsterdam-september-2017/ . Likewise, getting stakeholders from all sectors engaged will be critical.

Let’s keep in touch…

--Craig

Craig,

I will certainly consider participation to the initiatives you mentionned. I might not be able to make it to the events, but I will see how to articulate that into our own plans (more to come on that). In the meantime, please consider attending this year's ESGF Annual Face to Face conference in the first week of December. Right before OGC TB13 demo week.

Also, as stated by @bermud in his background info for this TB14 idea, please refer to me contacts or pointers from Microsoft you might have. I have to insure their presence at ESGF F2F this year, as the Big 3 is invited to share and exchange on Cloud capabilities.

Security in Federated Clouds is not Topic in Testbed-14 task Next Generation OGC Web Services, Federated Clouds, Security & Workflows

opengeospatial / ideas