2,202 research outputs found

    A Secure Task Delegation Model for Workflows

    Workflow management systems provide some of the required technical means to preserve integrity, confidentiality and availability at the control-, data- and task assignment layers of a workflow. We currently observe a move away from predefined strict workflow enforcement approaches towards supporting exceptions which are difficult to foresee when modelling a workflow. One specific approach for exception handling is that of task delegation. The delegation of a task from one principal to another, however, has to be managed and executed in a secure way, in this context implying the presence of a fixed set of delegation events. In this paper, we propose first and foremost, a secure task delegation model within a workflow. The novel part of this model is separating the various aspects of delegation with regards to users, tasks, events and data, portraying them in terms of a multi-layered state machine. We then define delegation scenarios and analyse additional requirements to support secure task delegation over these layers. Moreover, we detail a delegation protocol with a specific focus on the initial negotiation steps between the involved principals.

    SciTokens: Capability-Based Secure Access to Remote Scientific Data

    The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. In this paper, we introduce SciTokens, open source software to help scientists manage their security credentials more reliably and securely. We describe the SciTokens system architecture, design, and implementation addressing use cases from the Laser Interferometer Gravitational-Wave Observatory (LIGO) Scientific Collaboration and the Large Synoptic Survey Telescope (LSST) projects. We also present our integration with widely-used software that supports distributed scientific computing, including HTCondor, CVMFS, and XrootD. SciTokens uses IETF-standard OAuth tokens for capability-based secure access to remote scientific data. The access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems.

    Comment: 8 pages, 6 figures, PEARC '18: Practice and Experience in Advanced Research Computing, July 22-26, 2018, Pittsburgh, PA, US

    Security Mechanisms for Workflows in Service-Oriented Architectures

    The thesis examines how support for security and identity management can be integrated into a workflow management system. Based on a requirements analysis using an example from continuing professional education and a comparison with the state of the art, an architecture for the secure execution of workflows and integration with identity management systems is developed, enabling new applications with improved security and privacy.

    Utilising Provenance to Enhance Social Computation

    Postprint

    Preparing to Preserve: Three Essential Steps to Building Experience with Long-Term Digital Preservation

    Many organizations face complex questions of how to implement affordable and sustainable digital preservation practices. One strategic priority at the University Libraries at the University of Nevada-Las Vegas, United States, is increased focus toward preservation of unique digital assets, whether digitized from physical originals or born digital. A team comprised of experts from multiple functional library departments (including the special collections/archives area and the technology area) was established to help address this priority, and efforts are beginning to translate into operational practice. This work outlines a three-step approach: Partnership, Policy, Pilot taken by one academic research library to strategically build experience utilizing a collaborative team approach. Our experience included the formation of a team, education of all members, and a foundational attitude that decisions would be undertaken as partners rather than competing departments or units. The team’s work included the development of an initial digital preservation policy, helping to distill the organizational priority and values associated with digital preservation. Several pilot projects were initiated and completed, which provided realistic, first-person experience with digital preservation activities, surfaced questions, and set the stage for developing and refining sustainable workflows. This work will highlight key activities in our journey to date, with the hope that experience gained through this effort could be applicable, in whole or part, to other organizations regardless of their size or capacity.