OSiRIS recently finished a 6-month engagement with the Center for Trustworthy Scientific Cyberinfrastructure (CTSC), which is featured on the CTSC Blog. The 2016-2017 CTSC-OSiRIS collaborative design review of OSiRIS Access Assertions produced a set of security recommendations, documented in this report, that the OSiRIS project plans to implement in its deployed cyberinfrastructure. CTSC identified no significant weaknesses in its review of the initial design of the OSiRIS access control system.
From our perspective, the CTSC staff was helpful in ensuring that we had a well-planned and secure design for OAA. The engagement process was extremely valuable and we extend our thanks to CTSC!
What follows are some brief excerpts from the summary sections of the report:
After initial discussions with CTSC staff, representatives of the MI-OSiRIS project submitted a CTSC engagement application in June 2016. From August to October 2016, CTSC and OSiRIS staff developed the engagement plan, with the goal of conducting a joint design review of the OSiRIS Access Assertion (OAA) system. CTSC staff conducted the engagement from October 2016 to March 2017 via a series of hour-long phone calls with OSiRIS staff to discuss and review the OAA design. The report documents the outcomes of those discussions.
OAA design documents were the primary source materials used in the review. At the time of the review, the OAA system was in an early design and implementation phase, giving the group the opportunity to consider a variety of design options and give input to design decisions, in contrast to an after-the-fact security evaluation of an implemented system.
The engagement team discussed two categories of use cases for the OSiRIS system: 1) distributed access to scientific data using Ceph and 2) network discovery, monitoring, and management using perfSONAR for reliable and high-performance use of Ceph across the network. The former target science users, and the latter target network engineers. The OSiRIS design includes a common authentication and authorization mechanism across these use cases, supporting federated campus authentication via Internet2’s InCommon service and group-based access control (with delegated sub-groups) using Internet2’s COmanage software.