The OpenStack Summit, November 5-8, 2013 brings together the brightest technical minds to discuss the future of cloud computing. With OpenStack software quickly gaining adoption around the world, the Summit will feature case studies, visionary keynotes, hands-on workshops and technical sessions for cloud operators and developers. Register NOW.
Back To Schedule
Friday, November 8 • 9:00am - 9:40am
The Virtual Organization Concept for Authorization Management in Federated Clouds

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Many organizations across academia, industry and government need to securely share data and services with partners to accomplish common goals. “Big Science”, such as high-energy physics, requires access to unique scientific instruments by collaborative research teams across the globe. Digital film production can require the collaboration of many independent production houses for different special effects to produce a final feature. Many sovereign governments have issued mandates for their agencies to adopt cloud computing, which in turn must interact with citizens, industry and other governments. The requirement these use cases have in common is to selectively authorize particular individuals and roles from different organizations that collectively constitute what can be called a virtual organization.

In the NIST cloud definition, the concept of a community cloud was intended to capture this requirement. However, what a community cloud really represents, and requires, is secure cloud federation. Cloud federation begins with federated identity management -- enabling different cloud providers to authenticate users from different organizations that rely on different identity providers. An approach for federated identity management in OpenStack has already been implemented and proposed by the University of Kent. Once identity has been established, however, how can authorization to resources across multiple, federated cloud providers be managed in a secure way, given that only subsets of users from each identity provider need to be selectively authorized to use the protected resources?

In this talk, we present the Virtual Organization (VO) concept for managing federated authorization. We will begin by presenting the current status of the Kent work, and how it can directly support VO-based authorization. A VO is essentially a context for managing security and collaboration across multiple institutions. It is used to manage group membership that is not tied to any one institution. We will present the basic VO concepts and also discuss a number of design issues and implementation options: (a) the use of an external VO management server vs. a distributed database, (b) managing cloud federation at the infrastructure level (resources on-demand) vs. federation at the application level (access to cloud-hosted application data and services, (c) role-based vs. attribute-based authorization, and (d) semantic interoperabililty. We also present results from a prototype VO implementation in the OpenStack Keystone and Swift services for the NCOIC/NGA GEOINT Community Cloud prototype
for international disaster response. This prototype demonstrated how international stakeholders can securely share cloud-hosted data, on-demand, to respond to a natural disaster, such as a Haiti earthquake. (NOTE: This prototype is on-track for final demonstration in September 2013 in the Washington DC area.)

The goals of this presentation are to (a) present the design space and implementation options for VOs in cloud federation, (b) gauge marketplace requirements, and (c) galvanize further work in the OpenStack community towards practical solutions.

avatar for David Chadwick

David Chadwick

Professor, University of Kent
Professor of Information Systems Security Publications My publications are available from the University of Kent's Academic Repository. Research Interests I belong to the following research groups: Programming Languages and Systems Group Security Group Future Computing Group My O... Read More →
avatar for Craig Lee

Craig Lee

Senior Scientist, Aerospace Corporation
Dr. Craig A. Lee is a Senior Scientist in the Computer Systems Research Department of the AerospaceCorporation. He has worked in high-performance parallel and distributed computing for the last thirtyyears. This work has led to Dr. Lee's involvement in the Open Grid Forum (OGF) where... Read More →

Friday November 8, 2013 9:00am - 9:40am HKT
Expo Breakout Room 1 AsiaWorld-Expo

Attendees (0)