Securing HPC using Federated Authentication

Federated authentication can drastically reduce the overhead of basic account maintenance while simultaneously improving overall system security. Integrating with the user’s more frequently used account at their primary organization both provides a better experience to the end user and makes account compromise or changes in affiliation more likely to be noticed and acted upon. Additionally, with many organizations transitioning to multi-factor authentication for all account access, the ability to leverage external federated identity management systems provides the benefit of their efforts without the additional overhead of separately implementing a distinct multi-factor authentication process. This paper describes our experiences and the lessons we learned by enabling federated authentication with the U.S. Government PKI and InCommon Federation, scaling it up to the user base of a production HPC system, and the motivations behind those choices. We have received only positive feedback from our users.
