Feature - The security-accessibility tug-o-war

Rajasthani women take part in tug of war game at Pushkar fair, in India's desert state of Rajasthan. Image courtesy of Sumith Meher, CC BY-SA 2.0.

In the tug-o-war between security and ease of use, priorities can vary widely. But if there is a sweet spot, Mine Altunay is going to find it.

“We’re trying to understand how we can provide end-to-end infrastructure that is secure enough but easy enough to use,” said Altunay, who is Open Science Grid’s security officer.

Altunay began the process by running a joint OSG-ESnet workshop on identity management last November, where they sought input from users and a small number of resource providers.

“We wanted to touch bases with our user community and we wanted to understand how this process is working for the end user,” Altunay explained.

What they found is that the current process is too complicated and time consuming for end users. In order to sign into OSG, users must acquire a digital certificate, and according to Altunay, that process can take between two and five days. One biology-focused virtual organization, SBGrid, told Altunay that they are losing new users at a high rate each week because registration is an eight step process. Three steps, they told her, would be much more reasonable.

Since then, Altunay has been working with the SBGrid team to shorten the process. They were able to replace an especially cumbersome step with an automated application that does the job for the user invisibly.

“For the end-users, security is not a concern; they’d much rather make it a lot simpler,” Altunay said. But that could be a problem, as users are not the only stakeholders.

A whiteboard records the brainstorming results of a session at the workshop organized by ESnet and OSG. Click here to download the document in which it appears. Image courtesy of Mine Altunay, Mike Helm, and Doug Olson.

“OSG is a bridge between the users and the resource providers,” Altunay explained. But, she adds, if the system is not secure enough to meet the resource providers' needs, they have no obligation to provide their resources.

The problem is further complicated by the fact that not all the resource providers require the same level of security. Some may be quite happy with a more lightweight identity mechanism, but not all. Likewise, user security needs can be quite diverse. Some of the virtual organizations need a higher level of security and assurance.

Altunay also points out that lightweight does not always mean less secure. "There are a lot of people who are wary of lightweight systems because they perceive them as less secure," she said.

“We knew that we needed to review things; we can just tell by talking to our users in unofficial conversations,” Altunay said. “Now our response is to work on a solution.”

To that end, Altunay is investigating how OSG could leverage existing technologies and adapt them for the grid. Some of these technologies are from Europe; others are home-grown products. Some may not be designed for use on a grid – these sorts of issues are not, after all, unique to grid computing.

Federated solutions that allow a user to use one credential in several different organizations, all of which are members of the same federation – such as a university ID – are also on the table.

The assessment remains a work in progress. “We don’t have a timeline, we are just experimenting. We are at the stage of developing plans for different infrastructure, different identity management services,” Altunay said. “We’re not ruling out anything yet. We know one size does not fit all, and different users and resources will have different needs. But we are certain that we’re not going to make it more complex.”