News Stay informed about the latest enterprise technology news and product updates.

Helix Nebula cloud security hinges on federated identity management

CERN and the Cloud Security Alliance explain how federated identity management protects Helix Nebula, a European cloud platform that's running applications for such research projects as the Large Hadron Collider.

When you're building a multi-national cloud computing platform that involves some of the leading scientific research organizations in Europe, more than a dozen commercial partners and numerous data centers across the globe, federated identity management becomes a crucial pillar.

That's one of the key lessons learned from the Helix Nebula project, also known as the "Science Cloud." The ambitious cloud computing project was first announced in March 2012 by the European Council for Nuclear Research (CERN), the European Space Agency, and the European Molecular Biology Laboratory.

The three scientific groups teamed up with several technology companies including Atos SE, CapGemini SA, T-Systems International GmbH and SAP AG, as well as industry consortiums such as the Cloud Security Alliance (CSA) and the European Grid Infrastructure. Within just a few months, the partnership had Helix Nebula up and running and successfully moved part of a major research project for CERN's Large Hadron Collider (LHC) to the cloud.

Specifically, CERN migrated the flagship application of its Atlas experiment, which helped discover the Higgs boson particle or "God particle" in the summer of 2012, to the Helix Nebula cloud. The application, which runs complex simulations, has "massive computing power requirements," said Bob Jones of CERN's IT department head office, and represented a major proof-of-concept for the cloud platform.

But with more than 20 organizations involved in Helix Nebula, not to mention a vast number of experiments and research projects, building a proper security architecture was also key. And because of the sheer volume of the cloud platform and number of parties involved, identity and access management was at the top of the priority list.

Federated identity: Passport to cloud security

The CSA was a founding partner of the Helix Nebula project and was initially focused on providing a comprehensive security review of the cloud platform as well as the participating cloud provider partners.

"The role of the CSA was to push best practices for cloud security, particularly around federated identity management," said Jesus Luna, the CSA's director of research in Europe.

But before figuring out which organizations and research teams would have permission to access certain parts of the Helix Nebula cloud, the partners had to address each individual cloud provider's security systems. Jones said that was a major step before CERN could complete the Atlas experiment migration to the cloud.

"We did the Atlas conversion in two steps," Jones said. "First we worked with the independent business partners like Atos and T-Systems and performed individual [cloud] deployments with them. That was a complex process because we had to integrate with all the different hypervisors. Then there was the question of security and the firewalls at each of the data centers -- could we move in and out of them easily?"

Luckily, CERN had experience operating in a large computing network with numerous partners. In 2006, CERN launched a collaborative project called the Worldwide LHC Computing Grid, which as the name suggests is a grid-based computer network spanning more than 35 countries and dozens of universities and research institutions.

"We have a large global network of about 170 data centers around the world that are all participating in the processing and storage of LHC data," Jones said.

We're all interested in how we can increase the computing capacity that we have.
Bob JonesCERN's IT department head office

The LHC Computing Grid uses a federated identity management system based on X.509 certificates. "It's like an electronic passport," he said. "Members can get access to the grid and once they're in, then you have to have to navigate through all the different organizations and experiments and research, which have their own permissions and authorization levels."

But even with 170 data centers behind the LCH Computing Grid, CERN was still hungry for more computing power. Jones said CERN "very much appreciates the grid model," but the organization began to look at a cloud computing several years ago with OpenStack's open source cloud software running in its two data centers.

"We're big participants in OpenStack," Jones said. "We started looking at the cloud with other science agencies and organizations," Jones said. "We're all interested in how we can increase the computing capacity that we have."

Following in the footsteps of the LHC Computing Grid, the Helix Nebula project employed a similar system based on X.509. Relying on Helix Nebula partners such as infrastructure as a service (IaaS) provider CloudSigma AG, the project built a federated identity architecture with single sign-on and X.509 certificates to allow global members a simple but secure method to access the cloud.

"Global federated identities have proven to be very useful in other cases," Luna said, citing Google's universal IDs as an example.

But the federated identity architecture was just the first step for the security strategy. CERN and other Helix Nebula partners also had to decide what was permissible for the cloud and what was off limits.

Compute power vs. data management

While CERN moved its Atlas experiment application to the Helix Nebula cloud, the organization limited the use of the cloud to strict parameters. Specifically, CERN felt that, at least in the early stages of the project, it was best to use the cloud for raw CPU power rather that storing precious data. So the Atlas simulation was moved to the cloud to harness the extra CPU power afforded by the Helix Nebula.

"We were basically using the cloud as a data cache," Jones said.

And CERN has big data, to boot. In total, the LHC project produced more than 25 petabytes (PB) of data in 2013 alone, Jones said -- and that's just one project for one of the three scientific research organizations involved with Helix Nebula.

"For various reasons, we're not trying to store that 25 PB of data with the commercial cloud providers," Jones said. "But now we're looking at bigger data management needs."

To that end, CERN is working on a new, advanced federated identity management system that's designed for cloud providers supporting both Helix Nebula cloud and the LHC Computing Grid.  Jones said the FIM system is currently in production and that CERN hopes to have the system in place by 2016.

In the meantime, Jones said, CERN will be busy fending off a steady flow of complex cyberattacks directed at both the organization and the Helix Nebula cloud. Given the high-profile nature of the LHC as well as CERN's roots in the creation of the World Wide Web, the organization is a compelling mark for hackers.

"We're under constant attack," Jones said. "We have a dedicated security group at CERN that handles all attacks, although I can't go into details about what they do or the nature of the attacks. But it's a big concern as CERN is obviously a big name and a big target."

Since CERN and other scientific groups are limiting much of their Helix Nebula use to running applications rather than storing data, there's less concern about vital research data being stolen or leaked. The bigger concern, Jones said, is someone gaining access to the raw computing power of either the Helix Nebula or Worldwide LHC Computing Grid and misusing it -- especially to launch a massive distributed denial-of-service (DDoS) attack.

"If someone were to impersonate one of [the providers or partners] and launch an attack with that kind of scale," Jones said, "it would be devastating."

The Helix Nebula Marketplace

While the fears of cyberattacks are top of mind for Helix Nebula participants, it hasn't stopped the project participants from building off of the early success of the science cloud. In May, several of the European cloud providers behind Helix Nebula, including Atos, T-Systems, and CGI Group, announced the Helix Nebula Marketplace (HNX).

The new marketplace essentially opens up the Helix Nebula cloud to other organizations -- both public and commercial -- across the globe through a cloud broker model. HNX, which is operated by Montreal-based IT integrator CGI, will deliver commercial clouds services, fully compliant with European Union regulations, from within the Helix Nebula Cloud. In addition to new customers, HNX also invited new cloud providers to join the Helix Nebula Cloud.

As with the initial Helix Nebula cloud deployment, federated identity took center stage for HNX, Luna said. "The first problem you're going to see in this kind of marketplace is, how do I authenticate each customer or provider?" he said.

But because the cloud was on the verge of growing even larger with more potential providers and customers with the HNX cloud brokerage model, the Helix Nebula cloud partners created a new system -- a "blue box" software layer -- that sits between the cloud providers and customers to handle the coordination and offer different service oriented features like provisioning, configuration, and of course, identity management.

"One size does not fit all when it comes to cloud services," Luna said. "Each provider has different kinds of functionality and features, and each user has different specifications for the type of service they want. But security, and particularly identity management, is must."

Luna said that after working on the Helix Nebula cloud marketplace, the CSA has a new group that focuses specifically on the cloud broker model and how to best secure it with new IAM and FIM technology.

"That was a direct outgrowth of the Helix Nebula marketplace," Luna said.

But beyond identity management, Luna said there are additional security concerns for HNX and other cloud brokerages as they grow larger and more complex. First, he said, is managing service-level agreements between the brokers, cloud providers and third-party security firms to provide the proper security assurance to customers. And second and perhaps more important is the question of liability.

"How do to you manage liability and share responsibility between the brokers and cloud providers? That's a big question going forward," Luna said.

As with the initial Helix Nebula cloud deployment, the CSA will spend much of its time with HNX offering best practices for cloud security to new providers joining the marketplace. Those best practices include promoting the CSA's own standards bodies such as the Cloud Controls Matrix. Luna said not every cloud provider involved in HNX has adopted the full Cloud Controls Matrix -- mostly because the providers include a wide range services, sizes, maturity and functionality -- but many have adopted at least some part of the standards.

Jones said as the Helix Nebula and HNX grow larger, cloud certification and standardization will become even more crucial -- not only for the technology itself, but also for international regulatory and compliance laws pertaining to security and data management.

"I think there's a definite need for further certifications and standardizations for cloud," Jones said. "I'm very optimistic about the innovation. There are so many startups with lots of great ideas and compelling technology, especially around cloud security, but standardization is a key issue that needs to be addressed."

Next Steps

Formulating and managing online identity and access control

Using IAM tools to improve compliance

IBM ups cloud offering with Lighthouse acquisition

Dig Deeper on Cloud Security Services: Cloud-Based Vulnerability Scanning and Antivirus

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Does your organization use federated identity management for cloud services?
If everything stays secure here, it could go a long way toward increasing confidence in the cloud.