Federated Single Sign-On and Zero Trust Co-design for AI and HPC Digital Research Infrastructures

Sadaf R. Alam, Christopher Woods, Matt Williams, Dave Moore, Isaac Prior, Ethan Williams, Anna Price, James Womack, Simon McIntosh-Smith, Fan Yang-Turner, Matt Pryor, Ilja Livenson

TL;DR

This paper presents an implementation of a federated IAM solution, coupled with multiple layers of security controls, multi-factor authentication, cloud-native protocols, and time-limited role-based access controls, that has been co-designed and deployed for the Isambard-AI and HPC supercomputing Digital Research Infrastructures in the UK.

Abstract

Scientific workflows have become highly heterogeneous, leveraging distributed facilities such as High Performance Computing (HPC), Artificial Intelligence (AI), Machine Learning (ML), scientific instruments (data-driven pipelines) and edge computing. As a result, Identity and Access Management (IAM) and cybersecurity challenges across the diverse hardware and software stacks are growing. Nevertheless, scientific productivity relies on lowering access barriers via seamless single sign-on (SSO) and federated login while ensuring access controls and compliance. We present an implementation of a federated IAM solution, coupled with multiple layers of security controls, multi-factor authentication, cloud-native protocols, and time-limited role-based access controls (RBAC), that has been co-designed and deployed for the Isambard-AI and HPC supercomputing Digital Research Infrastructures (DRIs) in the UK. As a national research resource, the Isambard DRIs are expected to comply with regulatory frameworks. Implementation details for monitoring, alerting and controls are outlined in the paper, alongside selected user stories demonstrating IAM workflows for different roles.

Paper Structure

This paper contains 20 sections and 2 figures.

Figures (2)

  • Figure 1: Implementation details of federated SSO and ZTA for the Isambard DRIs, showing the different domains (MDCs, SWS, FDS and SEC), the different zones (Access, HPC and Management) and their segmentation, technical and tooling details, and workflows for user roles (project owners or PIs and researchers) and for the different administrator roles. RBAC is not global and is managed per service; access is controlled on a per-session basis.
  • Figure 2: Login page for the Isambard services. Users choose their identity provider, which for most researchers would be "University Login (MyAccessID)". The page also links to the privacy policy, a route to get help with logins, and ways of contacting the technical team.