Security Concept and Implementation for a Cloud Based E-science Infrastructure

2012 
In this paper we present a novel Kerberos-based security concept for heterogeneous distributed e-Science infrastructures. The e-Science infrastructure we have recently developed is currently being tested by the breath gas analysis community, whose activities are based on large-scale collaborations. In many e-Science domains, person-related data (e.g. patient data) is involved, and therefore privacy and security are very important. Several publications have stated that it is straightforward to add additional security to an existing infrastructure by means of Kerberos. Our experience shows that this is not really true; in our e-Science infrastructure we discovered the following key problems: (a) forwarding Kerberos tickets and (b) using Kerberos within a cloud infrastructure. This paper addresses exactly these challenges. The central aspect of the security concept presented is the authentication of the user down to the lowest level (e.g. the database) and not only to the first level of the e-Science services. We have to consider that our infrastructure involves several research centers, each with its own private scientific data. The designed security concept was implemented and tested with a cloud-based code execution framework that can concurrently execute problem solving environment codes (e.g. MATLAB, R, Octave). The resulting system supports EC2-compatible cloud infrastructures (e.g. AWS, Eucalyptus), enabling them to be combined to build a hybrid cloud. This paper describes several challenges and their solutions, including how to (a) use client authentication through all levels of the system, (b) guarantee secured execution of time-consuming cloud-based analysis, and (c) inject security credentials into dynamically created VM instances.