Identity Federation in Cloud Computing

Valentina Casola, Dipartimento di Informatica e Sistemistica, Università degli Studi di Napoli Federico II, casolav@unina.it
Massimiliano Rak, Dipartimento di Ingegneria dell'Informazione, Seconda Università di Napoli, massimiliano.rak@unina2.it
Umberto Villano, Dipartimento di Ingegneria, Università del Sannio, villano@unisannio.it

Abstract—Both cloud and GRID are computing paradigms for the large-scale management of distributed resources. Even if the first is usually oriented to transaction-based applications, and the latter to High Performance Computation, there is a lot of interest in their integration. This is typically obtained through the Infrastructure-as-a-Service cloud model, which is exploited in the GRID context to offer machines with full administration rights to users. In this paper the focus is on the security problems linked to the integration of cloud and GRID computing. The adoption of identity federation between different security domains is proposed to manage the relationship between the user machines and the standard GRID infrastructure. This solution is evaluated within PerfCloud, a cloud implementation that exploits an underlying GRID platform.

I. INTRODUCTION

According to the definition by NIST, cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service), three service models (IaaS, PaaS, AaaS), and four deployment models (Private, Community, Public, Hybrid) [1]. It can rely on a very high number of different technologies, and has an incredibly large set of possible use cases [2].

In this paper the focus will be on the security problems linked to the integration of cloud computing and GRID computing. The latter is a computing paradigm partially similar to cloud computing, whose most relevant implementations, Globus [3] and gLite [4], are widely used in the scientific community. As computing GRIDs enable access to high performance distributed resources in a simple and standard way, they are widely exploited in the e-science world for high performance computing tasks.

As mentioned above, GRIDs and clouds have many points in common, not to mention the use of similar underlying technologies. However, they are typically exploited for different purposes by different classes of users. In short, clouds are for users that are willing to buy computing resources to get their results as soon as possible. On the other hand, GRID users wish to exploit the optimum number of resources that solve the problem, overcoming the boundaries of a single enterprise. In fact, the two technologies complement each other gracefully, and currently their integration is actively investigated. At the state of the art, the two principal approaches are the following:

• GRID-on-Cloud: a cloud IaaS (Infrastructure as a Service) approach is exploited to build up and to manage a flexible GRID system [5]. As the GRID middleware runs on cloud-managed virtual machines, the main drawback of this approach is performance. Virtualization inevitably entails performance losses as compared to the direct use of physical resources.

• Cloud-on-GRID: the well-known and stable GRID infrastructure is exploited to build up a cloud environment. This is usually the preferred solution [6], because the cloud approach mitigates the inherent complexity of the GRID. The use of Globus workspaces [6], along with a set of GRID services for the Globus Toolkit 4, is the prominent solution, as in the Nimbus project [7].

The cloud-on-GRID approach has gained large interest in the scientific community, as it helps to manage some of the most common problems with parallel programming: the incredible variety of different software packages (and software versions), configurations, operating systems and hardware layers that often have to coexist, but are not mutually compatible. Thanks to the adoption of clouds, and their underlying virtualization techniques [8], [9], [10], it is possible to provide GRID users and parallel application developers with a "clean" environment, freely and completely customizable. Current cloud-on-GRID systems [7], [11], [12] offer services to manage (create, destroy, modify, ...) virtual clusters (i.e., clusters composed of virtual computing resources) on the underlying GRID infrastructure.

In a "pure" cloud-on-GRID system, the virtualized environments assigned to users are mutually isolated, and do not know of each other. Given two scientific communities working on different, but related problems, the users of each group have access to a freely-customizable computing platform, but cannot invoke the software services developed by the other group. Even if their computing environments exploit physically the same GRID, they are not interopera-