Self-paced-training tutorial: Chapter 6: Security

examples/tutorials/self-paced-training/part-2_federated_learning_system/chapter-3_federated_computing_platform/03.1_federated_computing_architecture/system_architecture.ipynb

@@ -85,12 +85,16 @@
     "From top to bottom, FCI has the following layers:\n",
     "\n",
     "* **API Layer**: This is the API exposed to application developers, like Communicator and Cellnet.\n",
+    "\n",
     "* **Streamable Framed Message (SFM)**: This is the core of FCI and it provides abstraction on top of different communication protocols. It manages endpoints and connections.\n",
+    "\n",
     "* **Transport Drivers**: This layer is responsible for sending frames to other endpoints. It treats the frame as opaque bytes.\n",
+    "One can use one of driver out of box such as gRPC, TCP, HTTP/Websocket. One can also develop custom driver for alternative protocols. Switch driver will not affect the application layers \n",
     "\n",
     "<img src=\"./fci.png\" alt=\"FLARE Communication Interface\" width=\"300\" height=\"400\">\n",
     "\n",
-    "## Federated Computing Architecture\n",
+    "\n",
+    "## Federated Job Processing Architecture\n",
     "\n",
     "There are two parent control processes with corresponding job processes on each site. This enables support of concurrent, multi-job processes.\n",
     "\n",

examples/tutorials/self-paced-training/part-3_security_and_privacy/chapter-6_Security_in_federated_compute_system/06.0_introduction/introduction.ipynb

@@ -1,11 +1,56 @@
 {
  "cells": [
   {
-   "cell_type": "code",
-   "execution_count": null,
+   "cell_type": "markdown",
    "id": "ceca45d8-437c-44ae-8ed9-7a784983731f",
    "metadata": {},
-   "outputs": [],
+   "source": [
+    "\n",
+    "## **Security in NVIDIA FLARE Federated Computing Systems**  \n",
+    "\n",
+    "Federated Computing System requires robust security mechanisms to ensure that only legitimate and trusted participants contribute, while also protecting communication channels and enforcing authorization policies. Below are the critical security components of an FL system.  \n",
+    "\n",
+    "This area is concerned with these two trust issues:\n",
+    "\n",
+    "* **Authentication**\n",
+    "\n",
+    "ensures communicating parties have enough confidence about each other’s identities: everyone is who they claim to be.\n",
+    "\n",
+    "* **Authorization** \n",
+    "\n",
+    "ensures that the user can only do what he/she is authorized to do.\n",
+    "\n",
+    "Due to the distributed nature of federated computing system, additional authentications and authorization are needed for each participate organizations. \n",
+    "\n",
+    "You can find out how NVIDIA FLARE instrumented these via event-based Federated Authentication and authorization\n",
+    "\n",
+    "* **Privacy Protection**: \n",
+    "\n",
+    "another aspect of security is privacy protection. We have introduced different privacy enhancement technologies (PETs) in [Chapter 5](../../chapter-5_Privacy_In_Federated_Learning/05.0_introduction/introduction.ipynb), here ware going to explore what's privacy protection mechanism at the organization level. \n",
+    "\n",
+    "* **Trust-based security** \n",
+    "\n",
+    "Trust-based mechanism will adding another layer of protection to the security mechansim\n",
+    "leveraging confidential computing's VM-based trust execution environment (TEE), NVIDIA FLARE will enable end-to-end confidential federated AI. We will brief touch on it in this chapter. The details will be added in the future. \n",
+    "\n",
+    "\n",
+    "* **Communication Security**\n",
+    "\n",
+    "Use of Secure Protocols – TLS for secure transmission. FLARE support both mutual TLS (mTLS) as well normal TLS with signed message \n",
+    "\n",
+    "\n",
+    "\n",
+    "\n",
+    "\n",
+    "\n",
+    "\n",
+    "\n"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "c7a65a24",
+   "metadata": {},
    "source": []
   }
  ],

examples/tutorials/self-paced-training/part-3_security_and_privacy/chapter-6_Security_in_federated_compute_system/06.1_security_architecture/Seurity_architecture.ipynb

@@ -1,11 +1,102 @@
 {
  "cells": [
   {
-   "cell_type": "code",
-   "execution_count": null,
+   "cell_type": "markdown",
    "id": "c563b1cd-2176-4198-96a7-52b096b0b656",
    "metadata": {},
-   "outputs": [],
+   "source": [
+    "# NVIDIA FLARE Security Architecture\n",
+    "\n",
+    "NVFLARE is an application running in the IT environment of each participating site. The total security of this application is the combination of the security measures implemented in this application and the security measures of the site’s IT infrastructure.\n",
+    "\n",
+    "NVFLARE implements security measures in the following areas:\n",
+    "\n",
+    "* **Identity Security**: the authentication and authorization of communicating parties\n",
+    "\n",
+    "* **Site Policy Management**: the policies for resource management, authorization, and privacy protection defined by each site\n",
+    "\n",
+    "* **Communication Security**: the confidentiality of data communication messages\n",
+    "\n",
+    "* **Message Serialization**: techniques for ensuring safe serialization/deserialization process between communicating parties\n",
+    "\n",
+    "* **Data Privacy Protection**: techniques for preventing local data from being leaked and/or reverse-engineered\n",
+    "\n",
+    "* **Auditing**: techniques for keeping audit trails to record events (e.g. commands issued by users, learning/training related events that can be analyzed to understand the final results)\n",
+    "\n",
+    "All other security concerns must be handled by the site’s IT security infrastructure. These include, but are not limited to:\n",
+    "\n",
+    "Physical security\n",
+    "\n",
+    "Firewall policies\n",
+    "\n",
+    "Data management policies: storage, retention, cleaning, distribution, access, etc.\n",
+    "\n",
+    "Security Trust Boundary and Balance of Risk and Usability\n",
+    "\n",
+    "The security framework does not operate in vacuum; we assume that physical security is already in place for all participating server and client machines. TLS provides the authentication mechanism within the trusted environments.\n",
+    "\n",
+    "\n",
+    "--- \n",
+    "\n",
+    "## Terminologies and Roles\n",
+    "\n",
+    "### Terminologies\n",
+    "NVIDIA FLARE uses the following terminologies, let's define them here: \n",
+    "\n",
+    "* Project -- A federated learning study with identified participants.\n",
+    "* Org -- An organization that participates in the study.\n",
+    "* Site -- The computing system that runs NVFLARE application as part of the study. There are two kinds of sites: Server and Clients. Each site belongs to an organization.\n",
+    "* FL Server -- An application running on a Server site responsible for client coordination based on federation workflows. \n",
+    "* FL Client -- An application running on a client site that responds to Server’s task assignments and performs learning actions based on its local data.\n",
+    "* User -- A human that participates in the FL project.\n",
+    "\n",
+    "### Roles\n",
+    "\n",
+    "A role defines a type of users that have certain privileges of system operations. Each user is assigned a role in the project. There are four defined roles: Project Admin, Org Admin, Lead Researcher, and Member Researcher.\n",
+    "\n",
+    "* Project Admin Role -- The Project Admin is responsible for provisioning the participants and coordinating personnel from all sites for the project. There is only one Project Admin for each project.\n",
+    "\n",
+    "* Org Admin Role -- This role is responsible for the management of the sites of his/her organization.\n",
+    "\n",
+    "* Lead Researcher Role -- This role can be configured for increased privileges for an organization for a scientist who works with other researchers to ensure the success of the project.\n",
+    "\n",
+    "* Member Researcher Role -- This role can be configured for another level of privileges a scientist who works with the Lead Researcher to make sure his/her site is properly prepared for the project.\n",
+    "\n",
+    "* FLARE Console -- A console application running on a user’s machine that allows the user to perform NVFLARE system operations with a command line interface.\n",
+    "\n",
+    "Now let's dive into identity security, autentication and authorization [here](../06.2_authentication_and_authorization/site_specific_authentication_and_authorization.ipynb)\n",
+    "\n",
+    "\n",
+    "\n",
+    "## Identity Security\n",
+    "\n",
+    "   see [here](../06.2_identity_security/identity_security.ipynb) for NVFLARE’s authentication model\n",
+    "\n",
+    "## Federated Policy\n",
+    "\n",
+    "  see [here](../06.3_site_security_privacy_policy/site_policy.ipynb) for site-specific security and privacy polcies provided by NVIDIA FLARE\n",
+    "  \n",
+    "## Customized Security Plugins\n",
+    "\n",
+    "  see [here](../06.4_customized_site_security/customized_site_security.ipynb) for site-specific customized security integration\n",
+    "\n",
+    "## Communication Security\n",
+    "\n",
+    "  see [here](../06.5_communition_security/communication_security.ipynb) for communication security & configuration\n",
+    "\n",
+    "## Message Serialization\n",
+    "    todo \n",
+    "\n",
+    "## Auditing\n",
+    "\n",
+    "\n",
+    "\n"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "622581aa",
+   "metadata": {},
    "source": []
   }
  ],