# NVIDIA FLARE Security Architecture

NVFLARE is an application running in the IT environment of each participating site. The total security of this application is the combination of the security measures implemented in this application and the security measures of the site’s IT infrastructure.

NVFLARE implements security measures in the following areas:

* **Identity Security**: the authentication and authorization of communicating parties

* **Site Policy Management**: the policies for resource management, authorization, and privacy protection defined by each site

* **Communication Security**: the confidentiality of data communication messages

* **Message Serialization**: techniques for ensuring a safe serialization/deserialization process between communicating parties

* **Data Privacy Protection**: techniques for preventing local data from being leaked and/or reverse-engineered

* **Auditing**: techniques for keeping audit trails to record events (e.g. commands issued by users, learning/training related events that can be analyzed to understand the final results)

All other security concerns must be handled by the site’s IT security infrastructure. These include, but are not limited to:

* Physical security

* Firewall policies

* Data management policies: storage, retention, cleaning, distribution, access, etc.

## Security Trust Boundary and Balance of Risk and Usability

The security framework does not operate in a vacuum; we assume that physical security is already in place for all participating server and client machines. TLS provides the authentication mechanism within the trusted environments.


--- 

## Terminologies and Roles

### Terminologies
NVIDIA FLARE uses the following terminology:

* Project -- A federated learning study with identified participants.
* Org -- An organization that participates in the study.
* Site -- The computing system that runs the NVFLARE application as part of the study. There are two kinds of sites: Server and Clients. Each site belongs to an organization.
* FL Server -- An application running on a Server site responsible for client coordination based on federation workflows.
* FL Client -- An application running on a client site that responds to the Server’s task assignments and performs learning actions based on its local data.
* User -- A human that participates in the FL project.

### Roles

A role defines a type of user that has certain privileges for system operations. Each user is assigned a role in the project. There are four defined roles: Project Admin, Org Admin, Lead Researcher, and Member Researcher.

* Project Admin Role -- The Project Admin is responsible for provisioning the participants and coordinating personnel from all sites for the project. There is only one Project Admin for each project.

* Org Admin Role -- This role is responsible for the management of the sites of his/her organization.

* Lead Researcher Role -- This role can be configured with increased privileges within an organization, for a scientist who works with other researchers to ensure the success of the project.

* Member Researcher Role -- This role can be configured with another level of privileges, for a scientist who works with the Lead Researcher to make sure his/her site is properly prepared for the project.

* FLARE Console -- A console application running on a user’s machine that allows the user to perform NVFLARE system operations with a command line interface.

Now let's dive into identity security, authentication and authorization [here](../06.2_authentication_and_authorization/site_specific_authentication_and_authorization.ipynb)



## Identity Security

   see [here](../06.2_identity_security/identity_security.ipynb) for NVFLARE’s authentication model

## Federated Policy

  see [here](../06.3_site_security_privacy_policy/site_policy.ipynb) for site-specific security and privacy policies provided by NVIDIA FLARE
  
## Customized Security Plugins

  see [here](../06.4_customized_site_security/customized_site_security.ipynb) for site-specific customized security integration

## Communication Security

  see [here](../06.5_communition_security/communication_security.ipynb) for communication security & configuration

## Message Serialization
    todo 

## Auditing



