Implementing Grid Security Concepts
EU FP6 Projects AssessGrid & GridTrust

Syed Naqvi
[email protected]
07 September 2007, Budapest, Hungary

07 Sep. 2007 CoreGRID Summer School 2007, Budapest, Hungary

Acknowledgements

AssessGrid Project Consortium
• Particularly
- Stéphane Mouton
- Karim Djemame

GridTrust Project Consortium
• Particularly
- Christophe Ponsard
- Philippe Massonet

Security Architecture

[Diagram labels: Assets; Attackers/Intruders/Malfeasors; Requirements & Policies; Security Features or Services; Security Mechanisms; Security Architecture]

Security Fundamentals

Authentication
• Verification of the identity of a person or process
Authorization
• Determination of what an entity is allowed to do
Confidentiality
• Prevention of unauthorized disclosure of information
Integrity
• Prevention of data from being inappropriately changed
Availability
• Assuring the disposition of resources to the users

Security Fundamentals

Authentication
• Challenge-response, biometric, certificates, tickets, UID
Authorization
• Access Control, RBAC, CAS, …
Confidentiality
• Bell-LaPadula Model
Integrity
• Biba Model, Clark-Wilson Model
Availability
• Security Policy

Grid Security - Specific Aspects

Grid-specific
• Huge bunch of nodes, dynamic creation of VOs, …
Virtual Paradigm
• Abstraction, Implementation Independent, …
Adaptable Features
• Vision of OGSA Security Model
Standard Security Practices
• Risks analysis, evaluation criteria, simulations, …

Some Misunderstandings

Login/password is sufficient
• In-depth Security
Cryptography is a silver bullet
• Availability, Denial of Service, …
No security for non-confidential data
• Integrity, Availability, …
Ideal Security is the Pre-condition of Use
• eBusiness Applications

Trust Requirements

Identification, Access Control, Privacy, …
User-based Trust Relationships
• If a user has the right to use sites A and B, the user should be able to use sites A and B together without requiring the security administrators from sites A and B to interact.
• Conflict of Interests may arise – Data isolation is to be assured
Distributed Trust Evaluation
• The decentralized nature of administration makes it difficult to establish and propagate trust.

Trust Requirements

Non-History-based Trust Establishment
• If there is no trust among parties and there is no mechanism to build some trust based on a history of previous interactions.
Delegation of trust
• Decentralized hierarchical administration, scalability of certificate issuing capacity, …

Trust Requirements

Continuous monitoring of the changes to the trust level of each node
• Dynamic evaluation of the trust relationships, broadcast the presence of a malicious node in the environment, …
Consideration of context and state
• Determination of the access control on the basis of user’s location and the state of the user’s environment.

Analyses

Requirements Analysis
• Functional requirements
• Non-functional requirements
• Goal-based
Business Analysis
• Strategy
• Organisational capabilities
• Return on Investment

Analyses

Risks Analysis
• Probability of loss(es)
• Associated costs (compensations etc.)
Threats Analysis
• Potential threats/attacks
• Countermeasures
Forensic Analysis
• Post-accident analysis
• Digital fingerprinting

Risk Management in Grids

Grid technologies reached high level of development
Large-scale Grid deployment needs
• Commercial Grid providers and services
• Working demonstrators in different areas
• Standardisation efforts for access and interoperability
Early adopters underline core shortcomings
• Quality of Service guaranteed resource usage over time
• Security, Trust, and Dependability
Service Level Agreements (SLAs) address shortcomings
• Definition of business relationship
• Forces development of QoS-aware middleware/OS

Service Level Agreements

• Specified amount and quality of resources over certain time mandatory to reach desired performance
• Delegation of particular resource capabilities over a defined time interval from resource owner to requester
• SLA as explicit statement of expectations and obligations in a business relationship between service provider and customer

[Diagram: structure of a Service Level Agreement]
Name: ID or Description of SLA
Context: Contract Parties, Responsible Persons
Terms:
- R-Type: HW, OS, Compiler, Software Packages, …
- R-Quantity: Number CPUs, main memory, …
- R-Quality: CPU>2GHz, Network Bandwidth, …
- Deadline: Date, Time, …
- Policies: Demands on Security and Privacy, …
Price for Resource Consumption (fulfilled SLA)
Penalty Fee in case of SLA violation

Grid Providers and SLAs

SLAs needed, but providers are cautious about adoption
• Why? Business case risk
• Missing indicators

[Diagram labels: questions facing the provider]
- QoS level to be offered?
- SLA violation and penalties due to failures, DoS attacks, overloading
- Enough resources for Grid jobs?
- Fault tolerance available?
- Actions to be initiated?

What is the risk of accepting an SLA?

Grid Brokers, Users and SLAs

Reliability as selection criterion

[Diagram labels: questions facing brokers and users]
- Trustable QoS level information?
- QoS?
- Reliability with respect to utilisation?
- QoS information service?
- Decision-support for job assignment?

What is the risk of assigning an SLA?

Trust and Security for Next Generation Grids

GRIDTRUST Project

Funded by the EU Framework Programme 6 (FP6)

Specific Targeted Research Project (STREP)

Coordinator: CETIC

Project Reference: 033817

Project Cost: 3.86 M€

Project Funding: 2.2 M€

Start date: 01 June 2006

Duration: 36 months

www.gridtrust.eu

Project Partners

• 5 countries
• 4 companies
• 3 research institutes
• 1 university

Partner Roles

Partner Name | Partner Country | Partner Expertise
CETIC | Belgium | Grid dissemination, Grid Applications Engineering, Security requirements
STFC | United Kingdom | VO Management, Trust and reputation management, Grid Security, Grid Middleware
IIT-CNR | Italy | Security, Usage control, Grid fabric and resource management
VUA | Netherlands | Security, Fine grained access control, Grid, Distributed systems, privacy and forensic computing
INT | Italy | Grid technology adaptor, P2P and distributed systems
HP-EIC | Italy | Grid technology adaptor, End user
AGOS | Italy | End user
MOV | Spain | Distributed system technology provider, end user

GridTrust: Objectives and Expected Results

General Objective: definition and management of security and trust in dynamic virtual organisations

Expected results – « framework » composed of:
• environment and analysis method at all levels of the NGG architecture
• A reference security architecture for Grids
• An open source reference implementation of the architecture, validated by several innovative business scenarios.

[Diagram: NGG Architecture layers: GRID Application Layer; GRID Service Middleware Layer; GRID Foundation Middleware Layer; Network Operating System]

Dynamic VOs

“Virtual organizations are distributed business processes”

[Diagram: VO nodes 1, 2, 3, 3’, 4, 5]

Examples
• Supply chain (ex: Airbus)
• Distributed authoring
• Knowledge management

Services

Centralised or decentralised VO Management
Avoid manual reconfiguration

Trust in Virtual Organisations

“Since VOs are based on sharing information and knowledge, there must be a high amount of trust among the partners. Especially since each partner contribute with their core competencies”

[Diagram: VO nodes 1, 2, 3, 4, 5]

Collaboration
Threats:
• Bad service (contract not respected)
• Attacks – loss of information
• Attacks – disruption of service
• Vulnerability to attacks (bad level of security at one of the partners)
• …

Need for Trust and security mechanisms

Desired Self-Organization / Self-Protection Behavior

Trust requirement: always all nodes sufficiently trusted
Security should adapt -> avoid manual intervention of operator

VO policy rules:
• If trust of node x < Min trust threshold Then replace node x (diagram label: 3’)
• If trust of node x < Min trust threshold Then tighten security for node x (diagram label: 3)

[Diagram: VO nodes 1, 2, 3, 4, 5]

Trust and Security for Dynamic Virtual Organisations

[Diagram: GridTrust Framework Services and Tools placed on the NGG Architecture]
NGG Architecture layers: GRID Application Layer; GRID Service Middleware Layer; GRID Foundation Middleware Layer; Network Operating System
Diagram labels: Trust and Security Goals; Self-* …; VO Policies; Dynamic VO; VO Mngt; Secure res. broker; Reputation service; Usage Cont. service; Usage Control Policies; Fine grained Continuous computational usage control; OGSA; Resources

Framework:
- Method and policy refinement tools
- Security architecture
- Reference implementation

Innovation in GridTrust

UCON (improves state of the art: mutable attributes, obligations, continuous enforcement)
• Computational level
• Service level
Combining Brokering and security
Combining security with reputation
• Globus reputation used for service discovery and selection
• Here we want to use reputation for authorization decision
From Business security requirements to policies (NESSI-Grid challenge)
Not innovation: Glue the separate VO management components together
• VOMS, CAS

From Business level security requirements to operational policies

[Diagram: derivation of policies across the NGG Architecture]
Policy levels: Business Trust and Security Requirements; Service Trust and Security Policies; Fine Grained Computational Usage Control Policies
NGG Architecture layers: GRID Application Layer; GRID Service Middleware Layer; GRID Foundation Middleware Layer; Network Operating System Layer
Other diagram labels: Derivation; Traceability of requirements to policies

Policy rule examples
• Confidentiality of client data
• Confidential data can only be used with a service that provides encryption with minimal key length
• Confidential data can only be sent over a secure socket to another trusted domain

GridTrust Framework Integrated in OGSA

[Diagram labels: GridTrust Framework; Application]

From Access Control to Usage Control

With access control technology
• Trusted usage of resources
- Access control under responsibility of software
- Correct usage under responsibility of service/resource user

With usage control technology
• Trusted Usage of resources
- Access control is part of usage control under responsibility of software agent
- Correct usage
  - Policies respected under responsibility of software
  - Correct usage under responsibility of user

Updating reputation based on resource usage

Gather low level resource usage information
• SLA violations
• Successful performance

Update VO level reputation
• Reputation at different levels
- Service
- VO member
- VO as a whole
• Reputation based on past behavior
- History
- Performance
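
The reputation update above and the VO policy rules from the self-protection slide, combined in one added example (not GridTrust code). The threshold value, the Beta-mean scoring, the tighten-then-replace escalation and the fallback in `authorize` are assumptions of this sketch; the usage feed is constructed.

```python
from collections import defaultdict

MIN_TRUST = 0.6  # assumed value for the slide's "Min trust threshold"


class ReputationStore:
    """Rolls usage outcomes up to service, VO member and VO level."""

    def __init__(self):
        # (member, service) -> [successful performances, SLA violations]
        self.counts = defaultdict(lambda: [0, 0])

    def record(self, member, service, violated):
        self.counts[(member, service)][1 if violated else 0] += 1

    @staticmethod
    def _score(ok, bad):
        # Assumed estimator: mean of Beta(ok + 1, bad + 1); a node with no
        # history scores 0.5 instead of being fully trusted or distrusted.
        return (ok + 1) / (ok + bad + 2)

    def _totals(self, keep):
        rows = [c for key, c in self.counts.items() if keep(key)]
        return sum(c[0] for c in rows), sum(c[1] for c in rows)

    def service(self, member, service):
        return self._score(*self._totals(lambda k: k == (member, service)))

    def member(self, member):
        return self._score(*self._totals(lambda k: k[0] == member))

    def vo(self):
        return self._score(*self._totals(lambda k: True))

    def has_history(self, member, service):
        return (member, service) in self.counts


def authorize(store, member, service, required=MIN_TRUST):
    """Reputation as an authorization input: use the service-level score,
    falling back to the member-level score for a service never seen before."""
    if store.has_history(member, service):
        return store.service(member, service) >= required
    return store.member(member) >= required


def apply_vo_policy(store, members, tightened):
    """Evaluate the two VO policy rules for every member.

    Assumed escalation: the first time trust drops below the threshold the
    node's security is tightened; if it is still below on a later pass the
    node is replaced.
    """
    actions = {}
    for m in members:
        if store.member(m) >= MIN_TRUST:
            actions[m] = "keep"
        elif m in tightened:
            actions[m] = "replace"
        else:
            actions[m] = "tighten"
    return actions


# Constructed usage-control feed: (member, service, ok count, violation count)
SAMPLE = [
    ("node1", "storage", 9, 1),
    ("node2", "compute", 4, 2),
    ("node3", "compute", 2, 6),
    ("node3", "storage", 1, 1),
]


def load_sample():
    store = ReputationStore()
    for member, service, ok, bad in SAMPLE:
        for _ in range(ok):
            store.record(member, service, violated=False)
        for _ in range(bad):
            store.record(member, service, violated=True)
    return store


if __name__ == "__main__":
    s = load_sample()
    nodes = ["node1", "node2", "node3"]
    first = apply_vo_policy(s, nodes, tightened=set())
    print(first)
    print(apply_vo_policy(s, nodes, {n for n, a in first.items() if a == "tighten"}))
    print(round(s.vo(), 3), authorize(s, "node3", "storage"))
```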

Experimentation - Innovative Business Case Studies

Distributed Supply chain application domain
• Pharmacy
• Fish (EU and national regulations)
Collaborative intra or inter-enterprise knowledge management
Distributed authoring
• High-quality massive data transfers
• Many actors
• Can be viewed as a virtual organisation which implements a complex and articulated supply chain.
• Safe and reliable data transfer services, but the distant and virtual cooperation is limited

Advanced Risk Assessment and Management for Trustable Grids

AssessGrid Project

Funded by the EU Framework Programme 6 (FP6)

Specific Targeted Research Project (STREP)

Coordinator: University of Paderborn

Project Reference: 031772

Project Cost: 2.64 M€

Project Funding: 1.97 M€

Start date: 01 April 2006

Duration: 33 months

www.assessgrid.eu

Project Partners

Partner Roles

Partner Name | Partner Country | Partner Expertise
TU Berlin | Germany | Fault-tolerant mechanisms, SLA negotiation, infrastructure analysis in the Grid Fabric
PC2 | Germany | Scheduling, SLAs, monitoring and data gathering in the Grid fabric, risk management
ATOS Origin | Spain | Exploitation, implementation end-user interface: negotiation, workflows, connection to confidence service
CETIC | Belgium | Requirements, verification, software quality, exploitation/dissemination
ABO AKA | Finland | Methods for risk assessment
Uni. Leeds | United Kingdom | Broker layer: monitoring, SLA brokerage, workflows, risk adjustments with confidence service
Wincor Nixdorf | Germany | Business perspective, requirements, validation

Project Goals

Risk indicators as core part of SLA assignment and acceptance

Customised risk presentation for improved usability and trust

Decision/planning/management-support for QoS-aware Grids

Grid provider evaluation and competition

Proposed Architecture

Generic, customisable, and interoperable open-source software for risk assessment, risk management, and decision-support in Grids

[Diagram labels: Provider / Broker / End-user perspective; Risk assessment and management; Ad-hoc risk management; Planning-based RMS; Monitoring; Consultant / Confidence service; Broker service; Integration in Grid fabric; Integration in Grid service; Integration in Grid middleware]

Risk Assessment

Research Challenges
• Methods and tools for monitoring, gathering, and aggregating relevant data
- Static and dynamic data utilisation
- Network-condition, overall Grid activity
- Specific business policies
• Methods for risk assessment
• Customised presentation of risk-related indicators

Risk granularity
End user, Broker, Provider

Risk Management

Research Challenges

Develop concepts for using risk

Estimate risk

Risk-indicators for self-organising fault tolerance

Risk-aware negotiations and SLAs

Risk-based decision-support for capacity planning and infrastructure management

Aggregation of risk-indicators for objective provider ranking and competition

System Overview

Aim
• integrate a risk-aware Service Level Agreement (SLA) model into current Grid technology
• Risk awareness incorporated across three layers

Therefore an architecture designed to
• give resource providers the capability to perform risk assessments prior to making offers
• give the broker the ability to
- assess the reliability of provider risk assessments
- rank offers from different resource providers, based on risk, price and penalty

Usage Scenarios

Broker as a mediator
• End-user submits SLA request to broker
• Once end-user selects SLA offer
- Broker’s responsibility ends
- End-user interacts directly with provider

Broker as a contractor
• Acts as a virtual provider
• End-user agrees SLA with broker
• Broker agrees SLAs with provider(s)
• Useful to map workflows to resources

Direct SLA negotiation end-user – provider
• End-user submits SLA request to provider
• End-user can query broker’s confidence service

Scenario 1: User-Provider Neg.

[Sequence diagram labels]
Get Template
Fill Template
- Job description
- Max. PoF
- Min. Penalty
Create Offer
- Set Price
SLA Request
SLA Offer
Commit
Contract

RMS: Resource Management System
PoF: Probability of Failure

Scenario 2a: Broker = Mediator

Template Subscription

Get Templates

Scenario 2a: Broker = Mediator

SLA Request

SLA Offer

Evaluate Reliability

Scenario 2a: Broker = Mediator

Commit

Scenario 2b: Broker=Contractor

Architectural Overview

End-user
• Portal
Broker
• Risk Assessor
• Confidence Service
• Workflow Assessor
Provider
• Negotiation Manager
• Scheduler
• Risk Assessor
• Consultant Service

End-User Layer – Portal Architecture

Presentation
• of SLA templates, requests, offers
• of Probability of Failure (PoF) and reliability information
• of status of executing and pending jobs
• SLA violations and compensation (penalties)
• specific to user role (end user, administrator)

Follows the MVC (Model View Controller) design pattern
Based on GridSphere portal architecture

Broker Layer

• SLA Processor: Agreement and AgreementFactory WebService
• Resource Filter: Find suitable resource providers that are likely to respond
• Offer Manager: Used if broker acts as provider

Broker layer: SLA Offers

Published risk enables End-users to compare different SLA offers

Risk of failure, price, and penalty fee

Broker’s Reliability measure classifies which offers are reliable
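
An added example (not AssessGrid code) of how a broker could classify and rank SLA offers on risk, price and penalty while checking each provider's stated PoF against its track record. The two-standard-deviation reliability test, the `failure_cost` parameter, the expected-cost formula and all offers and histories are assumptions constructed for this sketch.

```python
import math
from dataclasses import dataclass


@dataclass
class Offer:
    provider: str
    price: float
    pof: float      # Probability of Failure stated by the provider
    penalty: float  # fee paid to the end-user if the SLA is violated


def confidence(history):
    """Classify a provider from its earlier SLAs: list of (stated_pof, failed).

    Assumed reliability test: observed failures must not exceed the number
    implied by the stated PoFs by more than two standard deviations.
    Returns (reliable, observed_failure_rate).
    """
    if not history:
        return False, 0.0  # no track record, so nothing confirms the PoF
    expected = sum(p for p, _ in history)
    spread = math.sqrt(sum(p * (1 - p) for p, _ in history))
    observed = sum(1 for _, failed in history if failed)
    return observed <= expected + 2 * spread, observed / len(history)


def rank_offers(offers, histories, max_pof, min_penalty, failure_cost):
    """Filter offers against the request, then rank them.

    failure_cost (what a failed job costs the end-user) and the expected-cost
    formula are assumptions of this example.
    """
    ranked, rejected = [], {}
    for o in offers:
        reliable, rate = confidence(histories.get(o.provider, []))
        # An unreliable provider's PoF is replaced by its observed rate
        # when that is worse than what it claims.
        pof = o.pof if reliable else max(o.pof, rate)
        if pof > max_pof:
            rejected[o.provider] = "PoF above Max. PoF"
        elif o.penalty < min_penalty:
            rejected[o.provider] = "penalty below Min. Penalty"
        else:
            cost = o.price + pof * (failure_cost - o.penalty)
            ranked.append((o.provider, reliable, pof, round(cost, 2)))
    # Reliable offers first, lowest expected cost first within each class.
    ranked.sort(key=lambda r: (not r[1], r[3]))
    return ranked, rejected


# Constructed offers and SLA histories (stated PoF, failed?) per provider.
OFFERS = [
    Offer("A", 100, 0.02, 50),
    Offer("B", 80, 0.01, 30),
    Offer("C", 90, 0.05, 10),
    Offer("D", 95, 0.08, 60),
    Offer("E", 70, 0.03, 40),
]
HISTORIES = {
    "A": [(0.02, i < 1) for i in range(50)],  # 1 failure in 50 SLAs
    "B": [(0.01, i < 5) for i in range(20)],  # 5 failures in 20 SLAs
    "C": [(0.05, i < 1) for i in range(20)],  # 1 failure in 20 SLAs
    "D": [(0.08, i < 2) for i in range(25)],  # 2 failures in 25 SLAs
}                                             # provider E has no history


def demo():
    return rank_offers(OFFERS, HISTORIES, max_pof=0.10, min_penalty=20,
                       failure_cost=200)


if __name__ == "__main__":
    ranked, rejected = demo()
    for row in ranked:
        print(row)
    print(rejected)
```

Provider B states the lowest PoF but is rejected because its history contradicts the claim; provider E is the cheapest but sorts last because nothing confirms its figure.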

Grid Fabric Layer

• Negotiation Manager

- Checks whether request complies to template

- Initiation of file transfers

• Scheduler

- Creates tentative schedules for requests

- Planning-based scheduling

• Consultant Service

- Statistical data

- Data mining methods

• Risk Assessor

- Assesses PoF for SLA offers

Current Implementation Status

Grid Portal
• First prototype deployed at Atos (Spain)
Broker – Confidence Service
• Queries data which enables Risk Assessor to calculate the provider's basic confidence measure (all SLAs)
• Deployed as WSRF service on the White Rose Grid (UK)

Current Implementation Status

Resource Provider - Consultant Service
• First prototype of the consultant service uses monitoring information collected by Ganglia/Nagios
• Deployed as WSRF service at PC2 (Germany)
WS-Agreement implementation
• AssessGrid – uses Globus 4
• Fraunhofer Institute – based on Axis 2

SUMMARY

Security and Trust issues are of paramount importance for the success of Grid endeavour.

Comprehensive solutions are needed to cope with the challenges of providing security and trust assurances to the various actors of Grids.

These solutions should include both the conventional parameters (authentication, authorisation, …) as well as contemporary parameters (negotiations, assessments, …)

The intrinsic nature of Grid should always be kept in mind (loose coupling, scalability, heterogeneity, …) while designing security and trust architectures.

GridTrust project aims at helping (business) users set up, operate and evolve dynamic VOs, based on a framework that provides tools and methodology to reason about trust, security and privacy properties along the NGG architecture

AssessGrid project aims at providing a framework for supporting risk assessment and management throughout the Grid infrastructure

There is always room for improving existing infrastructures and exploring novel frontiers.

We are working on these issues and are looking for partners to join hands with us.

Thank You