Security Requirements Analysis for Large-scale Distributed Systems
Syed Naqvi (1), Olivier Poitou (1), Philippe Massonet (1), Alvaro Arenas (2)
(1) Centre of Excellence in Information and Communication Technologies (CETIC), {syed.naqvi, olivier.poitou, philippe.massonet}@cetic.be
(2) CCLRC Rutherford Appleton [email protected]
European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 2
Outline
• Introduction
• Grid Security Requirements
• Solutions for these Requirements
• Conclusions
Introduction
[Figure: Functional View of Grid Data Management, taken from www.twgrid.org. An Application talks to a Planner (data location, replica selection, selection of compute and storage nodes) and an Executor (initiates data transfers and computations). The Planner consults a Metadata Service (location based on data attributes), a Replica Location Service (location of one or more physical replicas) and Information Services (state of grid resources, performance measurements and predictions). Security and Policy spans the whole stack; the Executor drives Data Movement and Data Access over Compute Resources and Storage Resources.]
FileStamp – Distributed File System
• Decentralized multi-writer file system
– Based on Peer-to-Peer technology
– Self-managing data storage location
FileStamp Architecture
File Redundancy
Dynamic replica regeneration
FileStamp – File Transfer
• BitTorrent technology
• Transfers can be interrupted and restarted from the last transferred bytes
Grid Security Requirements
Generic Requirements
• Authentication
– Each party establishes a level of trust in the identity of the other party
– The authentication protocol sets up a secure communication channel between the authenticated parties
• Authorization
– Allows access to resources based on policies attached to each service
– VOs introduce challenging management and policy issues
• Complex relationships between local site policies and the goals of the VO
Generic Requirements
• Availability
– Legitimate users have access when they need it
– Replication: well-known technique for improving availability in distributed systems
• Total network load is also decreased if replicas and requests are reasonably distributed
• Confidentiality
– Assures that information does not reach unauthorized individuals, entities, or processes
– Achievable by a mechanism for ensuring access control
– Confidentiality requirements include point-to-point transport as well as store-and-forward mechanisms
Generic Requirements
• Integrity
– Assurance that information can only be accessed or modified by those authorized to do so
– Nontrivial problem
• especially when storage hardware and networks are not perfect
• Traceability
– Mechanism for observing the various actions taken by the different actors
– Used to develop audit trails
– Events are recorded in log files
– Can be used to determine responsibility for incidents
Specific Requirements
• Resilience
– Provides an abstraction layer to hide architectural changes from the overall security architecture
– The security architecture should remain intact and should deliver the promised level of security even if its composition changes over time
• Grid links and nodes are very dynamic in nature and may change over time
• Data Lifecycle Management (DLM)
– The lifecycle is the time from the moment data is created until it is deleted or stored indefinitely
– Security assurances must span the entire lifecycle of the data
Specific Requirements
• Fault-tolerance
– Highly desirable feature, especially for transfers of large data files
– Overlay networks provide caching of transfers
– But caching reduces the performance of the overall data transfer
• The amount of data that can be cached depends on the storage policies at the intermediate network points
– Caching and similar techniques do not consider security parameters
– An appropriate negotiation protocol is indispensable to negotiate the terms and conditions of security before moving or (temporarily) storing data
– The negotiation process should not degrade the system's performance
Solutions for these Requirements
Authentication
• Current authentication mechanism
– The file owner issues a certificate for write access to the file
– The certificate is verified by the DHT (Distributed Hash Table) nodes and FS (File System) clients
• Both signatures are verified when storing or retrieving a UCB (User Certificate Block)
– This certificate has some major problems:
• It always grants write permission, even if the user only requires read permission
• Its format is not standardized
• It is incompatible with existing standard credentials (X.509, Kerberos, etc.)
Authentication
Standard alternative: X.509 version 3 certificate. Fields of the v3 body part:
– Version
– Serial Number
– Signature Algorithm
– Issuer Name
– Validity
– Subject Name
– Subject Public Key
– Issuer Unique ID (v2)
– Subject Unique ID (v2)
– Extensions (v3)
followed by the Signature Algorithm and the Signature of the CA (a digital signature over the body part).
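As an added example (not code from the slides, nor FileStamp's own implementation) of replacing the ad hoc owner-issued write certificate with a standard X.509 v3 credential, the Go program below uses only the standard library: the file owner acts as a small CA, issues a user certificate whose extension carries separate read and write bits for one file, and a DHT node or FS client runs the check shown before serving a UCB operation. The extension OID, the Rights structure, the subject names and the file paths are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-arc OID for a "FileStamp access rights" extension (assumption for this example).
var oidRights = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// Rights is the DER-encoded payload of that extension: one file, separate read/write bits,
// so a read-only grant no longer implies write access.
type Rights struct {
	Path  string
	Read  bool
	Write bool
}

// GenKey makes a P-256 key pair (used for both the owner CA and the user).
func GenKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewOwnerCA builds the file owner's self-signed v3 CA certificate: serial number, issuer == subject,
// validity window, subject public key, basicConstraints and keyUsage extensions, CA signature.
func NewOwnerCA(owner string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := GenKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: owner},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueUserCert replaces the ad hoc write certificate: a v3 certificate for the user's key,
// signed by the owner CA, carrying the rights in a non-critical extension.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, pub *ecdsa.PublicKey, r Rights) (*x509.Certificate, error) {
	payload, err := asn1.Marshal(r)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidRights, Value: payload}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckAccess is what a DHT node or FS client runs: first the CA signature and validity period
// are verified, then the rights extension is decoded and enforced for the requested path and operation.
func CheckAccess(userCert, ownerCA *x509.Certificate, path string, write bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ownerCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := userCert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	for _, e := range userCert.Extensions {
		if !e.Id.Equal(oidRights) {
			continue
		}
		var r Rights
		if rest, err := asn1.Unmarshal(e.Value, &r); err != nil || len(rest) != 0 {
			return errors.New("malformed rights extension")
		}
		switch {
		case r.Path != path:
			return errors.New("certificate is for a different file")
		case write && !r.Write:
			return errors.New("write denied: certificate grants read only")
		case !write && !r.Read:
			return errors.New("read denied")
		}
		return nil
	}
	return errors.New("no rights extension present")
}

func main() {
	ca, caKey, err := NewOwnerCA("file-owner")
	if err != nil {
		panic(err)
	}
	userKey, _ := GenKey()
	cert, err := IssueUserCert(ca, caKey, "alice", &userKey.PublicKey, Rights{Path: "/vo/run1.dat", Read: true})
	if err != nil {
		panic(err)
	}
	fmt.Println("version", cert.Version, "serial", cert.SerialNumber, "issuer", cert.Issuer.CommonName, cert.SignatureAlgorithm)
	fmt.Println("read: ", CheckAccess(cert, ca, "/vo/run1.dat", false))
	fmt.Println("write:", CheckAccess(cert, ca, "/vo/run1.dat", true))
}
```

The rights live in a certificate extension rather than in the certificate's subject so that a standard X.509 library can still parse, chain and expire the credential; only the last step (decoding the extension) is FileStamp-specific.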
Authorization
• FileStamp employs local mapping of the user
– Like the UNIX authorization matrix
• The mapping serves as an access control check
– Access to the resource is denied if the user is not listed in the local mapping configuration
– Local policy management and enforcement mechanisms constrain the user's actions to those allowed by local policy
• Easy for site administrators to understand and configure
– Shortcomings: scalability, lack of expressiveness, consistency of policies
Authorization (through CAS)
[Figure: CAS authorization flow between Client, CAS Server and Resource Server.]
• The CAS server keeps a CAS-maintained community policy database and answers: what rights does the community grant to this user?
• The client presents its user proxy to the CAS server and receives a policy statement carrying the community signature
• The client sends its request to the resource server together with the user proxy and the signed policy statement
• The resource server, using its local policy information, decides: is this request authorized for the community? Does the policy statement authorize the request? What local policy applies to this user?
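Added example, not FileStamp's or CAS's own code: a Go sketch of the authorization decision a resource server makes, serving both the local-mapping slide and the CAS flow. Step 1 is the local mapping check (a constructed grid-mapfile-style table of quoted subject DN to local account; an unmapped subject is denied outright); steps 2 and 3 are the CAS layering, where the community's policy statement must grant the operation and local policy must still allow it. The mapfile contents, the paths and the "r"/"rw" permission strings are constructed, and the community signature on the statement is assumed to have been verified before this function is called.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed grid-mapfile-style table (assumption for this example): quoted subject DN -> local account.
const mapfile = `
# subject DN                     local user
"/C=BE/O=CETIC/CN=Alice"         grid01
"/C=UK/O=CCLRC/CN=Bob"           grid02
`

// LocalPolicy is the site's UNIX-like authorization matrix: local user -> path -> "r" or "rw".
type LocalPolicy map[string]map[string]string

// CommunityStatement is the CAS policy statement presented by the client proxy
// (its community signature is assumed to have been checked already).
type CommunityStatement struct {
	Subject string
	Grants  map[string]string // path -> "r" or "rw"
}

// ParseMapfile reads the mapping table; comments and blank lines are skipped, DNs must be quoted.
func ParseMapfile(text string) (map[string]string, error) {
	m := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("unquoted DN: %q", line)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("unterminated DN: %q", line)
		}
		dn := line[1 : 1+end]
		user := strings.TrimSpace(line[2+end:])
		if user == "" || strings.ContainsAny(user, " \t") {
			return nil, fmt.Errorf("bad local user in %q", line)
		}
		m[dn] = user
	}
	return m, sc.Err()
}

func allows(perm, op string) bool { return strings.Contains(perm, op) }

// Authorize returns the local account to run the request under, or the reason it is denied:
// 1) subject must have a local mapping, 2) the community must grant op on path,
// 3) local policy must allow op on path for the mapped user.
func Authorize(mapping map[string]string, local LocalPolicy, stmt *CommunityStatement, subject, path, op string) (string, error) {
	user, ok := mapping[subject]
	if !ok {
		return "", fmt.Errorf("deny: %s has no local mapping", subject)
	}
	if stmt == nil || stmt.Subject != subject {
		return "", fmt.Errorf("deny: no community policy statement for %s", subject)
	}
	if !allows(stmt.Grants[path], op) {
		return "", fmt.Errorf("deny: community does not grant %q on %s", op, path)
	}
	if !allows(local[user][path], op) {
		return "", fmt.Errorf("deny: local policy for %s does not allow %q on %s", user, op, path)
	}
	return user, nil
}

func main() {
	mapping, err := ParseMapfile(mapfile)
	if err != nil {
		panic(err)
	}
	local := LocalPolicy{"grid01": {"/vo/run1.dat": "r"}, "grid02": {"/vo/run1.dat": "rw"}}
	stmt := &CommunityStatement{Subject: "/C=BE/O=CETIC/CN=Alice", Grants: map[string]string{"/vo/run1.dat": "rw"}}
	for _, op := range []string{"r", "w"} {
		user, err := Authorize(mapping, local, stmt, stmt.Subject, "/vo/run1.dat", op)
		fmt.Println(op, user, err)
	}
}
```

Note that the community grant never widens what the site allows: Alice's community statement grants "rw", but the local matrix for grid01 says "r", so the write is still refused. That is the "consistency of policies" shortcoming in miniature, since the two tables are maintained independently.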
Availability, Confidentiality, Integrity
[Figure: two designs compared side by side, a simple yet fragile solution versus a complex but strong solution.]
Resilience & Fault-tolerance (through WS Agreement)
[Figure: WS-Agreement interaction between Consumer and Provider. The Consumer's Application Instance calls create() on the Provider's Factory (guided by a Policy); the resulting Agreement exposes operations such as terminate(limits) and inspect(query) and service description elements (SDEs) for Terms, Related Agreements and Status. A Negotiation created through the same Factory adds negotiate(...) between the Consumer's Negotiator and the Provider's Manager, with the same SDEs.]
• Target is to maintain an optimal number of replicas of a data set
• Key issues:
– Determine the optimal number of replicas
– How efficiently the system recognises faulty nodes
– How transparently data is migrated
• FileStamp should be able to negotiate the terms of the security parameters with the nodes
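Added example (not from the slides or from FileStamp) of the replica maintenance the key issues describe, in Go: the smallest replica count k that meets an availability target under the usual assumption of independent node failures with per-node availability p (a data set is reachable unless all k holders are down, so availability is 1 - (1-p)^k), recognition of faulty nodes from missed heartbeats, and the choice of fresh nodes to regenerate lost replicas. The node IDs, heartbeat times, free-space figures and the 30-second timeout are constructed values.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// MinReplicas returns the smallest k with 1-(1-p)^k >= target, where p is the assumed
// independent per-node availability. The epsilon absorbs floating-point error at exact hits.
func MinReplicas(p, target float64) int {
	if p <= 0 || p >= 1 || target <= 0 || target >= 1 {
		return -1 // outside the model's domain
	}
	return int(math.Ceil(math.Log(1-target)/math.Log(1-p) - 1e-9))
}

type Node struct {
	ID       string
	LastSeen time.Time // last heartbeat received from this node
	FreeMB   int
}

type Placement struct {
	DataSet  string
	Replicas []string // node IDs currently holding a copy
}

// FaultyNodes flags every node whose last heartbeat is older than timeout.
func FaultyNodes(nodes []Node, now time.Time, timeout time.Duration) map[string]bool {
	faulty := map[string]bool{}
	for _, n := range nodes {
		if now.Sub(n.LastSeen) > timeout {
			faulty[n.ID] = true
		}
	}
	return faulty
}

// Repair keeps the replicas on healthy nodes and picks new nodes (most free space first,
// never a faulty node or an existing holder) to bring the count back to k. It reports an
// error when too few eligible nodes exist, so the caller can alert rather than silently run short.
func Repair(p Placement, nodes []Node, faulty map[string]bool, k, sizeMB int) (keep, add []string, err error) {
	holders := map[string]bool{}
	for _, id := range p.Replicas {
		if !faulty[id] {
			holders[id] = true
			keep = append(keep, id)
		}
	}
	missing := k - len(keep)
	if missing <= 0 {
		return keep, nil, nil
	}
	var cand []Node
	for _, n := range nodes {
		if !faulty[n.ID] && !holders[n.ID] && n.FreeMB >= sizeMB {
			cand = append(cand, n)
		}
	}
	sort.SliceStable(cand, func(i, j int) bool { return cand[i].FreeMB > cand[j].FreeMB })
	if len(cand) < missing {
		return keep, nil, fmt.Errorf("%s: only %d eligible nodes for %d missing replicas", p.DataSet, len(cand), missing)
	}
	for _, n := range cand[:missing] {
		add = append(add, n.ID)
	}
	return keep, add, nil
}

// Sample is a constructed cluster snapshot: n2 has missed its heartbeats.
func Sample() ([]Node, Placement, time.Time) {
	now := time.Date(2006, 1, 2, 15, 4, 5, 0, time.UTC)
	nodes := []Node{
		{"n1", now.Add(-5 * time.Second), 500},
		{"n2", now.Add(-90 * time.Second), 800},
		{"n3", now.Add(-2 * time.Second), 100},
		{"n4", now.Add(-1 * time.Second), 900},
		{"n5", now.Add(-3 * time.Second), 300},
	}
	return nodes, Placement{DataSet: "run1.dat", Replicas: []string{"n1", "n2", "n3"}}, now
}

func main() {
	k := MinReplicas(0.9, 0.999)
	nodes, place, now := Sample()
	faulty := FaultyNodes(nodes, now, 30*time.Second)
	keep, add, err := Repair(place, nodes, faulty, k, 200)
	fmt.Println("k =", k, "faulty:", faulty, "keep:", keep, "add:", add, "err:", err)
}
```

With p = 0.9 and a 99.9% target the model asks for three copies; once n2 is declared faulty the placement is down to two, and the repair adds n4 (the healthy non-holder with the most free space). Negotiating the security terms with n4 before the copy is moved, as the slide requires, would sit between choosing the node and starting the transfer.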
Data Lifecycle Management (through HSM)
• The VO security policy should explicitly state the desired lifecycle of the data managed by FileStamp
• FileStamp should indicate the stage at which data generated by VO operations is to be destroyed on the storage devices
• FileStamp should also employ a secure storage management technique such as HSM (Hierarchical Storage Management)
Conclusions
• Global connectivity of computing and storage resources opens up the possibility of misusing information to a degree never seen before
• The objective of facilitating use of these resources while protecting them against misuse must, however, be realistic given the current technical infrastructure
• Security technologies should be integrated from the inception stage rather than treated as optional add-on features
• The risk and threat pictures are always changing, and their analysis needs to be continuously updated
REMEMBER: Security is not a product – Security is a process!
Future Work
• Formalising the FileStamp security requirements using the KAOS methodology
– Obstacle model
– Extending KAOS with templates for security requirements
• Deriving security policies from the security requirements
• Policy refinement
– Again exploiting features from KAOS (e.g. goal refinement)