Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics

Introduction to Grid Security

The users of the Grid can be organized dynamically into a number of Virtual Organizations (VOs), consisting of resources, services, and people collaborating across institutional, geographical, and political boundaries, each with different Policy Requirements.

This sharing is, necessarily, highly protected, with resource providers and consumers defining clearly and carefully:
• what is shared,
• who is allowed to share,
• the conditions under which sharing occurs.

Security Models

In order to achieve this goal in a trustworthy manner, two common solutions were identified, and two basic concepts & models were defined:
• “Virtual Organisations (VO)” Model
• “Federated Trust” Model

In practice it is often hard to distinguish the boundaries between the VO Model and the Federated Trust Model.

The trust anchors in the VO Model are:
• the Certification Authorities (which govern the authentication infrastructure) and
• the VOs themselves (who self-govern the use of the resources that have been made available to them)

The trust anchors in the Federated Trust Model are:
• the organisations themselves

The Federated Trust Model typically materialises as a more formal collaboration than that of Virtual Organizations. Here, an enumerable set of organisations join and agree on common policies and processes.

We further chose the VO Trust Model, as it offers the features most appropriate for the Grid infrastructure according to real-life requirements.

Besides the trust model, Grid computing has traditionally honored a golden rule of thumb:

“Always retain local control”

For example, any locally defined access control policy takes precedence over any “external” or centralised policy.

VO Trust Model

Security tools are concerned with:
• establishing the identity of users or services (authentication),
• protecting communications, and
• determining who is allowed to perform what actions (authorization),

as well as with supporting functions such as:
• managing user credentials, and
• maintaining group membership information.

Grid computing research has produced security technologies based not on direct inter-organizational trust relationships but rather on the use of the VO (Virtual Organisation) as a bridge among the entities participating in a particular community or function.

VO (Virtual Organisation) = BRIDGE

Grid Solution: Use Virtual Organization as Bridge

Grid Security Challenges are driven by the need to support scalable, dynamic, distributed virtual organizations (VOs) – collections of diverse and distributed individuals that seek to share and use diverse resources in a coordinated fashion.

We cannot, in general, assume trust relationships between
• the classical organization and
• the VO or its external members.

Grid security mechanisms address these challenges by allowing a VO to be treated as a policy domain overlay.

VO = POLICY DOMAIN OVERLAY

Complicating Grid security is the fact that new services (i.e., resources) may be deployed and instantiated DYNAMICALLY over a VO’s lifetime.

Dynamic creation of services

Users must be able to create new services (e.g., “resources”) dynamically, without administrator intervention.

These services must be coordinated and must interact securely with other services.

=> We must be able to DYNAMICALLY name the service with an assertable identity and to grant rights to that identity without contradicting the governing local policy.

Dynamic establishment of Trust Domains

In order to coordinate resources, VOs need to establish trust:
• among users and resources in the VO, and also
• among the VO’s resources, so that they can be coordinated.

These trust domains
• can span multiple organizations, and
• must adapt dynamically as participants join, are created, or leave the VO.

Overview of the Security Architecture services

Overview of the components in the security architecture and their interactions (typical request flow):

Logging and Auditing

Ensures:
• monitoring of system activities, and
• accountability in case of a security event

Authentication

• Credential storage ensures proper security of (user-held) credentials
• Proxy certificates enable single sign-on
• TLS, GSI, WS-Security and possibly other X.509 based transport or message-level security protocols ensure integrity, authenticity and (optionally) confidentiality
• EU GridPMA establishes a common set of trust anchors for the authentication infrastructure
• Pseudonymity services address anonymity and privacy concerns

Authorization

• Attribute authorities enable VO managed access control
• Policy assertion services enable the consolidation and central administration of common policy
• Authorization framework allows for local collection, arbitration, customisation and reasoning of policies from different administrative domains, as well as integration with service containers and legacy services
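The arbitration step of the authorization framework, combined with the “Always retain local control” rule stated earlier, as an added example that is not part of the original slides or of any Grid middleware. The policy shapes, subject DNs, group names and resource name are all constructed for illustration: a VO attribute authority asserts group membership, a VO policy grants rights to groups, and the site's own rules are evaluated first and are final.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: DNs, VO groups and the resource name are illustrative only.
VO_MEMBERSHIP = {            # what a VO attribute authority would assert
    "/O=Grid/CN=alice": {"physics/analysis"},
    "/O=Grid/CN=bob": {"physics/analysis", "physics/admin"},
}
VO_POLICY = {                # VO-managed policy: (group, resource) -> allowed actions
    ("physics/analysis", "cluster-a"): {"submit"},
    ("physics/admin", "cluster-a"): {"submit", "cancel-any"},
}

@dataclass(frozen=True)
class LocalRule:
    """One rule of the resource owner's own policy; None matches anything."""
    effect: str                      # "deny" or "permit"
    subject: Optional[str] = None
    action: Optional[str] = None

    def matches(self, subject, action):
        return self.subject in (None, subject) and self.action in (None, action)

def vo_decision(subject, resource, action):
    """Permit if any VO group of the subject grants the action on the resource."""
    groups = VO_MEMBERSHIP.get(subject, set())
    return any(action in VO_POLICY.get((g, resource), set()) for g in groups)

def authorize(subject, resource, action, local_rules):
    """The first matching local rule is final; the VO policy is consulted only
    when the site has expressed no opinion. Anything else is denied."""
    for rule in local_rules:
        if rule.matches(subject, action):
            return rule.effect == "permit", "local"
    if vo_decision(subject, resource, action):
        return True, "vo"
    return False, "default-deny"

# Site policy for cluster-a: bob is banned locally and nobody may cancel others' jobs,
# even though the VO policy above would grant both.
CLUSTER_A_RULES = [
    LocalRule("deny", subject="/O=Grid/CN=bob"),
    LocalRule("deny", action="cancel-any"),
]
```

The second element of the returned pair names which policy domain made the decision, which is the field a Logging and Auditing component would record.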

Delegation

Allows for an entity (user or resource) to empower another entity (local or remote) with the necessary permissions => to act on its behalf

Data key management

Enables long-term distributed storage of data for applications with privacy or confidentiality concerns

Site proxy

Enables applications to communicate despite heterogeneous and non-transparent network access

Sandboxing

Isolates a resource from the local site infrastructure hosting the resource, mitigating attacks and malicious/wrongful use.

In the case of SCAVENGING existing desktops, a protective “SANDBOX” should be implemented on the Grid member-machines, so that:

• It cannot cause any disruption to the donating machine if it encounters a problem during execution.

• Rights to access files and other resources on the grid machine from inside the Grid may be restricted.

=> The protection is ensured BOTH for the donating machine and for the Grid system (two-way protection)

GSI Conceptual Details:
• Public Key Cryptography
• Digital Signatures
• Certificates
• Mutual Authentication
• Confidential Communication
• Securing Private Keys
• Delegation and Single Sign-On

The Grid Security Infrastructure (GSI) provides security mechanisms, i.e. authentication and communication over an open network.

GSI supports a number of features that a Grid user requires:
• Authenticate using a single sign-on mechanism
• Delegation (through proxies)
• Integration with local security systems
• Trust-based relationships, using Certificate Authority (CA)

GSI is based on public-key encryption (using X.509 certificates) and SSL.

The GSI implementation in Globus adheres to the IETF GSS-API standard.
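A simplified model of what a resource checks when it is handed a delegation chain of proxy certificates (the Delegation component and the “Delegation (through proxies)” feature above), as an added example that is not from the original slides or from Globus. It goes beyond the slides by following the RFC 3820 proxy conventions (proxy subject is the issuer DN plus one CN, optional path-length limit); the `Cert` fields, the DNs and the helper names are hypothetical, and signature verification is assumed to have been done elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal certificate view; signatures assumed verified elsewhere."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_proxy: bool = False
    path_len: Optional[int] = None  # proxies allowed below this one (None = no limit)

def acting_identity(chain, now):
    """chain[0] is the user's CA-issued certificate, then proxies in delegation
    order. Returns the user DN the last proxy acts for, or raises ValueError."""
    if chain[0].is_proxy:
        raise ValueError("chain must start at an end-entity certificate")
    remaining = None  # no depth limit until some proxy sets one
    for parent, cert in zip(chain, chain[1:]):
        if not cert.is_proxy or cert.issuer != parent.subject:
            raise ValueError("each proxy must be issued by the previous certificate")
        suffix = cert.subject[len(parent.subject):]
        if not (cert.subject.startswith(parent.subject)
                and suffix.startswith("/CN=") and "/" not in suffix[1:]):
            raise ValueError("proxy subject must be issuer DN plus one CN")
        if remaining is not None:
            if remaining == 0:
                raise ValueError("delegation depth exceeded")
            remaining -= 1
        if cert.path_len is not None:
            remaining = cert.path_len if remaining is None else min(remaining, cert.path_len)
    for cert in chain:  # every link must be valid now, so the shortest lifetime wins
        if not cert.not_before <= now <= cert.not_after:
            raise ValueError("expired or not yet valid: " + cert.subject)
    return chain[0].subject

def sample_chain(now, hops=2, first_path_len=None):
    """Constructed sample: alice's certificate plus `hops` 12-hour proxies."""
    dn = "/O=Grid/CN=alice"  # constructed DN
    chain = [Cert(dn, "/O=Grid/CN=Example CA", now - timedelta(days=30), now + timedelta(days=335))]
    for i in range(hops):
        chain.append(Cert(f"{dn}/CN={1000 + i}", dn, now - timedelta(minutes=5),
                          now + timedelta(hours=12), True, first_path_len if i == 0 else None))
        dn = chain[-1].subject
    return chain
```

Because the chain always resolves to the DN of the first certificate, authorization decisions are made against the user's identity, while the short proxy lifetime bounds how long a leaked proxy key remains usable.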

CONCLUSION:

GSI Key features:
• Authenticate using a single sign-on mechanism
• Delegation (through proxies - my_proxy)
• Trust-based relationships, using Certificate Authority (CA)

GSI is based on public-key encryption (using X.509 certificates) and SSL