Trust and Security for Next Generation Grids, www.gridtrust.eu
Fine-grained Continuous Usage Control of Service based Grids – The GridTrust Approach
Philippe Massonet
CETIC
ServiceWave
Madrid, 10-13/12/2008
GridTrust Framework Objectives
• General Objective: definition and management of security and trust in dynamic virtual organisations
• Expected results – a "framework" composed of:
– an environment and analysis method at all levels of the NGG architecture
– a reference security architecture for Grids
– an open source reference implementation of the architecture, validated by some innovative business scenarios.
[Figure: NGG Architecture – GRID Application Layer, GRID Service Middleware Layer, GRID Foundation Middleware Layer, Network Operating System; GridTrust (vertical label)]
Trust and Security in Grids (Outsourcing)
[Figure: Service Requestor (SR) and Service Provider (SP) within a VO; Service Request; Service Instance; Shared resources (Res.) of an Infrastructure Provider (IP)]
• Can I trust the SR and SP?
• Is SP using my resources with malicious intent?
• Is the selected IP secure?
Trust: Reputation based on Resource Usage
• Gather low level resource usage information
– SLA violations
– Successful performance
– Compliance with security policies
• Based on utility functions
– Modelling feedback on an entity's behaviour
• Update VO level reputation
– Reputation at different levels: User, Service, VO member, VO as a whole
– Reputation based on past behaviour (history, performance)
[Figure: Reputation Service fed by a Resource Usage Monitoring Service that observes the User-Resource Interaction between a User and the Resources of a Resource Provider]
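The slide only outlines how usage feedback becomes a reputation value. The following Python sketch is an added illustration, not GridTrust project code: it maps low level usage feedback (SLA violations, successful performance, compliance with security policies) through a simple utility function and aggregates the results with time decay at user, service and VO level. The weights, the decay factor, the entity names and the feedback records are all constructed for the example.

```python
"""Reputation from low-level resource usage feedback.

Added example, not GridTrust project code. Each monitored interaction yields
feedback on the three aspects named on the slide: SLA compliance, successful
performance and compliance with security policies. A utility function maps one
feedback record to a score in [0, 1]; scores are aggregated per entity with
exponential time decay (recent behaviour weighs more) and reported at user,
service and VO level. Weights, decay factor, entity names and records are all
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UsageFeedback:
    user: str               # entity that used the resource
    service: str            # service that was invoked
    vo: str                 # VO in whose context the interaction took place
    sla_violated: bool      # reported by the SLA monitor
    succeeded: bool         # did the invocation complete successfully
    policy_violations: int  # number of security-policy violations observed


# Hypothetical weights of the utility function; they sum to 1.0.
W_SLA, W_PERF, W_POLICY = 0.3, 0.3, 0.4


def utility(fb: UsageFeedback) -> float:
    """Map a single feedback record to a utility value in [0, 1]."""
    sla = 0.0 if fb.sla_violated else 1.0
    perf = 1.0 if fb.succeeded else 0.0
    policy = 0.5 ** fb.policy_violations   # each violation halves the compliance score
    return W_SLA * sla + W_PERF * perf + W_POLICY * policy


def decayed_mean(scores, decay=0.8):
    """Weighted mean of chronological scores: newest weight 1, previous decay, then decay**2 ..."""
    if not scores:
        return None
    weights = [decay ** i for i in range(len(scores))][::-1]  # oldest record gets the smallest weight
    return sum(w * s for w, s in zip(weights, scores)) / sum(weights)


def reputations(history):
    """Aggregate a chronological feedback list into reputation at user, service and VO level."""
    per_user, per_service, per_vo = defaultdict(list), defaultdict(list), defaultdict(list)
    for fb in history:
        u = utility(fb)
        per_user[fb.user].append(u)
        per_service[fb.service].append(u)
        per_vo[fb.vo].append(u)

    def aggregate(d):
        return {k: decayed_mean(v) for k, v in d.items()}

    return {"user": aggregate(per_user), "service": aggregate(per_service), "vo": aggregate(per_vo)}


# Constructed feedback records, oldest first.
SAMPLE_HISTORY = [
    UsageFeedback("alice", "routeopt", "transporters_vo", sla_violated=False, succeeded=True, policy_violations=0),
    UsageFeedback("bob", "routeopt", "transporters_vo", sla_violated=False, succeeded=True, policy_violations=2),
    UsageFeedback("alice", "storage", "transporters_vo", sla_violated=True, succeeded=True, policy_violations=0),
    UsageFeedback("bob", "storage", "transporters_vo", sla_violated=False, succeeded=False, policy_violations=1),
]

if __name__ == "__main__":
    for level, scores in reputations(SAMPLE_HISTORY).items():
        for entity, score in scores.items():
            print(f"{level:8s} {entity:16s} {score:.3f}")
```

Because the same utility values feed every level, a user who violates policy lowers not only their own reputation but also that of the services they invoked and of the VO as a whole, which is the roll-up the slide describes.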
Secure Brokering of Resources
• Issue: how to determine if resources returned by a resource broker are secure?
• Secure resource broker
– It implements all the authorisation logic needed for the VO creation
– Performing policy matching (XACML policies) between
• VO sec policy and service provider's sec policy
• VO sec policy and VO users' sec policy
Usage Control Service
• Enforce usage control policies at both VO level and computational (node) level
– Building Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) for POLPA and XACML languages
• Monitor the actions executed on behalf of the grid users
– VO level
• Global VO policies
– Service level
• Policy describes behaviour of the user in the local service invocation
– Computational level
• Highly detailed description of the correct behaviour of the application being executed
From Access Control to Usage Control
[Figure: UCON timeline. Before usage: pre decision, pre update. Ongoing usage: ongoing decision, ongoing update. After usage: post update. Properties: mutability of attributes, continuity of decision. Questions: Usage decision still valid? Can you revoke access?]
Design Decisions
• Use of Globus Toolkit 4.0.x
• Services as Globus Services
• Resources are cast as services
• Use of the Globus CA (even if we extended the certificate format) for authentication
• We address only authorization
General Architecture
[Figure: GridTrust services PPMService, SRBService, VBEService, TRSService (Globus); Service Providers: C-UCONService; VO: VO Manager, Enforcer]
Usage Control Services
• Monitor the actions executed on behalf of the grid users and enforce a UCON security policy
– Computational level (C-UCON)
• The policy consists of a highly detailed description of the correct behaviour of the application being executed
• Only the applications whose behaviour is consistent with the security policy are executed on the computational resource
– VO level (Enforcer)
• Policy evaluation point that supports UCON policies
• The usage control service will be integrated into the Globus middleware
[Figure: GRID Service Middleware Layer, GRID Foundation Middleware Layer; WP3/WP4]
Secure Resource Broker Service
• Integrate access control with resource/service scheduling
• Both resource owners and VO define their resource access and usage policies
• The resource broker schedules a user request only within the set of resources whose policies match the user credentials (and vice-versa)
• Scalability and efficiency
• It will be integrated into the Globus middleware
[Figure: GRID Service Middleware Layer, GRID Foundation Middleware Layer; WP3/WP4]
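The matching described here and on the Secure Brokering slide runs in both directions: the resource owner's policy must admit the requester's credentials, and the requester's policy must be satisfied by the resource's attributes. The Python below is an added illustration, not the SRB's code: it replaces XACML with a tiny predicate format and uses constructed resources, attribute names and credentials, but keeps the deny-by-default, two-way matching the slide states.

```python
"""Bidirectional policy matching for a secure resource broker.

Added example, not GridTrust SRB code. A resource owner states which credentials a
requester must present; the requesting user/VO states what a resource must guarantee.
The broker schedules only on resources for which both directions match. Rules use a
small predicate format instead of XACML; all names and values are constructed.
"""
import operator
from dataclasses import dataclass

# Comparison operators a rule may use.
OPS = {
    "==": operator.eq, "!=": operator.ne,
    ">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt,
    "in": lambda a, b: a in b,
}


@dataclass(frozen=True)
class Rule:
    attribute: str
    op: str
    value: object

    def holds(self, attrs: dict) -> bool:
        # A missing attribute never satisfies a rule: deny by default.
        if self.attribute not in attrs:
            return False
        return OPS[self.op](attrs[self.attribute], self.value)


@dataclass
class Resource:
    name: str
    attributes: dict   # what the resource guarantees about itself
    requires: list     # rules the requester's credentials must satisfy


@dataclass
class Request:
    credentials: dict  # attributes the user / VO presents
    requires: list     # rules a resource must satisfy for this request


def matches(rules, attrs) -> bool:
    """All rules must hold; an empty rule list imposes no requirement."""
    return all(r.holds(attrs) for r in rules)


def broker(request: Request, resources) -> list:
    """Names of resources whose policy admits the request AND which meet the request's policy."""
    selected = []
    for res in resources:
        owner_ok = matches(res.requires, request.credentials)      # resource owner's policy
        requester_ok = matches(request.requires, res.attributes)   # user's / VO's policy
        if owner_ok and requester_ok:
            selected.append(res.name)
    return selected


# Constructed resource pool with owner-side policies.
SAMPLE_RESOURCES = [
    Resource("node-a", {"os": "linux", "encrypted_storage": True, "country": "ES"},
             [Rule("vo", "==", "transporters"), Rule("reputation", ">=", 0.5)]),
    Resource("node-b", {"os": "linux", "encrypted_storage": False, "country": "ES"},
             [Rule("vo", "==", "transporters")]),
    Resource("node-c", {"os": "linux", "encrypted_storage": True, "country": "US"},
             [Rule("vo", "==", "transporters"), Rule("reputation", ">=", 0.9)]),
]

# Constructed request: VO member with reputation 0.75 who needs encrypted storage in ES or BE.
SAMPLE_REQUEST = Request(
    {"vo": "transporters", "reputation": 0.75},
    [Rule("encrypted_storage", "==", True), Rule("country", "in", {"ES", "BE"})],
)

if __name__ == "__main__":
    print("schedulable on:", broker(SAMPLE_REQUEST, SAMPLE_RESOURCES))
```

With these inputs only node-a is returned: node-b fails the requester's encrypted-storage rule, node-c fails both the owner's reputation threshold and the requester's country rule. A request that omits the reputation credential is not admitted by any resource that requires it, which is the deny-by-default behaviour one wants from a broker that is part of the authorisation path.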
Trust and Reputation Service
• Collect, distribute and aggregate feedback about entities' behaviour in a particular context in order to produce a rating about the entities
• Entities could be either users, resources/services, service providers or VOs
• The reputation service is based on ideas of utility computing
• Can be used in both centralised and distributed settings
• The reputation service will also be integrated into the Globus middleware
[Figure: GRID Service Middleware Layer; WP2/WP4]
VBE: Virtual Breeding Environment Service
• It manages the Virtual Breeding Environment composed of users and service providers (user and service provider registration, certificate management, etc.)
PPM: Profile and Policy Management Service
• The policy and profile management service is a database service that keeps information about the security policies of all the entities of the system.
• Supports several types of query
– Service ID, Type, Name, attribute (OS, Memory, CPU type, Library, Certificate)
VO Library
• To be used by the VO Manager to use and interface with GridTrust services
• Offers a full set of functionalities to manage the VO life cycle (Creation, Termination, …)
• Manages access at communication and authentication level from applications to GridTrust Services.
• Hides the complexity of certificate management between users and the GridTrust CA
GridTrust Framework - Components
[Figure: service providers, users and a PKI around the GridTrust Services (TRS, VBE, SRB, PPM); C-UCON at the service providers; ENFORCER and VO Library on the VO side]
Secure VO Lifecycle: Formation
[Figure: VO Manager forms a VO through the VBE Manager, PKI, TRS, PPM, SRB and C-UCON]
Secure VO Lifecycle: VO Operation
[Figure: an Application used by a VO user invokes services through the VO's ENFORCER, which consults the Virtual Breeding Environment and the TRS. Policy: Service1 ; Service2. Invocations of Service1 and Service2 complete (Done); the invocation of Service3 is Denied.]
Fine Grained Continuous Usage Control
[Figure: a Service Provider (SP) runs a Service Instance on Shared resources (Res.). Inside the Hosting Environment the Service Program issues the call trace "… OpenFile() … ReadFile() … OpenFile() … CloseFile() …". A Monitor with the states Start, Opened, Reading, Closed checks the trace against a Local Policy; the Policy Enforcement Point acts on the decision; Violation.]
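The monitor on this slide is a state machine driven by the calls the service program makes. The Python below is an added illustration of that idea, not the C-UCON implementation: the local policy is a transition table over the states named on the slide (Start, Opened, Reading, Closed), the monitor walks the trace and any call with no transition from the current state is a violation that the enforcement point denies. The transition table and the traces are assumptions made here.

```python
"""Behavioural monitor as a finite-state automaton.

Added example, not GridTrust C-UCON code. The local policy is a transition table
over the file operations a service program may issue. The monitor (acting as PEP)
walks the call trace; an operation with no transition from the current state is a
violation and is denied. State names follow the slide; the transition table and
the sample traces are assumptions constructed for this example.
"""
from enum import Enum


class State(Enum):
    START = "Start"
    OPENED = "Opened"
    READING = "Reading"
    CLOSED = "Closed"


# Hypothetical local policy: (current state, operation) -> next state.
# Anything not listed is a violation, so a second OpenFile on an open file is refused.
LOCAL_POLICY = {
    (State.START, "OpenFile"): State.OPENED,
    (State.OPENED, "ReadFile"): State.READING,
    (State.READING, "ReadFile"): State.READING,
    (State.OPENED, "CloseFile"): State.CLOSED,
    (State.READING, "CloseFile"): State.CLOSED,
    (State.CLOSED, "OpenFile"): State.OPENED,   # a closed file may be reopened
}


class Monitor:
    """Tracks the program's state and decides each operation before it executes."""

    def __init__(self, policy=LOCAL_POLICY):
        self.policy = policy
        self.state = State.START
        self.log = []

    def check(self, op: str) -> bool:
        nxt = self.policy.get((self.state, op))
        if nxt is None:
            self.log.append(f"VIOLATION: {op} not allowed in state {self.state.value}")
            return False
        self.log.append(f"{self.state.value} --{op}--> {nxt.value}")
        self.state = nxt
        return True


def run_trace(trace, policy=LOCAL_POLICY):
    """Enforce the policy over a trace, stopping at the first denied operation.

    Returns (all_ok, index_of_first_violation_or_None, log).
    """
    monitor = Monitor(policy)
    for i, op in enumerate(trace):
        if not monitor.check(op):
            return False, i, monitor.log
    return True, None, monitor.log


# Trace as drawn on the slide: the second OpenFile arrives while the file is still being read.
SLIDE_TRACE = ["OpenFile", "ReadFile", "OpenFile", "CloseFile"]
# Constructed well-behaved trace for comparison.
GOOD_TRACE = ["OpenFile", "ReadFile", "ReadFile", "CloseFile", "OpenFile", "CloseFile"]

if __name__ == "__main__":
    for name, trace in (("slide", SLIDE_TRACE), ("good", GOOD_TRACE)):
        ok, where, log = run_trace(trace)
        print(name, "OK" if ok else f"denied at call #{where}")
        print("  " + "\n  ".join(log))
```

With the transition table assumed above, the slide's trace is denied at its third call (index 2): OpenFile is not a permitted successor of the Reading state, so the program is stopped before the call reaches the shared resource, which is the "only applications whose behaviour is consistent with the security policy are executed" property stated on the Usage Control Services slide.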
Supply Chain Case Study: Business Context
Transporters
• Small transporters, to avoid being crushed between rising oil prices and competitive pressure, must increase the optimization level of their business
• The Transporters' Association proposes to its members a common Grid system that can optimize the routes of their whole vehicle fleets
• Daily optimization is already a big leap forward for most transporters, but a Grid allows more than that:
– to re-optimize the allocation of tasks every time that a quotation for a new one has to be produced, thus calculating the lowest possible price for each offer
Supply Chain Demo
Bad Behavior Example
Application:
    ...
    open(HPlibfile, ..)
    ...
    read(HPlibfile, ..)
    ...
    read(HPlibfile, ..)
    ...
    close(HPlibfile, ..)
    ...
Security Policy:
    ...
    OpenHPlibs := false.
    HPLibs := {/usr/local/libs/HPLibs/*}.
    ...
    tryaccess(u, fs, open(fname, flags, mode, res)).
    [(fname ∈ HPlibs), (Attribute(u, reputation) > 0.7)].
    OpenHPlibs := true.
    fdlib := res.
    permitaccess(u, fs, open(fname, flags, mode, res)).
    endaccess(u, fs, open(fname, flags, mode, res)).
    ...
    tryaccess(u, fs, open(fname, flags, mode, res)).
    [(fname ∈ userHome)].
    permitaccess(u, fs, open(fname, flags, mode, res)).
    endaccess(u, fs, open(fname, flags, mode, res)).
    ...
DENIED!!
• Applications can open the HP libs if the user reputation is more than 0.7
• Applications can open files in the user home directory
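The two policy clauses above, together with the mutable attributes and continuity of decision from the "From Access Control to Usage Control" slide, can be exercised in a small simulation. The Python below is an added illustration, not POLPA or the C-UCON enforcement code: opening a file under the HP library directory requires the user's reputation attribute to exceed 0.7, opening a file under the user's home directory is always permitted, and every other open is denied. Reputation is read again before each read on an open handle, so a drop below the threshold while the file is in use revokes the access. The paths, users, attribute store and reputation values are constructed for the example.

```python
"""Attribute-based usage control with continuous decision.

Added example, not POLPA or GridTrust C-UCON code. Rules mirror the two clauses of
the slide's policy: opening a file matching the HP library pattern requires the
user's reputation attribute to exceed 0.7; opening anything under the user's home
directory is permitted; every other open is denied. Reputation is a mutable
attribute: it is re-evaluated while the handle is in use and access is revoked
when the rule no longer holds. Users, paths and values are constructed.
"""
import fnmatch
from dataclasses import dataclass
from typing import Callable

HP_LIBS = "/usr/local/libs/HPLibs/*"   # HPLibs set from the slide, as a glob pattern


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str                 # which files the rule governs; {user} is substituted
    condition: Callable          # condition(user, attributes) -> bool, checked pre and ongoing


def hp_libs_condition(user, attrs) -> bool:
    # Missing attribute counts as 0.0, so an unknown user is denied.
    return attrs.get(user, {}).get("reputation", 0.0) > 0.7


def home_condition(user, attrs) -> bool:
    return True


POLICY = [
    Rule("OpenHPlibs", HP_LIBS, hp_libs_condition),
    Rule("OpenUserHome", "/home/{user}/*", home_condition),
]


class UsageControl:
    """PDP and PEP for file access: decide on tryaccess, keep deciding while the handle is open."""

    def __init__(self, policy, attributes):
        self.policy = policy
        self.attributes = attributes   # mutable store; a reputation service may update it at any time
        self.open_handles = {}         # fd -> (user, fname, rule that permitted it)
        self.next_fd = 3

    def _match(self, user, fname):
        for rule in self.policy:
            if fnmatch.fnmatch(fname, rule.pattern.format(user=user)):
                return rule
        return None   # no clause covers this file: deny by default

    def tryaccess_open(self, user, fname):
        """Pre-decision: return a handle if a rule permits the open, else None (DENIED)."""
        rule = self._match(user, fname)
        if rule is None or not rule.condition(user, self.attributes):
            return None
        fd, self.next_fd = self.next_fd, self.next_fd + 1
        self.open_handles[fd] = (user, fname, rule)
        return fd

    def ongoing_read(self, fd) -> bool:
        """Ongoing decision: re-check the permitting rule; revoke the handle if it fails."""
        entry = self.open_handles.get(fd)
        if entry is None:
            return False
        user, fname, rule = entry
        if not rule.condition(user, self.attributes):
            del self.open_handles[fd]   # revocation: the monitor forces endaccess
            return False
        return True

    def endaccess_close(self, fd) -> bool:
        return self.open_handles.pop(fd, None) is not None


def scenario():
    """Constructed run: u1 starts trusted and loses reputation mid-use; u2 is below the threshold."""
    attrs = {"u1": {"reputation": 0.8}, "u2": {"reputation": 0.5}}
    uc = UsageControl(POLICY, attrs)
    out = {}
    fd = uc.tryaccess_open("u1", "/usr/local/libs/HPLibs/libopt.so")
    out["u1_open_hplib"] = fd is not None
    out["u1_read_1"] = uc.ongoing_read(fd)
    attrs["u1"]["reputation"] = 0.6              # reputation service lowers the attribute
    out["u1_read_after_drop"] = uc.ongoing_read(fd)   # revoked: decision no longer valid
    out["u1_close_after_revoke"] = uc.endaccess_close(fd)
    out["u2_open_hplib"] = uc.tryaccess_open("u2", "/usr/local/libs/HPLibs/libopt.so") is not None
    out["u2_open_home"] = uc.tryaccess_open("u2", "/home/u2/data.csv") is not None
    out["u2_open_other"] = uc.tryaccess_open("u2", "/etc/hosts") is not None
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:24s} {'permitted' if v else 'DENIED'}")
```

The point the slide makes about continuity shows up in the u1 case: the pre-decision permitted the open, but because reputation is re-read on each ongoing read, the same decision is withdrawn once the attribute changes, without waiting for the application to close the file.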
Supply Chain Case Study Service Deployment
[Figure: deployed services – SRB, C-UCON, VO MGT, GridTrust CA, TRS, PPM]
Conclusions - GridTrust Framework
• Introduces usage control into Grids
• Integrates many existing concepts into a single model
• Key innovations:
– mutable attributes, continuous decision
– server-side and user-side usage control
• Provides trust and security services
– VO level: Secure resource broker, Service level usage control, Reputation management service, Security aware VO management
– Node level: Computational usage control
• Provides policy refinement tools: Usage Control Policy editor, Usage control refinement tool
• Will be released in open source
Conclusions - Innovation
• UCON for Grids (improves state of the art: mutable attributes, obligations, continuous enforcement)
– Computational level
– Service level
• Combining brokering and security
• Combining security with reputation
– Globus reputation used for service discovery and selection
– Here we want to use reputation for authorization decisions
• Derivation of business trust and security requirements to policies
• VO management integrated with GridTrust services