Audit Control Environment Mike Smorul UMIACS. Issues surrounding asserting integrity Threats to Integrity of Digital Archives –Hardware/media degradation.

Slides:

Advertisements

Similar presentations

InterScan AppletTrap Zhang Hong Trend Micro, AppletTrap Team (Nanjing)

Advertisements

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

VAMDC Registry Portal Proof of Concept. Registry VAMDC Registry is available at – ex.jsp

Background Chronopolis Goals Data Grid supporting a Long-term Preservation Service Data Migration Data Migration to next generation technologies Trust.

Software Certification and Attestation Rajat Moona Director General, C-DAC.

A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Chronopolis: Preserving Our Digital Heritage David Minor UC San Diego San Diego Supercomputer Center.

ADAPT An Approach to Digital Archiving and Preservation Technology Principal Investigator: Joseph JaJa Lead Programmers: Mike Smorul and Mike McGann Graduate.

PAWN: Producer-Archive Workflow Network University of Maryland Institute for Advanced Computer Studies Joseph Ja’Ja, Mike Smorul, Mike McGann.

May Archiving PAWN: A Policy-Driven Software Environment for Implementing Producer- Archive Interactions in Support of Long Term Digital.

Tools and Services for the Long Term Preservation and Access of Digital Archives Joseph JaJa, Mike Smorul, and Sangchul Song Institute for Advanced Computer.

Producer-Archive Workflow Network (PAWN) Goals Consistent with the Open Archival Information System (OAIS) model Use of web/grid technologies and platform.

ACE: A Software Tool to Ensure the Integrity of Digital Archives Principal Investigator: Joseph JaJa Graduate Student: Sangchul Song Lead Programmer: Michael.

Supporting Customized Archival Practices Using the Producer-Archive Workflow Network (PAWN) Mike Smorul, Mike McGann, Joseph JaJa.

Robust Tools for Archiving and Preserving Digital Data Joseph JaJa, Mike Smorul, and Mike McGann Institute for Advanced Computer Studies Department of.

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation

Replication Monitoring University of Maryland Institute for Advanced Computer Studies.

Tools and Services for the Long Term Preservation and Access of Digital Archives Joseph JaJa, Mike Smorul, and Sangchul Song Institute for Advanced Computer.

ACE: A Software Tool to Ensure the Integrity of Digital Archives Principal Investigator: Joseph JaJa Graduate Student: Sangchul Song Lead Programmers:

Mike Jackson EPCC OGSA-DAI Today Release 2.2 Principles and Architectures for Structured Data Integration: OGSA-DAI.

May 23, 2007 Archiving ACE: A Novel Software Platform to Ensure the Integrity of Digital Archives Sangchul Song and Joseph JaJa Institute for Advanced.

Robust Technologies for Automated Ingestion and Long-Term Preservation of Digital Information Principal Investigator: Joseph JaJa Lead Programmers: Mike.

PAWN: Producer-Archive Workflow Network University of Maryland Institute for Advanced Computer Studies Joseph JaJa, Mike Smorul, Mike McGann.

UMIACS PAWN, LPE, and GRASP data grids Mike Smorul.

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.

Archival Prototypes and Lessons Learned Mike Smorul UMIACS.

SAN DIEGO SUPERCOMPTER CENTERUC SAN DIEGO LIBRARIESNDIIPP PARTNERS MEETING David Minor SDSC Robert H. McDonald SDSC Sangchul Song UMIACS Bryan.

Web services security I

Live Meeting APIs Robert Devine Program Manager Microsoft Corporation.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Construction of efficient PDP scheme for Distributed Cloud Storage. By Manognya Reddy Kondam.

Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam

Preserving Electronic Mailing Lists: The H-Net Archive H-Net Mapped to the OAIS Model Preservation AssessmentPreservation improvementsOverview How H-Net.

Implementation Yaodong Bi. Introduction to Implementation Purposes of Implementation – Plan the system integrations required in each iteration – Distribute.

Cloud Integrity Monitoring Mike Smorul ADAPT Group University of Maryland, College Par.

Rule-Based Data Management Systems Reagan W. Moore Wayne Schroeder Mike Wan Arcot Rajasekar {moore, schroede, mwan, {moore, schroede, mwan,

Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.

Breno de MedeirosFlorida State University Fall 2005 Windows servers The NT security model.

Production Data Grids SRB - iRODS Storage Resource Broker Reagan W. Moore

Hashing THEN AND NOW MIKE SMORUL – ADAPT PROJECT.

Practical Byzantine Fault Tolerance

E.Soundararajan R.Baskaran & M.Sai Baba Indira Gandhi Centre for Atomic Research, Kalpakkam.

Presented by: Sanketh Beerabbi University of Central Florida.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

NT SECURITY Introduction Security features of an operating system revolve around the principles of “Availability,” “Integrity,” and Confidentiality. For.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

Troubleshooting Security Issues Lesson 6. Skills Matrix Technology SkillObjective Domain SkillDomain # Monitoring and Troubleshooting with Event Viewer.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

The world leader in serving science Overview of Thermo 21 CFR Part 11 tools Overview of software used by multiple business units within the Spectroscopy.

Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University

Partnerships in Innovation: Serving a Networked Nation Grid Technologies: Foundations for Preservation Environments Portals for managing user interactions.

1 A Scalable Distributed Data Management System for ATLAS David Cameron CERN CHEP 2006 Mumbai, India.

Managing live digital content with DuraSpace services Bill Branan PASIG Spring 2015.

Big Data Security Issues in Cloud Management. BDWG Big Data Working Group Researchers 1: Data analytics for security 2: Privacy preserving 3: Big data-scale.

IDS And Tripwire Rayhan Mir COSC 356. What is IDS IDS - Intrusion detection system Primary function – To monitor network or host resources to detect intrusions.

CMSC 818J: Privacy enhancing technologies Lecture 2.

KEEPS – a system for UELMA preservation and security

KEEPS – a system for UELMA preservation and security

Joseph JaJa, Mike Smorul, and Sangchul Song

Complete 1z0-161 Exam Dumps - Pass In 24 Hours - Dumps4download.us

Chapter 19: Building Systems with Assurance

ACE – Auditing Control Environment

Presentation transcript:

Audit Control Environment Mike Smorul UMIACS

Issues surrounding asserting integrity Threats to Integrity of Digital Archives –Hardware/media degradation –Hardware/software malfunction –Operational errors –Security breaches, malicious alterations –Technology evolution –Object transformation (format obsolescence) –Infrequent access to most data

Using Hashes to Monitor Files Strong hashes can assert a file has not changed How to manage millions of hashes? How do you prove the hash value hasn’t changed? How do you prove a hash value was issued at a given time?

Audit Control Environment (ACE) Solves the problem of storing and verifying hashes. Secures hashes by issuing token for each file/hash to me monitored. Tokens contain a cryptographic proof that allows for 3 rd party auditing. One number stored externally is used to audit tokens and hashes.

Hash Authentication Hash 1Hash 6Hash 5Hash 3Hash 4Hash 2 Intermediate Hash Value Previous Round Hash CSI (one hash value) Challenge Hash IHV Gather Hashes During Round Create Merkel Tree For Supplied Hashes Link to previous roundGenerate proof for hash

Token Sample SHA SHA-256 /SRB3_2_1f.tar T11:03: e869e2ce41ede3ceb3af50f8aa b3e67055b5b3d2787e2c294a95a869 6a d7b4ff660d499416fd45a20dde161eb68e59fedc0f58208ad86cf a6a d24e99435e817511eeb89ddc03afbc6a30f23e404847cc06 1aeaf2d76976cf9759b0d63bc7acdf9c6df68875bfc9bcc0e22c19401aab0133

How to scale? Two layers of Merkel tree 1.Short rounds(seconds), that generate Cryptographic Summary Information(CSI). 2.Each successive round includes previous CSI 3.Second, daily rounds comprised of all CSI’s for previous day. Daily tree root, called Witness can validate all CSI’s for a day. –Only 365/year generated. Very manageable! Two components, an Integrity Management Service(IMS), and Audit Manager(AM) were developed.

Components Integrity Management Service (remote) –Runs all hash aggregation, round generation, witness publication. –Stores CSI values –Generate proofs from CSI to witness –ims.umiacs.umd.edu Audit Manager (local) –Monitors local files –Determines audit policy –One or more per archive –Locally stores hashes and tokens

ACE – System Architecture

ACE Audit  Audit Local Files: Audit Manager periodically scans all files and compares stored digests with computed digests.  Assume valid hashes in database  Audit Local Manager: Manager computes round summary for each digest using that digest and its token. This is compared to value stored on the IMS.  Assume IMS returns valid summary information, do not trust hashes in database  IMS Audit: Round summaries are used to compute witness values. These are compared with offsite witness values.  Do not trust IMS, force IMS to prove its CSIs link to a witness

Audit Manager Downloadable, one or more per archive Monitors local files Simple Requirements –Java 1.6+ –Tomcat –MySQL Managed by archivist/librarian after install Monitor multiple collections on different architectures Hides all the complexity you just saw!

ACE Audit Manager Dashboard for collection monitoring

Logging All events logged –Files offline, corrupt, re-available –Audit times, last seen

Error Reporting View all files that are not perfectly intact Remove files from monitoring. View events associated with files

Audit Manager Features Compare collections to hash list –Same/different names, same/differing digests Export collection details –Hash export, wget crawl export JSON interface for embedding statistics in 3 rd party websites Gateway to data

Fun with hashes Ensure everything was uploaded –Accepts a bag-it style manifest (hash + path) Extract all the duplicates –More exist than you think Ensure collection replicas are complete Locate renamed files

Performance Audit Manager (1.1beta3) 1.25 million false digests (no bytes read) –Registration: 3h, 6m (112 files/s) –Audit: 1h, 15m (277 files/s) 1.25 million false data files (1.25Tb data) –Registration: 5h, 7m (67.8 files/s, 67.8MBytes/s) –Audit: 4h, 30m (77.2 files/s, 77.2MBytes/s) In practice, bottleneck tends to occur at archival resource, not AM.

Chronopolis test Three sites –UMD, NCAR, SDSC Three ACE AM installations Independent monitoring at all sites 30 day audit policy Over 17Tb and 5.5 million files

Chronopolis Test ProviderFilesSize(GB)Time(h)Files/sMB/s CDL46,7624,29120: SIO-GDC197, : ICPSR4,830,6256,957122: NC-State608,4245,46532:

ACE Summary High performance, Scalable 3 rd party auditable Version 1.0 publically available –Support for local files, SRB, iRODS Standalone client available