SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model -
ADINA RIPOSAN, Department of Applied Informatics
Military Technical Academy Bucharest, 2006


Introduction to Grid Security

The users of the Grid can be organized dynamically into a number of Virtual Organizations (VOs), consisting of resources, services, and people collaborating across institutional, geographical, and political boundaries, each with different policy requirements.

This sharing is, necessarily, highly protected, with resource providers and consumers defining clearly and carefully:
- what is shared,
- who is allowed to share,
- the conditions under which sharing occurs.

Security Models

In order to achieve this goal in a trustworthy manner, two common solutions were identified, and two basic concepts & models were defined:
- the "Virtual Organisations (VO)" Model
- the "Federated Trust" Model
In practice it is often hard to distinguish the boundaries between the VO Model and the Federated Trust Model.

The trust anchors in the VO Model are:
- the Certification Authorities (which govern the authentication infrastructure), and
- the VOs themselves (which self-govern the use of the resources that have been made available to them).
The trust anchors in the Federated Trust Model are:
- the organisations themselves.
The Federated Trust Model typically materialises as a more formal collaboration than that of Virtual Organisations: here, an enumerable set of organisations join and agree on common policies and processes.

We chose the VO Trust Model, as it offers the features most appropriate to the real-life requirements of the Grid infrastructure. Besides the trust model, Grid computing has traditionally honoured a golden rule of thumb: "Always retain local control". For example, any locally defined access control policy takes precedence over any "external" or centralised policy.

VO Trust Model

Security tools are concerned with:
- establishing the identity of users or services (authentication),
- protecting communications, and
- determining who is allowed to perform what actions (authorization),
as well as with supporting functions such as:
- managing user credentials, and
- maintaining group membership information.

Grid computing research has produced security technologies based not on direct inter-organizational trust relationships but rather on the use of the VO (Virtual Organisation) as a bridge among the entities participating in a particular community or function.
VO (Virtual Organisation) = BRIDGE

Grid Solution: Use the Virtual Organization as a Bridge

Grid security challenges are driven by the need to support scalable, dynamic, distributed virtual organizations (VOs): collections of diverse and distributed individuals that seek to share and use diverse resources in a coordinated fashion. We cannot, in general, assume trust relationships between
- the classical organization, and
- the VO or its external members.

Grid security mechanisms address these challenges by allowing a VO to be treated as a policy domain overlay.
VO = POLICY DOMAIN OVERLAY

Complicating Grid security is the fact that new services (i.e., resources) may be deployed and instantiated DYNAMICALLY over a VO's lifetime.

Dynamic creation of services

Dynamic creation of services: users must be able to create new services (e.g., "resources") dynamically, without administrator intervention. These services must be coordinated and must interact securely with other services.
=> We must be able to DYNAMICALLY name the service with an assertable identity and to grant rights to that identity without contradicting the governing local policy.

Dynamic establishment of Trust Domains

Dynamic establishment of trust domains: in order to coordinate resources, VOs need to establish trust
- among users and resources in the VO, and also
- among the VO's resources, so that they can be coordinated.
These trust domains
- can span multiple organizations, and
- must adapt dynamically as participants join, are created, or leave the VO.

Overview of the Security Architecture services

Overview of the components in the security architecture and their interactions (typical request flow):

Logging and Auditing
Ensures:
- monitoring of system activities, and
- accountability in case of a security event.

Authentication
- Credential storage ensures proper security of (user-held) credentials.
- Proxy certificates enable single sign-on.
- TLS, GSI, WS-Security and possibly other X.509-based transport- or message-level security protocols ensure integrity, authenticity and (optionally) confidentiality.
- EUGridPMA establishes a common set of trust anchors for the authentication infrastructure.
- Pseudonymity services address anonymity and privacy concerns.

Authorization
- Attribute authorities enable VO-managed access control.
- Policy assertion services enable the consolidation and central administration of common policy.
- The authorization framework enables the local collection, arbitration, customisation and reasoning over policies from different administrative domains, as well as integration with service containers and legacy services.
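The arbitration step described here, together with the "always retain local control" rule from the trust-model slides, as an added Go example (not part of the presentation or of any Grid toolkit). It assumes VOMS-style FQAN attributes and a constructed rule model in which the site policy is consulted first and only a local "delegate" rule lets the VO overlay grant anything; the policies in the test are constructed sample data.

```go
package main

import "strings"

// Request is what the authorization framework sees once authentication is done: the action asked
// for, the resource, and the VO-issued attributes (VOMS-style FQANs such as "/atlas/Role=production").
type Request struct {
	Action, Resource string
	Attrs            []string
}

// Rule patterns are prefixes: "" matches anything, "/data/atlas/" matches that subtree, "/atlas" matches
// every FQAN of that VO. Effect is "allow", "deny" or, in site policy only, "delegate" (ask the VO).
type Rule struct{ Effect, Attr, Action, Resource string }

// Policy is the ordered rule set of one administrative domain (a site, or a VO acting as overlay);
// the first matching rule wins, so a VO can still place a deny ahead of a broader allow.
type Policy []Rule

// first returns the effect of the first rule matching req, or "" when no rule applies.
func (p Policy) first(req Request) string {
	for _, r := range p {
		if !strings.HasPrefix(req.Action, r.Action) || !strings.HasPrefix(req.Resource, r.Resource) {
			continue
		}
		for _, a := range append([]string{""}, req.Attrs...) { // the "" entry lets an Attr "" rule cover attribute-less callers
			if strings.HasPrefix(a, r.Attr) {
				return r.Effect
			}
		}
	}
	return ""
}

// Decide arbitrates between site and VO policy under "always retain local control": a local deny or
// allow is final, a local delegate hands the decision to the VO overlay, and without any local rule
// the VO grant is not honoured (default deny). The reason string is what the audit log should record.
func Decide(req Request, site, vo Policy) (bool, string) {
	switch site.first(req) {
	case "deny":
		return false, "local policy denies"
	case "allow":
		return true, "local policy allows"
	case "delegate":
		if vo.first(req) == "allow" {
			return true, "VO policy allows (delegated by site policy)"
		}
		return false, "VO policy grants nothing for this request"
	}
	return false, "no local rule for this request: VO attributes alone grant nothing"
}
```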

Delegation
Allows an entity (user or resource) to empower another entity (local or remote) with the necessary permissions to act on its behalf.

Data key management
Enables long-term distributed storage of data for applications with privacy or confidentiality concerns.

Site proxy
Enables applications to communicate despite heterogeneous and non-transparent network access.

Sandboxing
Isolates a resource from the local site infrastructure hosting the resource, mitigating attacks and malicious/wrongful use.
In the case of SCAVENGING existing desktops, a protective "SANDBOX" should be implemented on the Grid member machines, so that:
- a job cannot cause any disruption to the donating machine if it encounters a problem during execution, and
- rights to access files and other resources on the grid machine from inside the Grid may be restricted.
=> The protection is ensured BOTH for the donating machine and for the Grid system (2-way protection).

GSI Conceptual Details:
- Public Key Cryptography
- Digital Signatures
- Certificates
- Mutual Authentication
- Confidential Communication
- Securing Private Keys
- Delegation and Single Sign-On

- The Grid Security Infrastructure (GSI) provides security mechanisms, i.e. authentication and secure communication over an open network.
- GSI supports a number of features that a Grid user requires:
  - authentication using a single sign-on mechanism
  - delegation (through proxies)
  - integration with local security systems
  - trust-based relationships, using a Certificate Authority (CA)
- GSI is based on public-key encryption (using X.509 certificates) and SSL.
- The GSI implementation in Globus adheres to the IETF GSS-API standard.

CONCLUSION:
- GSI key features:
  - authentication using a single sign-on mechanism
  - delegation (through proxies - my_proxy)
  - trust-based relationships, using a Certificate Authority (CA)
- GSI is based on public-key encryption (using X.509 certificates) and SSL.