Presentation is loading. Please wait.

Presentation is loading. Please wait.

17 March 2008 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 1 NextGRID Security.

Published byBriana Georgiana Cummings Modified over 8 years ago

Similar presentations

Presentation on theme: "17 March 2008 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 1 NextGRID Security."— Presentation transcript:

1 17 March 2008 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 1 NextGRID Security and Standards Mark Sawyer EPCC (with material from Joris Claessens (EMIC), and Mike Surridge and Thomas Leonard (IT Innovation)

2 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 2 Talk Overview Presented from a NextGRID POV Brief outline of project NextGRID security requirements Overview of relevant standards

3 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 3 NextGRID overview Three-and-a-half year FP6 Integrated Project Objective: design an architecture for Next Generation Grids Target user community: business and commerce Flexible business models Economically sustainable grid

4 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 4 NextGRID overview Not a middleware implementation  Some software was developed to test and demonstrate architectural principles Main project output is a set of specifications which define the architecture. Build on existing standards where possible. www.nextgrid.org

5 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 5 Security in Grid application use cases Recurring scenario: secure relationship between customer and service provider needs to be established and used  Derivative Pricing and Implied Volatility  Supply Chain Management (hosted SAP)  Digital Media  EDR Processing Interaction between customer and service provider must be secure; for example:  Authenticity and confidentiality of inputs and processed results  Well-defined relationship for regulatory compliance  Applicability of software licensing terms  Correct accounting and billing  Fine-grained resource allocation to protect against over- consumption  Fine-grained access control to customer database 5

6 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 6 NextGRID Security Objectives Provide security model for  ensuring dynamic authentication and confidentiality of Grid service message exchanges  within a specified and established (federation) context  in a coherent way with dynamic service access authorisation Focus essentially on secure interaction in Service- Oriented Architectures (SOAs)  service and message authentication  message confidentiality  service access authorisation 6

7 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 7 NextGRID Security Use Cases Cross-organizational vs. intra- organizational security interactions Create and manage “federation context”  Includes configuration related client and service policies Securely invoke target service  Retrieve metadata relevant to federation context  Contextualize service interaction Obtain and validate “token” to secure contextualized service interaction  Includes checking of client and service policies 7

8 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 8 Web Services Landscape Follow this URL to see a diagram showing the WS Landscape. http://preview.tinyurl.com/2b6lmh

9 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 9 Security Standards Relevant to NextGRID WS-Security: a set of SOAP extensions to provide messages with integrity and confidentiality features. WS-Policy: a standard for expressing constraints (including constraints on the security of SOAP messages). WS-Trust: a specification (protocol) for exchanging security tokens, e.g. to convert one type of security token for another. WS-Federation: a specification for using WS-Trust services to translate security tokens between different security domains. SAML: a standard for tokens expressing identity or authorisation attributes. XACML: a standard for expressing authorisation policies based on expressed attributes. WS-SecureConversation: a specification for using WS-Trust services to establish a shared secret key that could then be used for encrypting messages via WS-Security.

10 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 10 NextGRID Generalised Specifications NextGRID aims to build on existing standards as much as possible Major output is a set of ‘Generalised Specifications’ – profiles of and extensions to existing standards Security Generalised Specification has been authored by EMIC and IT Innovation. Available via NextGRID website.

11 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 11 NextGRID GS Security Profile scope Contextualized SOAP Message Security  Introduce FederationContext SOAP header  Mandate “WS-Security”, with context header covered by signature  Suggest use of X.509 cert to sign message  Suggest use of SAML token carrying required claims giving access to FederationContext, and referring to X.509 cert  Suggest relying on transport level encryption Cross-organizational security management and metadata  Define FederationContext type as EPR  But does not specify how EPR is created  Introduce management operations to add and remove “policy rules”  Describe policy rule type which maps ‘token match rule’ to ‘role’  Suggest use of WS-PolicyAttachment for exposing federation metadata Security token issuance and validation  Use WS-Trust for token issuance/validation, in WS-Federation model  Provide Sign-on STS and Membership STS profiles 11

12 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 12 Relation to other WS-* security specs OASIS WS-SecureConversation  Defines “mechanisms for establishing and sharing security contexts” which can be used to exchange multiple messages  For message sequence in same federation context, recommend to establish lightweight security scope referring to initially authenticated context  NextGRID GS does not explicitly cover composability profile with WS- SecureConversation, but this should be perfectly possible OASIS WS-SecurityPolicy  Defines assertions describing how to secure messages  Can e.g. express message signature must cover context header  Note that NextGRID GS defines new WS-Policy primitive assertion to indicate that such a header is required OGF OGSA Security Profile 2.0  OGSA Security Profile 1.0 focuses on transport layer security  OGSA Security Profile 2.0 is including profile for WS-Security  But it does not cover NextGRID “contextualization” aspect through a separate header, and does not cover support for policy management operations across trust boundaries 12

13 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 13 NextGRID security component model NextGRID security architecture is leveraging WS-* security standards, and is adopting claims-based security model Service requestors must obtain appropriate security token(s) asserting certain claims, from so-called security token service(s) Service request is secured using this token(s) At service side, specific access request (incl. specified context) is granted or denied based on claims asserted in tokens, and based on trust in token issuer(s), all according to authorization policy at service provider’s side © 2008 NextGRID Consortium 13

14 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 14 NextGRID Current Status Project ends March 31 2008 Security Generalised Specification (Profile). Security components have been developed and used in experiments and demonstrations.

15 17 March 2008 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 15 NextGRID Security Model and Standards Mark Sawyer EPCC (with material from Joris Claessens (EMIC), Mike Surridge and Thomas Leonard (IT Innovation)

Download ppt "17 March 2008 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 1 NextGRID Security."

Similar presentations

OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.

OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Service Bus Service Bus Access Control.

Service Bus Service Bus Access Control.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.
WS – Security Policy Prabath Siriwardena Director, Security Architecture.

WS – Security Policy Prabath Siriwardena Director, Security Architecture.
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
VOMS & SAML Valerio Venturi MWSG 12 12-13/6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.

VOMS & SAML Valerio Venturi MWSG /6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.
SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.

SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.

Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Core Web Service Security Patterns

Core Web Service Security Patterns
© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number 09-017 Norman F. Brickman, Roger.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.
OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.

OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.

Similar presentations

Ads by Google