Security Requirements Analysis for Large-scale Distributed Systems. Syed Naqvi¹, Olivier Poitou¹, Philippe Massonet¹, Alvaro Arenas². ¹Centre of Excellence in Information and Communication Technologies (CETIC), {syed.naqvi, olivier.poitou, philippe.massonet}@cetic.be. ²CCLRC Rutherford Appleton Laboratory, [email protected]

Security Requirements Analysis for Large-scale Distributed Systems

Jan 04, 2016




Transcript
Page 1: Security Requirements Analysis for Large-scale Distributed Systems


Security Requirements Analysis for Large-scale Distributed Systems

Syed Naqvi¹, Olivier Poitou¹, Philippe Massonet¹, Alvaro Arenas²

¹Centre of Excellence in Information and Communication Technologies (CETIC), {syed.naqvi, olivier.poitou, philippe.massonet}@cetic.be

²CCLRC Rutherford Appleton Laboratory, [email protected]

Page 2: Security Requirements Analysis for Large-scale Distributed Systems

European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies 2

Outline

• Introduction
• Grid Security Requirements
• Solutions for these Requirements
• Conclusions

Page 3: Security Requirements Analysis for Large-scale Distributed Systems


Outline

• Introduction
• Grid Security Requirements
• Solutions for these Requirements
• Conclusions

Page 4: Security Requirements Analysis for Large-scale Distributed Systems


[Figure: Functional View of Grid Data Management, taken from www.twgrid.org. Components shown: Application; Planner (data location, replica selection, selection of compute and storage nodes); Executor (initiates data transfers and computations); Metadata Service (location based on data attributes); Replica Location Service (location of one or more physical replicas); Information Services (state of grid resources, performance measurements and predictions); Security and Policy; Data Movement; Data Access; Compute Resources; Storage Resources.]

Page 5: Security Requirements Analysis for Large-scale Distributed Systems


FileStamp – Distributed File System

• Decentralized multi-writer file system
– Based on a Peer-to-Peer technology
– Self-managing data storage location

Page 6: Security Requirements Analysis for Large-scale Distributed Systems


FileStamp Architecture

Page 7: Security Requirements Analysis for Large-scale Distributed Systems


File Redundancy

Dynamic replica regeneration

Page 8: Security Requirements Analysis for Large-scale Distributed Systems


FileStamp – File Transfer

• BitTorrent Technology
• Moreover, transfers can be interrupted and restarted from the last transferred bytes

Page 9: Security Requirements Analysis for Large-scale Distributed Systems


Outline

• Introduction
• Grid Security Requirements
• Solutions for these Requirements
• Conclusions

Page 10: Security Requirements Analysis for Large-scale Distributed Systems


Generic Requirements

• Authentication
– Each party establishes a level of trust in the identity of the other party
– Authentication protocol sets up a secure communication channel between the authenticated parties

• Authorization
– Allows access to resources based on policies attached to each service.
– VOs introduce challenging management & policy issues
  • Complex relationships between local site policies and the goals of the VO

Page 11: Security Requirements Analysis for Large-scale Distributed Systems


Generic Requirements

• Availability
– Legitimate users have access when they need it
– Replication: well-known technique for improving availability in distributed systems
  • Total network load is also decreased if replicas & requests are reasonably distributed

• Confidentiality
– Assures that information does not reach unauthorized individuals, entities, or processes.
– Achievable by a mechanism for ensuring access control
– Confidentiality requirements include point-to-point transport as well as store-and-forward mechanisms.

Page 12: Security Requirements Analysis for Large-scale Distributed Systems


Generic Requirements

• Integrity
– Assurance that information can only be accessed or modified by those authorized to do so.
– Nontrivial problem
  • especially when storage hardware and networks are not perfect

• Traceability
– Mechanism of observing the various actions taken by the different actors
– Used to develop audit trails
– Events are recorded in log files
– Can be used to determine the responsibility for incidents

Page 13: Security Requirements Analysis for Large-scale Distributed Systems


Specific Requirements

• Resilience
– Provides an abstraction layer to hide the architectural changes from the overall security architecture
– Security architecture should remain intact and should deliver the promised level of security even if its composition changes over time.
  • Grid links and nodes are very dynamic in nature and may change over time.

• Data Lifecycle Management (DLM)
– Lifecycle is the time from the moment data is created until it is deleted or stored indefinitely.
– Security assurances require spanning the entire lifecycle of data.

Page 14: Security Requirements Analysis for Large-scale Distributed Systems


Specific Requirements

• Fault-tolerance
– Highly desirable feature, especially for the transfer of large data files.
– Overlay networks provide caching of transfers.
– But caching reduces performance of the overall data transfer.
  • The amount of data that can be cached depends on the storage policies at the intermediate network points.
– The caching and other techniques do not consider security parameters
– An appropriate negotiation protocol is indispensable to negotiate the terms and conditions of security before moving or (temporarily) storing data.
– The negotiation process should not take its toll on the system's performance.

Page 15: Security Requirements Analysis for Large-scale Distributed Systems


Outline

• Introduction
• Grid Security Requirements
• Solutions for these Requirements
• Conclusions

Page 16: Security Requirements Analysis for Large-scale Distributed Systems


Authentication

• Current authentication mechanism
– File owner issues a certificate for the write access to the file.
– Authentication of the certificate is performed by the DHT (Distributed Hash Table) nodes and FS (File System) clients.
  • Both signatures are verified when storing/retrieving a UCB (User Certificate Block)
– This certificate has some major problems:
  • It always gives write permission even if the user only requires read permission.
  • Its format is not standardized!
  • It creates compatibility problems with existing standard credentials (X.509, Kerberos, etc.)

Page 17: Security Requirements Analysis for Large-scale Distributed Systems


Authentication

X.509 version 3 Certificate

x509 v3 Body part:
• Version
• Serial Number
• Signature Algorithm
• Issuer Name
• Validity
• Subject Name
• Subject Public Key
• Issuer Unique ID (v2)
• Subject Unique ID (v2)
• Extensions (v3)

Digital Signature:
• Signature Algorithm
• Signature of CA

Page 18: Security Requirements Analysis for Large-scale Distributed Systems


Authorization

• FileStamp employs local mapping of the user
– Like a UNIX authorization matrix

• The mapping serves as an access control check
– Access to the resource is denied if the user is not listed in the local mapping configuration
– Local policy management and enforcement mechanisms constrain the user's actions to those allowed by local policy

• Easy for site administrators to understand and configure
– Shortcomings: scalability, lack of expressiveness, consistency of policies

Page 19: Security Requirements Analysis for Large-scale Distributed Systems


Authorization (through CAS)

[Figure: CAS authorization flow between Client, CAS Server and Resource Server. The CAS server answers "What rights does the community grant to this user?" from the CAS-maintained community policy database and issues a policy statement carrying the community signature. The client's user proxy carries this signed policy statement to the resource server, which checks it against its local policy information: "Is this request authorized for the community?", "Does the policy statement authorize the request?", "What local policy applies to this user?"]
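The Authentication slide faults FileStamp's current certificate for always granting write permission, and the Authorization slides describe a two-level check (a community policy statement, then the site's UNIX-like local mapping). The following is an added example, not FileStamp's or CAS's own code: the community statement names the exact right granted, and the resource side accepts a request only if both that statement and the local mapping allow it. The HMAC key stands in for the community's signature key, and the user names, paths and expiry values are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample key: stands in for the community's signing key.
COMMUNITY_KEY = b"constructed-community-signing-key"

# Resource server's local mapping, a UNIX-like matrix: user -> path -> rights.
LOCAL_MAPPING = {
    "alice": {"/vo/data/run1": {"read", "write"}},
    "bob": {"/vo/data/run1": {"read"}},
}


def issue_statement(key, user, path, rights, expires):
    """Community side: sign a statement naming the exact rights granted,
    so a read-only user is never handed write permission."""
    body = {"user": user, "path": path, "rights": sorted(rights), "expires": expires}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"statement": body, "signature": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_statement(key, stmt, now):
    """Resource side: check the community signature, then the expiry."""
    payload = json.dumps(stmt["statement"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, stmt["signature"]):
        return False
    return now < stmt["statement"]["expires"]


def authorize(key, stmt, user, path, action, now):
    """Grant only if the community statement AND the local mapping allow it."""
    if not verify_statement(key, stmt, now):
        return False, "invalid or expired community statement"
    s = stmt["statement"]
    if s["user"] != user or s["path"] != path:
        return False, "statement does not cover this user/path"
    if action not in s["rights"]:
        return False, "community did not grant this right"
    if action not in LOCAL_MAPPING.get(user, {}).get(path, set()):
        return False, "denied by local policy"
    return True, "authorized"


if __name__ == "__main__":
    stmt = issue_statement(COMMUNITY_KEY, "bob", "/vo/data/run1", {"read"}, expires=2000)
    print(authorize(COMMUNITY_KEY, stmt, "bob", "/vo/data/run1", "write", now=1000))
```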

Page 20: Security Requirements Analysis for Large-scale Distributed Systems


Availability, Confidentiality, Integrity

[Figure: two approaches compared side by side: "Simple yet fragile solution" and "Complex but strong solution".]

Page 21: Security Requirements Analysis for Large-scale Distributed Systems


Resilience & Fault-tolerance (through WS Agreement)

[Figure: WS-Agreement model. Consumer side: Application Instance, Factory (create()), Negotiator (negotiate()). Provider side: Factory with Policy (create()); Agreement (Ops: terminate(limits), inspect(query), ...; SDEs: Terms, Related Agreements, Status); Manager; Negotiation (Ops: terminate(limits), negotiate(...), ...; SDEs: Terms, Related Agreements, Status); foo(); inspect().]

• Target is to maintain an optimal number of replicas of a data set

• Key issues:
– Determine optimal number of replicas
– How efficiently the system recognizes faulty nodes
– How transparently data is migrated

• FileStamp should be able to negotiate the terms of security parameters with the nodes
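The slide on File Redundancy (dynamic replica regeneration) and the key issues listed above come together in a replica-maintenance loop. The following is an added example, not FileStamp's code: nodes are judged faulty when their heartbeat is older than a timeout, replicas on those nodes are dropped, and copies from a surviving replica are scheduled onto healthy nodes until the target count is met again. Node names, heartbeat times and the timeout are constructed sample values.

```python
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 30  # seconds since last heartbeat before a node counts as faulty


@dataclass
class ReplicaSet:
    target: int                                 # desired number of replicas
    holders: set = field(default_factory=set)   # nodes currently holding one


def faulty_nodes(last_seen, now, timeout=HEARTBEAT_TIMEOUT):
    """Nodes whose most recent heartbeat is older than the timeout."""
    return {node for node, seen in last_seen.items() if now - seen > timeout}


def regenerate(rs, last_seen, now):
    """Drop replicas held by faulty nodes, then copy from a surviving replica
    onto healthy nodes until the target count is reached again.
    Returns the (source, destination) copies that were scheduled."""
    bad = faulty_nodes(last_seen, now)
    rs.holders -= bad
    candidates = sorted(n for n in last_seen if n not in bad and n not in rs.holders)
    copies = []
    while rs.holders and candidates and len(rs.holders) < rs.target:
        src = min(rs.holders)        # any surviving replica can serve as source
        dst = candidates.pop(0)
        rs.holders.add(dst)
        copies.append((src, dst))
    return copies


def status(rs):
    """'lost' if no replica survives, 'under-replicated' if below target."""
    if not rs.holders:
        return "lost"
    return "ok" if len(rs.holders) >= rs.target else "under-replicated"


if __name__ == "__main__":
    # Constructed sample cluster: n3 has not sent a heartbeat for 40 s.
    heartbeats = {"n1": 100, "n2": 100, "n3": 60, "n4": 100, "n5": 100}
    rs = ReplicaSet(target=3, holders={"n1", "n2", "n3"})
    print(regenerate(rs, heartbeats, now=100), sorted(rs.holders), status(rs))
```

When no healthy node is free, the set is reported as under-replicated rather than silently accepted, and when every holder has failed the data set is reported lost, since there is nothing left to copy from.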

Page 22: Security Requirements Analysis for Large-scale Distributed Systems


Data Lifecycle Management (through HSM)

• VO security policy should explicitly mention the desired lifecycle of the data being managed by FileStamp
– FileStamp should indicate the stage at which the data generated by the VO operations should be destroyed from the storage devices

• FileStamp should also employ some secure storage management technique such as HSM (Hierarchical Storage Management)

Page 23: Security Requirements Analysis for Large-scale Distributed Systems


Outline

• Introduction
• Grid Security Requirements
• Solutions for these Requirements
• Conclusions

Page 24: Security Requirements Analysis for Large-scale Distributed Systems


Conclusions

• Global connectivity of computing and storage resources opens up the possibility of misusing information to a degree never seen before

• The objective to facilitate use of these resources by protecting them against any misuse must, however, be realistic given the current technical infrastructure

• Security technologies should be integrated from the inception stage rather than considered as add-on optional features

• The risk and threat pictures are always changing, and their analysis needs to be continuously updated

REMEMBER: Security is not a product – Security is a process!

Page 25: Security Requirements Analysis for Large-scale Distributed Systems


Future Work

• Formalising the FileStamp Security Requirements using the KAOS methodology
– Obstacle model
– Extending KAOS with templates for security requirements

• Deriving Security Policies from the Security Requirements

• Policy Refinement
– Exploiting again features from KAOS (e.g. goal refinement)