Trust and Security for Next Generation Grids, www.gridtrust.eu
Fine-grained Continuous Usage Control of Service based Grids – The GridTrust Approach
Philippe Massonet, CETIC
ServiceWave, Madrid, 10-13/12/2008

Apr 01, 2015

Page 1: Title

Trust and Security for Next Generation Grids, www.gridtrust.eu

Fine-grained Continuous Usage Control of Service based Grids – The GridTrust Approach
Philippe Massonet, CETIC
ServiceWave, Madrid, 10-13/12/2008

Page 2: GridTrust Framework Objectives

• General Objective: definition and management of security and trust in dynamic virtual organisations

• Expected results – a « framework » composed of:
  – an environment and analysis method at all levels of the NGG architecture
  – a reference security architecture for Grids
  – an open source reference implementation of the architecture, validated by some innovative business scenarios

[Figure: NGG Architecture – GRID Application Layer, GRID Service Middleware Layer, GRID Foundation Middleware Layer, Network Operating System, with a vertical "Grid Trust" bar alongside the layers]

Page 3: Trust and Security in Grids (Outsourcing)

[Figure: a Service Requestor (SR) in a VO sends a Service Request to a Service Provider (SP); the SP runs a Service Instance on the shared resources of an Infrastructure Provider (IP)]

• Can I trust the SR and SP?
• Is SP using my resources with malicious intent?
• Is the selected IP secure?

Page 4: Trust: Reputation based on Resource Usage

• Gather low level resource usage information
  – SLA violations
  – Successful performance
  – Compliance with security policies

• Based on utility functions
  – Modelling feedback on an entity's behaviour

• Update VO level reputation
  – Reputation at different levels: User, Service, VO member, VO as a whole
  – Reputation based on past behaviour (history, performance)

[Figure: User-Resource Interaction – a User uses the Resources of a Resource Provider; a Resource Usage Monitoring Service feeds the Reputation Service]

Page 5: Secure Brokering of Resources

• Issue: how to determine if resources returned by a resource broker are secure?

• Secure resource broker
  – It implements all the authorisation logic needed for the VO creation
  – Performing policy matching (XACML policies) between
    • VO sec policy and service provider's sec policy
    • VO sec policy and VO users' sec policy

Page 6: Usage Control Service

• Enforce usage control policies at both VO level and computational (node) level
  – Building Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) for POLPA and XACML languages

• Monitor the actions executed on behalf of the grid users
  – VO level
    • Global VO policies
  – Service level
    • Policy describes behaviour of the user in the local service invocation
  – Computational level
    • Highly detailed description of the correct behaviour of the application being executed

Page 7: From Access Control to Usage Control

[Figure: the UCON model along a Time axis – Before usage (Pre decision, Pre update), Ongoing usage (Ongoing decision, Ongoing update) and After usage (Post update). "Continuity of decision" spans the pre and ongoing decisions; "Mutability of attributes" spans the pre, ongoing and post updates. Questions: Usage decision still valid? Can you revoke access?]

Page 8: Design Decisions

• Use of Globus Toolkit 4.0.x
• Services as Globus Services
• Resources are cast as services
• Use of the Globus CA (even if we extended the certificate format) for authentication
• We address only authorization

Page 9: General Architecture

[Figure: General Architecture – PPMService, SRBService, VBEService and TRSService on Globus; Service Providers; C-UCONService; VO Manager; Enforcer; VO]

Page 10: Usage Control Services

• Monitor the actions executed on behalf of the grid users and enforce a UCON security policy
  – Computational level (C-UCON)
    • The policy consists of a highly detailed description of the correct behaviour of the application being executed
    • Only the applications whose behaviour is consistent with the security policy are executed on the computational resource
  – VO level (Enforcer)
    • Policy evaluation point that supports UCON policies

• The usage control service will be integrated into the Globus middleware

[Figure: placed in the GRID Service Middleware Layer and the GRID Foundation Middleware Layer; WP3/WP4]

Page 11: Secure Resource Broker Service

• Integrate access control with resource/service scheduling

• Both resource owners and VO define their resource access and usage policies. The resource broker schedules a user request only within the set of resources whose policies match the user credentials (and vice-versa)

• Scalability and efficiency

• It will be integrated into the Globus middleware

[Figure: placed in the GRID Service Middleware Layer and the GRID Foundation Middleware Layer; WP3/WP4]
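The two-way matching this slide describes (the resource owner's policy checked against the requester, the VO policy and the user's own policy checked against the resource profile) as an added Python illustration; this is not GridTrust code, a small attribute matcher stands in for the XACML engine the slides mention, and the attribute names (os, memory_mb, libraries, ca, reputation, vo) are assumed.

```python
from dataclasses import dataclass, field

# Attribute names (os, memory_mb, libraries, ca, reputation, vo) are assumed for
# illustration; a simple matcher stands in for the XACML engine the slides mention.


@dataclass
class Policy:
    """Constraints one party places on the other side's attributes.
    A missing attribute never satisfies a constraint."""
    equals: dict = field(default_factory=dict)    # attr -> required value
    at_least: dict = field(default_factory=dict)  # attr -> numeric minimum
    contains: dict = field(default_factory=dict)  # attr -> values that must all be present
    one_of: dict = field(default_factory=dict)    # attr -> accepted values

    def matches(self, attrs):
        return (all(attrs.get(k) == v for k, v in self.equals.items())
                and all(attrs.get(k, float("-inf")) >= v for k, v in self.at_least.items())
                and all(set(v) <= set(attrs.get(k, ())) for k, v in self.contains.items())
                and all(attrs.get(k) in v for k, v in self.one_of.items()))


@dataclass
class Resource:
    name: str
    attrs: dict     # profile as stored in the PPM (OS, Memory, Library, Certificate, ...)
    policy: Policy  # what the resource owner demands from a requester


def broker(request_attrs, user_policy, vo_policy, resources):
    """Secure resource broker: schedule only on resources whose owner policy accepts
    the requester's credentials and whose profile satisfies both the VO policy and
    the user's own policy (matching in both directions)."""
    return [r.name for r in resources
            if r.policy.matches(request_attrs)
            and vo_policy.matches(r.attrs)
            and user_policy.matches(r.attrs)]
```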

Page 12: Trust and Reputation Service

• Collect, distribute and aggregate feedback about entities' behaviour in a particular context in order to produce a rating about the entities. Entities could be either users, resources/services, service providers or VOs

• The reputation service is based on ideas of utility computing

• Can be used in both centralised and distributed settings

• The reputation service will also be integrated into the Globus middleware

[Figure: placed in the GRID Service Middleware Layer; WP2/WP4]

Page 13: VBE: Virtual Breeding Environment Service

• It manages the Virtual Breeding Environment composed of users and service providers (user and service provider registration, certificate management, etc.)

Page 14: PPM: Profile and Policy Management Service

• The policy and profile management service is a database service that keeps information about the security policies of all the entities of the system.

• Supports several types of query
  – Service ID, Type, Name, attribute (OS, Memory, CPU type, Library, Certificate)

Page 15: VO Library

• To be used by the VO Manager to use and interface with GridTrust services

• Offers a full set of functionalities to manage the VO life cycle (Creation, Termination, …)

• Manages access at communication and authentication level from applications to GridTrust Services

• Hides the complexity of certificate management between users and the GridTrust CA

Page 16: GridTrust Framework - Components

[Figure: service providers, users and a PKI; GridTrust Services (TRS, VBE, SRB, PPM); C-UCON; ENFORCER; VO Library]

Page 17: Secure VO Lifecycle: Formation

[Figure: VO formation – the VO Manager interacting with the VBE Manager, PKI, TRS, PPM, SRB and C-UCON to form the VO]

Page 18: Secure VO Lifecycle: VO Operation

[Figure: VO operation – a VO user's Application invokes services in the VO through the ENFORCER, which holds the policy "Service1 ; Service2", alongside the TRS and the Virtual Breeding Environment; the invocations of Service1, Service2 and Service3 carry the outcomes Done and Denied]

Page 19: Fine Grained Continuous Usage Control

[Figure: a Service Program in the Hosting Environment of a Service Provider (SP) issues OpenFile() … ReadFile() … OpenFile() … CloseFile() on shared resources; a Monitor acting as Policy Enforcement Point tracks the Service Instance through the states Start, Opened, Reading, Closed against the Local Policy and flags a Violation]

Page 20: Supply Chain Case Study: Business Context

• Transporters
  – Small transporters, to avoid being crushed between rising oil prices and competitive pressure, must increase the optimization level of their business

• The Transporters' Association proposes to its members a common Grid system that can optimize the routes of their whole vehicle fleets

• Daily optimization is already a big leap forward for most transporters, but a Grid allows more than that:
  – to re-optimize the allocation of tasks every time that a quotation for a new one has to be produced, thus calculating the lowest possible price for each offer

Page 21: Supply Chain Demo

Page 22: Bad Behavior Example

Application trace:
    ...
    open(HPlibfile, ...)
    ...
    read(HPlibfile, ...)
    ...
    read(HPlibfile, ...)
    ...
    close(HPlibfile, ...)
    ...

Security Policy:
    ...
    OpenHPlibs := false.
    HPLibs := {/usr/local/libs/HPLibs/*}.
    ...
    tryaccess(u, fs, open(fname, flags, mode, res)).
    [(fname ∈ HPlibs), (Attribute(u, reputation) > 0.7)].
    OpenHPlibs := true.
    fdlib := res.
    permitaccess(u, fs, open(fname, flags, mode, res)).
    endaccess(u, fs, open(fname, flags, mode, res)).
    ...
    tryaccess(u, fs, open(fname, flags, mode, res)).
    [(fname ∈ userHome)].
    permitaccess(u, fs, open(fname, flags, mode, res)).
    endaccess(u, fs, open(fname, flags, mode, res)).
    ...

DENIED!!

• Applications can open the HP libs if the user reputation is more than 0.7
• Applications can open files in the user home directory
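The computational-level monitor behind slides 7, 19 and this one, as an added Python example rather than GridTrust's POLPA implementation: it follows the Start → Opened → Reading → Closed automaton, encodes the two policy rules shown above, and re-reads the mutable reputation attribute on every action so that an access permitted at open() can be revoked while the file is in use. The /home/* pattern for userHome and the (action, fname, fd) event format are assumptions.

```python
import fnmatch
from dataclasses import dataclass, field

# Sets and threshold copied from the slide's policy; the USER_HOME pattern is assumed.
HP_LIBS = "/usr/local/libs/HPLibs/*"
USER_HOME = "/home/*"
MIN_REPUTATION = 0.7

@dataclass
class CUconMonitor:
    """PEP for one file handle: the Start -> Opened -> Reading -> Closed automaton,
    re-reading the mutable reputation attribute on every action."""
    reputation: dict              # mutable attribute store (TRS view): user -> score
    state: str = "Start"
    fd: object = None             # fdlib in the policy
    open_hplibs: bool = False     # OpenHPlibs flag in the policy
    trace: list = field(default_factory=list)

    def _reputation_ok(self, user):
        return self.reputation.get(user, 0.0) > MIN_REPUTATION

    def on_action(self, user, action, fname, fd=None):
        """tryaccess(u, fs, action(fname, ..., fd)) -> 'permitaccess' or 'DENIED'."""
        ok = False
        if action == "open" and self.state in ("Start", "Closed"):
            is_hp = fnmatch.fnmatch(fname, HP_LIBS)
            # pre decision: HP libs need reputation > 0.7, home files are always allowed
            ok = (is_hp and self._reputation_ok(user)) or fnmatch.fnmatch(fname, USER_HOME)
            if ok:
                self.state, self.fd, self.open_hplibs = "Opened", fd, is_hp
        elif action == "read" and self.state in ("Opened", "Reading") and fd == self.fd:
            # ongoing decision: a reputation drop revokes access to an open HP lib
            ok = not self.open_hplibs or self._reputation_ok(user)
            if ok:
                self.state = "Reading"
        elif action == "close" and self.state in ("Opened", "Reading") and fd == self.fd:
            ok = True
            self.state, self.fd, self.open_hplibs = "Closed", None, False
        if not ok:
            self.state = "Violation"  # any other action/state pair is bad behaviour
        self.trace.append((action, fname, "permitaccess" if ok else "DENIED"))
        return self.trace[-1][2]

def run_trace(monitor, user, events):
    """Feed (action, fname, fd) events; stop at the first denial, as the PEP would."""
    for action, fname, fd in events:
        if monitor.on_action(user, action, fname, fd) == "DENIED":
            return "DENIED"
    return "permitaccess"
```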

Page 23: Supply Chain Case Study Service Deployment

[Figure: deployed services – SRB, C-UCON, VO MGT, GridTrust CA, TRS, PPM]

Page 24: Conclusions - GridTrust Framework

• Introduces usage control into Grids
• Integrates many existing concepts into a single model
• Key innovations:
  – mutable attributes, continuous decision
  – server-side and user-side usage control
• Provides trust and security services
  – VO level: Secure resource broker, Service level usage control, Reputation management service, Security aware VO management
  – Node level: Computational usage control
• Provides policy refinement tools: Usage Control Policy editor, Usage control refinement tool
• Will be released in open source

Page 25: Conclusions - Innovation

• UCON for Grids (improves state of the art: mutable attributes, obligations, continuous enforcement)
  – Computational level
  – Service level
• Combining brokering and security
• Combining security with reputation
  – Globus reputation used for service discovery and selection
  – Here we want to use reputation for authorization decisions
• Derivation of business trust and security requirements into policies
• VO management integrated with GridTrust services