Trust and Security for Next Generation Grids, Fine-grained Continuous Usage Control of Service based Grids – The GridTrust Approach Philippe Massonet CETIC ServiceWave Madrid, 10-13/12/2008

Trust and Security for Next Generation Grids, GridTrust Framework Objectives General Objective: definition and management of security and trust in dynamic virtual organisations Expected results – « framework » composed of: – environnement and analysis method at all levels of the NGG architecture – A reference security architecture for Grids – An open source reference implementation of the architecture, validated by some innovative business scenarios. GRID Service Middleware Layer NGG Architecture GRID Application Layer GRID Foundation Middleware Layer Network Operating System GridTrust

Trust and Security for Next Generation Grids, Trust and Security in Grids (Outsourcing) Res. Service Provider (SP) Service Requestor (SR) VO Service Request Shared resources Infrastructure Provider (IP) Service Instance Can I trust the SR and SP? Is SP using my resources with malicious intent? Is the selected IP secure?

Trust and Security for Next Generation Grids, Trust: Reputation based on Resource Usage Gather low level resource usage information – SLA violations – Successful performance – Compliance with security policies Based on utility functions – Modelling feedback on an entity behaviour Update VO level reputation – Reputation at different levels User Service VO member VO as a whole – Reputation based on past behaviour ( history, performance) Reputation Service User Resource Usage Monitoring Service Resource Provider Resources User-Resource Interaction

Trust and Security for Next Generation Grids, Secure Brokering of Resources Issue: how to determine if resources returned by a resource broker are secure? Secure resource broker – It implements all the authorisation logic needed for the VO creation – Performing policy matching (XACML policies) between VO sec policy and service provider’s sec policy VO sec policy and VO users’ sec policy

Trust and Security for Next Generation Grids, Usage Control Service Enforce usage control policies at both VO level and computational (node) level – Building Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) for POLPA and XACML languages Monitor the actions executed on behalf of the grid users – VO level Global VO policies – Service level Policy describes behaviour of the user in the local service invocation – Computational level Highly detailed description of the correct behaviour of the application being executed

Trust and Security for Next Generation Grids, From Access Control to Usage Control Before usage Pre decision Ongoing usage After usage Ongoing update Post update Mutability of attributes Ongoing decision Continuity of decision Time Pre update Usage Decision still valid ? Can you revoke access ?

Trust and Security for Next Generation Grids, Design Decisions Use of Globus Toolkit 4.0.x Services as Globus Services Resources are casted as services Use of the Globus CA (even if we extended certificates format) for authentication We address only authorization

Trust and Security for Next Generation Grids, General Architecture PPM Service SRB Service VBE Service TRS Service Globus Service Providers C-UCON Service VO Manager Enforcer VO

Trust and Security for Next Generation Grids, Usage Control Services Monitor the actions executed on behalf of the grid users and enforce a UCON security policy – Computational level (C-UCON) The policy consists of a highly detailed description of the correct behaviour of the application being executed Only the applications whose behaviour is consistent with the security policy are executed on the computational resource – VO level (Enforcer) Policy evaluation point that support UCON policies The usage control service will be integrated into the Globus middleware GRID Service Middleware Layer GRID Foundation Middleware Layer WP3/WP4

Trust and Security for Next Generation Grids, Secure Resource Broker Service Integrate access control with resource/service scheduling Both resource owners and VO define their resource access and usage policies  The resource broker schedules a user request only within the set of resources whose policies match the user credentials (and vice-versa) Scalability and efficiency It will be integrated into the Globus middleware GRID Service Middleware Layer GRID Foundation Middleware Layer WP3/WP4

Trust and Security for Next Generation Grids, Trust and Reputation Service Collect, distribute and aggregate feedbacks about entities' behaviour in a particular context in order to produce a rating about the entities  Entities could be either users, resources/ services, service providers or VOs The reputation service is based on ideas of utility computing Can be used in both centralised and distributed settings The reputation service will be also integrated into the Globus middleware GRID Service Middleware Layer WP2/WP4

Trust and Security for Next Generation Grids, VBE: Virtual Breeding Environment Service It manages the Virtual Breeding Environment composed of users and service providers (user, service provider registration, certificate management, etc.)

Trust and Security for Next Generation Grids, PPM: Profile and Policy Management Service The policy and profile management service is a database service that keeps information about security policies of all the entities of the system. Support several types of query – Service ID, Type, Name, attribute (OS, Memory, CPU type, Library, Certificate)

Trust and Security for Next Generation Grids, VO Library To be used by the VO Manager to use and interface with GridTrust services Offers a full set of functionalities to manage VO life cycle (Creation, Termination,…) Manage access at communication and authentication level from applications to GridTrust Services. Hides complexity of certificates management between users and GridTrust CA

Trust and Security for Next Generation Grids, GridTrust Framework - Components service providers users PKI GridTrust Services TRS VBE SRB PPM C-UCON ENFORCER VO Library

Trust and Security for Next Generation Grids, Secure VO Lifecycle: Formation VBE Manager PKI TRS PPM SRB C-UCON VO VO Manager

Trust and Security for Next Generation Grids, Secure VO Lifecycle: VO Operation Application VO ENFORCER Virtual Breeding Environment TRS Policy: Service 1 ; Service 2 VO user Service1 Service3 Service2 Denied Service 1 Done Service 2

Trust and Security for Next Generation Grids, Fine Grained Continous Usage Control Shared resources Hosting Environment Service Program … OpenFile() … ReadFile() … OpenFile() … CloseFile() … Res. Service Provider (SP) Service Instance Monitor Start Opened Reading Closed Policy Enforcement Point Violation Local Policy

Trust and Security for Next Generation Grids, Supply Chain Case Study: Business Context Transporters Small transporters, to avoid being crushed between raising oil prices and competitive pressure – must increase the optimization level of their business The Transporters' Association proposes to its members a common Grid system that can optimize the routes of their whole vehicles' fleets Daily optimization is already a big leap forward for most transporters, but a Grid allows more than that: – to re-optimize the allocation of tasks every time that a quotation for a new one has to be produced, thus calculating the lowest possible price for each offer

Trust and Security for Next Generation Grids, Supply Chain Demo

Trust and Security for Next Generation Grids, Application... open(HPlibfile,..)‏... read(HPlibfile,..)‏... read(HPlibfile,..)‏... close(HPlibfile,..)‏... Security Policy... OpenHPlibs:=false. HPLibs:={/usr/local/libs/HPLibs/*} tryaccess(u,fs,open(fname, flags, mode, res)). [(fname ∈ HPlibs),(Attribute(u,reputation)>0.7)]. OpenHPlibs:=true. fdlib:=res. permitaccess(u,fs,open(fname, flags, mode, res)). endaccess(u,fs,open(fname, flags, mode, res)) tryaccess(u,fs,open(fname, flags, mode, res)). [(fname ∈ userHome)]. permitaccess(u,fs,open(fname, flags, mode, res)). endaccess(u,fs,open(fname, flags, mode, res)) DENIED!! Applications can open the HP libs if the user reputation is more than 0.7 Applications can open files in the user home directory Bad Behavior Example

Trust and Security for Next Generation Grids, Supply Chain Case Study Service Deployment SRB C-UCON VO MGT GridTrust CA TRS PPM

Trust and Security for Next Generation Grids, Conclusions - GridTrust Framework Introduces usage control into Grids Integrates many existing concepts into a single model Key innovations: – mutable attributes, continuous decision – Server, user side usage control Provides trust and security services VO Level: Secure resource broker, Service level usage control, Reputation management service, Security aware VO management Node level: Computational usage control Provides policy refinement tools: Usage Control Policy editor, Usage control refinement tool Will be Released in open source

Trust and Security for Next Generation Grids, Conclusions - Innovation UCON for Grids (improves state of the art: mutable attributes, obligations, continuous enforcement) Computational level Service level Combining Brokering and security Combining security with reputation Globus reputation used for service discovery and selection Here we wanto to use reputation for authorization decision Derivation of Business trust and security requirements to policies VO management integrated with GridTrust services