Security and Certification Issues in Grid Computing Ian Foster Mathematics and Computer Science Division Argonne National Laboratory and Department of.


Security and Certification Issues in Grid Computing Ian Foster Mathematics and Computer Science Division Argonne National Laboratory and Department of Computer Science The University of Chicago International Workshop on Certification and Security in E-Services (CSES 2002), Montreal, Canada, Aug 28

Slide 2 (slide footer: ARGONNE / CHICAGO): Partial Acknowledgements
- Grid computing, Globus Project, and OGSA
  - Carl (USC/ISI), Steve
  - Talented team of scientists and engineers at ANL, USC/ISI, elsewhere (see
- Open Grid Services Architecture (OGSA)
  - Karl (USC/ISI), Jeff Nick, Steve Graham, Jeff (IBM)
- Grid security, OGSA Security, CAS
  - Frank Siebenlist, Von Welch, Laura Pearlman
- Support from DOE, NASA, NSF, IBM, Microsoft

Slide 3: Overview
- What is the Grid anyway?
  - And what's it got to do with e-services?
- Grid security & certification issues
  - Demands of virtual organizations—and Grid approach to addressing these demands
- Implementation approach
  - Globus Toolkit & Grid Security Infrastructure
  - Open Grid Services Architecture (OGSA)
  - OGSA security architecture
- Summary


Slide 5: E-Science: The Original Grid Driver
- Pre-electronic science
  - Theorize &/or experiment, in small teams
- Post-electronic science
  - Construct and mine very large databases
  - Develop computer simulations & analyses
  - Access specialized devices remotely
  - Exchange information within distributed multidisciplinary teams
=> Need to manage dynamic, distributed infrastructures, services, and applications

Slide 6: And Thus: The Grid
"Resource sharing & coordinated problem solving in dynamic, multi-institutional virtual organizations"

Slide 7 (figure): Grids at NASA: Aviation Safety. Diagram of coupled models (Engine, Airframe, Wing, Landing Gear, Stabilizer and Human Models) and the parameters exchanged between them: lift, drag and deflection capabilities, thrust and reverse thrust performance, responsiveness, fuel consumption, braking performance, steering capabilities, traction, dampening capabilities, and crew capabilities (accuracy, perception, stamina, reaction times, SOPs).

Slide 8 (figure): Life Sciences: Telemicroscopy. Pipeline of imaging instruments, data acquisition, network, computational resources, processing and analysis, large databases, and advanced visualization.

Slide 9 (figure): Sloan Digital Sky Survey Analysis. Question: size distribution of galaxy clusters? Chimera Virtual Data System + GriPhyN Virtual Data Toolkit + iVDGL Data Grid (many CPUs) produce the galaxy cluster size distribution.

Slide 10 (figure): Data Grids for High Energy Physics. Tiered architecture:
- Tier 0: CERN Computer Centre with Online System and Offline Processor Farm (~20 TIPS); physics data cache fed at ~PBytes/sec; ~100 MBytes/sec from the online system
- Tier 1: regional centres (FermiLab ~4 TIPS; France, Italy, Germany), linked at ~622 Mbits/sec or Air Freight (deprecated)
- Tier 2: centres at ~1 TIPS (e.g. Caltech ~1 TIPS), linked at ~622 Mbits/sec
- Institutes at ~0.25 TIPS; Tier 4: physicist workstations at ~1 MBytes/sec
Notes on the figure: there is a "bunch crossing" every 25 nsecs; there are 100 "triggers" per second; each triggered event is ~1 MByte in size. Physicists work on analysis "channels"; each institute will have ~10 physicists working on one or more channels, and data for these channels should be cached by the institute server. 1 TIPS is approximately 25,000 SpecInt95 equivalents.

Slide 11: Resource Sharing within "VOs" is Not Unique to Science!
- Fragmentation of enterprise infrastructure
  - Driven by cheap servers, fast nets, ubiquitous Internet, eBusiness workloads
  - Need to configure distributed collections of services to deliver specified QoS
- Virtualization
  - Emerging service infrastructure, utility computing models, economies of scale
  - Services dynamically instantiated across device spectrum
- B2B, B2C, C2C interactions

Slide 12 (figure): Virtualization and Distributed Service Management. A device continuum runs from "less capable, integrated, less connected" devices to "larger, more integrated, more connected, dynamically provisioned" ones, with the user service locus in between; layered over it: resource & service aggregation, delivery of virtualized services with QoS guarantees, dynamic and secure service discovery & composition, and distributed service management.

Slide 13: "Grid Computing", by M. Mitchell Waldrop, May 2002: "Hook enough computers together and what do you get? A new kind of utility that offers supercomputer processing on tap. Is Internet history about to repeat itself?"

Slide 14: Challenging Technical Requirements
- Dynamic formation and management of virtual organizations
- Discovery & online negotiation of access to services: who, what, why, when, how
- Configuration of applications and systems able to deliver multiple qualities of service
- Management of distributed state within infrastructures, services, and applications
- Open, extensible, evolvable infrastructure

Slide 15: Challenging Technical Requirements (same list as slide 14, annotated "Security and Certification Issues")

Slide 16: Overview (agenda slide repeated; same items as slide 3, introducing "Grid security & certification issues")

Slide 17: Grid Security & Certification
- Challenges include
  - Dynamic group membership and trust relationships within virtual organizations
  - Complex computational structures extending beyond client-server: delegation
  - Mission-critical apps and valuable resources
- Issues include
  - Cross-certification
  - Mechanisms and credentials
  - Distributed authorization
  - Secure logging and audit

Slide 18 (figure): Cross-"Certification" Issue: Trust Mismatch. Domain A (with Sub-Domain A1) and Domain B (with Sub-Domain B1) each have their own Certification Authority and Policy Authority; a task spanning Server X and Server Y in the two domains fails because there is no cross-domain trust.

Slide 19: Cross-Certification
- Cross-certification at corporate level difficult
  - Legal implications, liability, bureaucracy
  => Address trust at user/resource level!
  - Many business relationships do not require involvement of President/CEO …
- Virtual organization as bridge
  - Federate through mutually trusted services
  - Local policy authorities rule …
- Assertions language for trust relationships
  - WS-Trust, WS-Federation, WS-Policy

Slide 20 (figure): Grid Solution: Use Virtual Organization as Bridge. Domain A's Certification Authority and Sub-Domain B1's Certification Authority still have no cross-domain trust; instead both are bridged through a Federation Service in the Virtual Organization Domain, using a common mechanism.

Slide 21: Mechanism and Credential Issue
- Different mechanisms & credentials
  - X.509 vs Kerberos, SSL vs GSSAPI, X.509 vs. X.509 (different domains)
  - X.509 attribute certs vs SAML assertions
- Need for common mechanism
  - GSI-SecureConversation
- Need for credential federation services
  - Obtain X.509 creds with Kerberos ticket
  - Obtain Kerberos ticket with X.509 creds
  - Cross X.509 or Kerberos domains/realms

Slide 22: Example: Kerberos-X.509 Federation
- Requestor: Kerberos realm
- Server: X.509-based domain (only authenticates requestors with X.509 creds)
- VO provides Kerberos-CA federation service
  - Has Kerberos identity within requestor's realm
  - Kerb-CA cert is trusted within server-side VO
- Kerb-CA issues (short-lived) X.509 certs that assert requestor's Kerberos principal name
- Requestor's runtime is "X.509-enabled"
- Server's access control policy within the VO is based on requestor's Kerberos principal name

Slide 23 (figure): Kerberos-X.509 Federation Service. The Requestor in the Kerberos Realm presents a Kerberos Ticket to the Kerberos-CA Service in the Virtual Organization Domain and receives an X.509 cert; the Requestor then talks to the Server in the X.509 Domain over an X.509-secured protocol. The Server trusts Krb-CA-issued certs, and its Policy Authority enforces policy on the requestor's principal name.
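The federation flow of slides 22 and 23, as an added stdlib-only simulation (not code from the talk or the Globus Toolkit): a Kerberos-CA service validates a realm ticket and issues a short-lived certificate naming the Kerberos principal, and an X.509-domain server accepts only certificates from issuers it trusts before applying its principal-based policy. Tickets and certificates are stood in for by HMAC-signed dicts; the keys, realm and principal names, lifetime and ACL are constructed assumptions.

```python
"""Kerberos-to-X.509 federation (slide 22), simulated with the stdlib only.

Constructed model: the VO runs a Kerberos-CA service that holds a Kerberos
identity in the requestor's realm, validates the requestor's service ticket
and issues a short-lived certificate asserting the Kerberos principal name.
The X.509 domain server trusts only Krb-CA-issued certificates and enforces
its policy on the asserted principal. HMAC-signed dicts with constructed
keys stand in for real Kerberos tickets and X.509 certificates.
"""
import hashlib
import hmac
import json


def _mac(key: bytes, payload: dict) -> str:
    """Stand-in for a Kerberos ticket MAC or an X.509 signature."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


REALM_KEY = b"constructed-realm-service-key"   # KDC <-> Krb-CA service key
KRB_CA_KEY = b"constructed-krbca-signing-key"  # Krb-CA cert key trusted by the VO
KRBCA_SERVICE = "krbca/VO.EXAMPLE"
CERT_LIFETIME = 3600  # short-lived certs bound the damage of a leaked cert


def kdc_issue_ticket(principal: str, now: float) -> dict:
    """Simulated KDC: service ticket for the Krb-CA, valid for 8 hours."""
    t = {"princ": principal, "svc": KRBCA_SERVICE, "exp": now + 8 * 3600}
    return {"ticket": t, "mac": _mac(REALM_KEY, t)}


def krbca_issue_cert(ticket: dict, now: float) -> dict:
    """Federation service: check the ticket, then certify the principal name."""
    t = ticket["ticket"]
    if not hmac.compare_digest(_mac(REALM_KEY, t), ticket["mac"]):
        raise PermissionError("ticket forged or tampered")
    if t["svc"] != KRBCA_SERVICE or t["exp"] <= now:
        raise PermissionError("ticket not for this service or expired")
    c = {"subject": t["princ"], "issuer": "Krb-CA",
         "nb": now, "exp": now + CERT_LIFETIME}
    return {"cert": c, "sig": _mac(KRB_CA_KEY, c)}


# Server-side policy is keyed on the Kerberos principal name (constructed).
ACL = {"alice@REALM.EXAMPLE": {"read", "submit"},
       "bob@REALM.EXAMPLE": {"read"}}
TRUSTED_ISSUERS = {"Krb-CA": KRB_CA_KEY}  # the server's trust anchors


def server_authorize(cert: dict, action: str, now: float) -> bool:
    """X.509 domain server: trusted issuer, valid signature and validity
    window first; only then decide on the asserted principal."""
    c = cert["cert"]
    key = TRUSTED_ISSUERS.get(c["issuer"])
    if key is None or not hmac.compare_digest(_mac(key, c), cert["sig"]):
        return False
    if not (c["nb"] <= now < c["exp"]):
        return False
    return action in ACL.get(c["subject"], set())


if __name__ == "__main__":
    now = 1_000_000.0
    cert = krbca_issue_cert(kdc_issue_ticket("alice@REALM.EXAMPLE", now), now)
    print(server_authorize(cert, "submit", now))                  # True
    print(server_authorize(cert, "submit", now + CERT_LIFETIME))  # False
```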

Slide 24: Grid Authorization/Policy Issue
- Resources may not know foreign requestors
  - Impairs fine-grained policy admin
- Outsource policy admin to requestor's sub-domain
  - Enables fine-grained policy
  - "Community Authorization Service" (CAS)
- Resource owner sets coarse-grained policy rules for foreign domain on "CAS-identity"
- CAS sets policy rules for its local users
- Requestors obtain capabilities from their local CAS that get enforced at the resource

Slide 25 (figure): Community Authorization Service. The Requestor in Sub-Domain A1 (Domain A) obtains capability assertions from the Community Authorization Service in the Virtual Organization Domain, then sends request + CAS assertions to the Server in Sub-Domain B1 (Domain B). Domain B's Policy Authority treats the CAS identity as "trusted" and enforces on the CAS-identity and the requestor's capabilities.
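The two-layer CAS enforcement of slides 24 and 25, as an added stdlib-only simulation (not the Globus CAS implementation): the resource owner's single coarse-grained rule for the CAS identity and the CAS's own fine-grained capability assertions must both cover a request before it is allowed. Key material, the CAS distinguished name, paths and policies are constructed assumptions; HMACs stand in for signatures on CAS credentials.

```python
"""Community Authorization Service flow (slides 24-25), stdlib-only model.

Constructed example: the resource owner writes one coarse-grained rule for
the CAS identity; the CAS administers fine-grained policy for its own
community and hands each requestor signed capability assertions; the
resource enforces both layers, so a capability the CAS grants outside the
owner's coarse rule is still refused. HMACs with constructed keys stand in
for signatures on CAS credentials.
"""
import hashlib
import hmac
import json


def _sign(key: bytes, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


CAS_ID = "/O=VO/CN=cas.vo.example"  # the "CAS-identity" (constructed)
CAS_KEY = b"constructed-cas-signing-key"

# Resource owner's coarse-grained rule: what the CAS identity as a whole may
# do on this resource. Finer-grained administration is outsourced to the CAS.
RESOURCE_POLICY = {CAS_ID: {"prefix": "/data/vo/", "ops": {"read", "write"}}}
TRUSTED_CAS = {CAS_ID: CAS_KEY}  # stands in for the CAS cert the owner trusts

# CAS-side fine-grained policy for community members (constructed).
CAS_POLICY = {
    "alice": [("/data/vo/sim/", {"read", "write"})],
    "bob": [("/data/vo/", {"read"}),
            ("/data/private/", {"read"})],  # beyond the owner's coarse rule
}


def cas_issue_capabilities(user: str) -> dict:
    """Requestor obtains signed capability assertions from its local CAS."""
    caps = [{"prefix": p, "ops": sorted(ops)}
            for p, ops in CAS_POLICY.get(user, [])]
    a = {"issuer": CAS_ID, "subject": user, "caps": caps}
    return {"assertion": a, "sig": _sign(CAS_KEY, a)}


def resource_authorize(request: dict, assertion: dict) -> bool:
    """Resource-side enforcement on the CAS identity and the capabilities."""
    a = assertion["assertion"]
    key = TRUSTED_CAS.get(a["issuer"])
    coarse = RESOURCE_POLICY.get(a["issuer"])
    # 1. Assertions must be signed by a CAS identity this resource trusts.
    if key is None or coarse is None:
        return False
    if not hmac.compare_digest(_sign(key, a), assertion["sig"]):
        return False
    path, op = request["path"], request["op"]
    # 2. The owner's coarse-grained rule for that CAS identity must cover it.
    if not path.startswith(coarse["prefix"]) or op not in coarse["ops"]:
        return False
    # 3. The requestor's own capabilities must cover it as well.
    return any(path.startswith(c["prefix"]) and op in c["ops"]
               for c in a["caps"])
```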

Slide 26 (figure): Security Services & VO. The Requestor Application (Requestor's Domain) and the Service Provider Application (Service Provider's Domain) communicate through WS-Stubs over a Secure Conversation. The requestor's, VO and service provider's domains each host Credential Validation, Authorization, Attribute and Trust services; the figure also shows Audit/Secure-Logging, Privacy and Bridge/Translation services.

Slide 27: Secure Logging and Audit
- Robust, secure audit infrastructure is essential for commercial Grid deployment
- Natural audit "code-points" in OGSA runtime
  - User's credentials, authorization decisions, invoked portTypes, parameter values, etc.
  - Allows for secure logging transparent and independent from applications
- Standard call-outs to external security services
  - More relevant audit code-points
- XML facilitates audit-entry filtering & mgmt

Slide 28 (figure): Transparent Audit Code-Points. All service invocations and policy decisions within stubs are "natural" audit code-points.

Slide 29: Overview (agenda slide repeated; same items as slide 3, introducing "Implementation approach")

Slide 30: The Grid World: Current Status
- Many major Grid projects in scientific & technical computing/research & education
- Open source Globus Toolkit™ a de facto standard for major protocols & services
  - Simple protocols & APIs for authentication, discovery, access, etc.: infrastructure
  - Information-centric design
  - Large user and developer base
  - Multiple commercial support providers
- Global Grid Forum: community & standards
- Emerging Open Grid Services Architecture

Slide 31: Grid Security Infrastructure
- Uniform authentication & authorization mechanisms in multi-institutional setting
- Single sign-on, delegation, identity mapping
- Public key tech, SSL/TLS, X.509, GSS-API
  - Internet/GGF drafts document extensions
- Supporting infrastructure
  - Certificate Authorities
  - Online credential repository
  - Kerberos-X.509 federation server
  - Etc., etc., etc.

Slide 32 (figure): GSI in Action: "Create Processes at A and B that Communicate & Access Files at C"
- User at a computer: single sign-on via "grid-id" & generation of proxy credential, or retrieval of proxy credential from an online repository; the User Proxy holds the proxy credential
- Remote process creation requests (with mutual authentication) go to GSI-enabled GRAM servers at Site A (Kerberos) and Site B (Unix); each server authorizes, maps to a local id and creates a process; Site A generates a Kerberos ticket, Site B a local id ("ditto" for generating credentials); each process holds a restricted proxy
- The two processes communicate (with mutual authentication)
- A remote file access request (with mutual authentication) goes to the GSI-enabled FTP server at Site C (Kerberos), which authorizes, maps to a local id and accesses the file on the storage system
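The delegation chain behind the slide 32 figure (long-term identity, user proxy, restricted proxies handed to processes, then authorization and local-id mapping at a GSI-enabled server), as an added stdlib-only simulation that is not GSI code: each proxy is clipped to its issuer's rights and lifetime, and the verifier walks the chain back to the trusted CA and recomputes the effective rights itself. HMACs with constructed keys stand in for X.509 signatures, the KEYS table stands in for the public keys real certificates embed, and the names, rights and grid-map are assumptions.

```python
"""GSI-style proxy delegation with restricted proxies (slide 32), simulated.

Constructed model: a user's CA-issued identity certificate is the root; each
delegation step issues a proxy signed by the previous credential, with a
subject that extends the issuer's, rights no wider than the issuer's and a
lifetime no longer than the issuer's. A GSI-enabled server verifies the
chain back to the trusted CA, recomputes the effective rights rather than
trusting the leaf, and maps the grid-id to a local id. HMAC signatures with
constructed keys stand in for X.509; KEYS stands in for the public keys
that real certificates would embed.
"""
import hashlib
import hmac
import json


def _sign(key: bytes, body: dict) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


KEYS = {"ca": b"k-ca", "alice": b"k-alice", "p1": b"k-p1", "p2": b"k-p2"}
CA_NAME = "/O=Grid/CN=CA"
ALL_RIGHTS = {"create_process", "read_file", "write_file"}
GRIDMAP = {"/O=Grid/CN=Alice": "alice"}  # site's grid-id -> local id map


def issue(issuer_kid, issuer, subject, kid, rights, exp):
    """Sign a credential body with the issuer's key (identity certs carry
    all rights; proxies carry a restricted subset)."""
    body = {"subject": subject, "issuer": issuer, "kid": kid,
            "rights": sorted(rights), "exp": exp}
    return {"body": body, "sig": _sign(KEYS[issuer_kid], body)}


def delegate(issuer_cred, kid, rights, exp):
    """Restricted proxy: rights and lifetime are clipped to the issuer's."""
    ib = issuer_cred["body"]
    return issue(ib["kid"], ib["subject"], ib["subject"] + "/CN=proxy", kid,
                 set(rights) & set(ib["rights"]), min(exp, ib["exp"]))


def verify_chain(chain, now):
    """chain[0] is the CA-issued identity cert, the rest are proxies in
    delegation order. Returns (local_id, effective_rights) or None."""
    prev_kid, prev_name, rights, exp = "ca", CA_NAME, set(ALL_RIGHTS), float("inf")
    for depth, cred in enumerate(chain):
        b = cred["body"]
        key = KEYS.get(prev_kid)
        if key is None or not hmac.compare_digest(_sign(key, b), cred["sig"]):
            return None                      # not signed by the previous holder
        if b["issuer"] != prev_name:
            return None
        if depth > 0 and not b["subject"].startswith(prev_name + "/"):
            return None                      # proxies must extend the issuer name
        if b["exp"] > exp or b["exp"] <= now:
            return None                      # outlives its issuer, or expired
        rights &= set(b["rights"])           # never trust the leaf's own claim
        exp = b["exp"]
        prev_kid, prev_name = b["kid"], b["subject"]
    local = GRIDMAP.get(chain[0]["body"]["subject"])
    return None if local is None else (local, rights)
```

The server's decision (authorize, map to local id) is the tuple returned by verify_chain; a None from any link, including a proxy that a site tried to widen, refuses the request.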

Slide 33: Grid Evolution: Open Grid Services Architecture
- Goals
  - Refactor Globus protocol suite to enable common base and expose key capabilities
  - Service orientation to virtualize resources and unify resources/services/information
  - Embrace key Web services technologies for standard IDL, leverage commercial efforts
- Result = standard interfaces & behaviors for distributed system mgmt: the Grid service
  - Standardization within Global Grid Forum
  - Open source & commercial implementations

Slide 34 (figure): The Grid Service = Interfaces/Behaviors + Service Data. An implementation exposes service data elements through the required GridService interface (service data access, explicit destruction, soft-state lifetime) plus optional other interfaces: standard ones (Notification, Authorization, Service creation, Service registry, Manageability, Concurrency) and application-specific interfaces. Binding properties: reliable invocation, authentication. Hosting environment/runtime: "C", J2EE, .NET, …

Slide 35 (figure): WS Security Architecture: Current/Proposed Specifications. A composable architecture ("only use what you need") layered on the SOAP Foundation: WS-Security; above it WS-Policy, WS-Trust, WS-Privacy; above those WS-SecureConversation, WS-Federation, WS-Authorization, arranged along a time axis from "today" onward.

Slide 36: Grid Security and OGSA
- OGSA security roadmap defines a set of required services and indicates for each if it
  - Is provided by WS Security specs
  - May be provided by WS Security specs
  - Requires standardized profile/mechanisms and/or extensions for WS Security specs
- Addresses, for example
  - GSISecureConversation
  - Standardized policy services
  - Standardized audit services
  - Etc., etc., etc.

Slide 37 (figure): OGSA Security Components: Bindings Security (transport, protocol, message security); Credential and Identity Translation (Single Logon); User Management; Key Management; Intrusion Detection; Service/End-point Policy; Audit & Non-repudiation; Anti-virus Management; Secure Logging; Trust Model; Authorization Policy; Privacy Policy; Secure Conversations; Policy Expression and Exchange; Policy Management (authorization, privacy, federation, etc.); Mapping Rules; Access Control Enforcement.

Slide 38: Overview (agenda slide repeated; same items as slide 3, introducing "Summary")

Slide 39: Summary
- The Grid: resource sharing & coordinated problem solving in virtual organizations
- Challenging security & cert. requirements
- OGSA security architecture addresses Grid certification, federation, bridging issues
  - Leverages WS Security standards & OGSA
  - Standardized security services, profiles, and mechanisms
- Open source Globus Toolkit and commercial implementations

Slide 40: For More Information
- The Globus Project™
- Technical articles
- Open Grid Services Arch.
- Global Grid Forum
  - Chicago, Oct