Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.

2 Grid Security Issues
Grid security issues can be partitioned into three main categories:
- Architecture level
- Infrastructure level
- Management level

Architecture security issues are related to the whole architecture of the Grid. They concern:
- Information security: data confidentiality and integrity
- Authorization: resource-level authorization
- Service: service-level security issues

Infrastructure security issues are related to the network and host components that constitute the grid infrastructure. They can be divided into the following sub-categories:
- Host level: data protection, job starvation, and host availability
- Network: access control, secure routing and multicasting

Management security issues are related to the following categories:
- Credential management
- Trust management
- Monitoring

3 Grid Security Issues. General picture

4 Architecture Related Issues 1/2
Information security
This kind of security relates to the information exchanged between different hosts, or between hosts and users.
- Existing solutions
  - Grid Security Infrastructure (GSI) defines security standards for the Grid and is based on the concept of the Virtual Organization (VO)
  - Secure communication: based on PKI, assuming the existence of an authorized CA; X.509 certificates; and the SSL/TLS protocols for data encryption
- Integration with Kerberos
  - Kerberos is one of the most popular authentication systems used in enterprises
  - The current version of GSI does not support Kerberos-based interaction, but a Kerberos gateway can provide a bridge to a GSI gateway and vice versa

5 Architecture Related Issues 2/2
Authorization
- Particularly important for systems where resources are shared between multiple departments or organizations
- Existing solutions
  - VO-level components: centralized authorization systems for an entire VO. Examples: Community Authorization Service (CAS), Virtual Organization Membership Service (VOMS), and Enterprise Authorization and Licensing System (EALS)
  - Resource-level components: implement the decision to authorize access to a set of resources. Examples: Akenti, Privilege and Role Management Infrastructure Standards Validation (PERMIS), and the GridMap solution
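The GridMap solution named above is the simplest resource-level component: a file on the resource maps an X.509 subject distinguished name (DN) to the local accounts that identity may use. The following is an added example, not code from the slides or from the Globus Toolkit, that parses that file format (one quoted DN per line followed by a comma-separated account list, with '#' comments) and makes the authorization decision; the file contents and DNs are constructed for the example, and the caller is assumed to pass the end-entity DN, not a proxy subject.

```python
"""Resource-level authorization with a grid-mapfile (added example)."""
import shlex
from typing import Dict, List, Optional

# Constructed sample grid-mapfile. Real files hold one mapping per line:
# a double-quoted DN, whitespace, then a comma-separated list of local
# account names; lines starting with '#' are comments.
SAMPLE_GRIDMAP = '''
# constructed grid-mapfile for the example
"/C=UA/O=NASU/OU=Space Research Institute/CN=Alice Example" alice
"/C=UA/O=NASU/OU=Space Research Institute/CN=Bob Example" bob,gridusers
"/DC=org/DC=example/CN=batch service" gridsvc
'''


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {DN: [local accounts]} from grid-mapfile text.

    Malformed lines raise ValueError rather than being silently skipped,
    so a corrupted mapping file fails closed instead of quietly granting
    the wrong access or none at all.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # shlex honours the double quotes around the DN, which may
            # itself contain spaces (e.g. "Space Research Institute").
            parts = shlex.split(line, comments=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: unbalanced quotes") from exc
        if len(parts) != 2:
            raise ValueError(f'line {lineno}: expected "DN" account[,account...]')
        dn, accounts = parts
        names = [a for a in accounts.split(",") if a]
        if not dn.startswith("/") or not names:
            raise ValueError(f"line {lineno}: bad DN or empty account list")
        bucket = mapping.setdefault(dn, [])
        for name in names:
            if name not in bucket:
                bucket.append(name)
    return mapping


def gridmap_errors(text: str) -> Optional[str]:
    """Return the parse error for a bad file, or None if it parses cleanly."""
    try:
        parse_gridmap(text)
    except ValueError as exc:
        return str(exc)
    return None


def authorize(mapping: Dict[str, List[str]], dn: str,
              requested_account: Optional[str] = None) -> Optional[str]:
    """Return the local account to run as, or None if the DN is not authorized.

    With no requested account the first mapped account is used (the usual
    grid-mapfile default). A requested account is honoured only when it is
    in the DN's own list; an unknown DN is always refused. The DN is
    compared as an exact string, so the caller must pass the end-entity DN
    (assumption for this example; a proxy's extra CN components would not
    match).
    """
    accounts = mapping.get(dn)
    if not accounts:
        return None
    if requested_account is None:
        return accounts[0]
    return requested_account if requested_account in accounts else None


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    for who in ("/C=UA/O=NASU/OU=Space Research Institute/CN=Alice Example",
                "/C=UA/O=NASU/CN=Unknown Person"):
        print(who, "->", authorize(gm, who))
```

Because the mapping file is the whole authorization decision on the resource, its integrity matters as much as the certificate checks: a writable grid-mapfile lets anyone who can edit it map an arbitrary DN to a privileged account, which is why it belongs in the host-level integrity monitoring discussed on the monitoring slide.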

6 Infrastructure Related Issues 1/1
Host and network level
Solutions provide data protection via:
- Virtualization: VM deployment on the physical machine
- Sandboxing: a mechanism that traps system calls and sandboxes applications to prevent them from accessing data and memory, based on certain policies
- Access control and isolation: Adaptive Grid Firewalls (AGF)

7 Management Related Issues 1/3
Credential management
- Becomes very important in a grid context, as there are multiple different systems which require varied credentials to access them
Solutions
- Credential repositories: move the responsibility for credential storage from the user to these systems; examples include smart cards, virtual smart cards, and the MyProxy Online Credential Repository
- Credential federation systems: used for managing credentials across multiple systems, domains, and realms; examples include VCMan (a grid-specific solution) and Community Authorization Service (CAS); KX.509 is a protocol which provides interoperability between X.509 and Kerberos systems

8 Management Related Issues 2/3
Trust management
- Crucial in a dynamic grid scenario where grid nodes and users join and leave the system
Existing solutions
- Reputation based: based on trust metrics derived from the local and global reputation of a system or an entity; examples include PeerTrust, XenoTrust, NICE, and Secure Grid Outsourcing (SeGO) systems
- Policy based: the different entities or components constituting the system exchange and manage credentials to establish trust relationships based on certain policies; examples include PeerTrust Trust Negotiation and TrustBuilder

9 Management Related Issues 3/3
Monitoring
- Essential in grid scenarios, primarily for two reasons:
  - different organizations or departments can be charged based on their usage
  - resource-related information can be logged for auditing or compliance purposes
Existing solutions
- System level: popular open-source system monitoring tools include Orca, Mon, AIDE, Tripwire, etc.
- Cluster level: Ganglia from the University of Berkeley and Hawkeye from the University of Wisconsin-Madison
- Grid level: R-GMA, Globus Monitoring and Discovery System (MDS), Management of Adaptive Grid Infrastructure (MAGI), and GlueDomains
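AIDE and Tripwire, listed under system-level monitoring, work by recording a baseline of file digests and later reporting what changed, which is the audit evidence the slide refers to. The following is an added example, not code from the slides or from either tool, that implements that baseline-and-compare cycle with the standard library; it runs against a temporary directory populated with constructed files (including a grid-mapfile, since that file decides resource-level authorization) and reports additions, removals and modifications.

```python
"""Host-level file-integrity monitoring, Tripwire/AIDE style (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, int]  # (sha256 hex digest, size in bytes)


def _digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Entry]:
    """Map every regular file under root (relative, '/'-separated) to (digest, size)."""
    result: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            # Symlinks and special files are outside this baseline; a real
            # tool records them separately with their own attributes.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (_digest(full), os.path.getsize(full))
    return result


def compare(baseline: Dict[str, Entry],
            current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify differences between two snapshots into added/removed/modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, change the tree, compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "grid-mapfile"), "w") as fh:
            fh.write('"/C=UA/O=NASU/CN=Alice Example" alice\n')
        with open(os.path.join(etc, "hosts.allow"), "w") as fh:
            fh.write("ALL: 10.0.0.0/8\n")
        baseline = snapshot(root)

        # Simulated drift after the baseline: one file modified (an extra
        # mapping appended), one removed, one new file added.
        with open(os.path.join(etc, "grid-mapfile"), "a") as fh:
            fh.write('"/C=XX/CN=Unexpected Entry" root\n')
        os.remove(os.path.join(etc, "hosts.allow"))
        with open(os.path.join(etc, "new-file.conf"), "w") as fh:
            fh.write("added after baseline\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The digest-plus-size pair makes a same-size edit (a changed account name in the mapping file) visible as a modification, while the sorted output keeps reports stable across runs. The part the example does not cover, and the part that makes Tripwire and AIDE useful in practice, is keeping the baseline itself somewhere the monitored host cannot rewrite it.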

10 Conclusions
Grid is the middleware which supports different, up-to-date security mechanisms:
- Uses digital certificates (X.509, and KX.509 for Kerberos)
- Supports delegation of rights based on proxy certificates
- Supports security mechanisms at different levels
- Provides VO (Virtual Organization) capabilities
- Provides Single Sign-On registration
- Supports encryption at the transport or message level (TLS/MLS protocols)
- Can use different realizations of third-party security components
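Delegation via proxy certificates, mentioned here and implied by the GSI/X.509 design on slide 4, is what lets a grid job act on the user's behalf for a limited time without the user's long-term key leaving their machine. The following is an added example, not code from the slides or from the Globus Toolkit/GSI, that models the structural rules a relying party applies to such a chain under RFC 3820: each proxy is issued by the certificate before it, its subject is the issuer's subject plus exactly one extra CN component, it is within its validity window, and it respects the path-length constraint of every proxy above it. It deliberately performs no signature verification (a real validator does that first with a crypto library); certificates, DNs and the reference time are constructed for the example.

```python
"""Structural checks on an X.509 proxy-certificate delegation chain (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Only the fields the delegation rules need; signatures are assumed verified."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_proxy: bool = False
    # Maximum number of further proxies that may be issued below this proxy
    # (RFC 3820 pCPathLenConstraint); None means no constraint.
    proxy_path_len: Optional[int] = None


def check_proxy_chain(chain: List[Cert], now: datetime) -> Optional[str]:
    """Return None if the chain is acceptable, otherwise the first failing rule.

    chain[0] is the end-entity (user) certificate; chain[1:] are the proxies
    in delegation order, so chain[-1] is the credential actually presented.
    """
    if not chain:
        return "empty chain"
    if chain[0].is_proxy:
        return "chain must start with a non-proxy end-entity certificate"
    remaining: Optional[int] = None  # proxies still permitted below this point
    for depth, cert in enumerate(chain):
        if not (cert.not_before <= now <= cert.not_after):
            return f"certificate {depth} ({cert.subject}) not valid at {now.isoformat()}"
        if depth == 0:
            continue
        parent = chain[depth - 1]
        if not cert.is_proxy:
            return f"certificate {depth} is not a proxy certificate"
        if cert.issuer != parent.subject:
            return f"certificate {depth} issuer does not match the previous subject"
        prefix = parent.subject + "/CN="
        # Assumption: '/' separates RDNs (OpenSSL one-line form) and never
        # appears inside a CN value, so exactly one new component is allowed.
        if not cert.subject.startswith(prefix) or "/" in cert.subject[len(prefix):]:
            return f"certificate {depth} subject must be the issuer subject plus one CN"
        if remaining is not None:
            if remaining == 0:
                return f"certificate {depth} exceeds the delegation path length"
            remaining -= 1
        if cert.proxy_path_len is not None:
            # A lower proxy can only tighten the constraint, never relax it.
            remaining = (cert.proxy_path_len if remaining is None
                         else min(remaining, cert.proxy_path_len))
    return None


# Constructed reference time and identities for the example.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
EXPIRED_NOW = NOW + timedelta(hours=13)  # after the 12-hour proxy lapses
USER_DN = "/C=UA/O=NASU/OU=Space Research Institute/CN=Alice Example"


def sample_chain(now: datetime = NOW) -> List[Cert]:
    """A one-year user certificate plus a 12-hour proxy allowing one more delegation."""
    user = Cert(USER_DN, "/C=UA/O=NASU/CN=Example Grid CA",
                now - timedelta(days=30), now + timedelta(days=335))
    proxy = Cert(USER_DN + "/CN=1234567890", USER_DN,
                 now - timedelta(minutes=5), now + timedelta(hours=12),
                 is_proxy=True, proxy_path_len=1)
    return [user, proxy]


def delegate(chain: List[Cert], cn: str, hours: int, now: datetime = NOW,
             path_len: Optional[int] = None) -> List[Cert]:
    """Return a new chain with one more proxy issued by chain[-1] (no signing here)."""
    parent = chain[-1]
    child = Cert(parent.subject + "/CN=" + cn, parent.subject,
                 now - timedelta(minutes=1), now + timedelta(hours=hours),
                 is_proxy=True, proxy_path_len=path_len)
    return chain + [child]


def tampered_chain(now: datetime = NOW) -> List[Cert]:
    """A proxy whose subject is unrelated to its issuer; must be rejected."""
    user = sample_chain(now)[0]
    bogus = Cert("/C=XX/CN=Someone Else", USER_DN,
                 now - timedelta(minutes=1), now + timedelta(hours=1), is_proxy=True)
    return [user, bogus]


if __name__ == "__main__":
    chain = sample_chain()
    print("fresh proxy:", check_proxy_chain(chain, NOW))
    print("expired:", check_proxy_chain(chain, EXPIRED_NOW))
    print("third delegation:", check_proxy_chain(delegate(delegate(chain, "2", 2), "3", 1), NOW))
```

The short proxy lifetime is the mitigation for the risk delegation introduces: a proxy key is typically stored unencrypted on the job's host so that unattended processes can use it, so the window in which a stolen copy is useful is bounded by the validity check rather than by the user's long-lived key.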