Presentation is loading. Please wait.

Presentation is loading. Please wait.

INSA LYON1 Security Policy Configuration Issues in Grid Computing Environments George Angelis, Stefanos Gritzalis, and Costas Lambrinoudakis Presentation.

Published byChloe Flynn Modified over 9 years ago

Similar presentations

Presentation on theme: "INSA LYON1 Security Policy Configuration Issues in Grid Computing Environments George Angelis, Stefanos Gritzalis, and Costas Lambrinoudakis Presentation."— Presentation transcript:

1 INSA LYON1 Security Policy Configuration Issues in Grid Computing Environments George Angelis, Stefanos Gritzalis, and Costas Lambrinoudakis Presentation : SONG Weizhen Professor : Mr. Jean-Marc PIERSON Mr. Lionel BRUNIE

2 INSA LYON2 Outline  1.Introduction  2.Security policy in Grid computing environments  3.Security policies review  4.Security policy configuration issues  5.Conclusions

3 INSA LYON3 Outline  1.INTRODUCTION  2.Security policy in Grid computing environments  3.Security policies review  4.Security policy configuration issues  5.Conclusions

4 INSA LYON4 1.Introduction  A computational Grid is a hardware and software infrastructure that provides dependable, consistent, pervasive, and inexpensive access to high-end computational capabilities  Along with the positive impact, there are also a new set of security concerns and issues  The purpose of this paper : To review a number of the security policies that have already been configured in existing Grid environments, identify the deficiencies and introduce a collection of all the issues that should be taken under consideration while building an integrated security policy in a Grid computing environment

5 INSA LYON5 Outline  1.Introduction  2.SECURITY POLICY IN GRID COMPUTING ENVIRONMENTS  3.Security policies review  4.Security policy configuration issues  5.Conclusions

6 INSA LYON6 2.Security policy in grid computing environments  A multi-user environment and A dynamic user population  A large and dynamic resource pool  The most important and complicated factor : the interoperability of security policies ( multiple authentication and authorization mechanisms )  The security of the entire Grid and the security of individual institutions

7 INSA LYON7 Outline  1.Introduction  2.Security policy in Grid computing environments  3.SECURITY POLICIES REVIEW  4.Security policy configuration issues  5.Conclusions

8 INSA LYON8 3.Security policies review  Globus  Legion  WebOS & CRISIS  UNICORE  NASA IPG  DataGRID

9 INSA LYON9 Globus http://www.globus.org/  The security component of the Globus Toolkit : the Grid Security Infrastructure (GSI)  Characteristics : Focus of GSI : Authentication  User proxy : Created by the user on his local Globus host, to act on behalf of the user for authentication purposes  Resource proxy : Responsible for scheduling access to a resource, to enable authentication on the resource side GSI is based on X.509 certificates Public Key Infrastructure (PKI) mechanism, and SSL and TLS communication protocol Useful services : Mutual authentication and single sign-on  Deficiencies : The problem of preserving autonomy of local security policies

10 INSA LYON10 Legion http://www.cs.virginia.edu/~legion/  An project developed at University of Virginia  Characteristics : An object-based software Resources and users identified by a unique Legion Object Identifier (LOID) Security based on a PKI for authentication and Access Control Lists (ACLs) for authorization  Deficiencies : Difficult incorporation of new standards Legion certificates do not have a time-out, therefore the certificate is vulnerable to attack during the period of time Multiple-sign-on

11 INSA LYON11 WebOS & CRISIS http://www.cs.duke.edu/ari/issg/webos/  CRISIS is the security subsystem of WebOS  Characteristics : To emphasize design principles for highly secure system  Redundancy to eliminate single points of attack  Timing-out identity certificates for security … Authentication : Public keys signed by a CA Authorization : To use the security manager approach  Deficiencies : Inflexibility : Not to support development of new policies and not to modify existing security policies Nonautonomy : Not to allow local administrators to choose the security mechanism used Multiple-sign-on

12 INSA LYON12 UNICORE http://www.unicore.org/index.htm  Originally developed by Fujitsu  Characteristics : A key feature of the security model : confidentiality and integrity of the transmitted data and workflow Based upon a PKI who is implemented with a single CA and multiple Registration Agents (RAs) The PKI architecture described can also be extended to cover authorization issues in UNICORE  Deficiencies : The existence of a common single CA The lack of further authentication procedures

13 INSA LYON13 NASA IPG http://www.ipg.nasa.gov/  Information Power Grid (IPG) is the name of NASA’s project  Characteristics : Choose Globus for some underlying infrastructures Single-sign-on End-to-end encrypted communication channels provided by X.509 Authorization and access control Infrastructure security like IPSec and secure network devices management and configuration etc.  Still in an early experimental phase and too early to have high expectations

14 INSA LYON14 DataGRID http://web.datagrid.cnr.it/  The DataGRID is a European Community supported project  Characteristics : Goal of DataGRID : To enable next generation scientific exploration Choose Globus for some underlying infrastructures The authorization model suggests a role-based community Confidentiality based on encryption is also addressed in the security policy  Deficiencies : Anybody can load malicious data into another host’s storage areas The lack of easily operated and secure authorization technology

15 INSA LYON15 Outline  1.Introduction  2.Security policy in Grid computing environments  3.Security policies review  4.SECURITY POLICY CONFIGURATION ISSUES  5.Conclusions

16 INSA LYON16 4.Security policy configuration issues  Delegation  Identity mapping  Policies interoperability  Grid information services  Exportability  Resource selection  Firewalls and virtual private networks

17 INSA LYON17 Delegation  Creation of a user proxy credential who will act on behalf of the user  Be faced with more scepticism because of a non fully trusted environment  Delegating too many rights could lead to abuse  Delegating too few rights could prevent the task from being completed  Suggestion : What a security policy should do is to specify the rights that may be delegated, the principals to which these rights may be delegated, and care for the protection of the delegated credentials

18 INSA LYON18 Identity mapping  Mapping Grid identities to local userids is a way to enable a user to have a single-sign-on  In order to achieve identity mapping the user must have a local id at the sites to be accessed  May raise security implications  Suggestion : A security policy should prefer to incorporate a mechanism for allowing the local administrator to specify trust relations with various certificate Authorities (CA), rather than trying to directly map the ids

19 INSA LYON19 Policies interoperability  Grid security policy may provide interdomain security mechanisms  Access to local resources will typically be determined by a local security policy  Suggestion : The Grid security policy should respect and integrate with local security solutions

20 INSA LYON20 Grid information services  An information service allows potential users to locate resources and to query them about access and availability  Access to these services for query or update should be very carefully secured, and strictly controlled  Suggestion : The security policy should have defined the proper processes for this access with not only authentication and authorization procedures, but with confidentiality and integrity features in the answers to the users’ queries as will

21 INSA LYON21 Exportability  An issue mostly related to encryption features supported by a Grid security policy  A lot of encryption mechanisms, infrastructure and protocols, as well as algorithms so more complicated for a Security Policy to select and use an encryption  Suggestion : A standard is imperative to ensure uniformity

22 INSA LYON22 Resource selection  Users typically have little or no knowledge of the resources contributed by other participants, a significant obstacle to their use  The choice of the “best” suited resource depends on physical characteristics of the resource, of the connectivity, of the security, of the policy that governs access to this system, etc.  Suggestion : The common security approach must be intended to support a wide range of these local access control policies

23 INSA LYON23 Firewalls and virtual private networks  Existence of a firewall or VPN in front of an administrative domain can result in prohibition of access  Information services must also be informed about existence of firewalls  Suggestion : A Grid security policy should not oblige administrative domains to eliminate usage of their already configured firewalls

24 INSA LYON24 Outline  1.Introduction  2.Security policy in Grid computing environments  3.Security policies review  4.Security policy configuration issues  5.CONCLUSIONS

25 INSA LYON25 5.Conclusions The authors identified some major deficiencies of six existing Grid computing environments The authors presented a first full inventory of the most common security issues that have been experienced in the Grid computing environments, and how security policies should accommodate in order to address these The inventory can be used as a brief but complete reference guide for the Grid participant institutions which would like to enrich their security policy or build a new one from scratch  The authors have neglected some important points in introducing the problems of security of the 6 projects (security of Web Service, GSS-API)

26 INSA LYON26 MERCI BEAUCOUP

Download ppt "INSA LYON1 Security Policy Configuration Issues in Grid Computing Environments George Angelis, Stefanos Gritzalis, and Costas Lambrinoudakis Presentation."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.

Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.

Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.

Similar presentations

Ads by Google