INSA LYON 1
Security Policy Configuration Issues in Grid Computing Environments
George Angelis, Stefanos Gritzalis, and Costas Lambrinoudakis
Presentation : SONG Weizhen
Professor : Mr. Jean-Marc PIERSON
Mr. Lionel BRUNIE
Outline
1.Introduction
2.Security policy in Grid computing environments
3.Security policies review
4.Security policy configuration issues
5.Conclusions
1.Introduction
A computational Grid is a hardware and software infrastructure that provides dependable, consistent, pervasive, and inexpensive access to high-end computational capabilities
Along with the positive impact, there is also a new set of security concerns and issues
The purpose of this paper : to review a number of the security policies that have already been configured in existing Grid environments, identify the deficiencies and introduce a collection of all the issues that should be taken into consideration while building an integrated security policy in a Grid computing environment
2.Security policy in grid computing environments
A multi-user environment and a dynamic user population
A large and dynamic resource pool
The most important and complicated factor : the interoperability of security policies (multiple authentication and authorization mechanisms)
The security of the entire Grid and the security of individual institutions
3.Security policies review
Globus
Legion
WebOS & CRISIS
UNICORE
NASA IPG
DataGRID
Globus http://www.globus.org/
The security component of the Globus Toolkit : the Grid Security Infrastructure (GSI)
Characteristics :
• Focus of GSI : authentication
User proxy : created by the user on his local Globus host, to act on behalf of the user for authentication purposes
Resource proxy : responsible for scheduling access to a resource, to enable authentication on the resource side
• GSI is based on the X.509-certificate Public Key Infrastructure (PKI) mechanism and on the SSL and TLS communication protocols
• Useful services : mutual authentication and single sign-on
Deficiencies :
• The problem of preserving the autonomy of local security policies
Legion http://www.cs.virginia.edu/~legion/
A project developed at the University of Virginia
Characteristics :
• An object-based software system
• Resources and users are identified by a unique Legion Object Identifier (LOID)
• Security based on a PKI for authentication and Access Control Lists (ACLs) for authorization
Deficiencies :
• Difficult incorporation of new standards
• Legion certificates do not have a time-out, therefore a certificate remains exposed to attack for an unlimited period of time
• Multiple sign-on
WebOS & CRISIS http://www.cs.duke.edu/ari/issg/webos/
CRISIS is the security subsystem of WebOS
Characteristics :
• Emphasizes design principles for a highly secure system : redundancy to eliminate single points of attack, timing-out identity certificates for security, …
• Authentication : public keys signed by a CA
• Authorization : uses the security manager approach
Deficiencies :
• Inflexibility : does not support the development of new policies or the modification of existing security policies
• Non-autonomy : does not allow local administrators to choose the security mechanism used
• Multiple sign-on
UNICORE http://www.unicore.org/index.htm
Originally developed by Fujitsu
Characteristics :
• A key feature of the security model : confidentiality and integrity of the transmitted data and workflow
• Based upon a PKI implemented with a single CA and multiple Registration Agents (RAs)
• The PKI architecture described can also be extended to cover authorization issues in UNICORE
Deficiencies :
• The existence of a common single CA
• The lack of further authentication procedures
NASA IPG http://www.ipg.nasa.gov/
Information Power Grid (IPG) is the name of NASA's project
Characteristics :
• Chooses Globus for some of the underlying infrastructure
• Single sign-on
• End-to-end encrypted communication channels provided by X.509
• Authorization and access control
• Infrastructure security such as IPSec and secure network device management and configuration, etc.
Still in an early experimental phase ; too early to have high expectations
DataGRID http://web.datagrid.cnr.it/
The DataGRID is a European Community supported project
Characteristics :
• Goal of DataGRID : to enable next-generation scientific exploration
• Chooses Globus for some of the underlying infrastructure
• The authorization model suggests a role-based community
• Confidentiality based on encryption is also addressed in the security policy
Deficiencies :
• Anybody can load malicious data into another host's storage areas
• The lack of easily operated and secure authorization technology
4.Security policy configuration issues
Delegation
Identity mapping
Policies interoperability
Grid information services
Exportability
Resource selection
Firewalls and virtual private networks
Delegation
Creation of a user proxy credential that will act on behalf of the user
Faces more scepticism because of a not fully trusted environment
Delegating too many rights could lead to abuse ; delegating too few rights could prevent the task from being completed
Suggestion : What a security policy should do is to specify the rights that may be delegated, the principals to which these rights may be delegated, and care for the protection of the delegated credentials
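The three delegation rules on this slide (which rights may be delegated, to which principals, and protection of the delegated credential) together with the Legion deficiency noted earlier (certificates without a time-out), as an added Python example that is not from the paper, from the presenter, or from any Grid toolkit. The DelegationPolicy and ProxyCredential structures, the right names and the sample principals are assumptions made for the illustration; the check treats a proxy with no expiry as a policy violation because its exposure window is unbounded.

```python
"""Delegation policy check for Grid user proxies.

Added illustration for this presentation, not code from the paper or from any
Grid toolkit. The policy fields, the ProxyCredential structure and the sample
principals are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class DelegationPolicy:
    delegable_rights: FrozenSet[str]     # rights a user is allowed to delegate
    allowed_principals: FrozenSet[str]   # principals that may receive delegated rights
    max_proxy_lifetime: timedelta        # upper bound on a proxy's validity period


@dataclass(frozen=True)
class ProxyCredential:
    owner: str                           # user on whose behalf the proxy acts
    holder: str                          # principal that received the proxy
    rights: FrozenSet[str]               # rights carried by the proxy
    not_before: datetime
    not_after: Optional[datetime]        # None models a certificate with no time-out


def check_delegation(policy: DelegationPolicy, proxy: ProxyCredential,
                     now: datetime) -> List[str]:
    """Return the list of policy violations; an empty list means the delegation is acceptable."""
    problems: List[str] = []

    # Too many rights: anything outside the delegable set is refused outright.
    excess = proxy.rights - policy.delegable_rights
    if excess:
        problems.append("rights not delegable: " + ", ".join(sorted(excess)))

    # Rights may only go to principals the policy names.
    if proxy.holder not in policy.allowed_principals:
        problems.append("principal may not receive delegated rights: " + proxy.holder)

    # Protection of the delegated credential: its exposure window must be bounded
    # (a certificate with no time-out is the Legion deficiency from the review).
    if proxy.not_after is None:
        problems.append("proxy has no time-out, exposure window is unbounded")
    else:
        if proxy.not_after - proxy.not_before > policy.max_proxy_lifetime:
            problems.append("proxy lifetime exceeds the policy maximum")
        if not (proxy.not_before <= now < proxy.not_after):
            problems.append("proxy is not valid at the time of use")
    return problems


# Constructed sample data for the demonstration (not real identities or rights).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_POLICY = DelegationPolicy(
    delegable_rights=frozenset({"read-data", "submit-job"}),
    allowed_principals=frozenset({"scheduler@site-a.example"}),
    max_proxy_lifetime=timedelta(hours=12),
)
GOOD_PROXY = ProxyCredential(
    owner="alice", holder="scheduler@site-a.example",
    rights=frozenset({"submit-job"}),
    not_before=NOW - timedelta(hours=1), not_after=NOW + timedelta(hours=8),
)
OVERREACHING_PROXY = ProxyCredential(
    owner="alice", holder="untrusted-host.example",
    rights=frozenset({"submit-job", "delete-data"}),
    not_before=NOW - timedelta(hours=1), not_after=NOW + timedelta(hours=8),
)
NO_TIMEOUT_PROXY = ProxyCredential(
    owner="alice", holder="scheduler@site-a.example",
    rights=frozenset({"read-data"}),
    not_before=NOW - timedelta(hours=1), not_after=None,
)

if __name__ == "__main__":
    for name, proxy in [("good", GOOD_PROXY), ("overreaching", OVERREACHING_PROXY),
                        ("no-timeout", NO_TIMEOUT_PROXY)]:
        print(name, check_delegation(SAMPLE_POLICY, proxy, NOW) or ["ok"])
```

The check reports every violation rather than stopping at the first one, so an administrator reviewing a refused delegation sees at once whether the problem is the set of rights, the receiving principal, or the credential's lifetime.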
Identity mapping
Mapping Grid identities to local userids is a way to give a user single sign-on
In order to achieve identity mapping the user must have a local id at the sites to be accessed
May raise security implications
Suggestion : A security policy should prefer to incorporate a mechanism for allowing the local administrator to specify trust relations with various Certificate Authorities (CAs), rather than trying to directly map the ids
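The suggestion above, as an added Python example that is not from the paper, from the presenter, or from Globus: the Grid-identity-to-local-userid map is consulted only after the local administrator's own CA trust table has accepted the certificate's issuer for the subject's namespace, so a mapped DN presented under an untrusted or wrong CA is refused. The map-file syntax is modelled on the Globus grid-mapfile (one quoted subject DN followed by a local user name per line); the CA trust table, the namespace-prefix rule and all sample identities are assumptions.

```python
"""Identity mapping gated by administrator-specified CA trust relations.

Added illustration for this presentation, not code from the paper or from
Globus. The map-file syntax follows the grid-mapfile style; the trust table,
the namespace rule and every DN below are constructed for the example.
"""
import shlex
from typing import Dict, Optional, Tuple

# Constructed sample map file: Grid subject DN -> local userid.
SAMPLE_GRIDMAP = '''
# comment lines and blank lines are ignored
"/O=ExampleGrid/OU=Physics/CN=Alice Example" alice
"/O=ExampleGrid/OU=Physics/CN=Bob Example" bob
"/O=OtherGrid/OU=Guests/CN=Carol Example" guest01
'''

# Constructed trust table maintained by the local administrator:
# issuer DN of a CA -> subject-DN prefix that CA is trusted to certify.
# A CA absent from this table is not trusted at this site, whatever the map file says.
SAMPLE_CA_TRUST: Dict[str, str] = {
    "/O=ExampleGrid/CN=ExampleGrid CA": "/O=ExampleGrid/",
}


def parse_gridmap(text: str) -> Dict[str, str]:
    """Parse map-file lines of the form "<subject DN>" <local user>."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # keeps the quoted DN (with spaces) as one token
        if len(parts) != 2:
            raise ValueError("malformed grid-map line: %r" % raw)
        subject, local_user = parts
        mapping[subject] = local_user
    return mapping


def resolve_local_user(subject_dn: str, issuer_dn: str,
                       gridmap: Dict[str, str],
                       ca_trust: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Map an authenticated (subject, issuer) pair to a local account.

    Returns (local_user, reason). The mapping is honoured only when the issuer
    is a CA the local administrator trusts AND that CA is trusted for the
    subject's namespace; a direct DN lookup on its own is never enough.
    """
    namespace = ca_trust.get(issuer_dn)
    if namespace is None:
        return None, "issuer CA not trusted by local administrator"
    if not subject_dn.startswith(namespace):
        return None, "issuer CA not trusted for this subject namespace"
    local_user = gridmap.get(subject_dn)
    if local_user is None:
        return None, "no local id for this Grid identity at this site"
    return local_user, "mapped"


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    # Trusted CA, mapped DN: resolves to the local account.
    print(resolve_local_user("/O=ExampleGrid/OU=Physics/CN=Alice Example",
                             "/O=ExampleGrid/CN=ExampleGrid CA", gm, SAMPLE_CA_TRUST))
    # Mapped DN, but the issuing CA is unknown to the local administrator: refused.
    print(resolve_local_user("/O=OtherGrid/OU=Guests/CN=Carol Example",
                             "/O=OtherGrid/CN=OtherGrid CA", gm, SAMPLE_CA_TRUST))
```

Carol's entry in the map file is the case the slide warns about: a direct mapping exists, yet no trust relation with her CA has been declared locally, so the site refuses the login instead of silently accepting whichever CA signed the certificate.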
Policies interoperability
Grid security policy may provide interdomain security mechanisms
Access to local resources will typically be determined by a local security policy
Suggestion : The Grid security policy should respect and integrate with local security solutions
Grid information services
An information service allows potential users to locate resources and to query them about access and availability
Access to these services for query or update should be very carefully secured, and strictly controlled
Suggestion : The security policy should define the proper processes for this access, with not only authentication and authorization procedures but also confidentiality and integrity features in the answers to the users' queries
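The two halves of this suggestion (controlled access to the query, and integrity protection of the answer), as an added Python example that is not from the paper, from the presenter, or from any Grid information service. The resource catalogue, the per-principal visibility table, the session key assumed to have been agreed after authentication, and the answer layout are all constructed for the illustration; integrity is provided by an HMAC-SHA256 tag over a canonical encoding of the answer, which the client checks before trusting what it was told about a resource.

```python
"""Grid information service: authorized queries with integrity-protected answers.

Added illustration for this presentation, not code from the paper or from any
Grid information service. Catalogue, authorization table, session key and
message layout are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed resource catalogue: resource name -> attributes that may be queried.
RESOURCES = {
    "cluster-a": {"cpus": 256, "queue": "batch", "available": True},
    "storage-b": {"capacity_tb": 40, "available": False},
}
# Constructed authorization table: authenticated principal -> resources it may see.
VISIBLE_TO = {
    "alice": {"cluster-a", "storage-b"},
    "guest01": {"cluster-a"},
}
# Constructed per-session key shared by the service and ONE client after
# authentication (for instance, derived from a mutually authenticated TLS session).
SESSION_KEY = b"constructed-session-key-for-the-example-only"


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so that service and client tag exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tag(payload: dict, key: bytes) -> str:
    """Integrity tag over the answer (HMAC-SHA256, hex encoded)."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def query(principal: str, resource: str, key: bytes) -> Tuple[dict, str]:
    """Service side: answer one query after an authorization check; returns (answer, tag).

    The answer names the principal it is addressed to, so a tagged answer
    produced for one user cannot be replayed to another with the same key.
    """
    if resource not in VISIBLE_TO.get(principal, set()):
        answer = {"for": principal, "resource": resource, "error": "not authorized"}
    else:
        answer = {"for": principal, "resource": resource,
                  "attributes": RESOURCES[resource]}
    return answer, tag(answer, key)


def verify_answer(principal: str, answer: dict, answer_tag: str, key: bytes) -> bool:
    """Client side: accept the answer only if the tag matches and it is addressed to us."""
    return (hmac.compare_digest(tag(answer, key), answer_tag)
            and answer.get("for") == principal)


def demo() -> Dict[str, bool]:
    """Exercise a genuine answer, a tampered answer and an unauthorized query."""
    answer, t = query("alice", "cluster-a", SESSION_KEY)
    genuine = verify_answer("alice", answer, t, SESSION_KEY)
    # An intermediary flips the availability flag; the tag no longer matches.
    tampered = dict(answer, attributes=dict(answer["attributes"], available=False))
    tampered_ok = verify_answer("alice", tampered, t, SESSION_KEY)
    # guest01 may not see storage-b; the refusal itself is still integrity-protected.
    denied, denied_tag = query("guest01", "storage-b", SESSION_KEY)
    denied_ok = "error" in denied and verify_answer("guest01", denied, denied_tag, SESSION_KEY)
    return {"genuine_verified": genuine,
            "tampered_verified": tampered_ok,
            "denied_has_error": denied_ok}


if __name__ == "__main__":
    print(demo())
```

Confidentiality of the answer is left to the authenticated channel the session key came from; the tag only guarantees that what the client reads about a resource is what the service actually said, which is the integrity property the slide asks for.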
Exportability
An issue mostly related to encryption features supported by a Grid security policy
There are many encryption mechanisms, infrastructures and protocols, as well as algorithms, which makes it more complicated for a security policy to select and use an encryption scheme
Suggestion : A standard is imperative to ensure uniformity
Resource selection
Users typically have little or no knowledge of the resources contributed by other participants, a significant obstacle to their use
The choice of the “best” suited resource depends on physical characteristics of the resource, of the connectivity, of the security, of the policy that governs access to this system, etc.
Suggestion : The common security approach must be intended to support a wide range of these local access control policies
Firewalls and virtual private networks
Existence of a firewall or VPN in front of an administrative domain can result in prohibition of access
Information services must also be informed about the existence of firewalls
Suggestion : A Grid security policy should not oblige administrative domains to eliminate usage of their already configured firewalls
5.Conclusions
The authors identified some major deficiencies of six existing Grid computing environments
The authors presented a first full inventory of the most common security issues that have been experienced in Grid computing environments, and of how security policies should be adapted in order to address them
The inventory can be used as a brief but complete reference guide for Grid participant institutions that would like to enrich their security policy or build a new one from scratch
The authors have neglected some important points in introducing the security problems of the 6 projects (security of Web Services, GSS-API)
Thank you very much