
SecPAL*: A security policy language to support grid on demand

Jason Hogg ([email protected]), Program Manager, Grid Security, Advanced Technology Incubation Group, Microsoft Corp.

*Security Policy Assertion Language

Agenda

• Introduction
• Research motivation
• SecPAL Syntax and Semantics
• Walkthrough securing a simple scenario
• Demonstration
• Next steps


Introduction

• SecPAL developed to address security challenges in large-scale distributed systems such as computing grids
  – Comprehensive solution with uniform semantics
  – Flexibility to support different operational models
  – Fine-grained trusts and constrained delegation

• SecPAL is Research
  – It is not a product and is not officially supported
  – The .NET research release has been made available to encourage organizations with complex security requirements to establish proof-of-concept applications and provide feedback which can be used to improve SecPAL should it be incorporated into a product at a future point in time

• Joint research being developed by the Advanced Technology Incubation Group and Microsoft Research in Cambridge

January 9, 2007 Private & Confidential

Utility Computing

• TeraGrid is one example of how this model is used for scientific computing.
  – TeraGrid aims to build the world's largest, most comprehensive grid computing cyber-infrastructure for open scientific research.
  – Scientific Gateway solutions are being developed combining portals and desktop applications as gateways to access computational resources, information, and instruments.
  – Gateways provide communities of like-minded scientists access to a variety of capabilities including workflows, visualization, resource discovery and job execution services.

• Software as a Service model for accessing compute / grid resources is also gaining mainstream popularity – Sun Grid, Amazon S3, Microsoft all have utility computing offerings.

[Figure: TeraGrid Network]

Motivation for SecPAL

• Existing approaches are complex to manage, fail to meet important customer needs – especially in federated environments, are hard to maintain, and impossible to analyze

• Existing policy mechanisms a major contributor
  – Disjoint, often ad hoc approaches for establishing Trust, attribute binding, authZ, delegation, audit, … and almost certainly many different semantics
  – Can’t express some customer needs (distributed mgt, fine-grained trusts, delegations, revocation etc)
  – Composition of policies is problematic

• Token<->Policy semantic differences exacerbate the situation
  – Mapping tables often needed for attribute translation or binding to local attributes
  – Typically support only limited name/attribute formats


What is SecPAL?

• Declarative, logic-based, security policy language
  – Easily read as English sentences with a restricted grammar
  – Simple syntactic checks ensure evaluation safety
  – XML-based: serializes as XML, uses standard parsers, schema, XMLDSIG, XMLENC

• Complete solution for Grid access control requirements
  – Trust, authorization, delegation policies, auditing, PKI for identity management
  – Can work with existing identity management mechanisms


Facts, Claims and Assertions

• Assertion (Token, Policy, AuthorizationQuery)
  – A says claim

• Claim (conditional fact)
  – fact [if fact1, fact2, … , factn, constraint]

• Fact
  – P can verb resource [qual] (action)
  – P possess attrib=value [qual] (possession)
  – P can say fact (delegation)
  – P can act as P’ (alias)
  – P can revoke [ClaimId] (revocation)

Example:

ResourceGuard says Bob can read http://foo.com/ if Bob can write http://foo.com/

Variables

• SecPAL assertions can include variables – allowing generic policies to be authored

• Variables are substituted for concrete values at evaluation-time

• Example:

CHPCAdmin says VO-ReseachGrid-STS can say %p possesses %a where %a matches rfc822Name:".*@contoso\.edu"

Canonical Grid Environment

[Diagram labels: File Repository, ResGrid STS, CHPC STS, Bob, Master Scheduler, Birch STS, Research Grid VO, Birch University, Center for HPC, ClusterC, ClusterB, ClusterA, fabrikam.com, contoso.edu]

Scenario: User Schedules a Job

• User from within a virtual organization (called Research Grid VO) wants to submit grid jobs to a computational cluster in an external organization (called the Center for High-Performance Computing).

• Requires two types of policies:
  – Trust relationship
  – Resource access policy

Step 1: Establish a trust relationship

• Master Scheduler could establish a trust-relationship directly with our end-user Bob; however, this interaction quickly becomes unmanageable for any sizable environment. Rather, the common practice is for CHPC to establish a trust relationship with an authority, such as the Research Grid Security Token Service (STS), responsible for certifying grid users.

CHPCAdmin says VO-ReseachGrid-STS can say %p possesses %a (from %t1 until %t2) where %t2 - %t1 <= "366.00:00:00", %t1 <= CurrentTime() <= %t2, %a matches rfc822Name:".*@contoso\.edu"

Step 2: Define resource access policy

• The CHPC master scheduler would have a local authorization policy controlling who may use the job management services. This will typically rely on the organizational trust policy since the scheduler service administrator won’t typically be responsible for cross-organizational relationships.

CHPCAdmin says %p can execute service:"http://www.chpc.org/scheduleJob" if %p possesses %a where %a matches rfc822Name:".*@contoso\.edu"

Step 3: User requests an identity token

• For our user Bob to schedule a job, he first needs to obtain an identity token from the Research Grid STS which contains his email name. This might require he authenticate using a Contoso supplied authentication credential (such as an X.509 certificate, Kerberos token, SAML token or another SecPAL token) which is accepted by grid services.

• The grid token obtained from the STS would contain the assertion:

VO-ReseachGrid-STS says Bob possesses rfc822Name:"[email protected]" (from "2007-01-01" until "2007-12-31")

Step 4a: User submits a job

• Now Bob can submit a request to initiate a job on the CHPC cluster by sending an authenticated message containing his SecPAL token along with the job information needed by the CHPC master scheduler.

• The scheduler can then formulate a SecPAL query similar to:

CHPCAdmin says Bob can execute service:"http://www.chpc.org/scheduleJob"?

Step 4b: Authorization Decision

• SecPAL evaluation engine evaluates the authorization query based on relevant policies and tokens

• Positive authorization decisions include a proof graph showing relevant policies and tokens that lead to the authorization decision

• Critical for auditing / compliance requirements

Step 6: User delegates rights

• Bob can also take advantage of SecPAL to formulate a delegation of his rights to access a data file on a server at Birch University where the job data may reside.

Bob says Scheduler can say %p can read file://BirchFileShare/jobData (from %t1 to %t2) if %t2-%t1<5 days

Scheduler says Bob-Job can read file://BirchFileShare/jobData [from 2007-04-28 to 2007-05-01]

Demonstration

Summary

SecPAL was designed to solve challenges such as:

• How does an organization establish a fine-grained trust relationship with another organization across organizational boundaries?

• How does a user delegate a subset of a user’s rights (constrained delegation) to another user residing either in the same organization or in a different organization?

• How can access control policy be authored and reviewed in a manner that is human readable - allowing auditors and non-technical people to understand such policies?

• How does an organization support compliance regulations requiring that a system be able to demonstrate exactly why it was that a user was granted access to a resource?

• How can policies be authored, composed and evaluated in a manner that is efficient, deterministic and tractable?

Research Availability

• Public Availability
  – SecPAL Formal Model and Whitepaper
  – SecPAL Preview Binaries and Developer Documentation
  – SecPAL Schema and Schema Specification
  – http://research.microsoft.com/projects/secpal

• Community Workspace
  – Additional scenarios
  – API questions
  – Additional downloads – query editor available shortly
  – http://www.codeplex.com/secpal


Call to Action

• Evaluate
  – Download the .NET Research Release
  – Look at the 15 authorization patterns
  – Follow the tutorial in the developer docs
  – Build a prototype to meet your requirements

• Provide feedback
  – This work is currently research – perfect time to have your feedback incorporated
    • What other patterns does your organization use?
    • How successful were you at solving these with SecPAL?
    • …
  – Feedback can be submitted to http://www.codeplex.com/secpal or directly to myself at [email protected]

• Tell your colleagues – especially those responsible for planning your long-term security strategy!

Questions?