Page 1: Trust and Security for Next Generation Grids, www.gridtrust.eu

Tutorial: Usage Control for Next Generation Grids

Introduction

Philippe Massonet et al

CETIC

OGF-25 Tutorial

Catania, 02-06/02/2009

Page 2: Tutorial Agenda

1. Usage Control for Grids (25 minutes)

2. An Architecture for Usage Control in Grids (20 minutes)

3. Usage Control Policies in XACML (45 minutes)

4. Usage Control in Action: Controlling Service Usage in a Grid-Based Content Management System (20 minutes)

5. PolPA: A Usage Control Policy Language for Grids (45 minutes)

6. Usage Control in Action: Controlling Resource Usage in a Grid-Based Supply Chain (25 minutes)

Page 3: Security Virtual Organisations

Page 4: Security throughout the VO Lifecycle

Page 5: Plan

• Introduction to virtual organisations

• Introduction to access control and usage control

• Examples

Page 6: Dynamic Virtual Organisations

“Virtual organizations: a temporary or permanent coalition of geographically dispersed individuals, groups, organisational units or entire organisations that pool resources, capabilities and information in order to achieve common goals”

[Figure: numbered nodes (1, 2, 3, 3', 4, 5, 6) of a dynamic VO exchanging services]

Page 7: Trust in Virtual Organisations

“Since VOs are based on sharing information and knowledge, there must be a high amount of trust among the partners. Especially since each partner contributes with their core competencies”

[Figure: nodes 1 to 5 in collaboration]

Threats:
• Bad service (contract not respected)
• Attacks – loss of information
• Attacks – disruption of service
• Vulnerability to attacks (low level of security at one of the partners)
• …

How do you maintain trust and security properties in a dynamic VO? There is a need for trust and security mechanisms.

Page 8: Desired Self-Organization/Self-Protection Behavior

[Figure: nodes 1 to 5 of a VO; node 3 is tightened or replaced by 3' according to the VO policy rules]

User trust requirement: all nodes are always sufficiently trusted

Dynamic business processes -> self-organization <-> self-protection

Avoid/minimize intervention of human operators

VO policy rules:
• (3) If trust of node x < min trust threshold, then tighten security for node x
• (3') If trust of node x < min trust threshold, then replace node x

Page 9: Issues: Policy Based Trust and Security Management in VOs

• VO = set of users that pool resources in order to achieve common goals – rules governing the sharing of the resources

• Trust and security policies are derived following the goals of the VO and the rules for sharing resources; access to resources can be updated according to the behaviour of users (reputation)

[Figure: VO lifecycle]
• Discovery of potential trustworthy partners
• Establishment of security policies, following governing rules
• Monitoring / enforcing policies
• Maintenance of reputation
• Membership and policy adaptation
• Termination of trust relationships; maintenance of reputation

Page 10: Trust and Security in Grids (Outsourcing)

[Figure: a Service Requestor (SR) sends a service request to a Service Provider (SP) inside the VO; the SP runs a service instance on shared resources of an Infrastructure Provider (IP)]

Questions raised:
• Can I trust the SR and SP?
• Is the SP using my resources with malicious intent?
• Is the selected IP secure?

Page 11: Current State of the Art in Grid Authorization

• GridTrust focuses on authorization

• OGSA/Globus default authorisation mechanism: GridMap is coarse grained and static

• Extended authorization mechanisms: Akenti (fine grained distributed access control), PERMIS (RBAC), Shibboleth (cross-domain single sign-on and attribute-based authorization)

• Basic limitation: once you receive access to a resource, you are free to use it without any control.

• Need for finer grained and continuous control

Page 12: Usage Control Model: Beyond Access Control

[Figure, after UCON [Park04]: usage control encompasses traditional access control, DRM and trust management. Enforcement points: server-side reference monitor (SRM), client-side reference monitor (CRM), or SRM & CRM. Protection goals: sensitive information protection, intellectual property rights protection, privacy protection]

Page 13: Example of UCON Model

• PreAuthorization without update (PreA0)

• Temporal logic specification:

  permitaccess(s, o, r) → •(tryaccess(s, o, r) ∧ (p1 ∧ ··· ∧ pi))

  where p1, ..., pi are predicates built from subject and/or object attributes, which are pre-authorization predicates.

• PolPA encoding:

  tryaccess(s, o, r).pA(s, o, r).permitaccess(s, o, r).endaccess(s, o, r)

Page 14: Another Example of UCON Model

• OnAuthorization with preUpdate (OnA1)

• Temporal logic specification:

  (1) permitaccess(s, o, r) → •tryaccess(s, o, r) ∧ •preupdate(attribute)

  (2) (¬(p1 ∧ ··· ∧ pi) ∧ (state(s, o, r) = accessing)) → revokeaccess(s, o, r)

• PolPA encoding:

  tryaccess(s, o, r).update(s, o, r).permitaccess(s, o, r).(endaccess(s, o, r) or (pA(s, o, r).revokeaccess(s, o, r)))

Page 15: Applications of Usage Control

• With UCON we can express policies such as Mandatory Access Control (MAC), history based access control in general, resource usage limitation, Chinese wall (CWSP)

• With UCON integrated with RTML (credential-based trust management) we can also enforce Role Based Access Control, Attribute Based Access Control policies, or other credential-based policies

• Other …

Page 16: From Access Control to Usage Control

[Figure: a usage laid out over time]
• Before usage: pre decision, pre update
• Ongoing usage: ongoing decision, ongoing update
• After usage: post update

Two properties distinguish usage control from access control: mutability of attributes (pre, ongoing and post updates) and continuity of decision (ongoing decision).

Is the usage decision still valid? Can you revoke access?

Page 17: GridTrust Objective: Bring Usage Control To The Grid

• Integrate usage control into Grid

• Supports many existing access control models

• New models of trust and security

• Usage control model: policy language

[Figure: UCON components. Subjects and Objects carry Attributes; the Usage Decision on Rights is made from Authorizations, Obligations and Conditions]

Page 18: Examples of UCON Concepts

• Subject attributes
  Immutable: subject.identity
  Mutable: subject.credit = subject.credit – resource.cost

• Object attributes
  Immutable: object.identity
  Mutable: r.availableSpace = r.availableSpace – s.assignedSpace

• Mutable attribute update
  Pre-update: s.balance = s.balance – r.cost
  Ongoing-update: s.balance = s.balance – r.costunit
  Post-update: s.totalUsage = s.totalUsage + r.resourceUsage

• Authorization
  Pre-authorization: s.balance >= r.cost
  Ongoing-authorization: s.reputation > r.reputationMinimum
  Post-authorization: socket.remoteDomain ∈ AcceptableDomains

• Conditions
  Pre-conditions: 08:00 <= currentTime <= 18:00
  Ongoing-conditions: 08:00 <= currentTime <= 18:00 (long duration access can be revoked)

• Obligations
  Pre-obligations: accepted(s, r.licenseAgreement)
  Ongoing-obligations: read(s, r.publicity)
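The attribute examples on this slide, together with the PreA0 and OnA1 patterns of pages 13 and 14, combined into one runnable usage session: a pre-decision with pre-update, an ongoing decision re-evaluated at every step that can revoke the usage, and a post-update at the end. This is an added example, not GridTrust or UCON reference code; the Subject and Resource classes, the UsageSession class, the hourly clock and every attribute value are constructed for illustration.

```python
# Added example (not GridTrust code): a single UCON usage session with
# pre/ongoing/post authorizations, conditions, obligations and mutable
# attribute updates, following the attribute examples on this slide.
# Subject, Resource, UsageSession and all values below are constructed.
from dataclasses import dataclass, field


@dataclass
class Subject:
    identity: str                       # immutable subject attribute
    balance: int                        # mutable: charged before and during usage
    reputation: int                     # mutable: maintained by a reputation service
    totalUsage: int = 0                 # mutable: post-update accumulates usage
    licenses: set = field(default_factory=set)   # license agreements the subject accepted


@dataclass
class Resource:
    identity: str                       # immutable object attribute
    cost: int                           # charged once by the pre-update
    costUnit: int                       # charged per usage step by the ongoing-update
    reputationMinimum: int              # ongoing-authorization threshold
    licenseAgreement: str               # pre-obligation: accepted(s, r.licenseAgreement)


def in_work_hours(hour):
    """Condition from the slide: 08:00 <= currentTime <= 18:00 (hour granularity)."""
    return 8 <= hour <= 18


class UsageSession:
    """One usage (s, o, r): tryaccess -> permit or deny; ticks while accessing
    (each one may revoke); endaccess -> post-update. The final state is
    'denied', 'revoked' or 'ended'."""

    def __init__(self, s, r):
        self.s, self.r = s, r
        self.state = "initial"
        self.units = 0                  # usage steps charged in this session (r.resourceUsage)
        self.log = []

    def tryaccess(self, hour):
        if not in_work_hours(hour):
            return self._deny("pre-condition: outside 08:00-18:00")
        if self.r.licenseAgreement not in self.s.licenses:
            return self._deny("pre-obligation: license agreement not accepted")
        if not self.s.balance >= self.r.cost:
            return self._deny("pre-authorization: s.balance < r.cost")
        self.s.balance -= self.r.cost   # pre-update: s.balance = s.balance - r.cost
        self.state = "accessing"
        self.log.append("permitaccess")
        return True

    def tick(self, hour):
        """Re-evaluate the decision during usage (continuity of decision)."""
        if self.state != "accessing":
            return False
        if not in_work_hours(hour):
            return self._revoke("ongoing-condition: outside 08:00-18:00")
        if not self.s.reputation > self.r.reputationMinimum:
            return self._revoke("ongoing-authorization: s.reputation <= r.reputationMinimum")
        if self.s.balance < self.r.costUnit:
            return self._revoke("ongoing-authorization: balance exhausted")
        self.s.balance -= self.r.costUnit   # ongoing-update: s.balance = s.balance - r.costUnit
        self.units += 1
        return True

    def endaccess(self):
        if self.state == "accessing":
            self._post_update()
            self.state = "ended"
            self.log.append("endaccess")
        return self.state

    def _post_update(self):
        # post-update: s.totalUsage = s.totalUsage + r.resourceUsage
        self.s.totalUsage += self.units

    def _deny(self, why):
        self.state = "denied"
        self.log.append("denyaccess: " + why)
        return False

    def _revoke(self, why):
        self._post_update()             # usage consumed so far is still accounted for
        self.state = "revoked"
        self.log.append("revokeaccess: " + why)
        return False


def run_scenario():
    """Constructed scenario: access granted at 09:00, one usage step charged,
    then revoked when the subject's reputation drops below the minimum."""
    s = Subject("alice", balance=10, reputation=5, licenses={"lic-A"})
    r = Resource("cluster-A", cost=3, costUnit=2, reputationMinimum=2, licenseAgreement="lic-A")
    session = UsageSession(s, r)
    session.tryaccess(hour=9)           # balance 10 -> 7
    session.tick(hour=10)               # balance 7 -> 5, one unit of usage
    s.reputation = 1                    # attribute changes while usage is ongoing
    session.tick(hour=11)               # revoked by the ongoing-authorization
    return session


if __name__ == "__main__":
    sess = run_scenario()
    print(sess.state, sess.s.balance, sess.s.totalUsage)
    print("\n".join(sess.log))
```

The point of the tick loop is the one the slide makes with "continuity of decision": the attributes that justified the decision (balance, reputation, time of day) keep changing after permitaccess, so the decision is re-evaluated and the usage revoked rather than left to run unchecked. Note that a revoked session still accounts for the usage already consumed in the post-update.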

Page 19: How Continuous Usage Control Works

[Figure: a Service Provider (SP) runs a service instance in a hosting environment on shared resources. The service program issues system calls (OpenFile() … ReadFile() … OpenFile() … CloseFile()); a monitor maps each call onto a state machine (Start, Opened, Reading, Closed), and the Policy Enforcement Point checks the trace against the local policy, raising a violation when the policy is not respected]

Page 20: Example: Managing Conflicts of Interest in Virtual Organisations

[Figure: organisations that collaborate on a VO and have resources allocated to them or owned by them; a conflict of interest relation links competing organisations]

Page 21: Example: The Chinese Wall

• Based on the notion of conflict of interest class

• Need a history

[Figure: Client 1 accesses Resource 1 and Resource 2; Client 2 accesses Resource 3 and Resource 4; the resources are grouped into a conflict of interest class]

Page 22: Example: Chinese Wall Security Policy

Usage control policy language (PolPA) over the history of system calls:

gvar[1]:=0. gvar[2]:=0.

([eq(gvar[2],0),eq(x1,"/home/paolo/SetA/*"),eq(x2,READ)].open(x1,x2,x3).lvar[1]:=x3.gvar[1]:=1.
 i([eq(x1,lvar[1])].read(x1,x2,x3)).[eq(x1,lvar[1])].close(x1,x2))

Par

([eq(gvar[1],0),eq(x1,"/home/paolo/SetB/*"),eq(x2,READ)].open(x1,x2,x3).lvar[1]:=x3.gvar[2]:=1.
 i([eq(x1,lvar[1])].read(x1,x2,x3)).[eq(x1,lvar[1])].close(x1,x2))

The global variables gvar[1] and gvar[2] record whether a file of SetA or of SetB has been opened; each branch guards its open on the other set's flag still being 0, so the monitored service may read files from one set but never from both. The local variable lvar[1] keeps the descriptor returned by the permitted open, and the subsequent read and close calls are accepted only on that descriptor.
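A reference monitor that replays the Chinese wall policy of this slide over a history of system calls, keeping the two global flags and the local descriptor exactly as the PolPA text does. This is an added example and not GridTrust or PolPA code: the monitor class, the call shapes open(path, mode, fd) / read(fd, buf, len) / close(fd, how), the READ constant and the sample history are all constructed for illustration.

```python
# Added example (not GridTrust or PolPA code): a reference monitor that replays
# the Chinese wall policy of this slide over a constructed history of system
# calls. The call shapes, the READ constant and the trace are constructed;
# the path patterns and the gvar/lvar bookkeeping follow the policy text.
import fnmatch

READ = "READ"

# One entry per branch of the Par composition:
# (path pattern, gvar this branch sets, gvar that must still be 0).
BRANCHES = {
    "A": ("/home/paolo/SetA/*", 1, 2),
    "B": ("/home/paolo/SetB/*", 2, 1),
}


class ChineseWallMonitor:
    """gvar[1] / gvar[2] remember that SetA / SetB has been opened. Each branch
    runs at most once: open, any number of reads, close, all on the descriptor
    returned by the permitted open (lvar[1])."""

    def __init__(self):
        self.gvar = {1: 0, 2: 0}        # gvar[1]:=0. gvar[2]:=0.
        self.lvar = None                # lvar[1]: descriptor of the open file
        self.current = None             # branch currently between open and close
        self.done = {name: False for name in BRANCHES}
        self.trace = []                 # (call, args, decision) for audit

    def check(self, call, *args):
        permitted = self._evaluate(call, args)
        self.trace.append((call, args, "permit" if permitted else "violation"))
        return permitted

    def _evaluate(self, call, args):
        if call == "open":
            path, mode, fd = args
            if mode != READ or self.current is not None:
                return False            # only READ opens, and no nested open in this policy
            for name, (pattern, mine, other) in BRANCHES.items():
                if fnmatch.fnmatch(path, pattern) and self.gvar[other] == 0 and not self.done[name]:
                    self.lvar = fd      # lvar[1]:=x3
                    self.gvar[mine] = 1 # gvar[mine]:=1
                    self.current = name
                    return True
            return False
        if call == "read":              # i([eq(x1,lvar[1])].read(x1,x2,x3))
            return self.current is not None and args[0] == self.lvar
        if call == "close":             # [eq(x1,lvar[1])].close(x1,x2)
            if self.current is not None and args[0] == self.lvar:
                self.done[self.current] = True
                self.current = self.lvar = None
                return True
            return False
        return False                    # any other call is outside the policy


def replay(history):
    """Run a whole call history through a fresh monitor; returns the decisions."""
    monitor = ChineseWallMonitor()
    return [monitor.check(call, *args) for call, args in history], monitor


# Constructed history: a service reads a SetA file, then tries to open SetB.
HISTORY = [
    ("open", ("/home/paolo/SetA/report.txt", READ, 7)),
    ("read", (7, "buf", 512)),
    ("read", (8, "buf", 512)),          # wrong descriptor: violation
    ("close", (7, 0)),
    ("open", ("/home/paolo/SetB/plan.txt", READ, 9)),   # conflict of interest: violation
]

if __name__ == "__main__":
    decisions, monitor = replay(HISTORY)
    for call, args, decision in monitor.trace:
        print(f"{decision:9} {call}{args}")
```

The monitor only decides; what the Policy Enforcement Point does on a violation (block the call, terminate the service instance, report to the VO) is the enforcement question of page 19 and is left to the caller. The audit trace is what a defender would keep: it shows exactly which call in the history crossed the wall.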

Page 23: GridTrust Framework: Tools and Policy-based Services

[Figure: the GridTrust services placed on the NGG architecture layers (Grid Application Layer, Grid Service Middleware Layer, Grid Foundation Middleware Layer, Network Operating System)]

• Trust and security goals, self-* …, dynamic VO: the Secure VO Req Editor and the VO Model and Refinement Tool produce (1) global, VO-level policies and (2) local usage control policies

• VO Mngt service, Reputation Mgt service and Sec Res Broker, over resources, VO members and services

• Usage Control service: computational usage control + TM, fine grained, continuous, OGSA compliant, with an Enforcer