Trust and Security for Next Generation Grids, www.gridtrust.eu
Securing Grid-Based Supply Chains
Marco Di Girolamo
HP Italy Innovation Center, Italy
On behalf of the GridTrust Consortium
EGEE Conference 2008, Business Track, Istanbul, September 23rd, 2008
GridTrust Vision
• VOs operated over Service-Oriented Architectures
• Trust handled through security and reputation management
• “Continuous Usage Control” concept permeating design and operation of VOs:
  - Continuous Usage Control expressed at level of security requirements
  - VOs managed by policies derived from security requirements
  - Security policies enforced by means of GridTrust services
  - Reputation monitoring and dynamic update
GridTrust: Objectives and Expected Results
• General Objective: definition and management of security and trust in dynamic Virtual Organizations
  - Improve Access Control – Authorization
  - Introduce usage control for Grids
• Expected results – “framework” composed of:
  - Tools for reasoning about security at all levels of the NGG architecture
  - A reference security architecture for Grids, including UCON authorization service, secure-aware broker, reputation management service, among others
  - An open source reference implementation of the architecture, validated by several innovative business scenarios
[Diagram: NGG Architecture – GRID Application Layer, GRID Service Middleware Layer, GRID Foundation Middleware Layer, Network Operating System; GridTrust spans the layers]
Project Partners
• 5 countries, 4 companies, 3 research institutes, 1 university
• Duration: 3 years (06/2006-05/2009)
• Global budget: 3 856 135 euros
• CETIC budget: 540 697 euros
A Grid-Based Transportation Supply Chain
• Scenario
  - Context is logistics services: moving customers’ goods from one place to another
  - Competitive driving factors: delivery time, service price
  - Gap to bridge, transporter’s side: only big service providers can afford optimization tools (scale reasons); availability of optimization services could foster market competition (SME inclusion)
  - Gap to bridge, customer’s side: wanting to find the best transporter for each transportation task
The business case
• Solution pillars:
  - Use of an auctioning system: exploit competition between transporters; allow customers to find the best provider for each task
  - Use of route computing services: computational services providing maps and libraries to execute applications solving the logistic optimization problem; enable small transporters to perform routing optimization
  - Hosted on GRID resources!
The business case – VO model
The VBE model
• Association of organizations adhering to common operating principles and infrastructure
• Main objective: participating in potential VOs
• Organizations participating in a VO are selected from the VBE
[Diagram: VBE (VBE Manager, service providers, user) and VO (VO Owner, VO Manager)]
Auction based supply chain
• First-Price Sealed-Bid reverse auction model
• Producers (auction proponents) produce RfQs for transportation tasks
• Transporters can recalculate routing exploiting routing computational services running on GRID resources
• Offer selection based on customer requirements: time, price, transporter’s reputation
• Producers create a Delivery VO (auction and delivery management)
• Transporters create Routing VOs to compute best routes for answering the auction
Computational problem overview
• Find a set of NV vehicle routes, originating from and terminating at the depot, such that:
  - Each vehicle services one route
  - Each vertex v_i, i = 1..N, is visited only once
  - Quantity of goods on each vehicle never exceeds its capacity C
  - Start time of each route is >= r0
  - End time of each route is <= d0
  - Time of beginning of service at vertex i is >= r_i (ready time); if arrival time t_i at vertex i is < r_i then the vehicle waits for a waiting time w_i = r_i - t_i
  - Time of ending of service at vertex i is <= d_i (due date)
• VRPTW: Vehicle Routing Problem with Time Windows
• Usually algorithms minimize NV and then the total distance TD
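As an added illustration (not code from the GridTrust project), the VRPTW constraints above written as a feasibility check that a routing service, or a customer evaluating an offer, could run over a candidate solution; the instance, its coordinates and vertex data are constructed, and Euclidean distance doubles as travel time.

```python
from dataclasses import dataclass

@dataclass
class Vertex:
    demand: float    # quantity of goods to load at this vertex
    ready: float     # r_i: earliest start of service
    due: float       # d_i: latest end of service
    service: float   # service duration at the vertex

# Constructed sample instance: depot 0 plus three customers on a 10x10 square.
COORDS = {0: (0, 0), 1: (0, 10), 2: (10, 10), 3: (10, 0)}
VERTS = {0: Vertex(0, 0, 100, 0), 1: Vertex(4, 5, 30, 2),
         2: Vertex(3, 25, 40, 2), 3: Vertex(5, 0, 60, 2)}

def euclid(i, j):
    (x1, y1), (x2, y2) = COORDS[i], COORDS[j]
    return ((x1 - x2) ** 2 + (y1 - y2) ** 2) ** 0.5

def check_route(route, verts, travel, capacity, r0, d0):
    """One depot-to-depot route: returns (feasible, distance, waiting times)."""
    if sum(verts[i].demand for i in route) > capacity:
        return False, 0.0, []                    # capacity C exceeded
    t, prev, dist, waits = r0, 0, 0.0, []        # leave the depot at r0
    for i in route:
        leg = travel(prev, i)
        t_i = t + leg                            # arrival time t_i
        w_i = max(0.0, verts[i].ready - t_i)     # wait w_i = r_i - t_i if early
        if t_i + w_i + verts[i].service > verts[i].due:   # service ends after d_i
            return False, dist + leg, waits
        waits.append(w_i)
        t, prev, dist = t_i + w_i + verts[i].service, i, dist + leg
    leg = travel(prev, 0)
    if t + leg > d0:                             # back at the depot after d0
        return False, dist + leg, waits
    return True, dist + leg, waits

def check_solution(routes, verts, travel, capacity, r0, d0):
    """Every customer exactly once and every route feasible: (ok, NV, TD)."""
    visited = sorted(i for r in routes for i in r)
    if visited != sorted(i for i in verts if i != 0):
        return False, len(routes), 0.0           # a vertex missed or visited twice
    td = 0.0
    for r in routes:
        ok, dist, _ = check_route(r, verts, travel, capacity, r0, d0)
        if not ok:
            return False, len(routes), td
        td += dist
    return True, len(routes), td
```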
Securing the Grid-Based Supply Chain
• Objective
  - Identify security challenges presented by Grid-based supply chain
  - Define security components helping to solve such challenges
• Methodology
  - Perform a security analysis to define security requirements for the application, using a goal-oriented requirements-engineering methodology
  - Identify and develop architecture components that could contribute to meet the main identified security challenges
  - Evaluate how the architecture helps in solving security challenges
Security Issues in the Transportation Supply Chain
• Auction:
  - Secure identification of auction participants
  - Secrecy of offers at least until auction closure
  - Data integrity and non-repudiation of both offers and RfQs
• Routing services:
  - Execution of unknown applications on behalf of potentially unknown or untrusted users
  - Need to prevent these applications from performing bad actions: stealing valuable data, gaining unauthorized accesses
  - Reputation combined with security to increase trust: transporters’ reputation measured based on their compliance with global and local security policies defined for Grid resources
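An added sketch, not the GridTrust consortium’s code, of how the first-price sealed-bid reverse auction of the earlier slide can meet the secrecy and integrity requirements listed here with a commit-then-reveal exchange: before closure the auction service accepts only a hash commitment of each offer, after closure a revealed offer counts only if it matches its commitment, and selection applies the customer’s time, price and reputation criteria. The per-transporter HMAC key, the Auction class and all sample values are assumptions; a deployment would replace the MAC with the participant’s digital signature to obtain non-repudiation.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field

def bid_digest(rfq_id, transporter, price, delivery_h, nonce):
    # Commitment binding one offer to one RfQ and one transporter
    msg = json.dumps([rfq_id, transporter, price, delivery_h, nonce]).encode()
    return hashlib.sha256(msg).hexdigest()

def mac_tag(key, digest):
    # Assumed stand-in for the participant's signature over the commitment
    return hmac.new(key, digest.encode(), "sha256").hexdigest()

@dataclass
class Auction:
    rfq_id: str
    max_delivery_h: float   # customer's delivery-time requirement (hours)
    min_reputation: float   # customer's minimum transporter reputation
    keys: dict              # transporter -> key shared with the service (assumption)
    reputation: dict        # transporter -> score from the reputation service
    commits: dict = field(default_factory=dict)
    revealed: dict = field(default_factory=dict)
    closed: bool = False

    def commit(self, transporter, digest, tag):
        # Before closure only the digest is stored, so the offer stays secret
        if self.closed or transporter not in self.keys:
            return False
        if not hmac.compare_digest(mac_tag(self.keys[transporter], digest), tag):
            return False                        # not authenticated as that transporter
        self.commits[transporter] = digest
        return True

    def close(self):
        self.closed = True

    def reveal(self, transporter, price, delivery_h, nonce):
        # After closure an offer counts only if it matches its commitment
        if not self.closed or transporter not in self.commits:
            return False
        d = bid_digest(self.rfq_id, transporter, price, delivery_h, nonce)
        if not hmac.compare_digest(d, self.commits[transporter]):
            return False                        # altered offer or wrong RfQ
        self.revealed[transporter] = (price, delivery_h)
        return True

    def select(self):
        # Lowest price among offers meeting the time and reputation requirements
        ok = [(p, -self.reputation[t], t) for t, (p, h) in self.revealed.items()
              if h <= self.max_delivery_h and self.reputation[t] >= self.min_reputation]
        return min(ok)[2] if ok else None
```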
GridTrust Services Securing the Supply Chain
[Diagram: GridTrust services – Policy and Profile Manager Service, VO Management Service, Reputation Management Service, Security-Aware Resource Broker Service, UCON Service]
VO Management Service
• The VO manager is responsible for setting up, operating and terminating the VO
• The VO membership manager service is responsible for managing the different members of the VO and their users
• The workflow management service is responsible for transforming job requests into workflows that are then managed
• The global VO policies apply to all VO members and describe their correct behaviour during the lifetime of the VO
(NGG layer: GRID Service Middleware Layer)
Reputation Management Service
• Collect, distribute and aggregate feedback about entities' behaviour in a particular context in order to produce a rating about the entities
  - Entities could be either users, resources / services, service providers or VOs
• The reputation service is based on ideas of utility computing
• It can be used in both centralised and distributed settings
• Using reputation with security
  - Maintaining users’ reputation according to their usage of resources
(NGG layer: GRID Service Middleware Layer)
Usage Control Service
• Enforcement of Usage Control policies at both VO level and computational (node) level
  - Building Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) for POLPA and XACML languages
• Monitor the actions executed on behalf of the grid users and enforce a UCON security policy
  - VO level: global VO policies
  - Service level: the policy describes behaviour of the user in the local service invocation
  - Computational level: the policy consists of a highly detailed description of the correct behaviour of the application being executed; only the applications whose behaviour is consistent with the security policy are executed on the computational resource
(NGG layers: GRID Service Middleware Layer, GRID Foundation Middleware Layer)
Security-Aware Resource Broker Service
• Integrate access control with resource/service scheduling
• Both resource owners and users define their resource access and usage policies
  - The resource broker schedules a user request only within the set of resources whose policies match the user credentials (and vice-versa)
• Support of UCON at VO level
• Scalability and efficiency
(NGG layers: GRID Service Middleware Layer, GRID Foundation Middleware Layer)
Policy and Profile Manager Service
• The policy manager is responsible for managing policies at the global (VO level) and local levels (node level)
• The profile manager is responsible for managing profiles. Profiles allow users to specify personal default values
(NGG layers: GRID Service Middleware Layer, GRID Foundation Middleware Layer)
Conclusions
• Grid-based supply chains can be secured by associating them with trust and security management services
• The solution proposed, called GridTrust Security Framework (GSF), incorporates these services in a manner that is:
  - Interoperable: we are re-using an existing Grid infrastructure (Globus middleware); our system components are interoperable with other Globus-based components
  - Security-aware: the proposed design tackles security issues potentially arising in any Grid-based system; the security requirements were elicited using a requirements-engineering methodology that has been tailored for Grid systems
More Information
• Visit us at http://www.gridtrust.eu
Thanks!