260 likes | 461 Views
Parallel. Distributed. Computing Centre. A Disciplined Security Specification for a High-Assurance Grid. by Ning Zhu, Jussipekka Leiwo, and Stephen John Turner. Parallel and Distributed Computing Center, School of Computer Engineering , Nanyang Technological University , Singapore 639798.
E N D
Parallel Distributed Computing Centre A Disciplined Security Specification for a High-Assurance Grid by Ning Zhu, Jussipekka Leiwo, and Stephen John Turner Parallel and Distributed Computing Center, School of Computer Engineering, Nanyang Technological University, Singapore 639798
0. Outline • Introduction • Background & Methodology • A Common Criteria CompliantGeneric Security Framework for the Grid • Security Environment and Objectives for the Grid • Security Requirements for the Grid • Conclusions and Future Work
1. Introduction • Grid Computing Overview • Grid is a hardware and software infrastructure that provides dependable, consistent, pervasive and inexpensive access to heterogeneous high-end computing capabilities, knowledge bases and services. • It aims to provide flexible, secure, coordinated resource sharing and problem solving among dynamic distributed collections of individuals, institutions, and resources. • Security=Functionality + Assurance
1. Introduction • Problems of Current Grid Security Solutions • GSI, UNICORE, CAS, PERMIS • Inadequate functionality • Non-systematic implementation without considering security assurance • Our work • A disciplined security specification toward a generic security framework for the Grid • Follow the generic framework to implement highly assured trustworthy Grid security solution
2. Background & Methodology • Security Assurance • Security can not be considered appropriate even if the security techniques used are known to be theoretically highly resistant to attacks. • The extent of trustworthiness, the means of providing evidence of the appropriateness of security designs and for demonstrating that implementations meet the security objectives, must be considered.
2. Background & Methodology • Assurance Methods • Assessment of the TOE (Target of Evaluation) directly • Assessment of the processes to develop the TOE • Assessment of the environment where the TOE is developed • ISO/IEC 15408, the Common Criteria • An internationally recognized standard for specifying and evaluating security properties of IT products and systems • Comparison with process assurance methods and environment assurance methods
2. Background & Methodology • ClearingHouse Project • A typical Grid platform providing a generic Grid-based application execution and information sharing engine • Resource management, automatic resource discovery, and economy management of resources in a service-oriented environment are main issues addressed by ClearingHouse currently
3. A Common Criteria CompliantGeneric Security Framework for the Grid • Systematically devised and highly assured based on the Common Criteria • Specific Grid security solutions are instantiated from the framework in a manner that preserves all dependencies between design artifacts and brings assurance that all relevant TOE and environmental elements are considered
4. Security Environment and Objectives for the Grid • Security environment: It describes the security aspects of the environment in which the TOE is intended to be used and the manner in which it is expected to be employed. • Security objectives: They reflect the stated intent to counter identified threats and/or comply with any organizational security policies and usage assumptions.
4.1 Security Environment for the Grid • Assets to be protected • Subjects within the set of interactions occurring with or within the TOE that causes operations to be performed • Assumptions that cannot be enforced by technical means to be met by the environment in order for the TOE to be considered secure • Organizational security policies • Threats to security:
4.2 Security Objectives for the Grid • Security objectives for the TOE:
4.2 Security Objectives for the Grid • Security objectives for the IT-environment of the TOE • Security objectives rationale • Demonstrating that the security objectives address all of the environmental aspects identified and the objectives are effective and provide complete coverage • Security environment to security objectives mapping for generating tracings:
5. Security Requirements for the Grid • Security requirements are the refinement of the security objectives and if met, will ensure that the TOE can meet its security objectives. • Security functional requirements are levied on those functions of the TOE that are specifically in support of IT security and define the desired security behavior. • Security assurance requirements specify a minimum strength level consistent with the security objectives.
5.1 Security Functional Requirements for the Grid • A systematically drawn set of Grid security functional requirements conforming to the Common Criteria: • FAU (Security Audit) • FDP (User Data Protection) • FIA (Identification and Authentication) • FMT (Security Management) • FPR (Privacy) • FPT (Protection of the TSF) • FTA (TOE Access)
5.1 Security Functional Requirements for the Grid • Each class consists of class introduction and functional families. • Functional components plus family behavior, component leveling, management requirements and audit requirements constitute a family specification. • Each component specification includes functional elements and the dependencies among functional components.
5.1 Security Functional Requirements for the Grid • A sample security functional requirement: • User Data Protection: This class specifies requirements for TOE security functions and TOE security function policies related to protecting user data. It includes six families: Access control policy (FDP_ACC), Access control functions (FDP_ACF), Data authentication (FDP_DAU), Import from outside TSF control (FDP_ITC), Residual information protection (FDP_RIP), and Stored data integrity (FDP_SDI). • FDP_ACC identifies the access control SFPs and defines the scope of control of the policies that form the identified access control portion of the TSP. This family has only one component FDP_ACC.1 Subset access control. No management activities or auditable events are foreseen.
5.1 Security Functional Requirements for the Grid • FDP_ACC.1 has only one element FDP_ACC.1.1: The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP]. It has the dependency on FDP_ACF.1 Security attribute based access control.
5.1 Security Functional Requirements for the Grid • We may make further operations on the security functional requirements including assignment, selection, refinement and iteration, to address different aspects of the security needs of the TOE in more detail. • Security requirements for the IT environment of the TOE can also be defined such as those for communication, cryptographic support, resource utilization and trusted path/channels.
5.2 Security Assurance Requirements for the Grid • Security assurance requirements are expressed as evaluation assurance levels (EALs). • EAL 2 - structurally tested, EAL 3 - methodically tested and checked, and EAL 4 - methodically designed, tested, and reviewed can be adopted as a basis to guide implementing and evaluating assurance of a Grid system/application.
5.3 Security Requirements Rationale • Demonstrating that the security requirements are suitable to meet and traceable to the IT security objectives • Mapping table can still be utilized to help express the rationale intuitively and clearly:
5.3 Security Requirements Rationale • Different subsets of the security functional requirements can be defined and tailored for different strengths of the security functionality. • Different original or augmented EALs can also be imposed to ensure the achievement of such different level security respectively. • Thus more flexible trustworthy Grid security solutions will be provided following the generic Grid security framework, to fulfill their specific security objectives correctly and effectively.
6. Conclusions and Future Work • A disciplined approach to specify and model security for the high-assurance Grids • A TOE summary specification to provide a high-level definition of the security functions and assurance measures • Accomplish a specific TOE implementation for Grid security