Tutorial: Usage Control for Next Generation Grids. Introduction
Philippe Massonet et al, CETIC
OGF-25 Tutorial, Catania, 02-06/02/2009
Trust and Security for Next Generation Grids, www.gridtrust.eu

Tutorial Agenda
• Usage Control for Grids (25 minutes)
• An Architecture for Usage Control in Grids (20 minutes)
• Usage Control Policies in XACML (45 minutes)
• Usage Control in Action: Controlling Service Usage in a Grid-Based Content Management System (20 minutes)
• PolPA: A Usage Control Policy Language for Grids (45 minutes)
• Usage Control in Action: Controlling Resource Usage in a Grid-Based Supply Chain (25 minutes)
Security Virtual Organisations

Security throughout the VO Lifecycle

Plan
• Introduction to virtual organisations
• Introduction to access control and usage control
• Examples
Dynamic Virtual Organisations
"Virtual organizations: a temporary or permanent coalition of geographically dispersed individuals, groups, organisational units or entire organisations that pool resources, capabilities and information in order to achieve common goals"
[Figure: a dynamic VO of nodes 1 to 6 (and a replacement node 3') sharing Services]

Trust in Virtual Organisations
"Since VOs are based on sharing information and knowledge, there must be a high amount of trust among the partners. Especially since each partner contributes with their core competencies"
• Threats:
  • Bad service (contract not respected)
  • Attacks: loss of information
  • Attacks: disruption of service
  • Vulnerability to attacks (low level of security at one of the partners)
  • ...
[Figure: Collaboration among VO nodes 1 to 5]
How do you maintain Trust and Security properties in a dynamic VO? Need for trust and security mechanisms.

Desired Self-Organization/Self-Protection Behavior
User trust requirement: all nodes must be sufficiently trusted at all times.
VO policy rules (illustrated on node 3 of the figure):
• If trust of node x < Min trust threshold, then tighten security for node x
• If trust of node x < Min trust threshold, then replace node x (node 3 becomes 3')
Dynamic Business Processes -> Self-organization <-> Self-protection
Avoid/Minimize intervention of human operators
Issues: Policy Based Trust and Security Management in VOs
• VO = set of users that pool resources in order to achieve common goals, plus rules governing the sharing of the resources
• Trust and security policies are derived following the goals of the VO and the rules for sharing resources
• Access to resources can be updated according to the behaviour of users (reputation)
[Figure: VO lifecycle issues: discovery of potential trustworthy partners; establishment of security policies, following governing rules; monitoring; enforcing policies; maintenance of reputation; membership and policy adaptation; termination of trust relationships]

Trust and Security in Grids (Outsourcing)
[Figure: a Service Requestor (SR) sends a Service Request to a Service Provider (SP) in the VO; the SP runs a Service Instance on an Infrastructure Provider (IP) whose shared resources (Res.) are used by the service]
• SR: Is the selected IP secure?
• IP: Can I trust the SR and SP?
• IP: Is SP using my resources with malicious intent?
Current State of the Art in Grid Authorization
• GridTrust focuses on authorization
• OGSA/Globus default authorisation mechanism: GridMap is coarse-grained and static
• Extended authorization mechanisms:
  • Akenti (fine grained distributed access control)
  • PERMIS (RBAC)
  • Shibboleth (cross-domain single sign-on and attribute-based authorization)
• Basic limitation: once you receive access to a resource, you are free to use it without any control
• Need for finer grained and continuous control

Usage Control Model: Beyond Access Control
[Figure: UCON [Park04] covers Traditional Access Control, Trust Management, DRM, Privacy Protection, Intellectual Property Rights Protection and Sensitive Information Protection; enforcement is by a Server-side Reference Monitor (SRM), a Client-side Reference Monitor (CRM), or SRM & CRM together]
Example of UCON Model
• PreAuthorization without update (PreA0)
• Temporal logic specification (• denotes the "previous state" temporal operator):
  permitaccess(s, o, r) → •(tryaccess(s, o, r) ∧ (p1 ∧ ··· ∧ pi))
  where p1, ..., pi are pre-authorization predicates built from subject and/or object attributes.
• PolPA encoding:
  tryaccess(s, o, r).
  pA(s, o, r).
  permitaccess(s, o, r).
  endaccess(s, o, r)

Another Example of UCON Model
• OnAuthorization with preUpdate (OnA1)
• Temporal logic specification:
  (1) permitaccess(s, o, r) → •tryaccess(s, o, r) ∧ •preupdate(attribute)
  (2) (¬(p1 ∧ ··· ∧ pi) ∧ (state(s, o, r) = accessing)) → revokeaccess(s, o, r)
• PolPA encoding:
  tryaccess(s, o, r).
  update(s, o, r).
  permitaccess(s, o, r).
  (endaccess(s, o, r) or (pA(s, o, r).revokeaccess(s, o, r)))
Applications of Usage Control
• With UCON we can express policies such as:
  • Mandatory Access Control (MAC)
  • History based access control in general
  • Resource usage limitation
  • Chinese wall (CWSP)
• With UCON integrated with RTML, credential-based trust management, we can also enforce:
  • Role Based Access Control
  • Attribute Based Access Control policies
  • Other credential-based policies
• Other ...

From Access Control to Usage Control
  Time:                      Before usage  | Ongoing usage     | After usage
  Continuity of decision:    Pre decision  | Ongoing decision  |
  Mutability of attributes:  Pre update    | Ongoing update    | Post update
Is the usage decision still valid? Can you revoke access?

GridTrust Objective: Bring Usage Control To The Grid
• Integrate usage control into the Grid
• Supports many existing access control models
• New models of trust and security
• Usage control model: policy language
[Figure: UCON core model: Subjects (with Attributes) exercise Rights on Objects (with Attributes); the Usage Decision depends on Authorizations, Obligations and Conditions]

Examples of UCON concepts
• Subject attributes
  • Immutable: subject.identity
  • Mutable: subject.credit = subject.credit - resource.cost
• Object attributes
  • Immutable: object.identity
  • Mutable: r.availableSpace = r.availableSpace - s.assignedSpace
• Mutable attribute update
  • Pre-update: s.balance = s.balance - r.cost
  • Ongoing-update: s.balance = s.balance - r.costunit
  • Post-update: s.totalUsage = s.totalUsage + r.resourceUsage
• Authorization
  • Pre-authorization: s.balance >= r.cost
  • Ongoing-authorization: s.reputation > r.reputationMinimum
  • Post-authorization: socket.remoteDomain ∈ AcceptableDomains
• Conditions
  • Pre-conditions: 08:00 <= currentTime <= 18:00
  • Ongoing-conditions: 08:00 <= currentTime <= 18:00 (long duration access can be revoked)
• Obligations
  • Pre-obligations: accepted(s, r.licenseAgreement)
  • Ongoing-obligations: read(s, r.publicity)
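As an added illustration (not code from the tutorial or the GridTrust project), a minimal Python reference monitor that walks the tryaccess / permitaccess / revokeaccess / endaccess sequence of the PreA0 and OnA1 models above, using the attribute names from the slide; the Session class, its dict-based attributes and the tick() step are assumptions.

```python
# Added example, not GridTrust code: a small UCON monitor for one (s, o, r)
# session. Pre-authorization and pre-update follow PreA0/OnA1; the ongoing
# update and ongoing authorization run on each tick(); the post-update runs
# at endaccess. Attribute names come from the "Examples of UCON concepts" slide.

class Session:
    """One usage session with mutable subject (s) and resource (r) attributes."""

    def __init__(self, subject, resource):
        self.s = subject     # assumed dict: balance, reputation, totalUsage
        self.r = resource    # assumed dict: cost, costunit, reputationMinimum
        self.state = "initial"
        self.trace = []      # sequence of UCON events, for inspection

    def tryaccess(self):
        self.trace.append("tryaccess")
        # PreA0: pre-authorization predicate p1 = (s.balance >= r.cost)
        if self.s["balance"] < self.r["cost"]:
            self.state = "denied"
            self.trace.append("denyaccess")
            return False
        # OnA1: pre-update precedes permitaccess (s.balance = s.balance - r.cost)
        self.s["balance"] -= self.r["cost"]
        self.trace.append("preupdate")
        self.state = "accessing"
        self.trace.append("permitaccess")
        return True

    def tick(self):
        """One ongoing-usage step: ongoing update, then ongoing authorization."""
        if self.state != "accessing":
            return self.state
        self.s["balance"] -= self.r["costunit"]       # ongoing-update
        self.trace.append("onupdate")
        # OnA1 rule (2): revoke while accessing as soon as a predicate fails
        if (self.s["balance"] < 0
                or self.s["reputation"] <= self.r["reputationMinimum"]):
            self.state = "revoked"
            self.trace.append("revokeaccess")
        return self.state

    def endaccess(self, resource_usage):
        """Normal end of usage; only then does the post-update apply."""
        if self.state == "accessing":
            self.state = "ended"
            self.trace.append("endaccess")
            self.s["totalUsage"] += resource_usage   # post-update
        return self.state
```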
How Continuous Usage Control Works
[Figure: in the Hosting Environment of the Service Provider (SP), a Service Program (... OpenFile() ... ReadFile() ... OpenFile() ... CloseFile() ...) runs as a Service Instance over Shared resources; the Policy Enforcement Point maps each call onto the Local Policy and monitors the file state (Start, Closed, Opened, Reading), reporting a Violation]

Example: Managing Conflicts of Interest in Virtual Organisations
[Figure: VO members related by Collaborates on, Allocated to, Owned by and Conflict of Interest links]

Example: The Chinese Wall
• Based on the notion of conflict of interest class
• Need a history
[Figure: Client 1 and Client 2 in one conflict of interest class; access to Resource 1, Resource 2, Resource 3 and Resource 4]
Example: Chinese Wall Security Policy
Usage Control Policy Language (PolPA):
  gvar[1]:=0. gvar[2]:=0.
  ( [eq(gvar[2],0), eq(x1,"/home/paolo/SetA/*"), eq(x2,READ)].open(x1,x2,x3).
    lvar[1]:=x3. gvar[1]:=1.
    i([eq(x1,lvar[1])].read(x1,x2,x3)).
    [eq(x1,lvar[1])].close(x1,x2) )
  Par
  ( [eq(gvar[1],0), eq(x1,"/home/paolo/SetB/*"), eq(x2,READ)].open(x1,x2,x3).
    lvar[1]:=x3. gvar[2]:=1.
    i([eq(x1,lvar[1])].read(x1,x2,x3)).
    [eq(x1,lvar[1])].close(x1,x2) )
[Figure: History of System Calls]
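To show how the policy above is enforced over a history of system calls, here is an added Python monitor (not PolPA, not the tutorial's own code) that replays open/read/close events with the same two path patterns; gvar["A"]/gvar["B"] stand for gvar[1]/gvar[2], the open_fds map plays the role of lvar[1], the call-tuple layout is an assumption, and it generalises the policy slightly by admitting any number of files from the set chosen first.

```python
# Added example, not GridTrust code: Chinese Wall over a system-call history.
# Once a file from SetA is opened, SetB opens are refused (and vice versa);
# reads and closes are only allowed on descriptors returned by an admitted open.
import os
from fnmatch import fnmatch

SET_A = "/home/paolo/SetA/*"   # patterns from the PolPA policy above
SET_B = "/home/paolo/SetB/*"

class ChineseWallMonitor:
    def __init__(self):
        self.gvar = {"A": 0, "B": 0}   # gvar[1], gvar[2]: which set has been used
        self.open_fds = {}             # fd -> set label, i.e. lvar[1] per branch

    def check(self, call):
        """Return True if the call is admitted by the policy, False if it violates."""
        name, args = call[0], call[1:]
        if name == "open":
            path, mode, fd = args       # open(x1=path, x2=mode, x3=descriptor)
            if mode != "READ":
                return False            # the policy only admits READ opens
            # Normalise before matching so "SetA/../SetB/x" is classified as SetB.
            path = os.path.normpath(path)
            if fnmatch(path, SET_A) and self.gvar["B"] == 0:
                self.gvar["A"] = 1
                self.open_fds[fd] = "A"
                return True
            if fnmatch(path, SET_B) and self.gvar["A"] == 0:
                self.gvar["B"] = 1
                self.open_fds[fd] = "B"
                return True
            return False
        if name == "read":
            return args[0] in self.open_fds          # eq(x1, lvar[1])
        if name == "close":
            return self.open_fds.pop(args[0], None) is not None
        return False                                 # unknown call: not admitted

def replay(history):
    """Replay a constructed call history; return the index of the first violation, or None."""
    mon = ChineseWallMonitor()
    for i, call in enumerate(history):
        if not mon.check(call):
            return i
    return None
```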
GridTrust Framework: Tools and Policy-based Services
[Figure: NGG Architecture layers. GRID Application Layer: Secure VO Req Editor and VO Model and Refinement Tool turn Trust and Security Goals and Self-* requirements into 1. Global Policies (VO-level Policies, VO Mngt) and 2. Local Policies (Usage Control Policies). GRID Service Middleware Layer (OGSA compliant): Dynamic VO Services, Usage Control service, Sec Res Broker, Reputation Mgt service, ... GRID Foundation Middleware Layer: Computational usage control + TM (fine grained, continuous) with an Enforcer, over the Network Operating System and Resources. VO Members interact with the middleware services.]