Page 1: Grid Computing Security

Grid Computing Security

A Taxonomy

Fletcher Liverance, 5 May 2009

Based on: Anirban Chakrabarti, Anish Damodaran, Shubhashis Sengupta, IEEE Security & Privacy, 2007

Page 2: Grid Computing Security

Overview

• What is Grid Computing?
• Pie in the sky
• Host-level issues and solutions
• Architecture-level issues and solutions
• Credential-level issues

Page 3: Grid Computing Security

What is Grid Computing?

“Geographically distributed heterogeneous resources are virtualized as a unified whole.”

Related terms, for comparison:

• Web 2.0
• Scalable Link Interface (SLI)
• Virtualization
• Software as a service
• Folding@home
• Peer to peer
• Cluster computing
• Cloud computing
• Distributed computing

Page 4: Grid Computing Security

Computing Comparison

Page 5: Grid Computing Security

Pie in the sky

• IBM Roadrunner
  • 6,480 AMD dual core
  • 12,960 IBM PowerXCell

• Hewlett-Packard
  • 300,000 employees
  • 600,000 processors
  • 600 TB of RAM
  • 120,000 TB of storage

• World wide
  • One billion PCs
  • 95 million consoles
  • Two billion cell phones

Page 6: Grid Computing Security

Host-level issues and solutions

• Data protection
  • Application-level sandboxing
    • Proof-carrying code
      • Rules guaranteeing safe execution
      • Code producer responsible for safety
      • Does not scale
    • Virtualization
      • VMware GSX/ESX/Workstation
      • Paravirtualization
        • Xen
        • IA-32 architecture is non-virtualizable

Page 7: Grid Computing Security

Host-level issues and solutions

• Data protection
  • User-space sandboxing
    • TRON – process-level discretionary access control system
      • Simple, but requires system call reimplementation
      • Call chaining issues
      • Incomplete context
  • Flexible kernels (kernel-level sandboxing)
    • Exokernel OS, MIT
    • Zones, Sun Solaris 10
    • Application containers

Page 8: Grid Computing Security

Host-level issues and solutions

• Job starvation
  • Advanced reservation techniques
    • Request resources from grid scheduler
    • Non-transparent
    • Requires advanced scheduling techniques
  • Priority-reduction techniques
    • Local priority reduction
      • Sun Grid Engine
    • Ad hoc mechanism
      • Unpredictable behaviour, lower QoS performance
      • Example: peer to peer

Page 9: Grid Computing Security

Architecture-level issues and solutions

• Information security
  • Grid Security Infrastructure (GSI)
    • Secure communication
      • Transport-level security – SSL/TLS
      • Message-level security – Web Services Security (WSS) via SOAP
    • Authentication
      • CA certificates
      • User/password over SOAP with WSS
      • GSI-to-Kerberos gateway
    • Single sign-on and delegation
      • Timed proxy
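Added example, not from the slides or the paper: the relying-party check behind the "timed proxy" used for GSI single sign-on and delegation. It assumes the RFC 3820 proxy-certificate conventions (the user signs the proxy with their own key; the proxy subject is the user's subject plus one extra CN) and a site lifetime cap of 12 hours, which is an assumed policy value; all keys and certificates are constructed inline.

```python
# Added example, not from the slides: a relying-party check on a time-limited GSI-style
# proxy (RFC 3820 conventions assumed: user-signed, subject = user subject + one CN).
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

MAX_PROXY_LIFETIME = timedelta(hours=12)  # site policy cap (assumed value)

def issue(subject, issuer, issuer_key, pubkey, not_before, lifetime):
    # Build and sign a certificate; datetimes are naive UTC, as cryptography expects.
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_before + lifetime)
            .sign(issuer_key, hashes.SHA256()))

def make_proxy(user_cert, user_key, proxy_pubkey, now, lifetime):
    # Delegation: the user signs a short-lived proxy for a fresh key pair.
    subject = x509.Name(list(user_cert.subject) +
                        [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    return issue(subject, user_cert.subject, user_key, proxy_pubkey, now, lifetime)

def verify_proxy(proxy, user_cert, now):
    # Accept only a proxy the user signed, inside its window and the policy lifetime.
    try:
        user_cert.public_key().verify(proxy.signature, proxy.tbs_certificate_bytes,
                                      ec.ECDSA(proxy.signature_hash_algorithm))
    except Exception:
        return "bad signature"
    if list(proxy.subject)[:-1] != list(user_cert.subject):
        return "subject is not the user's subject plus one CN"
    nb, na = proxy.not_valid_before, proxy.not_valid_after
    if not nb <= now <= na:
        return "proxy expired or not yet valid"
    if na > user_cert.not_valid_after:
        return "proxy outlives the user certificate"
    if na - nb > MAX_PROXY_LIFETIME:
        return "proxy lifetime exceeds policy cap"
    return "ok"

def demo():
    now = datetime(2009, 5, 5)  # constructed clock (UTC)
    user_key, proxy_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "grid-user")])
    user_cert = issue(name, name, user_key, user_key.public_key(), now, timedelta(days=365))  # self-signed stand-in for a CA-issued cert
    short = make_proxy(user_cert, user_key, proxy_key.public_key(), now, timedelta(hours=8))
    long_ = make_proxy(user_cert, user_key, proxy_key.public_key(), now, timedelta(days=30))
    return {"fresh": verify_proxy(short, user_cert, now + timedelta(hours=1)),
            "stale": verify_proxy(short, user_cert, now + timedelta(hours=9)),
            "too_long": verify_proxy(long_, user_cert, now)}
```

The stale and over-long proxies are rejected without ever touching the user's long-lived private key, which is the point of delegating through a timed proxy.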

Page 10: Grid Computing Security

Architecture-level issues and solutions

• Policy-mapping issues
  • Resource level
    • Akenti – distributed access control mechanism
      • Use-condition certificates
      • Attribute certificates
  • Virtual Organization level
    • Community Authorization Service (CAS)
    • Role-based access control

• DoS
  • Preventative solutions
    • Application filtering
    • Snort – intrusion detection system
  • Reactive solutions
    • Link testing
    • Logging

Page 11: Grid Computing Security

Credential-level issues

• Credential repositories
  • Take responsibility for credential storage
  • MyProxy Online

• Credential federation systems
  • “Manage credentials across multiple systems, domains, and realms.”
  • KX.509
  • Circle of trust
  • Shibboleth

Page 12: Grid Computing Security

Conclusions

“Grid security’s ultimate goal is to make the grid infrastructure seamless and protect it against both known and unknown security attacks.”

1. Identify vulnerabilities
2. Develop threat models
3. Develop countermeasures to threat models
4. Evaluate countermeasures
5. (repeat ad nauseam)