Daoli Web > GridSecurity (09 May 2008, Main.Admininistrator)

Grid Security

A central security requirement for grid computing can be referred to as behaviour conformity. This is an assurance that ad hoc related principals (users, platforms or instruments) forming a grid virtual organisation (VO) must each act in conformity with the rules for the VO constitution. Existing grid security practice has little means to enforce behaviour conformity and consequently falls short of satisfactory solutions to a number of problems.

What is Computational Grid

A computational grid can be regarded as a next-generation distributed computing system comprising a number of physically separated resources, each subject to its own security, management and usage policies, which combine into a federated computing environment called a virtual organisation (VO). The name "grid" follows by analogy with tapping electricity supplied by the power grid: computational resources nowadays can and should likewise be tapped from supercomputers and data centres elsewhere. Early computational grids were more or less confined to a high-performance computing setting in which a grid VO comprises one user plus a number of computational resource providers and/or data centres. Grid computing has since evolved to a more general setting of federated computing which supports sharing of resources and data not only for high-performance computing but also for scientific collaborations. In this general federated computing model, a VO of principals, which may be any number of users, computing platforms or devices, works on a number of common tasks and therefore has similar requirements on resource utilities.

Challenges of Grid Security

In the general setting of a grid VO, principals are distributed across different trust and management domains which can span governmental, industrial and academic organisations. These principals are also only ad hoc related to one another, because (i) a VO usually does not have reliable control over a principal the way a real organisation has over its employees and assets, (ii) these principals need not maintain a responsible relationship with one another as members of a real organisation should, and (iii) a VO is dynamic: it usually comes into being, grows, shrinks or terminates in an unpredetermined manner.

Despite these ad hoc and dynamic properties, grid computing needs strong security services. In addition to the usual security services of conventional distributed computing, which mainly protect owned or organisationally controlled assets against external adversaries, a principal in grid computing also has interests on a platform which is outside the principal's ownership or organisational control, and the needed protection is often against the very owner of that platform.

Here are a few typical grid security problems:

  • Security for grid user

Most grid applications entail code written in one place being executed in another. A host platform's owner should not be able to compromise a guest user's security. For example, a guest algorithm running on a host may need protection, in confidentiality and integrity, for the guest's input to the algorithm and for the output returned to the guest. The protection may need to hold even against a privileged entity (e.g., the superuser) at the host.

  • Security for grid resource provider

A guest user should not be able to compromise security at a resource provider, e.g., by causing damage to data or devices. The protection may need to be strong enough to withstand collusion among a group of VO users.

  • Conformable VO policy

However ad hoc a VO may be, it still needs a conformable policy. For example, a VO policy may be that no participant may disseminate certain VO-owned data outside the VO. The difficulty is maintaining conformity to the policy despite the ad hoc nature of the VO. For example, even with little control over its members, a VO must still be able to remove a member without letting VO data be taken away.

  • Auditability

Any misuse of resources by users, and any compromise of users' data and/or computations, possibly by a privileged entity at a resource provider, must be detectable in an undeniable manner.

Thus, protecting a user's interests on a platform which may be beyond the user's organisational control is the distinct nature of grid security. We can summarise a threat model for grid security as follows.

  • Threat Model for Grid Security: partner-and-adversary

VO participants are collaboration partners as well as potential adversaries to one another. A participant has interests needing protection in computing environments which are under the control of other participants.

Grid Security Infrastructure (GSI)

[Fig 1: Grid_VO_Construction_GSI.jpg, a typical VO structure in GSI]

Existing and mainstream grid security practice, in fact mainly that supported by the Grid Security Infrastructure (GSI) of the standard grid middleware, the Globus Toolkit, is essentially the result of directly applying the standard public-key infrastructure (PKI). Fig 1 depicts a typical VO structure in GSI. This VO is initiated by a user Alice, who is assumed to hold an identity certificate issued by a system-wide known grid certification authority (CA). Alice creates the VO by recruiting a member (named Proxy 1 in Fig 1). Further enlargement of the VO, if necessary, is proxy-authorised to be carried out by Proxy 1 (i.e., without Alice's involvement), and likewise by subsequent proxies until the VO becomes sufficiently large (e.g., with n + 1 members in the case of Fig 1). In order for the enlargement to be performed in a streamlined fashion without complex interactions among many members, GSI applies PKI to form a proxy certification chain: Alice creates a key pair and certifies the public part for Proxy 1, who in turn creates a key pair and certifies the public part for Proxy 2 (recruited by Proxy 1), and so on. This way, a new member can verify, without interaction with Alice, that it is indeed Alice who has authorised the organisation of the VO.

The trust model implied by the direct application of PKI to the VO in Fig 1 is the following. An unknown principal is deemed trustworthy if it has been introduced by a trusted third party (TTP). It is hoped that the introduced principal will behave responsibly, since it should try its best to honour the TTP's introduction. Note, however, that this is only a hope. We remark that in this introduction-based trust model a TTP is usually positioned outside the system of partners. For example, if a protocol involves Alice and Bob who need a TTP's service, the TTP is usually not an active or inline participant in the protocol; in particular, the TTP is usually not placed inside the platforms of the protocol participants. Unfortunately, the introduction-based trust model does not suit grid security (including the typical case in Fig 1) very well. Clearly, for grid security facing partner-and-adversary threats, Alice has little control over whether or not the proxy credentials will be misused. In order to mitigate the potential loss or misuse of proxy credentials, GSI stipulates a policy that a proxy credential has a short lifetime of 12 hours. This is obviously a rather coarse policy and greatly limits the power of grid computing. We can say that the VO constructed in Fig 1 is only suitable for a collegial environment in which partners are colleagues or friends.
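The proxy certification chain of Fig 1 and the 12-hour lifetime policy, worked through as an added example (this is illustrative code, not the Globus Toolkit's or GSI's own). It assumes a simplified credential signed with ed25519 in place of the X.509 proxy certificates GSI actually uses; the field names and the `Delegate`/`VerifyChain` functions are this example's own. The verifier holds only Alice's public key and checks each link back to it, so Alice is never contacted; an expired link, or a link not issued by the previous subject, fails the chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// ProxyLifetime mirrors the GSI policy quoted on the page: a proxy
// credential is valid for 12 hours from issue.
const ProxyLifetime = 12 * time.Hour

// ProxyCert is a simplified proxy credential (assumption: not the X.509
// proxy certificate format): the issuer certifies that Subject may act in
// the VO until NotAfter.
type ProxyCert struct {
	Subject   ed25519.PublicKey
	Issuer    ed25519.PublicKey
	NotAfter  time.Time
	Signature []byte
}

// tbs returns the to-be-signed bytes: subject key, issuer key and expiry.
func tbs(subject, issuer ed25519.PublicKey, notAfter time.Time) []byte {
	buf := append([]byte{}, subject...)
	buf = append(buf, issuer...)
	return append(buf, []byte(notAfter.UTC().Format(time.RFC3339))...)
}

// Delegate creates a fresh key pair for a new VO member and has the current
// holder (issuerPriv) certify it. The recruiter never sees the new private key.
func Delegate(issuerPriv ed25519.PrivateKey, now time.Time) (ProxyCert, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ProxyCert{}, nil, err
	}
	issuerPub := issuerPriv.Public().(ed25519.PublicKey)
	notAfter := now.Add(ProxyLifetime)
	c := ProxyCert{Subject: pub, Issuer: issuerPub, NotAfter: notAfter}
	c.Signature = ed25519.Sign(issuerPriv, tbs(pub, issuerPub, notAfter))
	return c, priv, nil
}

// VerifyChain checks, without contacting Alice, that chain[0] was issued by
// the trusted root key and each later certificate by the subject of the one
// before it, and that no link has expired at time now.
func VerifyChain(root ed25519.PublicKey, chain []ProxyCert, now time.Time) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	expectedIssuer := root
	for i, c := range chain {
		if !c.Issuer.Equal(expectedIssuer) {
			return fmt.Errorf("link %d: issuer is not the previous subject", i)
		}
		if now.After(c.NotAfter) {
			return fmt.Errorf("link %d: proxy credential expired at %s", i, c.NotAfter.UTC().Format(time.RFC3339))
		}
		if !ed25519.Verify(c.Issuer, tbs(c.Subject, c.Issuer, c.NotAfter), c.Signature) {
			return fmt.Errorf("link %d: bad signature", i)
		}
		expectedIssuer = c.Subject
	}
	return nil
}

// BuildChain plays out Fig 1: Alice certifies Proxy 1, Proxy 1 certifies
// Proxy 2, and so on for n proxies. Returns Alice's public key and the chain.
func BuildChain(n int, start time.Time) (ed25519.PublicKey, []ProxyCert, error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	chain := make([]ProxyCert, 0, n)
	holder := alicePriv
	for i := 0; i < n; i++ {
		c, next, err := Delegate(holder, start)
		if err != nil {
			return nil, nil, err
		}
		chain = append(chain, c)
		holder = next // Alice is no longer involved after the first link
	}
	return alicePub, chain, nil
}

func main() {
	start := time.Date(2008, 5, 9, 13, 0, 0, 0, time.UTC) // constructed timestamp
	root, chain, err := BuildChain(3, start)
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh chain:", VerifyChain(root, chain, start.Add(time.Hour)))
	fmt.Println("after 13h:  ", VerifyChain(root, chain, start.Add(13*time.Hour)))
}
```

Note what the check cannot do: a correctly signed, unexpired chain says nothing about how Proxy 2 will use its key on a platform Alice does not control, which is exactly the gap the short lifetime papers over.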

Then what exactly is the desirable security mechanism for a computing environment with a partner-and-adversary threat model? We need to place a TTP right inside the computing platform owned by one participant in order to protect the interests of the other participant(s).

Solution with Trusted Computing

We consider that Trusted Computing (TC) technology, developed by the Trusted Computing Group (TCG), forms a practical and readily available technical means of countering partner-and-adversary threats in grid security. TCG is an important industry initiative for improving computer security by means of a hardware-supported security architecture. TCG uses a tamper-protected hardware module called the Trusted Platform Module (TPM), which is integrated into a computing platform. With the tamper-protection property of the TPM, TCG in effect treats a platform owner as a potential adversary with respect to the rules of the federated computing system in which the platform is involved, and tries to prevent this party from bypassing or breaching the rules. In contrast to conventional security mechanisms against external, or less privileged, adversaries, the owner of a platform is usually in a privileged position, i.e., a stronger adversary, and is therefore harder to prevent from wrongdoing.

With hardware-protected cryptographic capabilities, the TPM integrated into a computing platform is effectively an in-platform TTP which is there to protect the rules of fair play for all participants, whether the owner of the platform or a guest user. For a federated computing system, TCG technology can not only improve security in the conventional sense (because of the hardware enhancement), for instance with strong protection of cryptographic key material, but also, more innovatively, allow the conforming behaviour of a platform and its owner/users to be measured by the rest of the participants in the federated computing system.
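How the "measured by the rest of the participants" idea works in practice, as an added example that is not part of the original page and not TCG's or any TPM vendor's code. It models the TPM extend operation (PCR <- H(PCR || digest), a documented TPM behaviour) and a signed quote bound to a verifier nonce, and lets another VO participant check the platform against an allow-list standing in for VO policy. The ed25519 attestation key, the `Platform` type, the measurement-log layout and the sample component bytes are this example's own assumptions; a real TPM signs quotes with an RSA or ECC attestation key and exposes many PCRs rather than one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Measurement is one entry of the platform's measurement log: a label for
// the component and the digest of its code/configuration that was recorded.
type Measurement struct {
	Label  string
	Digest [32]byte
}

// PCR models a TPM platform configuration register. It can only be
// extended, never set directly, so the owner cannot rewrite history.
type PCR [32]byte

// Extend implements PCR <- H(PCR || digest).
func (p PCR) Extend(d [32]byte) PCR {
	return PCR(sha256.Sum256(append(p[:], d[:]...)))
}

// ReplayLog recomputes the PCR a verifier expects from a measurement log.
func ReplayLog(log []Measurement) PCR {
	var p PCR // PCRs start at all zeros
	for _, m := range log {
		p = p.Extend(m.Digest)
	}
	return p
}

// Quote is the platform's signed report of its PCR, bound to a verifier-chosen
// nonce so it cannot be replayed. ed25519 stands in for the attestation key.
type Quote struct {
	PCR       PCR
	Nonce     []byte
	Signature []byte
}

func quoteTBS(p PCR, nonce []byte) []byte {
	return append(append([]byte{}, p[:]...), nonce...)
}

// Platform holds the hardware-bound key, the PCR and the measurement log.
type Platform struct {
	priv ed25519.PrivateKey
	pcr  PCR
	log  []Measurement
}

func NewPlatform() (*Platform, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Platform{priv: priv}, pub
}

// Load records a component before it runs: the digest goes into the log and the PCR.
func (pl *Platform) Load(label string, code []byte) {
	d := sha256.Sum256(code)
	pl.log = append(pl.log, Measurement{Label: label, Digest: d})
	pl.pcr = pl.pcr.Extend(d)
}

// Quote signs the current PCR together with the verifier's nonce.
func (pl *Platform) Quote(nonce []byte) (Quote, []Measurement) {
	sig := ed25519.Sign(pl.priv, quoteTBS(pl.pcr, nonce))
	return Quote{PCR: pl.pcr, Nonce: nonce, Signature: sig}, pl.log
}

// VerifyQuote is run by another VO participant: it checks the nonce, the
// signature under the platform's attestation key, that the log replays to the
// quoted PCR, and that every loaded component is on the VO's allow-list.
func VerifyQuote(platformPub ed25519.PublicKey, nonce []byte, q Quote, log []Measurement, allowed map[[32]byte]string) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("quote nonce mismatch (possible replay)")
	}
	if !ed25519.Verify(platformPub, quoteTBS(q.PCR, q.Nonce), q.Signature) {
		return errors.New("quote signature invalid")
	}
	if ReplayLog(log) != q.PCR {
		return errors.New("measurement log does not replay to quoted PCR")
	}
	for _, m := range log {
		if _, ok := allowed[m.Digest]; !ok {
			return fmt.Errorf("component %q is not permitted by VO policy", m.Label)
		}
	}
	return nil
}

func main() {
	pl, pub := NewPlatform()
	agent := []byte("constructed sample: approved VO agent v1")
	pl.Load("vo-agent", agent)
	allowed := map[[32]byte]string{sha256.Sum256(agent): "vo-agent"} // VO policy
	nonce := []byte("constructed verifier nonce")
	q, log := pl.Quote(nonce)
	fmt.Println("conforming platform:  ", VerifyQuote(pub, nonce, q, log, allowed))
	pl.Load("rogue-patch", []byte("unapproved code"))
	q, log = pl.Quote(nonce)
	fmt.Println("after unapproved load:", VerifyQuote(pub, nonce, q, log, allowed))
}
```

The point the code makes concrete is the direction of trust: the owner can load whatever it likes, but because the PCR only extends and the quote is signed by a key the owner does not hold, the other participants learn about it, and an owner who omits the rogue entry from the log is caught by the replay check.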

Topic revision: r2 - 09 May 2008 - 13:35:20 - Main.Admininistrator