2.2 Grid Security
2.2.1 Grid Security Requirements
For a better exposition of the security requirements for grid environments, we consider an example grid application. Our example concerns a scientific experiment called Compact Muon Solenoid [88, 162]. In the experiment, conducted at the Large Hadron Collider in the CERN Laboratory, Switzerland, the collected data is to be analysed by more than 2,000 physicists at more than 150 universities and laboratories located in 34 countries. Clearly, the security challenges mainly come from the dissemination, processing and sharing of the data.
Before the data is transmitted from one domain to another, the authenticity of the requestor must be verifiable so that only an authorized requestor is able to access the available resources. When dealing with dissemination and access of data across many different resource centres in different countries, integration of security mechanisms and policies becomes a requirement. Also, in many cases, data confidentiality and integrity can be vital to safeguard the physicists' research findings. When it comes to processing data, high-end computational resources generally require high investment, and thus it is desirable that their usage can be tightly controlled, typically through access control mechanisms. This is essential in balancing resource usage between users from the physical organisations and the physicists from the virtual organisations. While, in certain circumstances, some research laboratories may have long-term trust relationships with each other, in most cases remote resource access is anticipated to be short-term, typically on the order of hours or days. These trust relationships can be defined in the policies targeted at virtual organisations as well as at hosting resources. From the data sharing aspect, trust establishment between entities of various universities and laboratories plays a crucial part in grid security.
Policy enforcement can be rather complicated, as expressing and exchanging policies within a virtual organisation involves remote entities with different security mechanisms and access privileges. All these security challenges must be considered when designing a sound grid security architecture.
With a rough idea of what security requirements might be expected in a grid application, we now compile a more formal list of grid security requirements deemed to be essential for supporting scalable, dynamic and distributed virtual organisations [69, 103, 104, 162, 173].
• Entity authentication. In a grid environment, there are several types of entities that need to be authenticated. The most common are individual users who utilise grid resources and hosts which provide resources and services. Sometimes, a system administrator or an organisation can be thought of as an entity in its own right.
• Single sign-on. Participants in a grid environment often need to co-ordinate and communicate with multiple resources to accomplish a single job. It may be overly burdensome to the participants if they have to manually authenticate with each resource, e.g. by typing in a passphrase. Therefore, they should only need to perform an authentication process once, to the first resource, when a job is initiated, and not have to perform any further authentication with other resources.
• Delegation. The constantly changing size and membership of a virtual organisation encourages delegation of credentials and access rights from a job requestor to an intermediary such as a grid gateway or a resource broker, or directly to a target resource. This helps to achieve unattended authentication, i.e. authentication without any physical intervention from the requestor. This is particularly useful when a job takes a relatively long period of time to complete. Also, by delegating authority from the requestor to another entity, remote execution of the job becomes transparent to the requestor. This augurs well for the realisation of the grid vision in which computational grids are seen as uniform resources by the users regardless of the users' physical locations.
• Credential life-span and renewal. To limit the risk of compromising a user's services, the credential must be limited to a reasonable lifetime. In many cases, it may be difficult to predict accurately the credential lifetime required for a specific job. In those cases where the job takes a longer execution time than the lifetime of the issued credential, the user needs to be notified before the credential expires so that it can be renewed by the user.
• Data confidentiality and integrity. As with other standard distributed systems, protection of sensitive information from exposure to unintended parties can be critical. For example, this may be the case for health care applications, intellectual property oriented experiments, digital rights protected content delivery and so forth. Many modern security mechanisms which provide data privacy also offer data integrity protection, preventing unauthorized and undetectable modification of data by malicious parties.
• Authorization and access control. Grid applications require access to resources which may be located in different organisational domains with different owners. The access rights of a user should be based on authorization policies defined by the user's virtual organisation, the resource owners and local system administrators. This process is usually complementary to entity authentication, so that policy enforcement can be targeted at a specific user.
• Integration and inter-operability. Each organisational domain has its own security infrastructure which supports a set of security mechanisms. These may be different from other domains or hosting environments. These mechanisms are typically based on existing security technologies which have been well-established, some of which will be discussed in Section 2.2.2. Hence, a practical grid security architecture must be able to support and integrate with current security mechanisms. Similarly, adoption of new standards or technologies should place high emphasis on solving potential integration issues that may arise. In addition, inter-operability between communicating parties should be achievable at various levels such as transport-level, message-level and service-level [71].
• Trust relationships. Establishing trust relationships between entities within a grid environment is arguably one of the most important security requirements. Trust can be expressed in the form of policies. For example, users or system administrators can decide whether or not to trust their Certificate Authority (CA) based on the Certificate Policy and Certification Practices Statement (CP/CPS) issued by the CA. Trust relationships between CAs can be established through a Policy Management Authority (PMA). At the user level, a job requestor who has delegated his credential to a remote resource has to trust the resource not to misuse the delegated authority that it possesses.
• Miscellaneous. There are additional security requirements which need to be considered when designing a grid security solution, such as firewall traversal, security assurance, accounting, auditing, user privacy, security management, policy management and so forth. Among these, mechanisms capable of allowing data to cleanly traverse firewalls without compromising local control of firewall policy are crucial for implementing cross-domain grid systems. This has partly driven the adoption of SOAP message security (which we will discuss in Section 2.2.3). For more details about other security requirements and a more comprehensive discussion of grid security requirements in general, see [162, 173].
In this thesis, our focus will be on the first five items from the above list, namely: (i) entity authentication; (ii) single sign-on; (iii) delegation; (iv) credential life-span and renewal; and (v) data confidentiality and integrity. Furthermore, we will look at the integration of our proposals with current grid security architectures.