CoreGrid Fellowship at CETIC

Securing the GRID

CoreGrid Fellowship at CETIC

Securing the GRID

Syed Naqvi has joined CETIC for the first part of his coregrid fellowship. During 9 month from January 2006, he will work on studying requirements and design for a more secure GRID. He will then spend the following 9 month in CCLRC (UK) for the implementation part.

Context

Computational grids, peer-to-peer systems, pervasive/ubiquitous computing, etc.) has become a mainstream operational concern. Establishment of in-depth security services and trust relationships are the most desirable features for such systems.

In the PhD he just finished, Syed Naqvi proposed a security architecture to address the comprehensive security needs of these systems. Extensive groundwork was carried out to determine the limitations and shortcomings of the existing security solutions for these systems and to establish the real needs of the security architecture in order to reduce performance overheads and to provide robust security. These include requirements analysis, risk analysis, threat modeling, and implementation feasibility.

The concept of virtualization of security services is introduced for the security services. It is needed to have the absolute freedom to choose the underlying security mechanisms. From the security point of view, the virtualization of a service definition encompasses the security requirements for accessing that service. The need arises in the virtualization of security semantics to use standardized ways of segmenting security components (e.g., authentication, access control, etc.) and to provide standardized ways of enabling the federation of multiple security mechanisms. Virtualization permits each participating end-point to express the policy it wishes to see applied when engaging in a secure conversation with another end-point.

Policies can specify supported authentication mechanisms, required integrity and confidentiality, trust, privacy policies, and other security constraints. This concept of virtualization of security services can be realized through distributed virtual engines that will enable security service calls to be unified according to requirements and not according to the technologies to be supported.

A configurable mechanism for the invocation of security services is proposed to address security needs of the different kinds of users. This approach permits the evolution of security infrastructure with less impact on the resource management functionalities, which are still on the verge of evolution. Moreover, it permits the users and resource providers to configure the security architecture according to their requirements and satisfaction level. The set of these security services include core security services (such as authentication, authorization, identity mapping, audit, etc.) as well as contemporary security services (such as mobile access control, dynamic digital signature, etc.)

Scientific Contribution

The proposed fellowship will contribute to the general objective of the roadmap of the second CoreGrid workpackage whose aims is to provide an integrated view of data and knowledge management in Grids. More specifically:

  • the lowest layer deals with systems-level, distributed storage management issues. The proposed fellowship will address issues related to storage management policies, by modelling security requirements at the application level, and the requirements on mechanisms for using storage semantic web services.
  • the middle layer explores techniques that will turn storage systems into knowledge representation systems. The fellowship proposal will address semantic modelling issues by providing requirements for expressing security related quality of service when searching for semantic web services, and negotiating quality of service with service providers.