Professional Documents
Culture Documents
Definition of Trust:
Trust is the firm belief in the competence of an entity to behave as expected such
that this firm belief is a dynamic value associated with the entity and is subject to
the entitys behavior and applies only within a specific context at a given time.
Trust
It is context based (under different context may have different trust value)
Reputation:
When making trust-based decisions, entities can rely on others for information
regarding to a specific entity.
Definition of Reputation:
Entities may form alliances and they may trust their allies and business partners
more than others.
1. network sniffers,
2. out-of-control access,
3. faulty operation,
4. malicious operation,
6. delegation,
On the one hand, a user job demands the resource site to provide security
assurance by issuing a security demand (SD).
On the other hand, the site needs to expose its trustworthiness, called its trust
index (TI).
When determining its security demand, users usually care about some typical
attributes. These attributes and their values are dynamically changing and
depend heavily on the trust model, security policy, accumulated reputation,
self-defense capability, attack history, and site vulnerability.
Three challenges are outlined below to establish the trust among grid sites.
A service needs to be open to friendly and interested entities so that they can
submit requests and access securely.
Trust Model:
Resource sharing among entities is one of the major goals of grid computing.
To create the proper trust relationship between grid entities, two kinds of trust
models are often used.
1. One is the PKI -based model, which mainly exploits the PKI to
authenticate and authorize entities.
The three major factors which effect the trustworthiness of a resource site.
Direct reputation is decided based on the job success rate, site utilization, job
turnaround time, and j ob slowdown ratio measured.
In a reputation-based model, jobs are sent to a resource site only when the site
is trustworthy to meet users demands.
The defense capability refers to the sites ability to protect itself from danger.
On the contrary, a negative experience with a site will decrease its reputation.
A Fuzzy-Trust Model:
In this model, the j ob security demand (SD) is supplied by the user programs.
The trust index (TI ) of a resource site is aggregated through the fuzzy-logic
inference process over all related parameters.
Specifically, one can use a two-level fuzzy logic to estimate the aggregation
of numerous trust parameters and security attributes into scalar quantities that
are easy to use in the j ob scheduling and resource mapping process.
Fuzzification.
Inference.
Aggregation.
Defuzzification.
The second salient feature of the trust model is that if a sites trust index
cannot match the job security demand (i.e., SD > TI ), the trust model could
deduce detailed security features to guide the site security upgrade as a result
of tuning the fuzzy system.
Authentication:
Mutual Authentication
Mutual authentication is the key concept of Grid computing model.
A user is allowed to access certain resource of Grid environment
providing the user is authorized entity.
On the basis of the dependence relationship mutual authentication
takes place to avoid replacement source to restrict.
User Proxies
A user proxy is a conference manager process that provides consent to
proceed on behalf of a user for a limited phase of time. User proxy
mechanism is a substitute for the user. It has got the unique feature to
prevent repetitive password typing by the user for offering its service.
The major authentication methods in the grid include passwords, PKI , and
Kerberos. The password is the simplest method to identify users, but the most
vulnerable one to use.
To implement PKI , we use a trusted third party, called the certificate authority
(CA). Each user applies a unique pair of public and private keys.
The public keys are issued by the CA by issuing a certificate, after recognizing a
legitimate user.
The private key is exclusive for each user to use, and is unknown to any other
users. A digital certificate in IEEE X.509 format consists of the user name, user
public key, CA name, and a secrete signature of the user.
Typically, the resource is a host that provides processors and storage for services
deployed on it. Based on a set predefined policies or rules, the resource may
enforce access for local services.
The central authority is a special entity which is capable of issuing and revoking
polices of access rights granted to remote accesses.
The user conducts handshake with the authority first and then with the
resource site in a sequence.
Then the resource contacts its authority to verify the request, and the
authority authorizes at step 3.
Finally the resource accepts or rejects the request from the subject at step
4.
The subject check with the authority at step 1 and the authority makes
decisions on the access of the requested resources.
GSI lets a user create and delegate proxy credentials to processes running on
remote resources; this allows remote processes and resources to act on a users
behalf.
This feature is important for complex applications that need to use a variety of
remote resources.
Proxy credentials are short-lived credentials created by a user; in essence they
are a short-term binding of the users identity to an alternate private key.
It allows users to be authenticated once, and then perform multiple actions.
The proxy credential is stored unencrypted for ease of repeated access, and has
a short lifetime in case of theft.
Single sign-on is an important feature as it simplifies the coordination of
multiple resources; a user authenticates once, and can then perform multiple
actions without further authentication; in addition, the system allows processes
to act on the users behalf without further authentication.
Authorization modes in GSI
GSI supports three authorization modes on both the server and client.
Server-side authorization
Depending on the authorization mode chosen, the server will decide if it accepts or
declines an incoming security request.
None: This is the simplest type of authorization. No authorization will be
performed.
Self: A client will be allowed to use a grid service if the clients identity is the
same as the services identity.
Gridmap: The gridmap file contains a list of authorized users; this is similar
to an ACL.Here only the users listed in the services gridmap file may invoke
it.
Client-side authorization:
A client in GSI can chose to use a remote service or not based on it having the appropriate
security credentials.
None: No authorization will be performed.
Self: The client will authorize an invocation if the services identity is the same as
the client. If both client- and server-side use self-authorization, a service can be
invoked if its identity matches the clients.
Host: The client will authorize a security request if the host returns an identity
containing the hostname. This is done using host certificates.
Requesting a certificate:
o The GSI uses the Secure Sockets Layer (SSL) [8] for its mutual authentication
protocol. Before mutual authentication can occur, the entities involved must
first trust the CAs that signed each others certificates.
o Each entity will have a copy of the other CAs certificate, which contains its
public keys. The authentication process is illustrated in Figure .
o To mutually authenticate:
1. The first entity (A) establishes a connection with the second entity (B).
To start the authentication process, A gives B its certificate. The certificate
tells B who A is claiming to be (the identity), As public key, and which CA
is being used to certify the certificate.
2. First, B makes sure that the certificate is valid by checking the CAs digital signature to
ensure that the CA actually signed the certificate and that the certificate has not been
tampered with. This is the point where B must trust the CA that signed As certificate.
3. Once B has checked out As certificate, B makes sure that A really is the entity identified
in the certificate. To do this, B generates a random plaintext message and sends it to A,
asking A to encrypt it.
4. A encrypts the message using its private key, and sends it back to B. B decrypts the
message using As public key. If the result is the same as the original random message,
then B knows that A is who they say they are and B trusts As identity.
5. The same operation now happens in reverse. B sends A its certificate.
A validates the certificate and sends a challenge message to be encrypted. B encrypts the
message and sends it back to A. A decrypts it and compares it with the original. If it
matches, then A knows that B is who they say they are.
6. At this point, A and B have established a connection to each other and are certain that they
know each others identities, i.e. they trust each other.
Confidential communication:
The GSI delegation capability is the means to reduce the number of times a
user must enter the pass phrase.
If an activity requires that several resources be used, or a broker or agent is
acting upon a users behalf each requiring mutual authentication, a proxy can
be created (as shown in Figure ) that avoids the need to enter the pass phrase
repeatedly.
A proxy consists of a new certificate (with a new public key) and a new
private key. The new certificate contains the owners identity, modified
slightly to indicate that it is a proxy.
The owner, rather than a CA, signs the new certificate. The certificate also
includes a time notation, after which others should no longer accept the proxy.
Proxies have limited lifetimes and cannot live past the expiry of the original
certificate. The proxys private key must be kept secure.
As the proxys key is not valid for very long, it is typically kept on the local
storage system without being encrypted, but with file permissions that prevent
it being examined easily.
Once a proxy is created and stored, the user can use the proxy certificate and
private key for mutual authentication without entering a password.
5.4 Cloud Security Infrastructure:
Many of the cloud computing associated risks are not new and can be found in the
computing environments.
There are many companies and organizations that outsource significant parts of
their business due to the globalization.
It means not only using the services and technology of the cloud provider, but
many questions dealing with the way the provider runs his security policy.
After performing an analysis the top threats to cloud computing can be
summarized as follows
Abuse and Unallowed Use of Cloud Computing;
Malicious Insiders;
Information Security
In the traditional data center, controls on physical access, access to hardware and software
and identity controls all combine to protect the data. In the cloud, that protective barrier that
secures infrastructure is diffused. The data needs its own security and will require:
The following security compromises between the three cloud deployment models have been
identified.
SaaS provides the most integrated functionality built directly into the offering, with
the least consumer extensibility, and a relatively high level of integrated security since
at the least the provider bears a responsibility for the security.
PaaS is intended to enable developers to build their own applications on top of the
platform. As a result it tends to be more extensible than SaaS, at the expense of
customer ready features.
IaaS provides few if any application-like features, but enormous extensibility. This
generally means less integrated security capabilities and functionality beyond
protecting the infrastructure itself. This model requires that operating systems,
applications, and content be managed and secured by the cloud consumer.
Infrastructure Security:
IaaS application providers treat the applications within the customer virtual instance
as a black box and therefore are completely indifferent to the operations and
management of a applications of the customer .
The entire pack customer application and run time application) is run on the
customers server on provider infrastructure and is managed by customers themselves.
For this reason it is important to note that the customer must take full responsibility
for securing their cloud deployed applications.
Cloud deployed applications must be designed for the internet threat model.
They must be designed with standard security countermeasures to guard against the
common web vulnerabilities.
Customers are responsible for keeping their applications up to date - and must therefore
ensure they have a patch strategy to ensure their applications are screened from malware
and hackers scanning for vulnerabilities to gain unauthorized access to their data within
the cloud.
Customers should not be tempted to use custom implementations of Authentication,
Authorization and Accounting as these can become weak if not properly implemented.
The foundational infrastructure for a cloud must be inherently secure whether it is a private or
public cloud or whether the service is SAAS, PAAS or IAAS. It will require :
Stronger interface security: The points in the system where interaction takes
place (user-to-network, server-to application) require stronger security policies
and controls that ensure consistency and accountability.
Resource lifecycle management: The economics of cloud computing are
based on multi-tenancy and the sharing of resources. As the needs of the
customers and requirements will change, a service provider must provision
and decommission correspondingly those resources - bandwidth, servers,
storage and security. This lifecycle process must be managed in order to build
trust.
The infrastructure security can be viewed, assessed and implemented according its building
levels - the network, host and application levels.
When reviewing host security and assessing risks, the context of cloud services delivery
models (SaaS, PaaS, and IaaS) and deployment models public, private, and hybrid) should be
considered The host security responsibilities in SaaS and PaaS services are transferred to the
provider of cloud services. IaaS customers are primarily responsible for securing the hosts
provisioned in the cloud (virtualization software security, customer guest OS or virtual server
security).
It can be summarized that the issues of infrastructure security and cloud computing lie in the
area of definition and provision of security specified aspects each party delivers.