VO: Centralised or Decentralised Federation - PowerPoint PPT Presentation
1
VO: Centralised or Decentralised Federation
  • Philippe Massonet et al
  • CETIC
  • TG6, 19-20/03/2009

2
Trust in Dynamic Virtual Organisations
  • Since VOs are based on sharing information and
    knowledge, there must be a high degree of trust
    among the partners, especially since each partner
    contributes its core competencies
  • Threats
    • Bad service (contract not respected)
    • Attacks causing loss of information
    • Attacks causing disruption of service
    • Vulnerability to attacks (low level of security
      at one of the partners)

[Figure: five partners (1 to 5) linked by collaboration and by services]
How do you maintain trust and security properties
in a dynamic VO? There is a need for trust and
security mechanisms.
3
Secure VO Lifecycle Management
  • VO: a set of users that pool resources in order to
    achieve common goals, with rules governing the
    sharing of the resources
  • Trust and security policies are derived from the
    goals of the VO and the rules for sharing
    resources

[Figure: secure VO lifecycle, phases in order]
  • discovery of potential trustworthy partners
  • establishment of security policies, following the
    governing rules
  • monitoring, enforcing policies, maintenance of
    reputation
  • membership and policy adaptation
  • termination of trust relationships, maintenance of
    reputation
4
Security at Different Levels in Grid
NGG Architecture
  • VO
  • Service
  • Computational

[Figure: NGG layered architecture, top to bottom]
  GRID Application Layer
  GRID Service Middleware Layer
  GRID Foundation Middleware Layer
  Network / Operating System
5
Trust and Security Issues in Service based Grids
[Figure: a Service Requestor (SR) sends a Service Request to a Service Provider (SP) inside a VO; each side holds resources (Res.)]
  • Is the selected IP secure?
  • Can I trust the SR and SP?
  • Is the SP using my resources with malicious intent?
6
General Architecture
[Figure: GridTrust services deployed on top of Globus]
  • Service Providers
  • VO and VO Manager
  • GridTrust services: PPMService, SRBService,
    VBEService, TRSService, C-UCONService, Enforcer
  • Globus
7
From Access Control to Usage Control
[Figure: timeline of a usage decision]
  • Pre decision (before usage)
  • Ongoing decision (during usage): is the usage
    decision still valid? Mutability of attributes,
    continuity of decision
  • Can you revoke access?
8
Usage Control Services
  • Monitor the actions executed on behalf of the
    grid users and enforce a UCON security policy
  • Computational level (C-UCON)
    • The policy consists of a highly detailed
      description of the correct behaviour of the
      application being executed
    • Only applications whose behaviour is
      consistent with the security policy are executed
      on the computational resource
  • VO level (Enforcer)
    • Policy evaluation point that supports UCON
      policies
  • The usage control service will be integrated into
    the Globus middleware

[Figure: GRID Service Middleware Layer and GRID Foundation Middleware Layer; work packages WP3/WP4]
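The move from access control (slide 7) to usage control (slide 8) is easiest to see in code. The following is an added example, not code from the GridTrust project or the Globus integration the slides describe: a small UCON session monitor in which a policy is evaluated once before usage (pre decision) and again on every attribute change during usage (ongoing decision), revoking the session when a condition stops holding. The attribute names (`vo`, `cert_valid`, `cpu_seconds_used`, `allowed_vos`, `cpu_quota_seconds`), the conditions and the scenarios are illustrative assumptions.

```python
# Added example (not from the GridTrust slides): a minimal usage-control (UCON)
# session monitor. Classic access control decides once, before usage; UCON keeps
# evaluating while attributes mutate and revokes an in-progress usage when an
# ongoing condition stops holding. All attribute names and values are assumed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attributes = Dict[str, object]
Condition = Callable[[Attributes, Attributes], bool]


def in_allowed_vo(subject: Attributes, resource: Attributes) -> bool:
    return subject["vo"] in resource["allowed_vos"]


def certificate_valid(subject: Attributes, resource: Attributes) -> bool:
    return bool(subject["cert_valid"])


def within_cpu_quota(subject: Attributes, resource: Attributes) -> bool:
    return subject["cpu_seconds_used"] <= resource["cpu_quota_seconds"]


@dataclass
class UconPolicy:
    pre_conditions: List[Condition]      # checked once, before usage starts
    ongoing_conditions: List[Condition]  # re-checked on every attribute update

    def pre_decision(self, subject: Attributes, resource: Attributes) -> bool:
        return all(c(subject, resource) for c in self.pre_conditions)

    def ongoing_decision(self, subject: Attributes, resource: Attributes) -> bool:
        return all(c(subject, resource) for c in self.ongoing_conditions)


@dataclass
class UsageSession:
    subject: Attributes
    resource: Attributes
    policy: UconPolicy
    active: bool = False
    log: List[str] = field(default_factory=list)

    def start(self) -> bool:
        """Pre decision: the conventional access-control check."""
        if not self.policy.pre_decision(self.subject, self.resource):
            self.log.append("denied: pre-decision failed")
            return False
        self.active = True
        self.log.append("usage started")
        return True

    def update_attribute(self, side: str, key: str, value: object) -> None:
        """Mutable attributes: every change re-runs the ongoing decision."""
        target = self.subject if side == "subject" else self.resource
        target[key] = value
        self.log.append(f"{side}.{key} = {value!r}")
        if self.active and not self.policy.ongoing_decision(self.subject, self.resource):
            self.active = False  # revocation of an in-progress usage
            self.log.append("usage revoked: ongoing decision failed")


POLICY = UconPolicy(
    pre_conditions=[in_allowed_vo, certificate_valid, within_cpu_quota],
    ongoing_conditions=[in_allowed_vo, certificate_valid, within_cpu_quota],
)


def run_quota_scenario() -> UsageSession:
    """Constructed scenario: usage admitted, then revoked when the subject's
    consumed CPU time exceeds the resource's quota in the middle of usage."""
    subject = {"vo": "vo-alpha", "cert_valid": True, "cpu_seconds_used": 0}
    resource = {"allowed_vos": {"vo-alpha"}, "cpu_quota_seconds": 100}
    session = UsageSession(subject, resource, POLICY)
    session.start()
    session.update_attribute("subject", "cpu_seconds_used", 60)   # still allowed
    session.update_attribute("subject", "cpu_seconds_used", 130)  # quota exceeded
    return session


def run_denied_scenario() -> UsageSession:
    """Constructed scenario: a subject from a VO the resource does not admit."""
    subject = {"vo": "vo-beta", "cert_valid": True, "cpu_seconds_used": 0}
    resource = {"allowed_vos": {"vo-alpha"}, "cpu_quota_seconds": 100}
    session = UsageSession(subject, resource, POLICY)
    session.start()
    return session


if __name__ == "__main__":
    for entry in run_quota_scenario().log:
        print(entry)
```

The point to notice is that a pure access-control system would have granted the quota scenario and never looked again; the ongoing decision is what turns the "can you revoke access?" question of slide 7 into a concrete mechanism, and a certificate becoming invalid mid-session is handled by the same re-evaluation.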
9
Secure Resource Broker Service
  • Integrate access control with resource/service
    scheduling
  • Both resource owners and the VO define their
    resource access and usage policies
    • The resource broker schedules a user request
      only within the set of resources whose policies
      match the user credentials (and vice versa)
  • Scalability and efficiency
  • It will be integrated into the Globus middleware

[Figure: GRID Service Middleware Layer and GRID Foundation Middleware Layer; work packages WP3/WP4]
10
Trust and Reputation Service
  • Collect, distribute and aggregate feedback about
    entities' behaviour in a particular context in
    order to produce a rating of the entities
    • Entities can be users, resources/services,
      service providers or VOs
  • The reputation service is based on ideas from
    utility computing
  • Can be used in both centralised and distributed
    settings
  • The reputation service will also be integrated
    into the Globus middleware

[Figure: GRID Service Middleware Layer; work packages WP2/WP4]
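Slides 9 and 10 describe two services that naturally work together: the broker filters resources by matching policies in both directions, and the reputation service supplies the rating a requester's policy can demand. The following is an added example, not the GridTrust SRB or TRS code: a broker that admits a request only on resources whose owner policy accepts the user's credentials and whose attributes and reputation satisfy the user's own policy, ranked by a rating aggregated from context-specific feedback. The policy fields, the `job-execution` context, the role ranking and the geometric decay of older feedback are assumptions of this example; the slides do not specify an aggregation rule.

```python
# Added example (not the GridTrust SRB/TRS code): a resource broker that schedules
# only within the set of resources whose policy matches the user's credentials
# AND whose attributes and reputation match the user's policy, then ranks the
# matches by a reputation rating aggregated from decayed feedback. Policy fields,
# feedback context and the decay rule are illustrative assumptions.
from dataclasses import dataclass, field
from typing import Dict, List

ROLE_RANK = {"guest": 0, "member": 1, "admin": 2}  # assumed role ordering


@dataclass
class Feedback:
    entity: str
    context: str
    score: float      # 0.0 (bad behaviour) .. 1.0 (good behaviour)
    age_rounds: int   # 0 = most recent round of feedback


@dataclass
class ReputationService:
    """Collects feedback per entity and context and aggregates it into a rating;
    older feedback is down-weighted geometrically (assumed decay rule)."""
    decay: float = 0.8
    feedback: List[Feedback] = field(default_factory=list)

    def report(self, entity: str, context: str, score: float, age_rounds: int = 0) -> None:
        self.feedback.append(Feedback(entity, context, score, age_rounds))

    def rating(self, entity: str, context: str, default: float = 0.5) -> float:
        items = [f for f in self.feedback if f.entity == entity and f.context == context]
        if not items:
            return default  # unknown entity: neutral rating
        weights = [self.decay ** f.age_rounds for f in items]
        return sum(w * f.score for w, f in zip(weights, items)) / sum(weights)


def resource_admits_user(resource: Dict, creds: Dict) -> bool:
    """Resource owner's policy, evaluated against the user's credentials."""
    policy = resource["policy"]
    return (creds["vo"] in policy["allowed_vos"]
            and ROLE_RANK[creds["role"]] >= ROLE_RANK[policy["min_role"]])


def user_accepts_resource(request: Dict, resource: Dict, trs: ReputationService) -> bool:
    """User's (VO's) policy, evaluated against the resource's attributes and rating."""
    attrs = resource["attrs"]
    return (attrs["os"] == request["os"]
            and attrs["memory_gb"] >= request["min_memory_gb"]
            and trs.rating(resource["id"], "job-execution") >= request["min_reputation"])


def schedule(request: Dict, creds: Dict, resources: List[Dict],
             trs: ReputationService) -> List[str]:
    """Ids of resources satisfying both policies, best reputation first."""
    matches = [r for r in resources
               if resource_admits_user(r, creds) and user_accepts_resource(request, r, trs)]
    matches.sort(key=lambda r: trs.rating(r["id"], "job-execution"), reverse=True)
    return [r["id"] for r in matches]


def build_demo():
    """Constructed sample data: four resources and a short feedback history."""
    resources = [
        {"id": "r1", "attrs": {"os": "linux", "memory_gb": 16},
         "policy": {"allowed_vos": {"vo-alpha"}, "min_role": "member"}},
        {"id": "r2", "attrs": {"os": "linux", "memory_gb": 32},
         "policy": {"allowed_vos": {"vo-alpha"}, "min_role": "admin"}},
        {"id": "r3", "attrs": {"os": "linux", "memory_gb": 8},
         "policy": {"allowed_vos": {"vo-alpha"}, "min_role": "guest"}},
        {"id": "r4", "attrs": {"os": "linux", "memory_gb": 16},
         "policy": {"allowed_vos": {"vo-alpha"}, "min_role": "member"}},
    ]
    trs = ReputationService()
    trs.report("r1", "job-execution", 0.9, age_rounds=0)
    trs.report("r1", "job-execution", 0.8, age_rounds=1)
    trs.report("r2", "job-execution", 0.7, age_rounds=0)
    trs.report("r4", "job-execution", 0.3, age_rounds=0)  # misbehaving provider
    return resources, trs


REQUEST = {"os": "linux", "min_memory_gb": 12, "min_reputation": 0.6}


if __name__ == "__main__":
    resources, trs = build_demo()
    print(schedule(REQUEST, {"vo": "vo-alpha", "role": "member"}, resources, trs))
    print(schedule(REQUEST, {"vo": "vo-alpha", "role": "admin"}, resources, trs))
```

With the constructed data, a member of vo-alpha is scheduled only on r1: r2 requires the admin role, r3 has too little memory, and r4 is excluded by the requester's minimum reputation even though its owner policy would admit the user. The matching is symmetric on purpose: the owner's policy protects the resource, the requester's policy protects the job, and the broker honours both.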
11
VBE Virtual Breeding Environment Service
  • It manages the Virtual Breeding Environment
    composed of users and service providers (user,
    service provider registration, certificate
    management, etc.)

12
PPM Profile and Policy Management Service
  • The policy and profile management service is a
    database service that keeps information about the
    security policies of all the entities of the
    system
  • Supports several types of query
    • Service ID, Type, Name, attributes (OS, Memory,
      CPU type, Library, Certificate)

13
VO Library
  • Used by the VO Manager to interface with the
    GridTrust services
  • Offers a full set of functionalities to manage the
    VO life cycle (Creation, Termination, ...)
  • Manages access at the communication and
    authentication level from applications to the
    GridTrust services
  • Hides the complexity of certificate management
    between users and the GridTrust CA

14
GridTrust Framework - Components
[Figure: framework components and their relations]
  • Users
  • VO Library
  • Service providers
  • C-UCON
  • ENFORCER
  • GridTrust Services: TRS, VBE, SRB, PPM
  • PKI
15
Secure VO Lifecycle Formation
[Figure: VO formation involving the VBE Manager and the PKI]
16
Secure VO Lifecycle VO Operation
[Figure: VO operation inside the Virtual Breeding Environment; a VO user's Application invokes Service1, Service2 and Service3 in the VO, with the ENFORCER, the TRS and the Policy (covering Service1 and Service2) mediating]
17
VO and Federation
  • VO Federation
    • Loosely coupled
  • GridTrust VO
    • Federation of domains
    • But: centralised access control and a single
      certification authority
  • Need for decentralised?
    • VO management
    • Access control