Professional Documents
Culture Documents
Unit-5 GCC
Unit-5 GCC
Trust models for Grid security environment – Authentication and Authorization methods – Grid security
infrastructure – Cloud Infrastructure security: network, host and application level – aspects of data
security, provider data and its security, Identity and access management architecture, IAM practices in
the cloud, SaaS, PaaS, IaaS availability in the cloud, Key privacy issues in the cloud.
➢ If qualified security mechanisms are not there, then the threats may affect the
environment.Eg:network sniffers,
▪ out-of-control access,
▪ faulty operation,
▪ malicious operation,
▪ delegation,
➢ A user job demands the resource site to provide security assurance byissuing a security demand (SD).
➢ The site needs to reveal its trustworthiness, called its trust index (TI).
➢ These two parameters must satisfy a security assurance condition: TI ≥ SD during the job mapping
process.
➢ When determining its security demand, users usually care about some typical attributes. These
attributes and their values are dynamically changing and depend heavily on
▪ security policy,
▪ accumulated reputation,
▪ self-defense capability,
Dept of CSE 1
▪ site vulnerability.
➢ In a reputation-based model, jobs are sent to a resource site only when the site is trust worthy to
➢ The site trustworthiness is usually calculated from the following information: the defense
➢ The defense capability refers to the site’s ability to protect itself from danger.
➢ Direct reputation is based on experiences of prior jobs previously submitted to the site.
➢ The reputation is measured by many factors such as prior job execution success rate, cumulative
Dept of CSE 2
site utilization, job turnaround time, job slowdown ratio, and so on.
➢ In this model, the job security demand (SD) is supplied by the user programs.
➢ The trust index (TI) of a resource site is aggregated through the fuzzy-logic inference process
➢ Specifically, one can use a two-level fuzzy logic to estimate the aggregation of numerous trust
parameters and security attributes into scalar quantities that are easy to use in the job scheduling
➢ The TI is normalized as a single real number with 0 representing the condition with the highest
risk at a site and 1 representing the condition which is totally risk-free or fully trusted.
▪ fuzzification,
▪ inference,
▪ aggregation, and
▪ defuzzification.
➢ The second salient feature of the trust model is that if asite’s trust index cannot match the job
Dept of CSE 3
5.2 AUTHENTICATION AND AUTHORIZATION METHODS
➢ The major authentication methods in the grid include passwords, PKI, and Kerberos.
➢ The password is the simplest method to identify users, but the most vulnerable one to use.
➢ To implement PKI, we use a trusted third party, called the certificate authority (CA).
➢ The public keys are issued by the CA by issuing a certificate, a user recognizing a legitimate user.
➢ The private key is exclusive for each user to use, and is unknown to any other users.
➢ A digital certificate in IEEE X.509 format consists of the username, user public key, CA name,
The following example illustrates the use of a PKI service in a grid environment.
➢ Decisions can be made either at the access point of service or at a centralized place.
➢ Typically, the resource is a host that provides processors and storage for services deployed on it.
Based on a set predefined policies or rules, the resource may enforce access for local services.
Dept of CSE 4
➢ The central authority is a special entity which is capable of issuing and revoking polices of access
▪ Attribute Authorities,
▪ Identity Authorities.
Dept of CSE 5
5.3 GRID SECURITY INFRASTRUCTURE (GSI)
➢ Both build on the same base, namely the X.509 standard and entity certificates and proxy
certificates, which are used to identify persistent entities such as users and servers and to support
▪ message protection,
▪ authentication,
▪ delegation, and
▪ authorization.
➢ TLS (transport-level security) or WS-Security and WS-Secure Conversation (message level) are
➢ An Authorization Framework allows for a variety of authorization schemes, including a “gridmap file”
ACL, an ACL defined by a service, a custom authorization handler, and access to an
➢ In addition, associated security tools provide for the storage of X.509 credentials (MyProxy and
Delegation services), the mapping between GSI and other authentication mechanisms (e.g.,
KX509 and PKINIT for Kerberos, MyProxy for one-time passwords), and maintenance of
➢ Transport-level security entails SOAP messages conveyed over a network connection protected
by TLS. TLS provides for both integrity protection and privacy (via encryption).
➢ Transport-level security-types:
Dept of CSE 6
▪ used in conjunction with X.509 credentials for authentication,
1. Integrity protection, by which a receiver can verify that messages were not altered in
3. Replay prevention, by which a receiver can verify that it has not received the same
message previously.
➢ GSI has traditionally supported authentication and delegation through the use of X.509
➢ As a new feature in GT4, GSI also supports authentication through plain usernames and
Dept of CSE 7
passwords as a deployment option.
➢ Certificate has:
(1) a subject name, which identifies the person or object that the certificate represents;
(3) the identity of a CA that has signed the certificate to certify that the public key and the
(4) the digital signature of the named CA. X.509 provides each entity with a unique
identifier
➢ The X.509 certificates used by GSI are conformant to the relevant standards and conventions.
Grid deployments around the world have established their own CAs based on third-party software
to issue the X.509 certificate for use with GSI and the Globus Toolkit.
➢ GSI also supports delegation and single sign-on through the use of standardX.509 proxy
certificates.
➢ Proxy certificates allow bearers of X.509 to delegate their privileges temporarily to another
entity.
➢ To reduce or even avoid the number of times the user must enter his passphrase when several
grids are used or have agents (local or remote) requesting services on behalf of a user, GSI
provides a delegation capability and a delegation service that provides an interface to allow
➢ The key pair that is used for the proxy, that is, the public key
embedded in the certificate and the private key, may either be regenerated for each proxy or be
Dept of CSE 8
slightly to indicate that it is a proxy.
➢ Once a proxy is created and stored, the user can use the proxy
certificate and private key for mutual authentication without entering a password.
differs slightly.
(obtained from her certificate) is used to validate the signature on the proxy certificate.
As far as private clouds, there are no new attacks, vulnerabilities, or changes in risk in the cloud.
➢ Secure extranet
Dept of CSE 9
➢ Private cloud
Public cloud:
➢ Ensuring the confidentiality and integrity of the organization’s data-in-transit to andfrom your
➢ Replacing the established model of network zones and tiers with domains
➢ Some resources and data previously confined to a private network are now exposed to the
➢ Eg: An example of problems associated with this first risk factor is an Amazon Web Services
➢ Since some subset of these resources (or maybe even all of them) is now exposed to theInternet,
an organization using a public cloud faces a significant increase in risk to its data.
➢ A decreased access to relevant network-level logs and data, and a limited abilityto thoroughly
➢ An example of the problems associated with this second risk factor is the issue of reused
➢ (reassigned) IP addresses.
➢ Addresses are usually reassigned and reused by other customers as they become available.
➢ There is necessarily a lag time between the change of an IP address in DNS and the clearing of
Dept of CSE 10
that address in DNS caches.
➢ There is a similar lag time between when physical (i.e., MAC) addresses are changed in ARP
tables and when old ARP addresses are cleared from cache; an old address persists in ARP caches
➢ This means that even though addresses might have been changed, the (now) old addresses are still
available in cache, and therefore they still allow users to reach these supposedly non-existent
resources.
➢ BGP† prefix hijacking i.e., the falsification of Network Layer Reachability Information
➢ It involves announce of autonomous system‡ address space that belongs to someone else without
her permission.
➢ Such announcements often occur because of a configuration mistake, but that misconfiguration
➢ Eg: misconfiguration mistake occurred in February 2008 when Pakistan Telecom made an error
➢ by announcing a dummy route for YouTube to its own telecommunications partner, PCCW,
➢ based in Hong Kong. The intent was to block YouTube within Pakistan because of some
supposedly blasphemous videos hosted on the site. The result was that YouTube was globally
➢ Although prefix hijackings are not new, that attack figure will certainly rise, and probably
➢ As the use of cloud computing increases, the availability of cloud-based resources increases in
value to customers.
Dept of CSE 11
DNS attack:
➢ Not only are there vulnerabilities in the DNS protocol and in implementations of DNS.
➢ It is there are fairly widespread DNS cache poisoning attacks whereby a DNS server is tricked
Types:
Dept of CSE 12
Dept of CSE 13
Abstraction:
➢ Both the PaaS and SaaS platforms abstract and hide the host operating system from end users
➢ One key difference between PaaS and SaaS is the accessibility of the abstraction layer that hides
➢ In the case of SaaS, the abstraction layer is not visible to users and is available only to the
developers and the CSP’s operations staff, where PaaS users are given indirect access to the host
abstraction layer in the form of a PaaS application programming interface (API) that in turn
➢ Unlike PaaS and SaaS, IaaS customers are primarily responsible for securing the hosts
Dept of CSE 14
Virtualization software security
➢ The software layer that sits on top of bare metal and provides customers the ability to create and
➢ Virtualization at the host level can be accomplished using any of the virtualization models,
➢ It is important to secure this layer of software that sitsbetween the hardware and the virtual
servers. In a public IaaS service, customers do nothave access to this software layer; it is managed
Vaserv.com
➢ The virtual instance of an operating system that is provisioned on top of the virtualization layer
and is visible to customers from the Internet; e.g., various flavors of Linux, Microsoft, and
➢ To illustrate the vulnerability of the virtualization layer, some members of the security research
➢ Customers of IaaS have full access to the virtualized guest VMs that are hosted and isolated from
➢ Hence customers are responsible for securing andongoing security management of the guest VM.
Dept of CSE 15
➢ A public IaaS, such as Amazon’s Elastic Compute Cloud (EC2), offers a web services API to
➢ The CSP blocks all port access to virtual servers and recommends that customers use port 22
➢ The cloud management API adds another layer of attack surface and must be included in the
➢ Some of the new host security threats in the public IaaS include:
➢ Track the inventory of VM images and OS versions that are prepared for cloud hosting
➢ Safeguard the private keys required to access hosts in the public cloud.
➢ isolate the decryption keys from the cloud where the data is hosted
➢ Run a host firewall and open only the minimum ports necessary to support the serviceson an
instance.
➢ Run only the required services and turn off the unused services
Dept of CSE 16
➢ Install a host-based IDS such as OSSEC or Samhain
➢ Enable system auditing and event logging, and log the security events to a dedicated logserver
➢ In addition to the security of your own customer data, customers should also be concerned about
what data the provider collects and how the CSP protects that data.
➢ Customer data : metadata does the provider have about your data, how is it secured, and what
➢ For example, at the network level, your provider should be collecting, monitoring, and protecting
firewall, intrusion prevention system (IPS), security incident and event management (SIEM), and
Storage
➢ Three information security concerns are associated with this data stored in the cloud (e.g.,
▪ confidentiality,
▪ integrity, and
▪ availability.
Dept of CSE 17
Dept of CSE 18
Integrity
➢ In addition to the confidentiality of the data, it is also need to worry about the integrity of the
data.
➢ Encryption alone is sufficient for confidentiality, but integrity also requires the use of message
➢ The simplest way to use MACs on encrypted data is to use a block symmetric algorithm (as
opposed to a streaming symmetric algorithm) in cipher block chaining (CBC) mode, and to
➢ Another aspect of data integrity is important, especially with bulk storage using IaaS.
➢ Once a customer has several gigabytes (or more) of its data up in the cloud for storage, how does
Dept of CSE 19
Availability
➢ Assuming that a customer’s data has maintained its confidentiality and integrity, you must also be
➢ For example, Amazon’s S3 suffered a 2.5-hour outage in February 2008 and an eight-hour outage
in July 2008. AWS is one of the more mature cloud providers, so imagine the difficulties that
➢ Finally, prospective cloud storage customers must be certain to ascertain just what services their
➢ Cloud storage does not mean the stored data is actually backed up. Some cloud storage providers
➢ However, many cloud storage providers do not back up customer data, or do so only as an
➢ For example, “data stored in Amazon S3, Amazon SimpleDB, or Amazon Elastic Block Store is
redundantly stored in multiple physical locations as a normal part of those services and at no
additional charge.”
➢ However, “data that is maintained within running instances on Amazon EC2, or within Amazon
S3 and AmazonSimpleDB, is all customer data and therefore AWS does not perform backups.”
➢ For availability, this is a seemingly simple yet critical question that customers should be asking of
Dept of CSE 20
5.7 IDENTITY AND ACCESS MANAGEMENT ARCHITECTURE
➢ The organizations invest in IAM practices to improve operational efficiency and to comply with
➢ Properly architected IAM technology and processes can improve efficiency by automating user
➢ IAM processes and practices can help organizations meet objectives in the area of access control
Authentication
Authentication is the process of verifying the identity of a user or system (e.g., Lightweight Directory
Access
Protocol [LDAP] verifying the credentials presented by the user, where the identifier is the corporate
user ID
Authorization
Authorization is the process of determining the privileges the user or system is entitled to once the
identity is
established. In the context of digital services, authorization usually follows the authentication step and is
used
to determine whether the user or service has the necessary privileges to perform certain operations—in
other
Auditing
In the context of IAM, auditing entails the process of review and examination of authentication,
authorization
records, and activities to determine the adequacy of IAM system controls, to verify compliance with
Dept of CSE 21
established security policies and procedures (e.g., separation of duties), to detect breaches in security
services
(e.g., privilege escalation), and to recommend any changes that are indicated for countermeasures
IAM Architecture
➢ IAM is not a monolithic solution that can be easily deployed to gain capabilities immediately
processes, and standard practices. Standard enterprise IAM architecture encompasses several layers of
➢ The directory interacts with IAM technology components such as authentication, user management,
provisioning, and federation services that support the standard IAM practice and processes within the
organization.
➢ The IAM processes to support the business can be broadly categorized as follows:
▪ User management
▪ Activities for the effective governance and management of identity life cycles
▪ Authentication management
➢ Activities for the effective governance and management of the process for determining that an entity
➢ Activities for the effective governance and management of the process for determining entitlement
rights that decide what resources an entity is permitted to access in accordance with the organization’s
➢ Enforcement of policies for access control in response to a request from an entity (user, services)
➢ Propagation of identity and data for authorization to IT resources via automated or manual processes
Dept of CSE 22
Monitoring and auditing
Monitoring, auditing, and reporting compliance by users regarding access to resources within the
organization
Provisioning
These processes provide users with necessary access to data and technology resources.
Provisioning can be thought of as a combination of the duties of the human resources and IT
departments
These processes are designed to manage the life cycle of credentials and user attributes— create, issue,
manage, revoke—to minimize the business risk associated with identity impersonation and
inappropriate
Dept of CSE 23
account use. Credentials are usually bound to an individual and are verified during the authentication
process
Entitlement management
➢ The processes in this domain address the provisioning and deprovisioning of privileges needed for
the
➢ Entitlement management can be used to strengthen the security of web services, web applications,
Compliance management
➢ This process implies that access rights and privileges are monitored and tracked to ensure the
security
of an enterprise’s resources.
➢ The process also helps auditors verify compliance to various internal access control policies, and
standards that include practices such as segregation of duties, access monitoring, periodic auditing,
and reporting
➢ Federation is the process of managing the trust relationships established beyond the internal
network
A central authentication and authorization infrastructure alleviates the need for application developers
to build
Dept of CSE 24
➢ The maturity model takes into account the dynamic nature of IAM users, systems, and
applications in the cloud and addresses the four key components of the IAM automation process:
o Authentication Management
o Authorization Management
➢ Although the principles and purported benefits of established enterprise IAM practices and
processes are applicable to cloud services, they need to be adjusted to the cloud environment.
Broadly speaking, user management functions in the cloud can be categorized as follows:
Dept of CSE 25
➢ Federation or SSO
➢ Authorization management
➢ Compliance management
➢ Cloud identity administrative functions should focus on life cycle management of user identities
management service provider, organizations can avoid duplicating identities and attributes and
➢ Provisioning users when federation is not supported can be complex and laborious.
Organizations planning to implement identity federation that enables SSO for users can take one of the
In this architecture, cloud services will delegate authentication to an organization’s IdP. In this delegated
authentication architecture, the organization federates identities within a trusted circle of CSP domains.
A
circle of trust can be created with all the domains that are authorized to delegate authentication to the
IdP.
Dept of CSE 26
In this deployment architecture, where the organization will provide and support an IdP, greater control
can be exercised over user identities, attributes, credentials, and policies for authenticating and
Dept of CSE 27
➢ When federating identities to the cloud, organizations may need to manage the identity life cycle
➢ In cases where credentialing is difficult and costly, an enterprise might also outsource credential
issuance (and background investigations) to a service provider, such as the GSA Managed
Service Organization (MSO) that issues personal identity verification (PIV) cards and, optionally,
➢ In essence, this is a SaaS model for identity management, where the SaaS IdP stores identities in
a “trusted identity store” and acts as a proxy for the organization’s users accessing cloud services.
Pros
➢ Delegating certain authentication use cases to the cloud identity management service hides the
Cons
➢ When you rely on a third party for an identity management service, you may have less visibility
➢ Hence, the availability and authentication performance of cloud applications hinges on the
➢ It is important to understand the provider’s service level, architecture, service redundancy, and
Dept of CSE 28
5.9 SAAS, PAAS, IAAS AVAILABILITY IN CLOUD
5.9.1 SaaS
• One of the primary concerns of IT and business decision makers regarding software-as-a service
• Organizations considering integrating into SaaS services should consider two major challenges
• Is the organization ready to provision and manage the user life cycle by extending its
• Are the SaaS provider capabilities sufficient to automate user provisioning and life cycle
Customer responsibilities
• In SaaS services, customers have limited responsibility and available controls to secure
information.
User provisioning
Dept of CSE 29
• Customers need to understand the preferred method, lag time to activate users, and user attributes
• Almost all SaaS providers support bulk upload of user identities, as that’s the most common use
case for provisioning users. Some SaaS providers may support just-in-time provisioning where
Profile management
• As part of the provisioning process, customers may have the ability to create user profiles that
play a role in user authorization. User profiles such as user and manager are an approach to
• Customers are responsible for evaluating the support for IAM features such as SSO (using
• SAML is the de facto standard for federating identities and is now supported by large SaaS
providers
Investigation support
• Logs and audit trails are also often needed to investigate incidents. For example, PCI DSS
requires the provider to “provide for timely forensic investigation” if the service provider suffers
a breach.
Compliance management
CSP responsibilities
• With regard to IAM, some responsibilities belong to the CSP and some belong to the customer.
Authentication services
• Since users can be accessing the service from anywhere on the Internet, it is up to the SaaS
Dept of CSE 30
Account management policies
• CSPs should communicate the account management policies including account lock-outs, account
Federation
• CSPs supporting identity federation using standards such as SAML should publish the
information necessary for customers to take advantage of this feature and enable SSO for their
users. Such information includes the version SAML 1.1, SAML 2.0
5.9.2 PaaS
• Organizations considering extending their established IAM practices to PaaS cloud providers
• PaaS CSPs typically delegate authentication functions using federation to the PaaS provider’s
IdP.
5.9.3 IaaS
• Some of the responsibilities and challenges in managing users in IaaS services are:
User provisioning
• Provisioning of users (developers, administrators) on IaaS systems that are dynamic in nature.
Given that hundreds of systems are provisioned for workload management, user provisioning will
have to be automated at the time of image creation and should be policy based.
• Managing private keys of system administrators and protecting the keys when system
• Assigning IDs and keys required to access the service. These keys are used for managing access
to customer accounts for billing reasons, as well as for authenticating customers to their services.
Dept of CSE 31
• Provisioning of developers and testers to IaaS instances, and de provisioning the same when
• Privacy rights or obligations are related to the collection, use, disclosure, storage, and destruction
of personal data.
• The rights and obligations of individuals and organizations with respect to the collection, use,
Access
• Data subjects have a right to know what personal information is held and, in some cases, can
• In the cloud, the main concern is the organization’s ability to provide the individual with access
• If a data subject exercises this right to ask the organization to delete his data, will it be possible to
ensure that all of his information has been deleted in the cloud?
Compliance
• What are the applicable laws, regulations, standards, and contractual commitments that govern
• How are existing privacy compliance requirements impacted by the move to the cloud?
Storage
• Is it commingled with information from other organizations that use the same CSP?
Dept of CSE 32
• Privacy laws in various countries place limitations on the ability of organizations to transfer some
Retention
• How long is personal information (that is transferred to the cloud) retained? Which retention
policy governs the data? Does the organization own the data, or the CSP?
Destruction
• How does the cloud provider destroy PII at the end of the retention period?
• How can organizations monitor their CSP and provide assurance to relevant stakeholders that
Privacy breaches
• How do you know that a breach has occurred, how do you ensure that the CSP notifies you when
a breach occurs, and who is responsible for managing the breach notification process.
Important Questions:
Dept of CSE 33