Security Architecture for Open Grid Services
Overview
♦ Grid Security challenges
♦ Categorizing the Grid Security
♦ Web services security roadmap
♦ Building blocks
♦ Summary

Grid Security Challenges
♦ Heterogeneous Distributed Environment
♦ Federated Security
   – Virtual Organizations
   – Federated Identity
   – Federated Trust
♦ End-to-end security
   – Multi-hop scenarios - multiple (un)trusted intermediaries
   – Security in hosting environment and its effect on the Grid
♦ Dynamic interactions
   – Dynamic policies, grouping, authorization, etc
♦ Support for multiple security mechanisms
♦ User driven service deployment and management

Categorizing Security
♦ Securing Grid Services
   – Credential/Identity Propagation
   – Policy
   – Integrity
   – Confidentiality
   – Authorization
   – Privacy
   – VO policies
♦ Grid Security Services
   – Identity Mapping
   – Authentication or Identity Service
   – Authorization
   – Profile/Wallet
   – Audit

Web Services Security Roadmap
♦ IBM-Microsoft joint proposal (announced April 11th, 2002; submitted to
  OASIS June 27th, 2002)
♦ The roadmap presents our strategy for addressing security
  issues within a Web Services environment.
♦ It consists of one defined specification (WS-Security) and
  several planned composable specifications along with
  example scenarios.
♦ The proposed specifications build upon foundational
  technologies such as SOAP, WSDL, XML Digital
  Signatures, XML Encryption and SSL/TLS.
♦ This is the first Web services security model that brings
  together formerly incompatible security technologies such
  as public key infrastructure, Kerberos, and others.

Scenarios
♦ To make the issues and solutions discussed in the roadmap as concrete
  as possible, several scenarios that reflect current and anticipated
  applications of web services are presented:
   – Direct Trust using Username/Password and Transport-Level Security
   – Direct Trust using Security Tokens
   – Security Token Acquisition
   – Firewall Processing
   – Issued Security Token
   – Enforcing Business Policy
   – Privacy
   – Smart Clients
   – Web Clients
   – Mobile Clients
   – Enabling Federation
   – Validation Service
   – Supporting Delegation
   – Access Control
   – Auditing
[Figure: Firewall Processing scenario. An Authorized Requester and an
Unauthorized Requester both send requests through a Firewall to a Web
Service.]

Current/proposed specs
Building on the SOAP Foundation
♦ WS-Security (today): describes SOAP extensions for secure messaging and
  provides the foundation for the other building blocks.
[Figure: layered stack with WS-Security sitting on the SOAP Foundation;
the following slides add one planned specification at a time.]

WS-Security details
♦ Submitted to OASIS
♦ Enhancements to SOAP messaging
   – Provides quality of protection
   – Is a general purpose mechanism for associating security tokens with
     SOAP messages
♦ Builds upon and interoperates with existing standards
   – SSL/TLS (transport)
   – IPSEC (network)
   – W3C XML Digital Signatures
   – W3C XML Encryption
♦ What is addressed?
   – Message integrity
   – Message confidentiality
   – Message authentication
   – Encoding security tokens
      • String subject names
      • Binary tokens
         – X.509 certs, Kerberos tickets
         – Other token formats (including XML-encoded tokens)
         – Keys

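The "direct trust using username/password" scenario carried at the message level rather than only over SSL/TLS, as an added example that is not part of the slides or of any WS-Security implementation. It builds a SOAP envelope with a wsse:Security header holding a UsernameToken in the PasswordDigest form of the WSS Username Token Profile 1.0 (digest = Base64(SHA-1(nonce || created || password))), and shows the receiver-side checks the profile relies on to make that form safe: Created must be fresh, each Nonce may be used once, and the digest is compared in constant time. The user name, password and service body are constructed for the example.

```python
# Added example (not code from the slides or any WS-Security toolkit):
# a UsernameToken/PasswordDigest exchange with replay and freshness checks.
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credential store of the receiving service (example data only).
USERS = {"bob": "bags-packed-2002"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile formula: Base64(SHA-1(nonce || created || password)), nonce as raw bytes."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_envelope(user: str, password: str, body_xml: str,
                   nonce: bytes = None, created: str = None) -> str:
    """Requester side: SOAP envelope with a mustUnderstand wsse:Security header."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soap:mustUnderstand="1">'
        f'<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>'
    )


class Receiver:
    """Service side. The nonce cache only has to cover the freshness window."""

    def __init__(self, freshness: timedelta = timedelta(minutes=5)):
        self.freshness = freshness
        self.seen_nonces = set()

    def authenticate(self, envelope: str, now: datetime = None) -> str:
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            raise PermissionError("no UsernameToken")
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        # Refuse PasswordText, and refuse a digest without its anti-replay fields.
        if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
            raise PermissionError("PasswordDigest with Nonce and Created required")
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_at) > self.freshness:
            raise PermissionError("Created outside freshness window")
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen_nonces:
            raise PermissionError("nonce replayed")
        password = USERS.get(user)
        if password is None:
            raise PermissionError("unknown user")
        if not hmac.compare_digest(password_digest(nonce, created, password), pw.text or ""):
            raise PermissionError("digest mismatch")
        self.seen_nonces.add(nonce)   # remember only after every other check passed
        return user


def try_authenticate(receiver: Receiver, envelope: str, now: datetime = None) -> str:
    """Returns 'ok:<user>' or 'rejected:<reason>' so callers can act on the outcome."""
    try:
        return "ok:" + receiver.authenticate(envelope, now)
    except PermissionError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    r = Receiver()
    env = build_envelope("bob", USERS["bob"], "<BookHotelReservation/>")
    print(try_authenticate(r, env))   # ok:bob
    print(try_authenticate(r, env))   # rejected:nonce replayed
```

The digest keeps the clear-text password off the wire, but by itself it is replayable: anyone who captures the envelope can resend it. The Created window plus the nonce cache is what turns it into a one-time credential, which is why the receiver refuses tokens that omit either field. Without transport security the digest is still exposed to offline guessing against SHA-1, so the roadmap pairs this scenario with transport-level security.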
Current/proposed specs
Building on the SOAP Foundation
♦ WS-Policy (planned): will define how to express capabilities and
  constraints of security policies
♦ WS-Trust (planned): will describe the model for establishing both direct
  and brokered trust relationships (including third parties and
  intermediaries)
♦ WS-Privacy (planned): will be a model for how users state privacy
  preferences, and for how Web services state and implement privacy
  practices
♦ WS-SecureConversation (planned): will describe how to manage and
  authenticate message exchanges between parties, including security
  context exchange and establishing and deriving session keys
♦ WS-Federation (planned): will describe how to manage and broker the
  trust relationships in a heterogeneous federated environment, including
  support for federated identities
♦ WS-Authorization (planned): will define how Web services manage
  authorization data and policies
♦ This is a composable architecture: "only use what you need". Every
  specification layers on WS-Security and the SOAP Foundation, and the
  layers arrive over time (WS-Security today, the rest planned).
[Figure: the stack built up slide by slide. WS-SecureConversation,
WS-Federation and WS-Authorization sit above WS-Policy, WS-Trust and
WS-Privacy, which sit above WS-Security, which sits on the SOAP
Foundation; a "today / time" axis runs alongside.]

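Two of the points above, the multi-hop challenge from the Grid Security Challenges slide ("multiple (un)trusted intermediaries") and the session-key derivation WS-SecureConversation is planned to describe, are illustrated by the following added example. It is not code from the slides or from any WS-* specification. The key expansion is the TLS P_SHA1 function from RFC 2246, which the later WS-SecureConversation specification adopts for derived keys; the seed layout (label || nonce), the label string and the offset/length handling are assumptions for this example, not the specification's normative values. A MAC over the body bytes stands in for an XML Signature referencing a DerivedKeyToken, and the context secret, nonces and message are constructed.

```python
# Added example (not code from the slides or any WS-* spec): derived session
# keys via TLS P_SHA1, and body integrity surviving an untrusted hop.
import hashlib
import hmac

LABEL = b"example-derived-key"   # assumption; WS-SecureConversation fixes its own default label


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 P_SHA1: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(context_secret: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Derived key = bytes [offset, offset+length) of P_SHA1(secret, LABEL || nonce) (assumed layout)."""
    return p_sha1(context_secret, LABEL + nonce, offset + length)[offset:offset + length]


class SecurityContext:
    """What both ends hold after the (assumed, out-of-band) exchange that set up the context.
    Each direction gets its own nonce and therefore its own key, so a message is bound to its sender
    and the context secret itself is never used directly on traffic."""

    def __init__(self, secret: bytes, requester_nonce: bytes, service_nonce: bytes):
        self.requester_key = derive_key(secret, requester_nonce, 0, 32)
        self.service_key = derive_key(secret, service_nonce, 0, 32)


def sign_body(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def verify_body(body: bytes, key: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(sign_body(body, key), mac)


def intermediary_forward(body: bytes, mac: bytes, tamper: bool):
    """A hop such as a portal or gateway: its inbound TLS session has ended and the outbound one has
    not begun, so it can read and rewrite the body. Transport security on either side notices nothing."""
    if tamper:
        body = body.replace(b"<Nights>1</Nights>", b"<Nights>100</Nights>")
    return body, mac


def run_scenario() -> dict:
    # Constructed values; a real context uses fresh random secret and nonces.
    ctx = SecurityContext(b"\x01" * 32, requester_nonce=b"req-nonce-0001", service_nonce=b"svc-nonce-0001")
    body = b"<ReserveRoom><Guest>bob</Guest><Nights>1</Nights></ReserveRoom>"
    mac = sign_body(body, ctx.requester_key)

    honest_body, honest_mac = intermediary_forward(body, mac, tamper=False)
    tampered_body, tampered_mac = intermediary_forward(body, mac, tamper=True)
    return {
        "keys_differ": ctx.requester_key != ctx.service_key,
        "honest_accepted": verify_body(honest_body, ctx.requester_key, honest_mac),
        "tampered_accepted": verify_body(tampered_body, ctx.requester_key, tampered_mac),
        # A body signed with the service's direction key must not pass as the requester's.
        "wrong_direction_accepted": verify_body(body, ctx.requester_key, sign_body(body, ctx.service_key)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the per-direction keys is that the receiving end verifies with the key the requester was supposed to use, so a reflected or cross-direction message fails even though the same context secret is behind both keys; the point of the body MAC is that the tampering intermediary is caught at the final service, not at the next TLS hop.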
OGSA Security Components
[Figure: component map; the boxes are listed here row by row]
♦ Intrusion Detection; Secure Conversations; Credential and Identity
  Translation (Single Sign-On); Access Control Enforcement; Audit &
  Non-repudiation
♦ Anti-virus Management
♦ Policy Management (authorization, privacy, federation, etc):
  Service/End-point Policy; Mapping Rules; Authorization Policy; Privacy
  Policy
♦ Secure Logging
♦ Trust Model
♦ Policy Expression and Exchange
♦ User Management
♦ Key Management
♦ Bindings Security (transport, protocol, message security)

Building Blocks
[Figure: layered diagram, listed here from the top layer down]
♦ Exploiters: AppServer security; Platform (OS) security; Application
  security (on top of app server)
♦ Security services (TBD): AuthnService; AttributeService; AuthzService;
  ...; AuditService
♦ Federation layer: WS-Federation; WS-SecureConversation; WS-Authorization
♦ Policy layer: WS-Policy; WS-Trust; WS-Privacy
♦ Message Security: ds:Signature; xenc:EncryptedData; ...; SecurityToken
♦ Web services standards: WSDL; SOAP; ...; WS-Routing; WS*L
♦ XML security standards: XML Signature; XML Encryption; Assertion
  Language; XKMS; ...; XACML
♦ Protocol layer security: HTTP / https; IIOP / CSIv2; ...; JMS (MQ)
♦ Platform resource security: NT; Solaris; Linux; AIX; OS/400; z/OS

Sample Scenario
[Figure 5: Service requests across virtual organizations. Browser user Bob
reaches the Travel Agency Portal of BagsPacked Travel through a Firewall.
The portal invokes BookHotelReservation, which crosses into SleepyLand
Hotels; a Security Token Exchange Service is shown in the Sales Dept.
management domain. Behind further Firewalls sit the Reservation system
(ReserveRoom) and the Registration system (GetAccountInfo) in the
Accounting Dept. management domain.]

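The brokered-trust path of Figure 5, as an added example that is not code from the slides or from the OGSA authors. BagsPacked Travel's portal holds a token for user Bob issued inside its own management domain; SleepyLand Hotels neither knows Bob nor trusts the portal's user store. A Security Token Exchange Service (the "Issued Security Token" / WS-Trust STS role; this example assumes it is operated on the travel agency side, which the figure does not state) validates the portal's token, applies an identity-mapping rule, and issues a short-lived token scoped to the hotel's ReserveRoom service under a key the hotel trusts. The token format (base64 JSON plus HMAC) stands in for a signed XML token; all keys, host names, URLs and mapping rules are constructed for the example.

```python
# Added example (not code from the slides or the OGSA authors): a security
# token exchange service brokering trust between two management domains.
import base64
import hashlib
import hmac
import json

PORTAL_DOMAIN = "https://portal.bagspacked.example"                      # constructed
STS_URL = "https://sts.sales.bagspacked.example"                          # constructed
HOTEL_RESERVE = "https://reservations.sleepyland.example/ReserveRoom"     # constructed
HOTEL_ACCOUNTS = "https://accounting.sleepyland.example/GetAccountInfo"   # constructed

# One key per trust relationship, established out of band; never shared across relationships.
PORTAL_TO_STS_KEY = b"portal<->sts shared secret (constructed)"
STS_TO_HOTEL_KEY = b"sts<->sleepyland federation key (constructed)"
TOKEN_LIFETIME = 300   # seconds


def mint(claims: dict, key: bytes) -> str:
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify(token: str, key: bytes, audience: str, now: int) -> dict:
    """Every consumer checks signature, audience and expiry: a token for one service is no good at another."""
    payload, _, tag = token.partition(".")
    if not hmac.compare_digest(hmac.new(key, payload.encode(), hashlib.sha256).hexdigest(), tag):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["aud"] != audience:
        raise PermissionError("audience mismatch")
    if claims["exp"] <= now:
        raise PermissionError("expired")
    return claims


class TokenExchangeService:
    """The STS. Its policy is the set of mapping rules and the partner services it may issue for."""
    MAPPING = {(PORTAL_DOMAIN, "bob"): "agent-bob@bagspacked"}   # identity mapping rule (constructed)
    ISSUABLE = {HOTEL_RESERVE}                                    # trust relationships that exist

    def issue(self, incoming: str, applies_to: str, now: int) -> str:
        claims = verify(incoming, PORTAL_TO_STS_KEY, STS_URL, now)
        if applies_to not in self.ISSUABLE:
            raise PermissionError("no trust relationship for " + applies_to)
        mapped = self.MAPPING.get((claims["iss"], claims["sub"]))
        if mapped is None:
            raise PermissionError("no identity mapping for " + claims["sub"])
        return mint({"iss": STS_URL, "sub": mapped, "aud": applies_to,
                     "exp": now + TOKEN_LIFETIME}, STS_TO_HOTEL_KEY)


def reserve_room(token: str, now: int) -> str:
    """SleepyLand's reservation system trusts the STS (via STS_TO_HOTEL_KEY), never the portal."""
    claims = verify(token, STS_TO_HOTEL_KEY, HOTEL_RESERVE, now)
    return "room reserved for " + claims["sub"]


def attempt(fn, *args) -> str:
    try:
        return "ok:" + fn(*args)
    except PermissionError as exc:
        return "rejected:" + str(exc)


def run_scenario(now: int = 1_000_000) -> dict:
    # The portal has already authenticated Bob and holds a token it minted for its own STS.
    portal_token = mint({"iss": PORTAL_DOMAIN, "sub": "bob", "aud": STS_URL, "exp": now + 60},
                        PORTAL_TO_STS_KEY)
    sts = TokenExchangeService()
    hotel_token = sts.issue(portal_token, HOTEL_RESERVE, now)
    return {
        "brokered": attempt(reserve_room, hotel_token, now),
        # Skipping the STS: the portal's own token means nothing to the hotel.
        "portal_token_direct": attempt(reserve_room, portal_token, now),
        # No trust relationship is configured for the accounting service.
        "unlisted_target": attempt(sts.issue, portal_token, HOTEL_ACCOUNTS, now),
        # The issued token is used after its lifetime.
        "expired": attempt(reserve_room, hotel_token, now + TOKEN_LIFETIME + 1),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, "->", outcome)
```

The hotel side never sees Bob's credentials and never has to know the portal's user database; what it verifies is the STS's key, the audience and the lifetime. The mapping rule is where the "Credential and Identity Translation" component of the previous slides lives, and the ISSUABLE set is the trust model: a target that is not in it gets no token, regardless of who asks.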
Security Documents
♦ Proposed drafts
♦ Security Architecture for Open Grid Services
   – Capture high level requirements, components for
     OGSA Security
♦ OGSA Security Roadmap
  – Formulate requirements into specifications that need to
    be worked on
♦ Posted at http://www.globus.org/ogsa/Security

Summary
♦ Securing Grid Services
  – Web services security roadmap
  – Grid security requirements
♦ OGSA Security
  – Architecture document
  – Roadmap document
  – GGF Workgroups