ERCIM News No. 63, October 2005
SPECIAL: Security and Trust Management
An Akogrimo Approach to Securing Virtual Organizations within Mobile GRID Computing Environments
by Thomas Kirkham, Giuseppe Cirillo, Julian Gallop, Damian Mac Randal, Brian Ritchie and Pierluigi Ritrovato
The Akogrimo Project (EU FP6-IST, 2004 to 2007) was introduced in a previous article, 'The Grid Goes Mobile' in ERCIM News (Issue 59). Akogrimo is aiming to radically advance the pervasiveness of Grid computing across Europe. To achieve this goal, and in addition to embracing layers and technologies which are intended to make up the so-called next-generation Grids (eg knowledge-related and semantics-driven Web services), Akogrimo aims to design and prototype a blueprint of a next-generation Grid that exploits and closely cooperates with evolving mobile Internet infrastructures based on IPv6. In this article, initial higher-level work on the security of virtual organizations and future plans for work in the security area are discussed.
Mobile Dynamic Virtual Organizations (MDVO)
Services shared by groups or individuals within distributed computing environments can be seen as virtual organisations (VOs). Within a traditional Grid these organizations can be seen as generally static and non-mobile. These traditional non-mobile VOs benefit from being able to register and link to services in permanent ways. Since service addresses and location details very rarely change, they can be made subject to common security measures associated with static networked topologies.
In Akogrimo, mobility is clearly a key concern. Since the VOs are both mobile and dynamic, several security issues are raised ranging from connection insecurity (wireless or otherwise) to Authentication, Authorization and Accounting (AAA) challenges. These security problems are present in particular during service discovery and re-discovery, since mobile services are prone to loss of connection, changes in bandwidth and so on.
Operative Virtual Organisations (OpVO)
Within Akogrimo this problem is approached by using a separate VO for the processing of services. This separate VO is referred to as an Operative Virtual Organization and is in existence for the lifetime of the particular workflow. In this model, user and service agents wrap a security layer around Grid users and services. The OpVO is linked to a Base VO via secure messaging and shared components, but it is essentially a temporary environment for the execution of services as opposed to the more permanent traditional view of the VO. A simple illustration of the basic security steps in the execution of a mobile Grid service can be seen in the figure.
Figure: The Operative VO architecture and key security points.
The figure shows a service able to operate within VHE2, a Virtual Hosting Environment, wrapped by a service agent (SA), and able to be invoked by a workflow in the OpVO. Security is handled in the VHE where the service resides and also in the Base VO where the service is registered. The Base VO is central to the model and has the power to create and destroy an OpVO. This allows the existence of a hierarchy, the apex of which is a central point of security and policy enforcement for the workflow. Direct communication should not be possible between entities (eg users, services, resources etc) that belong to different administration domains, without going through the Base VO's security services. The execution of services within the OpVO and VHE reduces the workload on the Base VO, and it can be argued that this reduces the potential of a security breach occurring within the main Base VO, which could be running multiple OpVOs.
During workflow execution the Base VO in the model is largely used as a repository of VHE service details and security policy. The Workflow Manager links the VHEs to the Base VO for the purpose of discovery and authorization during the creation of an OpVO. This link calls services located in the VHEs by looking them up in the Base VO's service registry. As services are discovered and brought into the OpVO they are authenticated and granted access via the secure exchange of tokens issued by the Base VO. If a service drops out or loses its connection after discovery, the Workflow Manager can send a request from the OpVO for a new service to be used; in this case the discovery and authentication process from the Base VO is repeated. This re-authentication helps prevent security breaches such as 'man in the middle' attacks, which are common on wireless connections. In addition, all traffic from the OpVO to the Base VO will be via an encrypted Web Service Secure Conversation link.
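As an added illustration of the token exchange described above (this is not Akogrimo project code; the class, field names and token format are assumptions), the following Python models a Base VO that issues per-OpVO access tokens to discovered services and invalidates the previous token whenever a service is re-discovered after dropping out, so a replayed old token is rejected at the VHE.

```python
# Added example, not Akogrimo project code: a minimal Base VO token issuer.
# Class and field names are assumptions; the real system uses WS-SecureConversation.
import hashlib
import hmac
import secrets
import time


class BaseVO:
    """Base VO: service registry plus issuer/verifier of OpVO access tokens."""

    def __init__(self, ttl_seconds=300):
        self._key = secrets.token_bytes(32)  # signing key, never leaves the Base VO
        self.registry = {}                   # service_id -> hosting VHE
        self._active = {}                    # (opvo_id, service_id) -> current nonce
        self.ttl = ttl_seconds

    def register(self, service_id, vhe):
        self.registry[service_id] = vhe

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def discover(self, opvo_id, service_id, now=None):
        """Authorize service_id for an OpVO and return (vhe, token).
        Re-discovery (e.g. after a dropped connection) issues a fresh nonce,
        so the earlier token for this pair can no longer be replayed."""
        if service_id not in self.registry:
            raise LookupError(f"unknown service {service_id}")
        now = int(time.time()) if now is None else now
        nonce = secrets.token_hex(8)
        self._active[(opvo_id, service_id)] = nonce
        payload = f"{opvo_id}|{service_id}|{now + self.ttl}|{nonce}"
        return self.registry[service_id], f"{payload}|{self._sign(payload)}"

    def verify(self, token, now=None):
        """Check a token presented at a VHE: format, MAC, expiry and currency."""
        try:
            opvo_id, service_id, exp, nonce, sig = token.split("|")
        except ValueError:
            return False
        payload = f"{opvo_id}|{service_id}|{exp}|{nonce}"
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False
        now = int(time.time()) if now is None else now
        if now >= int(exp):
            return False
        return self._active.get((opvo_id, service_id)) == nonce
```

The `now` parameter exists only so the expiry and re-discovery behaviour can be exercised deterministically; in a deployment the Base VO would use its own clock.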
Conclusion and Future Work
In finding a solution to the problem of mobile Grid-based security, it can be argued that the use of Operative Virtual Organisations is the tip of the iceberg. The model is presented here in simplistic terms: plenty of scope exists for future investigation. The areas in which we are currently looking to improve security include greater monitoring; integration with security capabilities and constraints provided at the Network (mobile) layer (eg the OASIS SAML standard for identity management and single sign-on); specifications for common security wrappers for integrating resources of administration domains that have their own security policies and mechanisms; further details on the secure exchange of messaging using Web Service Secure Conversation and encryption; and the definition of policy in a more detailed fashion at all levels of the project.
Links:
CCLRC: http://www.cclrc.ac.uk/
Akogrimo: http://www.mobileGrids.org/
Please contact:
Julian Gallop, CCLRC, UK
E-mail: j.r.gallop@rl.ac.uk