Usage control: From distributed systems and information to Clouds
Fabio Martinelli
Institute for Informatics and Telematics, ICT Department, National Research Council (IIT-CNR)
Outline
- Distributed systems: GRID, P2P, MANETs, Clouds
- Usage control, experiences from two EU projects:
  - Server-side (GridTrust approach)
  - User-side (Consequence approach)
- Discussion on usage control in clouds
Distributed systems in a picture (Foster et al.)
[Figure: Supercomputers, Clusters, Grids, Clouds and Web 2.0 placed within the space of Distributed Systems; axis labels: Application Oriented, Service Oriented]
Grid Computing
- Dynamic collection of diverse and distributed individuals who share heterogeneous resources (services) in a coordinated fashion: computers, databases, storage
- Users and service providers might be unknown to each other
- Advanced security support is required to:
  - Protect resources from code provided by users
  - Protect the code provided by users from resources
Cloud Computing
- Still a cloudy definition
- Current: "Clouds are a large pool of easily usable and accessible virtualized resources (such as hardware, development platforms and/or services). These resources can be dynamically reconfigured to adjust to a variable load (scale), allowing also for an optimum resource utilization. This pool of resources is typically exploited by a pay-per-use model in which guarantees are offered by the Infrastructure Provider by means of customized SLAs." (Vaquero L.M., Rodero-Merino L., Cáceres J., Lindner M. A Break in the Clouds: Towards a Cloud Definition. ACM Computer Communication Review, January 2009)
- Future: ???
Usage Control Model
- A uniform conceptual model suggested by Sandhu et al.; it systematizes previous work in the area
- The evaluation of a usage right is performed:
  - Before the action (PRE): the standard access control approach
  - Continuously during the access (ONGOING): the right can be revoked and the access interrupted; used for long-lived accesses (hours, days, ...)
From Access Control to Usage Control
[Figure: timeline over Before usage, Ongoing usage, After usage]
- Traditional access control: a single pre-decision
- Usage control adds:
  - Continuity of decision: an ongoing decision re-asks "Is the usage decision still valid? Can you revoke access?"
  - Mutability of attributes: pre-update, ongoing update and post-update of attributes over time
Usage Control Model: Beyond Access Control
[Figure: UCON [Park04] as the umbrella over Traditional Access Control, Trust Management and DRM]
- Application areas: privacy protection, intellectual property rights protection, sensitive information protection
- Enforcement points: Server-side Reference Monitor (SRM), Client-side Reference Monitor (CRM), or SRM and CRM combined
Usage Control Server Side: the GridTrust Approach (1)
- The Grid is a dynamic environment, but standard GRID/Globus authorization mechanisms are too coarse and static
- GridTrust adopts the Usage Control Model to protect the service providers:
  - Fine-grained control
  - Continuous policy enforcement
  - Active Policy Decision Point
  - Policies depend on trust levels
  - Trust levels are modified by adherence to policies
Usage Control Server Side: the GridTrust Approach (2)
- Service level: the execution of grid services is controlled; service execution is interrupted when ongoing authorization fails
- Computational level: the execution of user applications on computational services is monitored; the security-relevant actions performed by the applications are controlled, and the application is interrupted when ongoing authorization fails
- UCON as a SERVICE: we implemented UCON on GRID services as a GRID service
Continuous Usage Control for Computational GRID: how it works
[Figure: a Code Provider submits code; a Code Instance runs in the Hosting Environment and performs OpenFile(), ReadFile(), CloseFile() on Shared resources; a Monitor acting as Policy Enforcement Point checks each action against the Local Policy, shown as the automaton Closed -> Opened (OpenFile) -> Reading (ReadFile) -> Closed (CloseFile)]
- The policy may depend on the trust value
- On a violation, the code is stopped and trust in the code provider is reduced
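The pre/ongoing decision loop of the usage control model (the "Usage Control Model" and "From Access Control to Usage Control" slides) and the computational-level monitor sketched in this figure, as an added simulation in Python. This is an example written for this page, not GridTrust or Globus code: the automaton over file operations, the trust thresholds, the violation penalty and the provider names are all assumptions constructed for the example.

```python
"""Simulated usage-control reference monitor for code running on a
computational Grid node.  Added example: not GridTrust or Globus code.
Assumptions (constructed for this example): the local policy is an automaton
over file operations, the per-provider trust value is a mutable attribute,
and ReadFile is allowed only above a trust threshold."""
from dataclasses import dataclass, field

# Local policy automaton mirroring the Closed -> Opened -> Reading figure.
# Any (state, action) pair not listed is a policy violation.
TRANSITIONS = {
    ("Closed", "OpenFile"): "Opened",
    ("Opened", "ReadFile"): "Reading",
    ("Reading", "ReadFile"): "Reading",
    ("Opened", "CloseFile"): "Closed",
    ("Reading", "CloseFile"): "Closed",
}
PRE_TRUST_THRESHOLD = 0.5    # below this the pre-decision denies execution
READ_TRUST_THRESHOLD = 0.7   # the ongoing policy depends on the trust value
VIOLATION_PENALTY = 0.2      # post-update applied when the code misbehaves


@dataclass
class Monitor:
    provider: str
    trust: dict                      # shared, mutable: provider -> trust value
    state: str = "Closed"
    log: list = field(default_factory=list)

    def pre_decision(self) -> bool:
        """Classic access control: evaluated once before the code starts."""
        ok = self.trust[self.provider] >= PRE_TRUST_THRESHOLD
        self.log.append(("PRE", ok))
        return ok

    def ongoing_decision(self, action: str) -> bool:
        """Re-evaluated on every security-relevant action of the running code.
        Returning False means the PEP interrupts the code instance."""
        nxt = TRANSITIONS.get((self.state, action))
        if nxt == "Reading" and self.trust[self.provider] < READ_TRUST_THRESHOLD:
            nxt = None                      # trust-dependent clause of the policy
        if nxt is None:
            # Violation: revoke access and reduce trust in the code provider,
            # which affects the pre-decision of that provider's next submission.
            self.trust[self.provider] = max(0.0, self.trust[self.provider] - VIOLATION_PENALTY)
            self.log.append(("VIOLATION", self.state, action))
            return False
        self.state = nxt
        self.log.append(("OK", action, nxt))
        return True


def run_code(provider: str, trust: dict, actions: list) -> tuple:
    """Run a sequence of actions under the monitor; returns (outcome, monitor)."""
    m = Monitor(provider, trust)
    if not m.pre_decision():
        return "denied", m
    for action in actions:
        if not m.ongoing_decision(action):
            return "interrupted", m
    return "completed", m


if __name__ == "__main__":
    trust = {"provA": 0.8, "provB": 0.6}        # constructed trust attributes
    print(run_code("provA", trust, ["OpenFile", "ReadFile", "CloseFile"])[0])  # completed
    print(run_code("provB", trust, ["OpenFile", "ReadFile"])[0])               # interrupted
    print(run_code("provB", trust, ["OpenFile"])[0])                           # denied
```

The second provider is admitted by the pre-decision but stopped by the ongoing one, and the trust reduction that follows turns its next submission into a pre-decision denial: the two feedback loops of the slides (policies depend on trust, trust depends on adherence to policies) in one run.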
Usage Control Client-side: the Consequence Approach (1)
- Context-aware, data-centric information sharing agreements
- Focus on protection of disseminated information regulated by data sharing agreements: define an architecture within a framework to enable dynamic management of policies based on agreements that ensure end-to-end protection of data-centric information
Usage Control Client-Side: the Consequence Approach (2)
- Digital information is disseminated among peers
- The usage policies must obey digital agreements
- The protection mechanism is now client-side (not owned by the data provider)
- Policies are attached to / related to the data
- There is the need for digital crypto-containers:
  - Software-based reference monitors, ID-based crypto
  - Hardware-based reference monitors (TCB): currently not foreseen in the project
UCON in the Cloud?
- In the Cloud, the same entity could be both Producer and Consumer: PROSUMER
- In the GRID the same entity could share a service and exploit the services provided by other participants
- The Usage Control Framework could integrate server-side controls and user-side controls
- E.g., privacy policies on stored data could be expressed as usage control policies
Integrated UCON
- The UCON framework monitors both:
  - Services that are accessed by users
  - Data that have been distributed to users
- Advantages:
  - An access on the server side could influence an access on the user side and vice versa
  - Global view of the behaviour of an entity
  - Possibly uniform policy management systems
Example Scenario
- The user downloads a road map of Italy; the map data is protected by a Usage Control policy
- The user wants to compute a tourist path in Tuscany and submits the map to a tourist service
- Several policies must be enforced:
  - The map's local policy, which determines whether the user can read that map
  - The service's local policy, which determines whether the user can access that service
  - The system's global policy, which decides whether that path can be computed on that map by that user on that service
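The three-policy decision of this scenario, together with the data-attached policy of the Consequence slides and the cross-side influence claimed on the "Integrated UCON" slide, as an added Python example. It is not code from either project: the attribute names (licences, subscription, allowed processors, a per-map quota of services), the policy clauses and the sample map and services are all constructed for the example.

```python
"""Integrated usage control for the road-map scenario: a data-local policy
attached to the map (client-side), a service-local policy (server-side) and a
global policy evaluated over user, data and service together.  Added example,
not the project's code; all attribute names and policy clauses are constructed."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Data:
    name: str
    attrs: dict
    local_policy: Callable          # travels with the data (client-side reference monitor)


@dataclass
class Service:
    name: str
    attrs: dict
    local_policy: Callable          # enforced by the service provider (server-side)


def map_local_policy(user, data, service) -> bool:
    """Can this user read the map at all?  (constructed: requires a licence)"""
    return data.name in user["licences"]


def service_local_policy(user, data, service) -> bool:
    """Can this user access the tourist-path service?  (constructed: subscription check)"""
    return user["subscription"] in service.attrs["accepted_subscriptions"]


def global_policy(user, data, service) -> bool:
    """May this path be computed on this map by this user on this service?
    Constructed: the service operator must be an allowed processor of the map,
    and the user may submit the map to at most max_services distinct services."""
    allowed_operator = service.attrs["operator"] in data.attrs["allowed_processors"]
    within_quota = len(user["services_used"] | {service.name}) <= data.attrs["max_services"]
    return allowed_operator and within_quota


def decide(user, data, service) -> tuple:
    """Evaluate all three policies; on success record the usage (post-update of a
    user attribute), so that a server-side access influences later user-side ones."""
    checks = [("map-local", data.local_policy),
              ("service-local", service.local_policy),
              ("global", global_policy)]
    failed = [name for name, policy in checks if not policy(user, data, service)]
    if not failed:
        user["services_used"].add(service.name)
    return (not failed, failed)


# Constructed sample entities for the scenario.
ITALY_MAP = Data("italy-road-map",
                 {"allowed_processors": {"TourOp"}, "max_services": 2},
                 map_local_policy)
TUSCANY_SERVICE = Service("tuscany-path",
                          {"operator": "TourOp", "accepted_subscriptions": {"premium"}},
                          service_local_policy)
FOREIGN_SERVICE = Service("foreign-routing",
                          {"operator": "OtherCo", "accepted_subscriptions": {"premium", "basic"}},
                          service_local_policy)


def new_user(licences, subscription) -> dict:
    return {"licences": set(licences), "subscription": subscription, "services_used": set()}


if __name__ == "__main__":
    alice = new_user(["italy-road-map"], "premium")
    print(decide(alice, ITALY_MAP, TUSCANY_SERVICE))   # (True, [])
    print(decide(alice, ITALY_MAP, FOREIGN_SERVICE))   # (False, ['global'])
```

Each policy is evaluated where its reference monitor would sit: the map's policy is carried with the data object, the service's policy belongs to the service object, and only the global policy sees all three parties. The returned list of failed policies makes it clear which layer refused the request, and the `services_used` attribute updated after a granted access is what lets one side's decisions constrain the other's.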
Integrated UCON Architecture
[Figure: the User environment issues a service request to Services and accesses Data; the UCON authorization component evaluates the services' Local policy, the data's Local policy and the Global policy, supported by an Attribute Manager and an Obligation Manager]
Links
- Fabio Martinelli: www.iit.cnr.it/staff/fabio.martinelli
- GRIDtrust project: www.gridtrust.eu/
- CONSEQUENCE project: http://www.consequence-project.eu/