A Security Policy Framework for Grid Services
Abstract
Grid computing deals with flexible, secure and coordinated sharing of resources that are distributed over wide area networks. With the evolution of this field, the complexity of the distributed systems has increased and therefore the implementation of a secure environment has become difficult. At the same time, grid setups necessarily require a secure environment where users/organizations have access to resources, precisely on the basis of their rights, with proper accountability and control. This thesis work implements a security policy framework to address key security requirements (mainly identified as authentication, privacy, trust and authorization) and provide support to express, evaluate and enforce security policies related to these requirements.

The identified security requirements of grid systems have been categorized mainly into four security disciplines, which are authentication, privacy, trust and authorization. Therefore, the framework implements four different models, namely the authentication model, privacy model, trust model and policy based authorization model. These models address security requirements and policies specific to their respective disciplines.

To achieve the set objectives, a comprehensive literature review of developments related to grid and web services, their method of operation and execution has been done. The similarities and differences between the two have been brought out. A thorough study and analysis of standards and specifications used in grid and web services based systems has also been carried out. Previous work done in the areas of authentication, privacy, trust and policy based authorization in grid systems has been studied, extended in the form of a framework, and reported in detail.

Out of the four models, the authentication model provides support for single sign-on and delegation features using proxy certificates and a credential management service to store, retrieve and update multiple user credentials. The privacy and trust models provide privacy and trust based access to grid services. The privacy model in particular provides support for anonymous access, hidden service access and access to private information based on conformance to privacy policies. The trust model provides support for calculating direct as well as recommended trust to determine the trustworthiness of target services/resources. All these models also describe how the security policies related to them can be expressed and evaluated. The policy based authorization model provides access to grid services based on conformance to various types of security policies. The policy specification, evaluation and enforcement related functionality of the authentication, privacy and trust models has been incorporated into the policy based authorization model, and the resulting model is called the integrated policy based authorization model.

The complete framework has been evaluated by implementing different security related scenarios and through implementations involving enforcement of different types of access control policies. These scenarios and implementations cover different aspects related to authentication, privacy, trust and authorization. The results show that the various implementations are able to meet the identified security requirements. The results clearly demonstrate that the approach is workable and can be effectively used to address key security requirements related to authentication, privacy, trust and authorization, and further to provide policy based access to grid services/resources.
Description
Ph.D. Thesis
