A Technical paper presentation on

SECURITY IN GRID COMPUTING

V.R.SIDDHARTHA ENGINEERING COLLEGE.

VIJAYAWADA-07
PRESENTED BY:

P.SUDHEER,

Y07IT105, II/IVB.Tech,

E-mail:prattipati8@yahoo.co.in

Ph no:9989153955

TO
Quest 09
JNTUCE,HYDERABAD
ABSTRACT:
A Computational Grid is a collection of
heterogeneous computers and resources
spread across multiple administrative
domains with the intent of providing users
uniformaccess to these resources. There are
many ways to access the resources of a
Computational Grid, each with unique
security requirements and implications for
both the resource user and the resource
provider. Grid Computing strives to provide
seamless, scalable access to wide-area
distributed
resources. However, with this benefit of
resource collection and distribution, security
of that information becomes a major risk
(Vijayan, 2004). Currently there is debate
among IT professionals as to the security,
functionality, middleware, and scalability
provisions of
computational grids. A central security
requirement for grid computing can be
referred to as behaviour conformity. This is
an assurance that ad hoc related principals
(users, platforms or instruments) forming a
grid virtual alorganisation (VO) must each
act in conformity with the rules for the VO
constitution. Trusted Computing (TC)
technology can add to grid computingthe
needed property of behaviour conformity.
With TC using an essentially in-platform
(trusted) third party, a principal can be
imposed to have conformed behaviour and
this fact can be reportedto interested parties
who may only need to be ad hoc related to
theformer. A broader goal of these scenarios
are to increase the awareness of security
issues in grid computing
KEY WORDS: VIRTUAL
ORGANIZATION(VO),TRANSMISSION
CONTROL PROTOCAL(TCP),OPEN
GRID SERVICE
ARCHITECTURE(OGSA),
CONTENTS:

 ABSTRACT

 INTRODUCTION

 WHAT IS A GRID COMPUTING?

 WHAT GRID COMPUTING CAN DO?

 CONCEPTS AND COMPONENTS OF GRID

COMPUTING

 CONSTRUCTION OF GRID COMPUTING?

 MIDDLEWARE

 VIRTUAL ORGANISATION

 WHAT GRID COMPTING CANNOT DO?

 SECURITY IN GRID COMPUTING

 FUNDAMENTALS IN GRID
SECURITY

 SYMMENTIC AND ANTI

SYMMENTIC KEY

 CERTIFICATE AND DIGITAL

 GRID SECURITY POLICIES AND

PROCDURE

 GRID SECURITY INFRASTRUCTURE

 PHYSICAL

 GRIDFRIEWALL

 OPERATING
SYSTEM

 HOST INTRUSION
DECTION
  POTENTIAL GRID SECURITY RISKS

 P

 APPLICATIONS AND LIMITATIONS OF GRID

COMPUTING.

 PRESENT AND NEXT GENERATIONS OF GRID

COMPUTING

 CONCLUSION

 REFERENCE
INTRODUCTION:Security requirements risk. To properly secure your grid
are fundamental to the grid design. The environment, there are many different tools
basic security components within the Globus and technologies available. This chapter will
Toolkit provide the mechanisms for examine some of those technologies and the
authentication,authorization, and different components provided within the
confidentiality of communication between Grid Security Infrastructure (GSI) of the
grid computers.Without this functionality, Globus Toolkit.
the integrity and confidentiality of the
WHAT IS A GRID COMPUTING?
dataocessed within the grid would be at

Grid computing, most simply stated, is communications between heterogeneous

distributed computing taken to the next system created the Internet explosion. The
evolutionary level. The goal is to create the emerging standardization for sharing
illusion of a simple yet large and powerful resources, along with the availability of
self managing virtual computer out of a higher bandwidth, are driving a possibly
large collection of connected heterogeneous Lequally large evolutionary step in grid
systems sharing various combinations of computing.
resources.The standardization of
WHAT CAN GRID COMPUTING DO?

When you deploy a grid, it will be to meet a

set of customer requirements. To better
match grid computing capabilities to those
requirements, it is useful to keep in mind the
reasons for using grid computing.

PARALLEL CPU:

The potential for massive parallel CPU

capacity is one of the most attractive
features of a grid. In addition to pure
scientific needs, such computing power
isdriving a new evolution in industries such
as the bio-medical field, financialmodeling,
oil exploration, motion picture animation,
and many others.
CONCEPTS AND COMPONENTS OF
GRID COMPUTING:
CONCEPTS: Types of resources
COMPONENTS:
Any grid system has some management
components. First, there is a component that
keeps track of the resources available to the
grid and whichusers are members of the
grid. This information is used primarily to
decide where grid jobs should be
assigned.Second, there are measurement
com ponents that determine both the
capacities of the nodes on the grid and their
current utilization rate at any given time.
This information is used to schedule jobs in
the grid. Such information is also used to
determine the health of the grid, alerting
personnel to problems such as
outages,congestion, or overcommitment.
This information is also used to determine
CONSTRUCTION:
DEPLOYMENT PLANNING: The use of a
grid is often born from a need for increased
resources of some type.One often looks to
their neighbor who may have excess
capacity in the particular resource. One of
the first considerations is the hardware
available and how it is connected via a LAN
or WAN. Next, an organization may want to
A grid is a collection of machines,
sometimes referred to as “nodes,”
“resources,” “members,” “donors,”
“clients,” “hosts,” “engines,” and many
other such terms.They all contribute any
combination of resources to the grid as a
whole. Someresources may be used by all
users of the grid while others may have
specificrestrictions.
add additional hardware to augment the
capabilities of the grid.
ORGANIZATION: The technology
considerations are important in deploying a
grid. However,organizational and business
issues can be equally important. It is
important to understand how the
departments in an organization interact,
operate, and contribute to the whole.
SECURITY: Security is a much more
important factor in planning and maintaining
a grid than
in conventional distributed computing,
where data sharing comprises the bulk ofthe
activity. In a grid, the member machines are
configured to execute programs rather than
just move data. This makes an unsecured
grid potentially fertile ground for viruses
and Trojan horse programs
MIDDLEWARE:
DEVELOPMENT:This discribes the
software for the grid portal environment
.source code and applications for two of the
main gro=id protocals.resource and
datamanagement.the software ws written by
apache jetspeed and IBMwebspherebportal
sphere.
SCHEDULER:schedulers are at the
foundation of thee ny grid system.their job is
to schedule programme or jobs in clusters of
of maachine among others.and it also
includes sun grid engine,(Sge),condorand
others.and also includes managedd job
factory service providede by
troubleshootuing& globus toolkit.
VIRTUAL ORGANIZATION: Two or more
organizations that share resources become
VO.The policies governing access to those
resource vary according to the actual
organizations involved,creating an
environmemnt of providers and
consumers.resources are made available by
owners withconstraints on when,where and
what can be done on them.Resources
consumers may also place constraints on
properties of the resources they are prepared
to work with.For example ,a consumer may
accept resource over a secure channel only.
WHAT CAN GRID COMPUTING
CANNOT DO:
A word of caution should be given to the
overly enthusiastic. The grid is not a silver
:SECURITY IN GRID COMPUTING:
FUNDAMENTALS IN GRID SECURITY:
Security requires the three fundamental
services: authentication, authorization,and
encryption. A grid resource must be
authenticated before any checks can be done
OGSA:Open grid service architecture is the
middle-tier software that glues client and
scheduler service together.this includes
overview of ogsa,service
models,interfaces,factories,lifetime
management,service discovery,notifications
bullet that can take any application and run
it a 1000 times faster withoutthe need for
buying any more machines or software. Not
every application issuitable or enabled for
running on a grid. Some kinds of
applications simplycannot be parallelized.
For others, it can take a large amount of
work to modifythem to achieve faster
throughput. The configuration of a grid can
greatly affect the performance, reliability,
and security of an organization’s computing
infrastructure. For all of these reasons, it is
important for the users to understand
how far the grid has evolved today and
which features are coming tomorrow or in
the distant future.
as to whether or not any requested access or
operation is allowed within .
Authentication Authentication is the process
of verifying the validity of a claimed
individual and identifying who he or she
is.Authentication is not limited to human
beings; services,
applications, and other entities may be SYMMENTIC: Symmetric key encryption
required to authenticate also.
is based on the use of one shared secret key
Access control Assurance that each user or
to perform both the encryption and
computer that uses the service is permitted
decryption of data. To ensure that the data is
to do what he or she asks for. The process of
only read by the two parties (sender and
authorization is often used as a synonym for
receiver), the key has to be distributed
access control, but it also includes granting
securely between the two parties and no
the access or rights to perform some actions
others. If someone should gain access to the
based on access rights.
secret key that is used to encrypt the data,
Data integrity Data integrity assures that the
data is not altered or destroyed in an they would be able to decrypt the
unauthorized manner.
information. This form of encryption is
Data confidentiality Sensitive information
much faster than asymmetricencryption
must not be revealed to parties that it was
not meant for. Data confidentiality is often
Here are some commonly used examples of
also referred to as privacy. a symmetric key cryptosystem:
Key management Key management deals
with the secure
generation,distribution,authentication, and
storage of keys used in cryptography.
SYMMENTIC AND ANTI
SYMMENTIC KEYS ENCRYPTION:
_
Data Encryption Standard (DES): 56-bit key ANTI SYMMENTIC KEY ENCRYPTION:
plus 8 parity bits, developed by
IBM in the middle 1970s The asymmetric key pair is generated by a
_ Triple-DES: 112-bit key plus 16 parity bits computation which starts by finding two
or 168-bit key plus 24 parity bits vary large prime numbers. Even though the
(that is, two to three DES keys) public key is widely distributed, it is
_ RC2 and RC4: Variable-sized key, often practically impossible for computers to
40 to 128 bits long
To summarize, secret key cryptography is calculate the private key from the public
fast for both the encryption and decryption key. The security is derived from the fact
processe . However, secure distribution and that it is very difficult to factor numbers
management of keys is difficult to exceeding hundreds of digits.This
guarantee. mathematical algorithm improves security,
but requires a long encryption time,
especially for large amounts of data. For this key between the two parties,and all further
reason, public key encryption is used to encryption is performed using this
securely transmit a symmetric encryption symmetric key.

Figure 3-1 Symmetric key encryption using a

shared secret key

CERTIFICATE AND DIGITAL _ Protecting the Certificate Authority server

AUTHORITIES: _ Maintaining a namespace of unique names
for certificate owners
CERTIFICATE:A properly implemented _ Serve signed certificates to those needing
Certificate Authority (CA) has many to authenticate entities
responsibilities. responsibilities.These _ Logging activity
DIGITAL:
should be followed diligently to achieve
good security. The primary Digital certificates are digital documents
responsibilities are: that associate a grid resource with its
_ Positively identify entities requesting specific public key. A certificate is a data
certificates
_ Issuing, removing, and archiving structure containing a public key and
certificates
pertinent details about the key owner. A
certificate is considered to be a tamper-proof
electronic ID when it signed by the
Certification Authority for the grid
environment. Digital certificates, also called
X.509 certificates, act very much like
passports;they provide a means of
identifying grid resources. Unlike passports,
digital certificates are used to identify grid
resources.

GRID SECURITY POLOCIES AND build a CA, but unfortunately none of the
PROCEDURE: policies. In this section, we will examine
CA AUTHORITY some of the basic policies and expectations
A PKI must be operated in accordance with
that a CA would normally be responsible
defined policies. The deployment of a PKI
for. For any type of 76 Introduction to Grid
system in an organization requires the
Computing with Globus production CA
development of security policies and
duties, it is suggested that you examine a
processes for that organization. The demo
commercial vendor To providetheseservices
CA that is provided within the Globus
for you
Toolkit provides the software in order to
.
CONTROL REVIEW: affect the overall security of the
When building any new environment or
environment and any other areas of change.
mplementing a new software application, it
This can help provide guidance on the
is always a good idea to perform a security
overall use of security controls or how you
health check. A security health check will
are managing security within your
help determine how these new changes will
environment. A review of your security
controls can help you better understand how
security works for your passwords,
administration, toolsets, auditing, and
monitoring within your environment. This
GRID SECURITY INFRASTRUCTURE:
Apart from the different GSI components
and technologies, there are many other
infrastructure security components that are
needed to secure the grid.
Physical security
Once again, the security of grid
infrastructure is based on other common
security fundamentals. The basics involve
solid physical security practices for all grid
computers. The physical environment of a
system is also considered a part of
theinfrastructure. physical access should be
controlled and ispart of the security policies
that need to be defined For maximum
security, the network segment where the
PKI-sensitive servermachines are installed
should be physically and logically separated
from the rest of the network. Ideally, the
separation is done through a firewall that Is
transparent only for PKI-related traffic.
Normally, PKI traffic is reduced to using
only a few TCP/IP ports.
GRID FIREWALLSFirewalls can be used
within networked environment to logically
separate different sets of computers that
will provide an in-depth review of the site
security controls in place and the related
processes used within the organization.
require additional security. In a grid
environment,this is no different. The use of
firewalls within a grid design helps restrict
network.access to computers. The firewall is
an important piece of the
securityinfrastructure, so it needs to be
carefully analyzed and understood before it
is implemented.
OPERATING SYSTEM:
A review of the configuration files for each
operating system and middleware
component within the scope of the project
determines how each effectively allows
authorized users access based on your
security policy and prevents and detects
unauthorized access attempts at all times.
You should:
_ Remove any unnecessary processes from
the servers. If the grid server does not need
sendmail or an FTP server running, these
processes should be disabled.
_ Remove any unnecessary users or groups.
Introduction to Grid Computing with Globus
_ Use strong passwords for all users on the
grid server.
_ Update your server with the latest updates
and security FixPacks. This includes all
software the has been installed as well.
_ Restrict access to the /.globus directory.
_ Consider using host IDS to monitor
important directories on the server.
_ Enable logging and auditing for the server.
_ Use a uniform operating system build
whenever possible.
_ Enable file level restrictions on important
files within the server.
_ Make periodic reviews of the operating
system every other month to ensure
that nothing major has changed.
_ Enable anti-virus protection.
HOST INTRUSION DETECION:
A recommended option for further securing
your grid computers is to invest in a host
intrusion detection (IDS) product. As with
POTENTIAL GRID SECURITY RISK:
potential:
Building a PKI environment will provide the
necessary services along with the GSI to
design a secure grid solution. This, however,
does not guarantee that there are not any
security risks. Within this section, we will
examine somen possible vulnerabilities to
watch out for during your security design.
This is by no means a laundry list for all
security vulnerabilities or a cookbook for
building a srcure infrastructure.
PKI vulnerabilitiesJust because you have
built a PKI environment does not mean that
your networkis completely secure. There are
still many vulnerabilities to be aware of. It
isnecessary to always keep an open mind
any software application that stores
important files within the local workstation,
host intrusion detection can add a greater
defense for anyone manipulating files on the
workstation thatshould not be doing so.
Intrusion detection functions include:
_ Monitoring and analyzing both user and
system activities
_ Analyzing system configurations and
vulnerabilities
_ Assessing system and file integrity
_ Ability to recognize typical patterns of
attacks
_ Analysis of abnormal activity patterns
_ Tracking user policy violations
and understand that with any networked
environment there is going to be some risk
involved.
Impersonation: Obtaining a certificate
through fraudulent means (either user or
organization).
Theft of private key: Unauthorized use of a
private key associated with a
validcertificate.
Compromise of root CA private key: Using
a CA key to sign fraudulentcertificates or
destroying a private key.
Automatic Trust Decisions: Automated
trust decisions can also automate fraud.
Grid server vulnerabilities
Any server or workstation that participates
in the grid is a potential vulnerability to an
external or internal hacker. Knowing this, it
is very important to protect and isolate any
grid computer from any network or Any modification of the gridmap file.
resources that do not need explicit access to Latest operating system FixPacks. Any
the grid. Good physical security will limit application FixPacks.
the exposure of anybody walking up to the
server and accessing the console. APPLICATIONS AND LIMITATIONS
OF GRID COMPUTING:
Protect any directories of the /.globus
directory. Distributed data management
• Compute resources for simulations
Theft of the digital certificate and private
• Coupling distributed data with simulation
key (along with the private key Virtual resources and virtual organizations
for collaboration:
phrase).

Any application vulnerabilities or processes Reliability:

that are running on the grid
High-end conventional computing
systems use expensive hardware to increase

reliability.
VIRTUAL ORGANIZATION THROUGH GEOGRAPHICALLY.

PRESENT AND FUTURE
GENERATION OF GRIDS:
Today, grid systems are still at the early
stages of providing a reliable, well
performing, and automatically recoverable
virtual data sharing and storage. We will see
products that take on this task in a grid
setting, federating data of all kinds, and
achieving better performance, integration
with scheduling, reliability, and capacity.
Autonomic computing has the goal to make
the administrator’s job easier by automating
the various complicated tasks involved in
managing a grid. These include identifying
problems in real time and quickly initiating
corrective actions before they seriously
impair the grid.
provide guidance for theGrid user, the Grid
application developer, and the Grid resource
provider. While a given scenario can
provide practical guidance for design and
deployment, additional insightis gained by
recognizing the general, rapidly-emerging
issuessuch as the need for restricted
delegation (giving onlysubset of your rights
to something that will act on yourbehalf)
that can be seen running through many of
the scenarios.

CONCLUSION: There are many subtle security implications

involved in the many emerging Grid usage
Computational Grids are rapidly emerging
scenarios. Both the resource provider and
as a practical means by which to perform
the resource consumer should under stand,
new science and new applications.
from a security perspective, what is
The goal of this paper was not to discuss the
expected from each other and what might
particularsecurity mechanisms or policies of
happen if these expectations are not met.
systems such as Legion,Globus, or any other
Without this understanding, the transition
existing system, but rather to describeGrid
from experimental systems into production
security that transcends existing approaches.
systems will soon be curtailed by explicit
Each scenarioin this paper is designed to
security violations or more subtly a
compromise of information that a user had
believed was securely kept private.

REFERENCES:

TEXTBOOKS:

GRID COMPUTING A Research

Monograph by D JANAKIRAM

GRID COMPUTING for DEVELOPERS

by VLADIMIR SILVA

Introduction to GRID COMPUING with

globus

By IBM.com/redbooks

WEBSITES:

AN INTERNATIONAL WORK SHOP

PAPER ON Security Implications of
Typical Grid Computing Usage Scenarios
by Marty Humphrey, Mary R. Thompson
http://www.wikipedia.com/
www.amazon.com
www.grid.org
www.ibm.com/redbooks