Usage Control in CONTRAIL Cloud POFI 2011 Pisa, 9 June 2011 Paolo - - PowerPoint PPT Presentation

usage control in contrail cloud
SMART_READER_LITE
LIVE PREVIEW

Usage Control in CONTRAIL Cloud POFI 2011 Pisa, 9 June 2011 Paolo - - PowerPoint PPT Presentation

Jul 02, 2023 140 likes •467 views

Usage Control in CONTRAIL Cloud POFI 2011 Pisa, 9 June 2011 Paolo Mori IIT - CNR contrail-project.eu 1 Agenda CONTRAIL project Usage Control Model Security Policy Language Usage Control System Architecture

slide-1
SLIDE 1

contrail-project.eu 1

Usage Control in CONTRAIL Cloud

POFI 2011 Pisa, 9 June 2011

Paolo Mori IIT - CNR

slide-2
SLIDE 2

contrail-project.eu 2

CONTRAIL project Usage Control Model Security Policy Language Usage Control System Architecture

Agenda

slide-3
SLIDE 3

contrail-project.eu 3

CONTRAIL Project

slide-4
SLIDE 4

contrail-project.eu 4

Funded under: FP7 (Seventh Framework Programme) Area: Internet of Services, Software & virtualization (ICT-2009.1.2) Project reference: 257438 Total cost: 11,29 million euro EU contribution: 8,3 million euro Execution: From 2010-10-01 till 2013-09-30 Duration: 36 months Contract type: Collaborative project (generic)

contrail is co-funded by the EC 7th Framework Programme

slide-5
SLIDE 5

contrail-project.eu 5

  • Design, implement, validate and promote an open

source software stack for Cloud federations

  • Develop a comprehensive Cloud platform integrating a

full IaaS and PaaS offer

  • Allow Cloud providers to seamlessly integrate

resources from other Clouds with their infrastructure

  • Provide trusted Clouds by advanced SLA management
  • Break the current customer lock-in situation by allowing

live application migration from one cloud to another

Objectives

slide-6
SLIDE 6

contrail-project.eu 6

  • A CONTRAIL federation integrates in a common platform

multiple Clouds, both public and private

  • Coordinates SLA management provided by single Cloud

providers

CONTRAIL Federation

  • Does not disrupt

providers' business model

  • Allows to exploit the

federation as a single Cloud

slide-7
SLIDE 7

contrail-project.eu 7

– A collection of infrastructure services

  • Virtual Infrastructure Networks
  • Virtual Cluster Platform
  • Globally Distributed File System

– Services to federate IaaS Clouds

  • Identity Management
  • Management of federation policies
  • SLA management
  • Autonomic resource management

– A collection of PaaS services to support Cloud applications

  • High throughput elastic structured storage
  • Automatic set-up and configuration of SQL servers
  • Geographically distributed key/value store

Expected Outputs

slide-8
SLIDE 8

contrail-project.eu 8

– A collection of run-time environments

  • An efficient map-reduce implementation
  • Scalable hosting for service oriented applications
  • Autonomic workflow execution

– A collection of applications

  • Distributed Provisioning of Geo-referentiated Data
  • Multimedia Processing Service MarketPlace
  • Real-Time Scientific Data Analysis
  • Electronic Drug Discovery

Expected Outputs (II)

slide-9
SLIDE 9

contrail-project.eu

CONTRAIL in a Nutshell

slide-10
SLIDE 10

contrail-project.eu 10

Communication Communication and Dissemination and Dissemination 14 Demonstrators Demonstrators 15 Exploitation Exploitation and technology and technology transfer transfer 16

Text

  • SP5. Use cases and exploitation

Applications Applications and Use Cases and Use Cases 12 Testbeds Testbeds 13

  • SP3. Platform as a Service

High level services High level services 8 Runtime Runtime environments environments 9

  • SP1. Cloud federation management

IaaS federation IaaS federation 2 Service level Service level agreements agreements 3

  • SP2. Virtual Infrastructure layer

Virtual Virtual Infrastructure Infrastructure Network Network 4

Computational Computational Resource Management Resource Management for Virtual Cluster for Virtual Cluster Platforms Platforms

5

Global Global Autonomous Autonomous File System File System 6 Security in Security in Virtual Virtual Infrastructures Infrastructures 7

SP4. System Engineering

System System Architecture Architecture 10

Integration, Integration, testing and release testing and release management management 11

Project Project management management 1

Sub-projects and Workpackages

slide-11
SLIDE 11

contrail-project.eu 11 Security in Virtual Infrastructure

– Authentication – Usage Control – Compartmentalization and Isolation – Auditing

WP7

slide-12
SLIDE 12

contrail-project.eu 12

Usage Control Model

slide-13
SLIDE 13

contrail-project.eu 13 Defined by R. Sandhu et. al.

– The UCON Usage Control Model. ACM Trans. on Information and System Security, 7(1), 2004 – Formal Model and Policy Specification of Usage Control. ACM Trans.

  • n Information and System Security, 8(4), 2005

– Towards a Usage-Based Security Framework for Collaborative Computing Systems. ACM Trans. on Information and System Security, 11(1), 2008 – .....

Main novelties

– New decision factors – Mutability of Attributes – Continuity of Enforcement

Usage Control Model

slide-14
SLIDE 14

contrail-project.eu 14

The right is granted without pre decisions, but authorization decisions are made continuously while the right is exercised

authorize(s,o): true revoke(s,o): (usageNum(o) >10) and (s,t) in startT(o) with t min preUpdate(startT(o)): startT(o) = startT(o) U {(s,t)} preUpdate(usageNum(o)) : UsageNum(o)++ postUpdate(usageNum(o)) : UsageNum(o)-- postUpdate(startT(o)): startT(o) = startT(o) – {(s,t)} where (s,t) in startT(o) with t min

Example: onGoing Authorization

slide-15
SLIDE 15

contrail-project.eu 15

Before usage Before usage Pre decision Pre decision Pre update Pre update Usage Usage After usage After usage Ongoing update Ongoing update Post update Post update Mutability of attributes Ongoing decision Ongoing decision

Time Time

Decision Decision Usage Usage

  • Attr. update
  • Attr. update

Access VS Usage Control

Continuity

  • f decision

request request end end Access Access begin begin

slide-16
SLIDE 16

contrail-project.eu 16

Before usage Before usage Pre decision Pre decision Pre update Pre update Usage Usage After usage After usage Ongoing update Ongoing update Post update Post update Mutability of attributes Ongoing decision Ongoing decision

Time Time

Decision Decision Usage Usage

  • Attr. update
  • Attr. update

Access VS Usage Control

Continuity

  • f decision

request request Access Access begin begin

revocation

slide-17
SLIDE 17

contrail-project.eu 17

Before usage Before usage Pre decision Pre decision Pre update Pre update Usage Usage After usage After usage Ongoing update Ongoing update Post update Post update Mutability of attributes Ongoing decision Ongoing decision

Time Time

Traditional Access Control

Decision Decision Usage Usage

  • Attr. update
  • Attr. update

Access VS Usage Control

Continuity

  • f decision

request request end end Access Access begin begin

slide-18
SLIDE 18

contrail-project.eu 18

UCON Core Models

DecisionDecision Attributes Update Factors Time IMMUT PRE ONGOING POST Auth PRE Y Y N Y ON Y Y Y Y Obbl PRE Y Y N Y ON Y Y Y Y Cond PRE Y N N N ON Y N N N

slide-19
SLIDE 19

contrail-project.eu 19

Why Usage Control in CONTRAIL?

  • Accesses to some resources last a long time (hours, days,..)

– Run a Virtual Machine – Mount a Global File System on a Virtual Machine – Establish a virtual network connection – ...

  • The factors that granted the access when it was requested

could change while the access is in progress

– User's reputation could decrease – Workload of resources could change – ...

  • The security policy should be re-evaluated every time that

factors change

– An access that is in progress could be interrupted

slide-20
SLIDE 20

contrail-project.eu 20

Security Policy Language

slide-21
SLIDE 21

contrail-project.eu 21

UCON XACML Security Policy Language

  • We are extending XACML language to implement UCON

features:

– Attributes update – Continuous control

  • Preliminary work:

– A proposal on enhancing XACML with continuous usage control

  • features. CoreGrid ERCIM WG Workshop on Grids, P2P and

Service Computing, 2009

slide-22
SLIDE 22

contrail-project.eu 22

UCON-XACML Policy Schema

Pre/On/Post

Pre/On

U-XACML Policy Policy PolicySet

Rule Target Condition Obligation

AttributeUpdate

Advice Effect Policy/Rule Combining Algorithm AllOf AnyOf

1 0..* 1 1 1 1 1 1 1 1 0..* 0..* 0..* 0..* 1 1 1 1 1 1 1 1 1 1 1..* 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1..* 0..* 1 1 0..* 1..*

UCON components XACML standard components

slide-23
SLIDE 23

contrail-project.eu 23

Example of UCON-XACML policy

slide-24
SLIDE 24

contrail-project.eu 24

UCON XACML Security Policy

  • CONTRAIL supports security policies at different levels:

– Federation level – Cloud Provider level – Interactions through attributes

slide-25
SLIDE 25

contrail-project.eu 25

Usage Control System Architecture

slide-26
SLIDE 26

contrail-project.eu 26

Security-Relevant Actions

  • Are the action that are relevant for system security

– Their execution must be controlled by the usage control system

  • We are defining the set of security-relevant actions for

each component of the CONTRAIL architecture, e.g.:

– Federation Manager – VM manager – VIN – GAFS – VCP – …..

slide-27
SLIDE 27

contrail-project.eu 27

Example: VM Manager

  • Security Relevant Actions:

– Create a new VM Image – Start a VM – Stop a VM – Delete a VM Image

VM usage

Time Time

Start VM Stop VM VM Image usage Create Image Delete Image Begin access Begin access End access End access

slide-28
SLIDE 28

contrail-project.eu 28

Usage Control System Architecture

PEP

CONTRAIL component

Context handler PDP PIP PIP

Usage Control System

PAP

  • We are extending XACML architecture to deal with

continuous policy enforcement

slide-29
SLIDE 29

contrail-project.eu 29

Usage Control System Components

  • Policy Enforcement Point: intercepts the execution of

security-relevant actions

  • Context Handler: constructs XACML requests for the

PDP, retrieves attribute values

  • Policy Decision Point: evaluates the security policy to

determine user's right to execute a security relevant action

  • Policy Information Point: manages the attributes of

users and resources

  • Policy Administration Point: writes policies and make

them available to the PDP

slide-30
SLIDE 30

contrail-project.eu 30

Policy Enforcement Points (PEPs)

  • PEPs must be “embedded” in the architecture components

that implement the security-relevant action (SRA) to:

– Intercept the SRAs before their execution and suspend them – Ask the PDP to evaluate the security policy and wait for the decision – Enforce the decision of the PDP

  • resume the execution of the SRA
  • skip the execution of the SRA

– Interrupt the execution of the SRA that is in progress when requested by the PDP – Intercept the end of a SRA and communicate it to the PDP

slide-31
SLIDE 31

contrail-project.eu 31

Funded under: FP7 (Seventh Framework Programme) Area: Internet of Services, Software & virtualization (ICT-2009.1.2) Project reference: 257438 Total cost: 11,29 million euro EU contribution: 8,3 million euro Execution: From 2010-10-01 till 2013-09-30 Duration: 36 months Contract type: Collaborative project (generic)

contrail is co-funded by the

EC 7th Framework Programme