usage control in contrail cloud
play

Usage Control in CONTRAIL Cloud POFI 2011 Pisa, 9 June 2011 Paolo - PowerPoint PPT Presentation

Jul 02, 2023 •140 likes •464 views

Usage Control in CONTRAIL Cloud POFI 2011 Pisa, 9 June 2011 Paolo Mori IIT - CNR contrail-project.eu 1 Agenda CONTRAIL project Usage Control Model Security Policy Language Usage Control System Architecture

  1. Usage Control in CONTRAIL Cloud POFI 2011 Pisa, 9 June 2011 Paolo Mori IIT - CNR contrail-project.eu 1

  2. Agenda  CONTRAIL project  Usage Control Model  Security Policy Language  Usage Control System Architecture contrail-project.eu 2

  3. CONTRAIL Project contrail-project.eu 3

  4. contrail is co-funded by the EC 7 th Framework Programme Funded under: FP7 (Seventh Framework Programme) Area: Internet of Services, Software & virtualization (ICT-2009.1.2) Project reference: 257438 Total cost: 11,29 million euro EU contribution: 8,3 million euro Execution: From 2010-10-01 till 2013-09-30 Duration: 36 months Contract type: Collaborative project (generic) contrail-project.eu 4

  5. Objectives • Design, implement, validate and promote an open source software stack for Cloud federations • Develop a comprehensive Cloud platform integrating a full IaaS and PaaS offer • Allow Cloud providers to seamlessly integrate resources from other Clouds with their infrastructure • Provide trusted Clouds by advanced SLA management • Break the current customer lock-in situation by allowing live application migration from one cloud to another contrail-project.eu 5

  6. CONTRAIL Federation • A CONTRAIL federation integrates in a common platform multiple Clouds, both public and private • Coordinates SLA management provided by single Cloud providers • Does not disrupt providers' business model • Allows to exploit the federation as a single Cloud contrail-project.eu 6

  7. Expected Outputs – A collection of infrastructure services • Virtual Infrastructure Networks • Virtual Cluster Platform • Globally Distributed File System – Services to federate IaaS Clouds • Identity Management • Management of federation policies • SLA management • Autonomic resource management – A collection of PaaS services to support Cloud applications • High throughput elastic structured storage • Automatic set-up and configuration of SQL servers • Geographically distributed key/value store contrail-project.eu 7

  8. Expected Outputs (II) – A collection of run-time environments • An efficient map-reduce implementation • Scalable hosting for service oriented applications • Autonomic workflow execution – A collection of applications • Distributed Provisioning of Geo-referentiated Data • Multimedia Processing Service MarketPlace • Real-Time Scientific Data Analysis • Electronic Drug Discovery contrail-project.eu 8

  9. CONTRAIL in a Nutshell contrail-project.eu

  10. Sub-projects and Workpackages 1 Project Project management management SP5. Use cases and exploitation 13 14 12 15 16 Exploitation Exploitation Applications Applications Communication Communication and technology and technology Demonstrators and Use Cases Demonstrators and Use Cases Testbeds Testbeds and Dissemination and Dissemination transfer transfer SP3. Platform as a Service SP4. Text 8 9 System Runtime Runtime High level services High level services environments environments Engineering SP1. Cloud federation management 10 2 3 System Service level System Service level Architecture IaaS federation agreements Architecture IaaS federation agreements SP2. Virtual Infrastructure layer 11 6 7 4 5 Computational Computational Integration, Integration, Global Security in Global Security in Virtual Virtual Resource Management Resource Management testing and release testing and release Autonomous Virtual Infrastructure Autonomous Virtual Infrastructure for Virtual Cluster for Virtual Cluster management management Network Network File System Infrastructures File System Infrastructures Platforms Platforms contrail-project.eu 10

  11. WP7  Security in Virtual Infrastructure – Authentication – Usage Control – Compartmentalization and Isolation – Auditing contrail-project.eu 11

  12. Usage Control Model contrail-project.eu 12

  13. Usage Control Model  Defined by R. Sandhu et. al. – The UCON Usage Control Model. ACM Trans. on Information and System Security, 7(1), 2004 – Formal Model and Policy Specification of Usage Control. ACM Trans. on Information and System Security, 8(4), 2005 – Towards a Usage-Based Security Framework for Collaborative Computing Systems. ACM Trans. on Information and System Security, 11(1), 2008 – .....  Main novelties – New decision factors – Mutability of Attributes – Continuity of Enforcement contrail-project.eu 13

  14. Example: onGoing Authorization The right is granted without pre decisions, but authorization decisions are made continuously while the right is exercised authorize(s,o): true revoke(s,o): (usageNum(o) >10) and (s,t) in startT(o) with t min preUpdate(startT(o)): startT(o) = startT(o) U {(s,t)} preUpdate(usageNum(o)) : UsageNum(o)++ postUpdate(usageNum(o)) : UsageNum(o)-- postUpdate(startT(o)): startT(o) = startT(o) – {(s,t)} where (s,t) in startT(o) with t min contrail-project.eu 14

  15. Access VS Usage Control Continuity of decision Decision Decision Ongoing decision Ongoing decision Pre decision Pre decision request Access request begin end Access begin end Usage Before usage Usage After usage Usage Before usage Usage After usage Mutability of attributes Pre update Post update Pre update Post update Attr. update Ongoing update Attr. update Ongoing update Time Time contrail-project.eu 15

  16. Access VS Usage Control Continuity of decision Decision Decision Ongoing decision Ongoing decision Pre decision Pre decision revocation request Access request begin Access begin Usage Before usage Usage After usage Usage Before usage Usage After usage Mutability of attributes Pre update Post update Pre update Post update Attr. update Ongoing update Attr. update Ongoing update Time Time contrail-project.eu 16

  17. Access VS Usage Control Traditional Access Control Continuity of decision Decision Decision Ongoing decision Ongoing decision Pre decision Pre decision request Access request begin end Access begin end Usage Before usage Usage After usage Usage Before usage Usage After usage Mutability of attributes Pre update Post update Pre update Post update Attr. update Ongoing update Attr. update Ongoing update Time Time contrail-project.eu 17

  18. UCON Core Models DecisionDecision Attributes Update Factors Time IMMUT PRE ONGOING POST Auth PRE Y Y N Y ON Y Y Y Y Obbl PRE Y Y N Y ON Y Y Y Y Cond PRE Y N N N ON Y N N N contrail-project.eu 18

  19. Why Usage Control in CONTRAIL? • Accesses to some resources last a long time (hours, days,..) – Run a Virtual Machine – Mount a Global File System on a Virtual Machine – Establish a virtual network connection – ... • The factors that granted the access when it was requested could change while the access is in progress – User's reputation could decrease – Workload of resources could change – ... • The security policy should be re-evaluated every time that factors change – An access that is in progress could be interrupted contrail-project.eu 19

  20. Security Policy Language contrail-project.eu 20

  21. UCON XACML Security Policy Language • We are extending XACML language to implement UCON features: – Attributes update – Continuous control • Preliminary work: – A proposal on enhancing XACML with continuous usage control features. CoreGrid ERCIM WG Workshop on Grids, P2P and Service Computing, 2009 contrail-project.eu 21

  22. UCON-XACML Policy Schema XACML standard Effect components 1 Advice 0..* Policy/Rule 1 UCON 0..* Combining components Algorithm 1 1 1 1 PolicySet 1 Policy 1 1 1 1 Rule Pre/On 1..* 1 1 1 1 1 1 1 1 1 1 Pre/On/Post 1 1 1 1 0..* 0..* Target 1..* 1 1 Condition 1 1 1 0..* AnyOf 1 1 Obligation 1 U-XACML 0..* 1 1..* Policy AllOf AttributeUpdate 1 0..* contrail-project.eu 22

  23. Example of UCON-XACML policy contrail-project.eu 23

  24. UCON XACML Security Policy • CONTRAIL supports security policies at different levels: – Federation level – Cloud Provider level – Interactions through attributes contrail-project.eu 24

  25. Usage Control System Architecture contrail-project.eu 25

  26. Security-Relevant Actions • Are the action that are relevant for system security – Their execution must be controlled by the usage control system • We are defining the set of security-relevant actions for each component of the CONTRAIL architecture, e.g.: – Federation Manager – VM manager – VIN – GAFS – VCP – ….. contrail-project.eu 26

  27. Example: VM Manager • Security Relevant Actions: – Create a new VM Image – Start a VM – Stop a VM – Delete a VM Image Begin access End access VM Image usage Begin access End access VM usage Time Time Create Image Start VM Stop VM Delete Image contrail-project.eu 27

  28. Usage Control System Architecture • We are extending XACML architecture to deal with continuous policy enforcement CONTRAIL Usage Control System component Context PDP handler PEP PAP PIP PIP contrail-project.eu 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Contrail-Cirrus Man-made Experiments on Complex Cloud Physics Ulrich Schumann German

Contrail-Cirrus Man-made Experiments on Complex Cloud Physics Ulrich Schumann German

Contrail-Cirrus Man-made Experiments on Complex Cloud Physics Ulrich Schumann German Aerospace Center, Oberpfaffenhofen, Germany TOPICS: Cirrus Contrails Past: Brewer Dobson, TIL, Ice Supersaturation, Nucleation Present:

493 views • 33 slides
Climatology of tropospheric CO 2 observed by CONTRAIL- CME Taku Umezawa 1 , Toshinobu Machida 1 ,

Climatology of tropospheric CO 2 observed by CONTRAIL- CME Taku Umezawa 1 , Toshinobu Machida 1 ,

Climatology of tropospheric CO 2 observed by CONTRAIL- CME Taku Umezawa 1 , Toshinobu Machida 1 , Hidekazu Matsueda 2 , Yousuke Sawa 2 and Yosuke Niwa 2 1 National Institute for Environmental CONTRAIL Sticker Available! Studies 2 Meteorological

316 views • 12 slides
Challenging Dropbox: The Adoption and Usage of New Cloud Storage Service sciebo at German

Challenging Dropbox: The Adoption and Usage of New Cloud Storage Service sciebo at German

Challenging Dropbox: The Adoption and Usage of New Cloud Storage Service sciebo at German Universities Dominik Rudolph, Raimund Vogl, Holger Angenent, Anne Thoring, Andreas Wilmer, Christian Schild WWU Mnster 1 Academia & Cloud

534 views • 17 slides
Synergy a new approach for optimizing the resource usage in OpenStack Overview Synergy cloud

Synergy a new approach for optimizing the resource usage in OpenStack Overview Synergy cloud

Lisa Zangrando INFN Padova Synergy a new approach for optimizing the resource usage in OpenStack Overview Synergy cloud service developed in the context of the INDIGO-DataCloud European project which aims to develop a new cloud software

629 views • 16 slides
Reduced and Alternative Energy for Cloud and Telephony Applications James Hughes, Fellow Cloud

Reduced and Alternative Energy for Cloud and Telephony Applications James Hughes, Fellow Cloud

Reduced and Alternative Energy for Cloud and Telephony Applications James Hughes, Fellow Cloud Computing www.huawei.com HUAWEI TECHNOLOGIES CO., LTD. Agenda Energy usage in a Telco Trends and direction Energy usage in data centers

358 views • 21 slides
Access Control Origin Usage Control (UCON) Since the advent of timesharing system The

Access Control Origin Usage Control (UCON) Since the advent of timesharing system The

Access Control Origin Usage Control (UCON) Since the advent of timesharing system The main goal is to selectively determine who can access services, resources, and ISA 767, Secure Electronic Commerce digital contents and Xinwen

313 views • 10 slides
Smart Cloud Federation Simulations with CloudSim Gaetano F. Anastasi, Emanuele Carlini, Patrizio

Smart Cloud Federation Simulations with CloudSim Gaetano F. Anastasi, Emanuele Carlini, Patrizio

Smart Cloud Federation Simulations with CloudSim Gaetano F. Anastasi, Emanuele Carlini, Patrizio Dazzi Contrail is co-funded by the EC 7th Framework Programme under Grant agreement nr. 257438 National Research Council of Italy Clouds are

631 views • 28 slides
10 years of observation for greenhouse gases by commercial airliner in the CONTRAIL project Y.

10 years of observation for greenhouse gases by commercial airliner in the CONTRAIL project Y.

10 years of observation for greenhouse gases by commercial airliner in the CONTRAIL project Y. Sawa 1 , T. Machida 2 , H. Matsueda 1 , Y. Niwa 1 , T. Umezawa 2 , K. Tsuboi 1 , K. Katsumata 2 , H. Eto 3 , D. Goto 4 , S. Morimoto 5 , S. Aoki 5 1.

187 views • 18 slides
Three-dimensional behaviors of atmospheric CO 2 revealed by the CONTRAIL project T. Machida 1 , H.

Three-dimensional behaviors of atmospheric CO 2 revealed by the CONTRAIL project T. Machida 1 , H.

Three-dimensional behaviors of atmospheric CO 2 revealed by the CONTRAIL project T. Machida 1 , H. Matsueda 2 , Y. Sawa 2 , Y. Niwa 2 and T. Shirai 1 1. NIES, 2. MRI Old JAL Project (MRI, JAL, JAL F) 1993-2005, Twice/month CO 2 , CH 4 , CO ASE:

371 views • 21 slides
Decentralized Cloud Storage Putting Data in the Cloud without Losing Control Introduction +

Decentralized Cloud Storage Putting Data in the Cloud without Losing Control Introduction +

Decentralized Cloud Storage Putting Data in the Cloud without Losing Control Introduction + David Vorick, CEO + Blockchain Expert + Bitcoin enthusiast since 2011 + Full time Blockchain Engineer since 2014 + Co-founded Sia in 2014 + Sia

453 views • 28 slides
Access Control in Untrusted Cloud Storage using Unidirectional Re-encryption Zach Kissel, Jie

Access Control in Untrusted Cloud Storage using Unidirectional Re-encryption Zach Kissel, Jie

Access Control in Untrusted Cloud Storage using Unidirectional Re-encryption Zach Kissel, Jie Wang University of Massachusetts Lowell The Cloud Cloud storage makes many promises: Data can be accessed anywhere at any time No

698 views • 42 slides
Introduction To Puppet And Usage In Cloud Aditya Patawari Fedora Ambassador and Contributor

Introduction To Puppet And Usage In Cloud Aditya Patawari Fedora Ambassador and Contributor

Introduction To Puppet And Usage In Cloud Aditya Patawari Fedora Ambassador and Contributor System Administrator at Directi Internet Solutions aditya@adityapatawari.com adimania on freenode irc May 13, 2012 Aditya Patawari Introduction To

520 views • 14 slides
for reducing energy usage -Dr. Anders S.G. Andrae, Huawei, Nov. 1, 2013 Outline Experience of

for reducing energy usage -Dr. Anders S.G. Andrae, Huawei, Nov. 1, 2013 Outline Experience of

The role of cloud computing, telepresence and telecommuting for reducing energy usage -Dr. Anders S.G. Andrae, Huawei, Nov. 1, 2013 Outline Experience of Huawei Introduction to energy consumption of ICT, Entertainment&Media and cloud

592 views • 31 slides
K Pre-Post Cloud Tutorial for basic usage RIKEN R-CCS MARCH 18, 2019 About this Slides This

K Pre-Post Cloud Tutorial for basic usage RIKEN R-CCS MARCH 18, 2019 About this Slides This

K Pre-Post Cloud Tutorial for basic usage RIKEN R-CCS MARCH 18, 2019 About this Slides This material explains how to create your first instance with OpenStack dashboard in order to know what OpenStack virtualization is. Also, this material is

601 views • 32 slides
Why We Use a New Currency: The Role of Trust and Control in Explaining the Perception and Usage

Why We Use a New Currency: The Role of Trust and Control in Explaining the Perception and Usage

Why We Use a New Currency: The Role of Trust and Control in Explaining the Perception and Usage of Bitcoin Dissertation Presentation Joe Walton, Ph.D. Introduction Recent Events Bitcoin burst on scene in 2008 at height of Great

759 views • 57 slides
1 (Cloud) Colocation Games Colocation Games: Questions IaaS cloud providers offer

1 (Cloud) Colocation Games Colocation Games: Questions IaaS cloud providers offer

Do you trust that the price is right? I n Cloud ( Markets) W e Trust Towards a Trustworthy Marketplace for Cloud Resources Holistic system (social) view is pass Azer Bestavros Tenants make resource acquisition/ control

481 views • 7 slides
Anc illary Se rvic e s and F re que nc y Ope rating Standards October 15 th 2018 1. Follow on

Anc illary Se rvic e s and F re que nc y Ope rating Standards October 15 th 2018 1. Follow on

Power System Operations Working Group Meeting 1b (follow up): Anc illary Se rvic e s and F re que nc y Ope rating Standards October 15 th 2018 1. Follow on from meeting #1 WEM FOS Ag e nda a) Items raised during the previous meeting

439 views • 40 slides
Monk algebras, completions, and atom structures Robin Hirsch and Ian Hodkinson Aim To show that

Monk algebras, completions, and atom structures Robin Hirsch and Ian Hodkinson Aim To show that

Monk algebras, completions, and atom structures Robin Hirsch and Ian Hodkinson Aim To show that relation algebras can shed light on duality-related matters. To nail more nails in the cof fi n of the hope that RRA is docile. But also perhaps, to

268 views • 25 slides
A Lightweight Epistemic Logic and its Application to Planning Elise Perrotin Joint work with

A Lightweight Epistemic Logic and its Application to Planning Elise Perrotin Joint work with

Introduction EL-O: Epistemic Logic of Observation Epistemic planning with conditional effects Conclusion A Lightweight Epistemic Logic and its Application to Planning Elise Perrotin Joint work with Martin Cooper, Andreas Herzig, Faustine

549 views • 24 slides
Appendix A Constitution - Summary of Proposals Full Council May 2018 Proposals to Full Council

Appendix A Constitution - Summary of Proposals Full Council May 2018 Proposals to Full Council

BUSINESS CHANGE Title Appendix A Constitution - Summary of Proposals Full Council May 2018 Proposals to Full Council - specific votes Current Recommendation Petitions : 3500 signatures = debate at Threshold is lifted from 3500 to 1% of

457 views • 10 slides
Section 12 Section 12 External Bus Interface Unit (EBIU) a 12-1 1 ADSP-BF533 Block Diagram

Section 12 Section 12 External Bus Interface Unit (EBIU) a 12-1 1 ADSP-BF533 Block Diagram

Section 12 Section 12 External Bus Interface Unit (EBIU) a 12-1 1 ADSP-BF533 Block Diagram L1 Core Instruction Timer 64 Memory Performance Core LD0 32 Monitor Processor L1 Data LD1 32 Memory JTAG/ Debug SD32 Core D0 bus Core

397 views • 35 slides
Vagrant development environments made easy Michele Orselli CTO@Ideato _orso_ micheleorselli /

Vagrant development environments made easy Michele Orselli CTO@Ideato _orso_ micheleorselli /

Vagrant development environments made easy Michele Orselli CTO@Ideato _orso_ micheleorselli / ideatosrl mo@ideato.it How many of you are developers? Which is your OS? Win? Mac? Linux? Project setup/configuration can be time consuming

735 views • 48 slides
Episode 3: Symbols and Boolean Values (You have 1 new chat request) (You have 1 new chat

Episode 3: Symbols and Boolean Values (You have 1 new chat request) (You have 1 new chat

Episode 3: Symbols and Boolean Values (You have 1 new chat request) (You have 1 new chat request) Sophia: Really? (You have 1 new chat request) Sophia: Really? Michael: Hi 2 u 2. (You have 1 new chat request) Sophia: Really? Michael: Hi 2

801 views • 40 slides
Forward Looking Statements Safe Harbor Statement Under the Private Securities Litigation Reform

Forward Looking Statements Safe Harbor Statement Under the Private Securities Litigation Reform

2 Forward Looking Statements Safe Harbor Statement Under the Private Securities Litigation Reform Act of 1995: This release contains certain forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995 and

505 views • 16 slides

More recommend