Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Security Services Lifecycle Management in Dynamically Provisioned

advertisement 
Security Services Lifecycle Management in Dynamically
Provisioned Composable Services
Yuri Demchenko, Cees de Laat (University of Amsterdam), Diego R. Lopez (RedIRIS), Joan A. Garcia Espin (I2CAT)
Security Services Lifecycle Model
(a)
Services
Lifecycle
Stages
Service
Request
(GRI)
(b) Security
Services
Lifecycle
Stages
Design
Development
Reservation
SecServ
Request
(GRI)
Deployment
Deployment &
RsrBind
Reserv
Session
Binding
Registr
Synchro
(Ext)
Operate
Maintain
Use case: Provisioning Multi-domain Collaborative
Environment On-Demand
Decommision
Instrument
(Manufactoring)
Control &
Monitoring
User A
Operatn
Access
Grid
Storage T0
Grid
Center
Grid
Storage T1
Grid
Center
Grid
Storage T1
Visualisation
Decommission
User K
User P
Security Service request and generation of the GRI that will serve as a provisioning session identifier
and will bind all other stages and related security context.
Reservation session binding that provides support for complex reservation process including required
access control and policy enforcement.
Deployment stage begins after all component resources have been reserved and includes distribution
of the security context and binding the reserved resources or services to GRI as a common
provisioning session ID.
Registration&Synchronisation stage (optional) specifically targets possible scenarios with the
provisioned services migration or failover/interruption. In a simple case, the Registration stage binds
the local resource or hosting platform run-time process ID to the GRI as a provisioning session ID.
Operation stage - security services provide access control to the provisioned services and maintain
the service access or usage session.
Decommissioning stage ensures that all sessions are terminated, data are cleaned up and session
security context is recycled.
SLM
stages
Request
Process/
Activity
SLA Nego
tiation
Design/
Reservation
Development
Deployment
Service/
Resource
Composition
Reservation
Composition
Configuration
Operation
Orchestratio
n/ Session
Managemen
t
General and security mechanisms in SLM/SSLM
Decomissi
oning
SLA – used at the stage of the service Request placing and can
also include SLA negotiation process.
Workflow is typically used at the Operation stage as service
Orchestration mechanism and can be originated from the
design/reservation stage.
Metadata are created and used during the whole service
lifecycle and together with security services actually ensure
the integrity of the SLM/SSLM.
Dynamic Security Associations support the integrity of the
provisioned resources and are bound to the security sessions.
Authorisation Session Context supports integrity of the
authorisation sessions during Reservation, Deployment and
Operation stages.
Logging can be actually used at each stage and essentially
important during the last 2 stages – Operation and
Decommissioning.
Logoff
Accountin
g
Mechanisms/Methods
SLA
V
V
Workflow
Metadat
a
(V)
V
V
V
V
V
Dynamic
Security
Associat
n
(V)
V
V
AuthZ
Session
Context
V
(V)
V
Logging
(V)
(V)
V
V
Visualisation
Computing
Cloud
Permanent link
High Speed link provisioned on demand
Link provisioned on-demand
Components of the typical e-Science infrastructure involving multidomain
and multi-tier Grid and Cloud resources and network infrastructure.
Composable Services Architecture (CSA)
Applications and User Terminals
User
Client
Proxy (adaptors/containers) – Composed/Virtualised Services and Resources
Control &
Management
Plane
Open Group Service Integration Maturity Model (OSIMM)
• Provides framework for evaluation and development of the strategy for business model/processes migration to true SOA
• Defines 7 maturity level and 7 dimensions to achieve “Dynamically reconfigured virtualised services”
• To ensure consistency security issues addressed at multiple dimensions: Business, Methods/models, Services. (Information)
Microsoft Security Development Lifecycle (SDL) Framework
• Primarily focused on the product development process by engineers/programmers
(Training) – Requirements – Design – Implementation – Verification – Release – (Response)
Composition
Layer
(Reservation
SLA
Negotiatn)
Composable Services Middleware
(GEMBus)
(Operation,
Orchestration)
MD SLC
Registry
Logging
Security
Logical Abstraction Layer for Component Services and Resources
Proxy (adaptors/containers) - Component Services and Resources
Storage
Resources
Existing Frameworks in Services Virtualisation and On-Demand Provisioning
ITU-T standards seria Y: Global information infrastructure, Internet protocol aspects and Next-Generation Networks (NGN)
• ITU-T REC Y.2232 (01/2008) NGN convergence service model and scenario using Web Services
• ITU-T REC Y.2234 (09/2008) Open service environment capabilities for NGN
• ITU-T REC Y.2701 (04/2007) Security requirements for NGN release 1
• Security requirements to NGN and security services binding to basic NGN interfaces (e.g., UNI, NNI, ANI)
TMF standardised frameworks, practices and procedures
• NGOSS – New Generation Operations Systems and Software (including eTOM)
• SDF - Service Delivery Framework
• SLAM - Service Level Agreement (SLA) Management Framework
Cloud
Storage
Compute
Resources
Network Infrastructure
Component Services & Resources
CSA Incorporates the major principles of the Service Oriented Architecture (SOA) and supports
SLM/SSLM services lifcecycle management models
Logical Abstraction layer provides a basis for uniform component services presentation
allowing federated cross-domain composite services operation.
GEMBus Infrastructure for Composable Services
GEMBus Component Services
Service 1
(CSrvID,
SesID)
Service 4
(CSrvID,
SesID)
Service 3
(CSrvID,
SesID)
Service 2
(CSrvID,
SesID)
Message Handling
Routing
Service Delivery Framework (SDF) by TeleManagement Forum (refactored from[1])
Targeted automation of the whole service
delivery and operation process including:
• End-to-end service management in a multi-
Design
16
SDF Service Design
Management (ISS)
Deploy
SDF Service
Repository (ISS)
9
10
SDF Service
Lifecycle Metadata
Repository (ISS)
17
11
SDF Service
Deployment
Management (ISS)
SDF Service Lifecycle
Metadata
Coordination (ISS)
2
Operate
SDF Service State
Monitor (ISS)
5
SDF Service Provisng
Mngnt (MSS)
SDF Service
Instance
1
6
3a
SDF Service Quality/
Problem Mngnt (MSS)
12
3
SDF Service Resource
Fulfillment (ISS)
SDF Service Resource
Monitor (ISS)
7
SDF Service Usage
Mngnt (MSS)
SDF MSS
1.
2.
3.
4.
Composite Services
provisioned on-demand
4
Service instance
Service Management Interface
Service Functional Interface
Management Support Service
(SDF MSS)
4. Infrastructure Support Service
(ISS)
13
14
service providers environment
• End-to-end service management in a
composite, hosted and/or syndicated service
environment
• Management functions to support a highly
distributed service environment, for example
unified or federated security, user profile
management, charging etc.
• Any other scenario that pertains to a given
phase of the service lifecycle challenges, such
as on-boarding, provisioning, or service
creation
Configuration
GEMBus Messaging
Infrastructure (GMI)
GEMBus
Registry
Composition &
Orchestration
15
DESIGN STAGE
9. Service Repository
10. Service Lifecycle Metadata Repository
14. Service Design Management
DEPLOYMENT STAGE
10. Service Lifecycle Metadata Repository
11. Service Lifecycle Metadata Coordinator
15. Service Deployment Management
Security Service
Logging Service
CSrvID – Composite Service ID
SesID – Provisioning Session ID
GEMBus Infrastructure Services
SDF Service Resource
Usage Monitor (ISS)
SDF ISS
Interceptors
AspectOriented
GEMBus
8
OPERATION STAGE
5. Service Provisioning Management
6. Service Quality/Problem Management
7. Service Usage Monitor
9. Service State Monitor
10. Service Resource Fulfilment
11. Service Resource Monitor
12. Resource Usage Monitor
[1] TeleManagement Forum Service Delivery Framework (SDF) - http://www.tmforum.org/ServiceDeliveryFramework/4664/home.html
GEMBus provides common dynamically configurable messaging infrastructure for Composable
services communication
GEMBus is an ongoing development in the GN3 JRA3 Task 3 Composable Services activity
Contributing Project
GEANT3 JRA3 Task 3 – Composable services (GEMBus) - http://www.geant.net/
GEYSERS – Generalised Architecture for Infrastructure services - http://www.geysers.eu/
Credits: Yuri Demchenko, Cees de Laat, Diego R. Lopez, Joan A. Garcia Espin
Contact: Yuri Demchenko <y.demchenko@uva.nl>
Related documents
FEEDBACK ON WORKPLACE SKILLS PLAN REPORT
FEEDBACK ON WORKPLACE SKILLS PLAN REPORT
Negotiated Text
Negotiated Text
Photos from ISS - Space Exploration
Photos from ISS - Space Exploration
(SDF) Study Support and Work Placement Applications
(SDF) Study Support and Work Placement Applications
Charity Law and Administration
Charity Law and Administration
Evaluation and pricing of risk under stochastic volatility
Evaluation and pricing of risk under stochastic volatility
EXAMPLES
EXAMPLES
1a - Intro to ID and..
1a - Intro to ID and..
Composable Services Architecture for Dynamically Configurable Virtualised Infrastructure Services Provisioning
Composable Services Architecture for Dynamically Configurable Virtualised Infrastructure Services Provisioning
Security Services Lifecycle Management in On-Demand Infrastructure Services Provisioning Yuri Demchenko
Security Services Lifecycle Management in On-Demand Infrastructure Services Provisioning Yuri Demchenko
Download
advertisement