Trust and Security in Virtual Communities
Third Workshop — Trusted Services:
Requirements and Prospects
Andrew Martin
eSI/OeRC/Oxford University Software Engineering Centre
eSI 8th/9th July 2008
wiki.esi.ac.uk/Trust and Security Third Workshop
Housekeeping
wireless network
dinner this evening
refreshments
toilets
emergency exit
other things?
“Trusted Services: Requirements and Prospects”
Objectives
The First Theme Workshop sought to determine the
Application-Led Agenda for Security in eScience, and the
second workshop followed this up by exploring the most urgent
issues raised: Usability and Interoperability in Authentication
and Authorization.
The aim of the Third Workshop is to move the agenda forward
by considering application domains which have significant trust
requirements, beyond those offered by current commodity (grid,
cloud) computing models.
In particular:
1. look for case studies matching emerging technologies with emerging needs
2. identify steps (possible projects?) towards trialling these
Methodology
1. A number of invited speakers: each has a slot of up to an hour. Intention is to present their work, and have potentially substantial discussion following (or interspersed with) each talk.
2. Final plenary discussion, to identify emerging themes.
3. Written report to be produced.
4. Wiki should be used to capture as much information as possible. It’s always good to record concrete examples, as well as “broad brush” statements.
Please upload your slides, or email them to me.
Caveat
We are assuming that what is said here can be in a
widely-circulated report, and can be reported on the eSI wiki. If
you say something which is not to be reported in this way,
please make that clear.
Security can be a touchy issue. If your comments can be
reported but must be non-attributable, that’s ok too. Just make
it clear.
Proposed Timetable
Tuesday
10.00am  Arrival, Registration, and Coffee
11.00am  Theme Introduction and workshop objectives
12noon   Adel Taweel: Experiences with developing ePCRN project
1pm      Lunch
1.45pm   Jens Jensen
2.45pm   Coffee
3.00pm   John Zic
4.00pm   James Cheney: Provenance and Security
7.30pm   Dinner at Howies
Proposed Timetable
Wednesday
9.00am   Andy Cooper: Towards a Trusted Grid Architecture
10.00am  Jun Ho Huh: Trusted Logging for Grid Computing
11.00am  Coffee
11.15am  Po-Wah Yau: Applying Trusted Computing to a workflow s
12.15pm  Yonatan Zetuny: Reputation-Policy Trust Model for Grid Re
1pm      Lunch
1.45pm   Discussion: Emerging Themes, Capabilities, Next Steps
3pm      End of workshop
First Workshop: Summary
The Application-Led Agenda for Security in eScience
Report identifies four emerging cross-cutting themes:
Poor usability in Authentication and Authorization
pioneers can make it work; for others it needs to be
seamless
Poor Interoperability
pioneers can make it work; for others it needs to be
seamless
Need for detailed guidance (specifically in medical
projects, or others with sensitive personal data)
Growing requirements for trusted processing (trustworthy
services)
Good: Risk-based approach to security and planning seems to
have become embedded in eScience.
Bad: The quality of service (w.r.t. security) is insufficient for
many applications. Many ad hoc solutions.
Trusted/Trustworthy Services
Numerous participants spoke of requirements to improve the
evident trustworthiness of remote services. There is, for
example, no possibility of using National Grid Service
resources or even campus grid resources to process personal
or medical data, because no suitable confidentiality guarantees
are in place. We are aware of other projects which have
prototyped the use of such tools, but for reasons of commercial
value will not deploy data or code to shared resources.
confidentiality of data/code/algorithms
confidentiality of parameters
integrity of results
confidentiality of results
reliability/reputation of service
reliable semantics of service
Trusted/Trustworthy Services
provenance as a security issue
security aspects of variations in QoS
how to gain confidence that the service really encrypts
data between remote hops?
code quality issues
licence compliance: for software, for data provision
Second Workshop: Summary
Usability and Interoperability in Authentication and Authorization
PKI nonsense (end-user digital certificates) seems to be
on the run except for international work
quite a few barely-compatible alternatives; many ‘process’
problems (issue and revocation of credentials;
manageability of quotas; VO management)
participants identified need for best practice guide (to avoid
‘over-doing’ security; as well as avoiding its neglect)
Second Workshop
Open Question
Security must always be “just good enough” for the application
area and context. Clearly, there are some eScience projects
with very high assurance needs (for sensitive personal data, for
example), and many with almost trivial security requirements.
What remains unclear is whether there is a continuum between
these extremes (so that eScience is an ideal test-bed for trying
out a range of progressively stronger security ideas), or
whether there is a big step change at some point, where
everything has to change.
Resolving this seems to be a key to finding a strategy for
advancing the state-of-the-art.
Spectrum
[Figure: a single spectrum of assurance needs, from “high” (physical isolation; fine-grained, audited access control) to “low” (simple access controls). Application domains placed along it: Individual Patient Records, Climate Prediction Data, financial modelling, Census Data, bioinformatics, engineering collaborations, Particle Physics Data. Mechanisms placed along it: in-house ‘grid’, supervised access, ‘sticky policies’, DRM, virtual organisation management, general-purpose grid.]
(single dimension over-simplifies the issues)
Spectrum
1. want to elaborate the picture further
2. need realistic goals
3. identify strong feasible case studies
4. advancing the boundaries of what’s possible, piecemeal
Trusted Services
Don’t we already trust lots of services?
yes, but should we?
grounds for trust deserve to be made explicit (and where
possible, quantified)
many application domains regard the technologies of
eScience as untrustworthy
lack of explicit QoS
very fat middleware: inherently large trusted computing
base
grid/cloud abstraction is at odds with accountability
in some cases trust begins and ends with the contracts we
sign
Trusted Services
And yet:
simply keeping everything in house is not necessarily
viable
ethics (often backed by law and regulation) has a big
impact:
personal data has to be protected (“appropriate technical
measures. . . ”)
data integrity/results provenance becomes ever more
critical
threats and their likelihood vary by application domain, but
are no longer in the realm of fantasy and high-grade
espionage
commercial value of digital assets continues to grow
technology is not standing still, either
To achieve the best science, we cannot afford inaction.
Trust
Trust is the subject of stacks of literature, in computing, in
psychology, and so on.
Dieter Gollmann: Why Trust is Bad for Security
Ken Thompson: Reflections on Trusting Trust
US DoD: Trusted Computer System Evaluation Criteria (the “Orange Book”)
...
Trusted Systems
Trusted systems are those upon whose correct (or predictable)
operation we simply rely.
If they fail to live up to our expectations, bad consequences will
follow.
Careful speakers distinguish
trusted systems
trustworthy systems
— we could have either without it being the other.
Steps to Trust
Graeme Proudler says that it is safe to trust something when:
1. it can be unambiguously identified, and
2. it operates unhindered, and
3. the user has first-hand experience of consistent, good behaviour, or the user trusts someone who vouches for consistent, good behaviour.
“An entity can be trusted if it always behaves in the expected manner for the intended purpose.” (TCG 2004)
RFC 2828
trust 1. (I) Information system usage: The extent
to which someone who relies on a system can have
confidence that the system meets its specifications,
i.e., that the system does what it claims to do and
does not perform unwanted functions. (See: trust
level.)
(C) "trusted vs. trustworthy": In discussing a
system or system process or object, this Glossary
(and industry usage) prefers the term "trusted"
to describe a system that operates as expected,
according to design and policy. When the trust can
also be guaranteed in some convincing way, such as
through formal analysis or code review, the system
is termed "trustworthy"; this differs from the ABA
Guidelines definition (see: trustworthy system).
RFC 2828
trusted computer system (I) Multilevel security
usage: "A system that employs sufficient hardware
and software assurance measures to allow its use for
simultaneous processing of a range of sensitive or
classified information." [NCS04] (See: (discussion
under) trust.)
RFC 2828
trustworthy system (O) ABA usage: "Computer hardware,
software, and procedures that: (a) are reasonably
secure from intrusion and misuse; (b) provide
a reasonably reliable level of availability,
reliability, and correct operation; (c) are
reasonably suited to performing their intended
functions; and (d) adhere to generally accepted
security principles." [ABA] This differs somewhat
from other industry usage. (See: (discussion of
"trusted vs. trustworthy" under) trust.)
Trusted Computing
The approach of the Trusted Computing Group, then, means building computer systems which . . .
1. strongly identify themselves
2. strongly identify their current configuration/running software
3. allow us to make rational decisions about the level of trust to invest in them.
platform identity will be based on public-key cryptography
software identity will be based on cryptographic hashes of program object code (in theory . . . )
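The three points above, as an added example that is not part of the original slides and is not TCG or TPM code: a Go model of measured boot in which each loaded component’s object code is hashed and folded into a PCR-style register (software identity), and the platform then signs the register value together with a verifier-supplied nonce (platform identity), so the relying party can decide rationally whether to trust it. ECDSA P-256 stands in for the TPM attestation key, SHA-256 for the PCR hash, and the component names, “object code” byte strings and nonce are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Measurement is one entry of a measured-boot event log: the component name
// and the SHA-256 of its object code (the slide's "software identity").
type Measurement struct {
	Name   string
	Digest [32]byte
}

// Digest hashes a component's object code (constructed sample bytes here).
func Digest(code []byte) [32]byte { return sha256.Sum256(code) }

// ExtendPCR models a TPM PCR extend: PCR' = H(PCR || digest). The chain is
// order-sensitive and can only be extended, never reset by software.
func ExtendPCR(pcr, digest [32]byte) [32]byte {
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// ReplayLog recomputes the PCR value an event log should have produced,
// starting from the all-zero reset value.
func ReplayLog(log []Measurement) [32]byte {
	var pcr [32]byte
	for _, m := range log {
		pcr = ExtendPCR(pcr, m.Digest)
	}
	return pcr
}

// Quote is what the platform reports: the PCR value, the verifier's nonce
// (freshness) and a signature by the platform's attestation key (the slide's
// "platform identity"). ECDSA P-256 is an assumed stand-in for a TPM key.
type Quote struct {
	PCR       [32]byte
	Nonce     []byte
	Signature []byte
}

func quoteDigest(pcr [32]byte, nonce []byte) []byte {
	h := sha256.Sum256(append(pcr[:], nonce...))
	return h[:]
}

// MakeQuote is the platform side: sign H(PCR || nonce) with the attestation key.
func MakeQuote(key *ecdsa.PrivateKey, pcr [32]byte, nonce []byte) (Quote, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, quoteDigest(pcr, nonce))
	if err != nil {
		return Quote{}, err
	}
	return Quote{PCR: pcr, Nonce: nonce, Signature: sig}, nil
}

// VerifyQuote is the relying-party side. It checks, in order: the nonce it
// issued (anti-replay), the signature under the platform's known public key,
// that the event log replays to the quoted PCR, and that every component in
// the log has a known-good digest. Only then is trust a rational decision.
func VerifyQuote(pub *ecdsa.PublicKey, q Quote, nonce []byte, log []Measurement, golden map[string][32]byte) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return fmt.Errorf("nonce mismatch: stale or replayed quote")
	}
	if !ecdsa.VerifyASN1(pub, quoteDigest(q.PCR, q.Nonce), q.Signature) {
		return fmt.Errorf("signature does not verify under the platform key")
	}
	if ReplayLog(log) != q.PCR {
		return fmt.Errorf("event log does not replay to the quoted PCR")
	}
	for _, m := range log {
		want, known := golden[m.Name]
		if !known {
			return fmt.Errorf("unknown component %q in log", m.Name)
		}
		if want != m.Digest {
			return fmt.Errorf("component %q has an unexpected digest", m.Name)
		}
	}
	return nil
}

func main() {
	// Constructed sample: the relying party knows two good component digests.
	golden := map[string][32]byte{
		"bootloader": Digest([]byte("bootloader v1")),
		"kernel":     Digest([]byte("kernel v1")),
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nonce := []byte("verifier-nonce-0001")

	good := []Measurement{{"bootloader", golden["bootloader"]}, {"kernel", golden["kernel"]}}
	q, _ := MakeQuote(key, ReplayLog(good), nonce)
	fmt.Println("clean boot:", VerifyQuote(&key.PublicKey, q, nonce, good, golden))

	// Same platform and key, but the kernel was modified before it was measured.
	bad := []Measurement{{"bootloader", golden["bootloader"]}, {"kernel", Digest([]byte("kernel v1 + rootkit"))}}
	q, _ = MakeQuote(key, ReplayLog(bad), nonce)
	fmt.Println("tampered kernel:", VerifyQuote(&key.PublicKey, q, nonce, bad, golden))
}
```

The signature proves which platform is speaking, the nonce proves it is speaking now, and the replayed log proves what it is running; each check alone is insufficient, since a genuine key will happily sign the PCR of a compromised boot. The slide’s “in theory . . . ” caveat is visible in the last check: a matching digest says only that the object code is the code the verifier expected, not that that code behaves well.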
Andrew Martin
Trust and Security: Third Workshop
TCG: The “BIG” Picture
[Figure: TCG “The BIG Picture” (Copyright 2005-2007 Trusted Computing Group; other names and brands are properties of their respective owners). Platform types: Desktops & Notebooks, Servers, Virtualized Platform, Mobile Phones, Hardcopy. Infrastructure areas: Authentication, Networking, Storage, Security Hardware. Application layers: Software Stack, Operating Systems, Web Services, Authentication, Data Protection.]
Trusted Infrastructure Research
Delivering the low-level benefits via middleware; incremental
benefits — moving the feasibility line
strong platform identity
including dynamic provisioning of hosts
strong software identity; locked secrets
Security Hardware Enhanced MyProxy (SHEMP)
Daonity/Daoli secure migration of credentials in a VO
trusted data centre?
trustworthy cycle-stealing/high-throughput computing
improved VPN/remote working capability
Enabler of New Models
“Digital Rights Management for all”
DRM’s time is yet to come! Perhaps as ‘PRM’.
Virtual Data Enclaves?
Compare IBM’s virtual domains
Processing of data from many sources, without giving up
control
Data which travels with its policy; how are policies
combined?
Theme Future
. . . depends on this workshop’s outcomes
. . . will include a workshop on digital rights management, sticky policies, etc.
. . . see also the “Information Assurance for eScience” workshop
at All Hands 2008