myGrid asset-based security analysis Victor Tan, Luc Moreau University of Southampton Mike Surridge IT Innovation myGrid in one slide • EPSRC pilot project (Manchester, Southampton, Nottingham, Newcastle, Sheffield, EBI) • Industrial partners (AZ,Merck,GSK,IBM, SUN, …) • myGrid aims at providing a personalised environment for bioinformaticians to perform in silico experiments • In-silico experiments operate over the Grid; resources are geographically distributed and managed by multiple institutions; necessary tools, services, and worflows are discovered and invoked dynamically; this is data intensive grid. Motivation • • • Perform security analysis of myGrid Need to design security architecture for myGrid From a project viewpoint, decide what aspect of security we need to allocate our resources to Background • Follow standard security engineering process methodology 1. Define primary purpose and goals of the project 2. Obtain high-level security requirements 3. Identify assets in project 4. Identify risks posed to assets and the cost of possible compromise 5. Selection of security technologies on the basis of a cost benefit analysis 6. Definition of operational responsibilities: development, maintenance and response. Background • A two steps approach: – Questionnaire 1 to identify high-level project goals and high-level security requirements – Questionnaire 2 to identify project assets, risks, and technological solutions. Questionnaire 1 scope and structure • Scope of Questionnaire 1 1. Define primary purpose and goals of the project 2. Obtain high-level security requirements • Divided into 6 main parts 1. 2. 3. 4. 5. 6. Purpose of the project Deployment and management Security management and roles Organizational issues myGrid communities Legal issues Purpose of the project (Part 1) • Three distinct viewpoints for operation of myGrid – Bioinformatics – Grid computing – Industrial use • For each viewpoint, identify the primary goal – – – – Research tool One-off-demo Proof-of-concept Operational use Purpose of the project (Part 1) • For each viewpoint, identify the level of risk associated with the compromise of: – User identity – Data integrity and confidentiality – Host machines • Explore the longevity of the myGrid components and services after final report writing – Handling of code base – Management of code base and services Summary of survey (Part 1) • The majority opinion is that the primary goal of myGrid from all viewpoints is a proof of concept system. • The overall intent is on demonstrating proof of concept for myGrid from the aspect of functionality rather than security • The risk involved in the various areas of security are generally classified as high risk Summary of survey (Part 1) • A security architecture is seen as something that has to be done as opposed to a possible venue for exploring or researching new security concepts. • Most believe that maintenance of the code base would be undertaken by either the developers or the open middleware institute OMII, with little likelihood of it being maintained in a commercial context. Deployment and management (Part 2) • myGrid services to be deployed primarily as – Open vs closed systems – Loosely bound / autonomous vs tightly bound / centralized • Gauge the extent of involvement of the user in using myGrid components: – – – – – Downloading Installation Deployment Upgrade Maintenance Summary of survey (Part 2) • • • • The majority feel that myGrid should be operated as an open system which permits services to join and interact with it dynamically during the duration of its operation Most also view myGrid as a confederation of loosely bound services which are largely autonomous. With regards to user involvement, the majority are of the opinion that involvement should be minimal. There is a desire to delegate responsibility of all management issues to system managers Security management and roles (Part 3) • Determine which of the three basic roles: end user, system manager and group manager would be involved in: – – – – – – Patching software Publishing security related news Keeping track of security compromises Registering and issuing certificates to new users Firewall operation Alerting and responding to the Computer Emergency Response Team – Setting an update policy for updating software – Setting a usage policy governing the use of the service – Setting a security policy dictating how security issues are handled • Integration / reconciliation of conflicting security policies of different participating organizations Summary of survey (Part 3) • For the activities of setting usage policies and security policies, the group manager was identified as the most suitable role. • For the rest of the security activities (patching software, publishing security related news, etc), most believe that the system manager should be responsible • In all instances, the amount of user involvement is again minimal. Summary of survey (Part 3) • Most believe that the issue of integrating potential conflicts between different security policies should not be addressed as it is too broad and complex to be resolved within the timeframe of the project • Focus should be on more security issues in the small such as authentication, integrity, etc. Summary of survey (Part 3) • Security requirements is understood for each individual myGrid component but how these requirements impact and affect each other when components interact is neither known nor is there any desire to examine it in depth. • The fundamental view to emerge from this is a lack of desire to define in detail an overarching view of security in myGrid. • But, this seems to be a contradiction, if we expect a system manager to deploy a myGrid system, without indication of what its security implication. • “It does what it says on the tin” … BUT “nothing is written on the tin”. Organizational issues (Part 4) • Nature of impact on these following organizations in the event a myGrid deployment is compromised – Institution / department – Computing Services – JANET • Identify security requirements that the myGrid project can ignore and leave to the deploying organisation to address • Definition of what constitutes proper usage of myGrid resources Summary of survey (Part 4) • Most believe that the institution/department and the computing services would be seriously affected in the event of a compromise in the security of the deployment of myGrid • The general consensus is that the myGrid project should try to avoid addressing the majority of security requirements, with the responsibility being delegated or made clear to the deploying organization. Summary of survey (Part 4) • For pharma companies, myGrid is seen to be targeted for internal deployment where it is assumed an existing security infrastructure is already provided for myGrid to fit into. • There is also no clear opinion with regards to defining the nature and proper usage of a myGrid resource. myGrid communities (Part 5) • Implications on security issues that interactions with the following entities may entail: – myGrid communities myGrid pharmaceutical company partners (AZ, GSK, Merck, etc). World wide bioinformatics community. UK e-science community Grid community – Other grid projects Summary of survey (Part 5) • There is a clear desire to interact and communicate with other communities. • For pharmaceutical companies, concerns include: – ensuring privacy of data – companies having their own security infrastructure into which myGrid can be fitted in – supply of code being accompanied with denial of liability. Summary of survey (Part 5) • There was an acknowledgment of a need to adhere to existing security standards or community practices such as the eScience PKI or GSI. • Dealing with copyrighted data and obtaining permission for data distribution or storage are also possible areas of concern. • Some of the projects named are MIASGrid, OGSI and CLEF, but no new security risk was explicitly returned. Legal issues (Part 6) • Understand considerations related to legal constraints that govern privacy and confidentiality of data (Data Protection Act 1998, Human Rights Act 1998, English Common Law and/or specific contracts with organisations employing myGrid services) – Availability of a registered data controller to enforce legal requirements – Obtaining user’s consent on processing personal information – Permitting a user to access and modify his personal details – Preventing exposure of a user’s personal information for the purposes of marketing – Allowing a user to object to the processing of his personal information in a specific manner Legal issues (Part 6) • Discuss how aspects myGrid research focus (provenance, notification of change and personalisation) can be handled with regards to these legal constraints Summary of survey (Part 6) • There is a general awareness of the importance of: – obtaining a user’s consent before collating or processing personal information – allowing a user to object to processing of personal information • Majority of respondents are still unclear about other legal obligations affecting the project with impact on other associated issues of privacy. Summary of survey (Part 6) • There is an appreciation of the various security requirements related to provenance: – Provenance security requirements include user authentication, establishment of authorship, mutual authentication, non repudiation, encryption and access control, tracking of user actions – Provenance data might provide audit information to detect when users are trying to exceed the rights they have been granted, – A possible consideration is that users of myGrid may have to declare the use that can be made of records of their actions in a provenance record – Controlling access for users to provenance records Inconsistencies in response • In Part 1 of the survey (goals of the project), the generally high perception of risks (e.g. bad authentication, compromise of data) appears to contradict the intended goal of myGrid (i.e security is usually not important in a system designated to demonstrate proof-of-concept) • This may have possibly resulted from people responding in a way that they typically perceive security concerns should be viewed as (i.e. high risk) rather than actual assessment of the security needs that correlate with their desired use of myGrid Inconsistencies in response • In Part 2 of the survey (deployment of the system), the responses with regards to the open/closed and loosely-bound/tightly bound views indicated that some respondents did not seem to understand that these options were mutually exclusive • This could be due to the fact that some feel that myGrid can be deployed in modes of operation that reflect a combination of these characteristics Inconsistencies in response • In Part 3 of the survey (security management and roles), the majority felt that the system manager should be responsible for a large portion of the security responsibilities. • However the lack of desire to produce a general overarching view of security makes it difficult for the system manager of the deploying organization to manage myGrid security effectively • This could be due to the fact that the majority of respondents do not believe there are significant security problems that could arise from interaction from the various myGrid components together. Inconsistencies in response • In Part 4 of the survey (organizational issues), the majority feel that many important security requirements should be delegated to the deploying organization • Again this reflects the desire to delegate security responsibility to the system manager of the deploying organization without any consideration of how difficult this task may be for him or her without some form of overarching security overview or policy Questionnaire 1: Overall summary •Purpose of myGrid – proof-of-concept •myGrid viewed as an open and loosely coupled system •Security responsibilities borne mainly by systems manager •No desire to define overarching security policy or overview •Consideration of security requirements should be left to deploying organization •Desire to interact with other communities and acknowledgement of need to adhere to existing security standards •General awareness of some legal rights of a user and how this affects activities like provenance Next step • The next stage in the security engineering process methodology is to perform an asset based risk assessment, which will require the assessment and/or quantification of the threats associated with each myGrid project asset • This assessment will be performed through the distribution of another questionnaire to relevant members of the myGrid project • This assessment will be done with respect to the context of a given role (e.g. end user, researcher, support staff, etc) and will be based on the premise that myGrid would be deployed in a proof of concept scenario Next step • Such a demonstration will run over a predefined period of time and may require re-configuration of existing security policies in the computing departments of the participating organizations. • The ultimate goal would be to produce a bestpractice document that can identify the actual threats involved with each asset in such a scenario. Questionnaire 2: Scope and background • Scope of Questionnaire 2 1. Identify risks posed to assets in project and the cost of possible compromise 2. Selection of appropriate security technologies as possible defences on the basis of a cost benefit analysis Questionnaire 2 premises • Based on two premises obtained from the results of the preceding survey: – Assessment done with respect to the context of a given role (e.g. end user, researcher, support staff, etc) – myGrid would be deployed in a proof of concept scenario that will run over a predefined period of time and may require re-configuration of existing security policies in the computing departments of the participating organisations Questionnaire 2 structure • Establish the context and time frame for the roles involved in the proof of concept deployment. • 5 main roles defined and the various assets and threats associated with them are outlined 1. 2. 3. 4. 5. • Support staff End users Research staff Service providers Project as a whole (combination of all 4) Asset risk cost analysis section identifies the various defences which are capable of addressing the related threats Support staff (Part 1) • System administrators and the support staff for the machines and networks will be involved in the setting up, hosting and maintenance of the various myGrid components • The assets involved are: – – – – Technical skills and expertise of the support staff Reputation and respect for the support staff. Workstations hosting the myGrid clients Servers hosting myGrid services End Users (Part 2) • End users will interact with the various myGrid services by initiating workflows through the various clients (workbench, service browser, etc) • The assets involved are: – Identity credentials (used in authenticating the users properly to the system) – Workflows – Workflow data – Provenance information Researchers (Part 3) • The researchers are the principal investigators, work package leaders and research assistants in the various myGrid academic groups that are involved in the development and deployment of the various myGrid services, databases and clients. • The main asset is the reputation and respect for the researchers. Service Providers (Part 4) • The service providers are the various participating groups that will provide the data (genome sequences, lab results, etc) that are be used in the execution of workflows. • The main asset here would be the data provided and their resources. Overall (Part 5) • Refers to the collective assets and risks faced by the myGrid project team as a whole. • The assets involved are: – Technical skills and expertise of the project members – Reputation and respect for the project and its work. • Questionnaire asks respondents – About other assets, – How high the cost of their compromise would be, – By what threats they would be compromised. • We felt that a full cost analysis was not practical, but indication of “low”, “medium”, “high” cost was enough for our purpose. Asset Risk Cost Analysis (Part 6) • Contrasts the estimated costs of the various threats identified in the previous sections with the estimated costs of the defences required to cope with them satisfactorily. • The following defences are identified initially: – – – – – – – – – – – Firewalls X509 certificates and PKI infrastructure: Proxy certificates Encryption packages/algorithms Secure protocol usage (SSL, HTTPS, WS-Security) Staff training on security procedures Security policies (access control based on security credentials) Operational policies (on using myGrid services) System patching Effective publicity Staff identification (name tags, etc) Conclusion • Few new threats, assets or defences were identified – this may indicate lack of interest in considering the security issue in greater depth as of yet • Of the relevant threats identified, the majority were rated as posing a high risk to their associated assets – this might indicate that the risks listed were perceived to be relevant to the concerns of the questionnaire respondents • Most respondents associated at least one risk with each given asset, and sometimes associated more risks with a specific asset than the initial predefined ones • Defences – difficulty to assess the cost • http://twiki.mygrid.org.uk/twiki/bin/view/ Mygrid/SecurityArchitecture Survey Participants • Matthew Addis (IT Innovation), Syd Chapman (IBM), B Donnelly (GeneticXchange), James Fleming (EPSRC), Rob Gaizauskas (Sheffield), Carole Goble (Manchester), Chris Greenhalgh (Nottingham), Bernard Horan (SUN), Michael Lees (Network Inference), Robin McEntire (GSK), Luc Moreau (Southampton), Matthew Murray (Epistemics), Peter Rice (EBI), Nick Sharman (Manchester), Luca Toldo (Merck), Brian Warboys (Manchester), Paul Watson (Newcastle), Anne Westcott (AstraZeneca) www.mygrid.org.uk m