An Interdisciplinary Approach to Grid Security
P Y A Ryan, School of Computing Science, University of Newcastle
NESC, 25 November 2003

DIRC
- Dependability Interdisciplinary Research Collaboration.
- Six-year (1st July 2000 - 30th June 2006), EPSRC-funded collaboration of 5 institutes:
  - City University, London
  - Edinburgh
  - Lancaster
  - Newcastle
  - York

Aims
- From the DIRC web page:
  "To address the dependability of computer-based systems. Dependability is a deliberately broad term to encompass many facets including reliability, security and availability. The term "computer-based systems" highlights the involvement of human participants. The interdisciplinary approach includes, for example, sociologists and psychologists as well as computer scientists and statisticians."

Key messages
- Security matters for Grid.
- Security is challenging.
- Needs to be addressed early.
- Needs to be addressed in an interdisciplinary fashion.
- Failures will occur.
  - Prevention is not enough.
  - => need to develop effective detection, containment and recovery mechanisms and strategies.
  - Synergy between the dependability/fault-tolerance and security communities.

Beyond the glass bead game...
- Most security vulnerabilities can be traced back to failures to take due account of human factors:
  - Weak passwords, post-its, ...
  - Social engineering
  - Poorly designed, non-intuitive interfaces
  - Failures to patch promptly
- However, most work hitherto has concentrated on purely technical challenges and issues. Notable exceptions:
  - Roger Needham
  - Ross Anderson
  - Angela Sasse
  - Doug Tygar
  - Avi Rubin
  - Kevin Mitnick ?!

Goals, policies, rules
- Security goals are high-level requirements.
- Goals induce constraints (which may include obligations, availability, ...) on the behaviour of components, including the humans.
- Typically need a mix of technical (crypto, access control, ...) as well as legal and social enforcement mechanisms (audits, accountability, ...).
- The conjunction of rules and mechanisms is the "security policy".

Security policy rules
- The policy and assumptions should entail the goals.
- Violation of rules does not necessarily entail a violation of the goals, e.g., use of weak passwords. Hazard states.
- Tendency to assume that everything can be technically enforced.
- Modelling and analysis tractable.

Limits of technical enforcement
- Theoretical limits:
  - E.g., information flow (confidentiality, integrity) not enforceable. Pillow talk etc.
- Envelope of what is technically enforced can be pushed out:
  - E.g., separation of duty
  - Least privilege
  - Forced complexity of passwords ...
- In practice it may not be effective:
  - Inflexible
  - Unwieldy
  - Counterproductive (workarounds, post-its)

Security culture
- Fully technically enforced security doesn't seem feasible or desirable.
- May be counter-cultural, e.g., clinicians, bank managers ...
- Need to deal with exceptions, adaptation ...
- User involvement in system security is essential.
- Security cultures: how do organisations instil and maintain a culture of security?
  - Grid theory.
- Need to be able to establish a cost-effective balance and mix of socio-technical mechanisms.
- Need to better understand, and ideally to be able to model, the various stakeholders.
Modelling the users
- Mental models: how do humans construct mental models to interpret the behaviour of security mechanisms?
  - "Why Johnny can't encrypt"
  - Rushby-style FSM models
  - Chaum experiments ...
- Shaping factors: what influences people's attitude and effectiveness?
  - Stress, fatigue
  - Risk perception, anticipated regret
  - Least effort

Modelling the adversary
- Difference with dependability: accidental vs. malicious (intentional). Pure actuarial data not very useful.
- Traditionally fairly crude models: e.g., Dolev-Yao for security protocols.
- Really just rough models of capability. No motivation, risk perception, expertise, collusion etc.
- Can we do better, e.g., a constraint approach?
- Game theory.
- Psychology of hackers.
- Hacker community.

Detection and recovery
- Intrusion/failure detection.
- Difficulty in distinguishing normal, accidental and malicious.
- Define failure modes (vulnerabilities).
- Define recovery modes and strategies.
- Learning and adaptation.

Boundaries, structure, abstraction...
- Recurring problem: where to draw the system boundaries, where to set the levels of abstraction.
- Security properties tend not to behave well under refinement and composition.
- Creating systems.
- Recovery systems.
- Legal redress, liability.

Challenges
- Establish minimal policy requirements (policy templates, meta-policies?).
- To what extent are security requirements uniform across grid projects? Data vs. compute grids.
- Similar to security requirements across other domains: military, commercial etc.? Is RBAC, or maybe TBAC, enough?
- Medical applications lead to richer info-flow policies.
- How special is security really?
- Better understanding (models?) of the role of humans.
- Boundaries, levels of abstraction.

Ongoing DIRC work
- Security cultures: application of grid theory.
- GOLD: grid-enabled, virtual (dynamic) enterprises for the (UK) pharmaceutical industry.
- Dependability/risk analysis of the Chaum voting scheme (DSN).
- Trials of Chaum: understanding, mental models, public trust etc.
- More (Grid) case studies welcome.
- DIRC potentially a useful resource.
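The "Modelling the adversary" slide calls Dolev-Yao a rough model of capability with no notion of motivation, expertise or collusion. The following is an added illustration, not code from the talk or from DIRC: a minimal Dolev-Yao intruder over a symbolic message algebra (atoms, pairs, symmetric encryption), with a constructed three-message trace of a key-distribution exchange. The names Kas, Kbs, Kab and the message shapes are assumptions made up for the example. Note that "collusion" can only be expressed as extra initial knowledge (here, handing the intruder Bob's long-term key): the model has no way to say whether any party would actually do that.

```python
"""Dolev-Yao intruder as a pure capability model (added example).

Messages are symbolic: atoms are str, pairs are tuples, and Enc(body, key)
is symmetric encryption. The intruder may split pairs, decrypt with any key
it knows, and build pairs or encryptions from known terms. Everything that
is derivable counts as known; cost, motivation and expertise do not exist.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """Symmetric encryption of `body` under `key` (both symbolic terms)."""
    body: object
    key: object


def analyse(knowledge):
    """Close the intruder's knowledge under pair-splitting and decryption.

    Iterates to a fixed point because decrypting one message may reveal a
    key that unlocks another message seen earlier.
    """
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if isinstance(term, tuple):
                for part in term:
                    if part not in known:
                        known.add(part)
                        changed = True
            elif isinstance(term, Enc) and term.key in known and term.body not in known:
                known.add(term.body)
                changed = True
    return frozenset(known)


def derivable(target, knowledge):
    """Can the intruder synthesise `target` from the analysed knowledge?

    Synthesis is structural: a pair is derivable if both components are,
    an encryption if both plaintext and key are, an atom only if known.
    """
    known = analyse(knowledge)

    def synth(term):
        if term in known:
            return True
        if isinstance(term, tuple):
            return all(synth(part) for part in term)
        if isinstance(term, Enc):
            return synth(term.body) and synth(term.key)
        return False

    return synth(target)


# Constructed trace (not a real protocol run): Alice asks a server S to
# distribute a session key Kab to Bob, then uses it to send a secret.
#   1. A -> S : {A, Kab}_Kas
#   2. S -> B : {Kab}_Kbs
#   3. A -> B : {secret}_Kab
TRACE = [
    Enc(("Alice", "Kab"), "Kas"),
    Enc("Kab", "Kbs"),
    Enc("secret", "Kab"),
]


def eavesdropper_learns_secret():
    """Intruder that only observes the network."""
    return derivable("secret", TRACE)


def insider_learns_secret():
    """Same intruder, but 'colluding' with Bob: modelled purely as knowing Kbs."""
    return derivable("secret", TRACE + ["Kbs"])


if __name__ == "__main__":
    print("passive eavesdropper learns secret:", eavesdropper_learns_secret())
    print("intruder holding Kbs learns secret:", insider_learns_secret())
    print("known after analysis with Kbs:", sorted(map(str, analyse(TRACE + ["Kbs"]))))
```

Run stand-alone it reports that the passive intruder learns nothing, while the intruder holding Kbs recovers Kab and then the secret. The model gives the same answer whether Kbs leaked through a disgruntled administrator, a weak password or a post-it, which is exactly the gap the slide points at.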
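The "Boundaries, structure, abstraction" slide notes that security properties tend not to behave well under refinement. As an added example (not from the talk), the following models the classic case in a possibilistic style: a system is a map from the High input to the set of outputs Low may observe. The specification is noninterfering because its nondeterminism hides High; an implementation that is a perfectly valid refinement (every behaviour it exhibits is permitted by the specification) resolves that nondeterminism differently for each High value and leaks it. A safety property, by contrast, survives the same refinement. The systems, inputs and output alphabet are constructed for the example.

```python
"""Noninterference is not preserved by refinement (added example).

A system is modelled as a function from the High input to the set of
Low-observable outputs it may produce. Refinement means 'fewer behaviours,
but never none'; possibilistic noninterference means Low's view is the
same for every High input.
"""

HIGH_INPUTS = (0, 1)  # constructed: High sends a single secret bit


def spec(h):
    """Constructed specification: whatever High sends, Low may see 'a' or 'b'."""
    return {"a", "b"}


def leaky_implementation(h):
    """Constructed refinement that resolves the choice using High's input."""
    return {"a"} if h == 0 else {"b"}


def uniform_implementation(h):
    """Constructed refinement that resolves the choice the same way for all High."""
    return {"a"}


def refines(impl, spec_fn, highs=HIGH_INPUTS):
    """impl refines spec_fn if, for every High input, impl's behaviours
    are a non-empty subset of spec_fn's behaviours."""
    return all(impl(h) and impl(h) <= spec_fn(h) for h in highs)


def noninterfering(system, highs=HIGH_INPUTS):
    """Possibilistic noninterference: Low's set of possible observations
    does not depend on High."""
    views = {frozenset(system(h)) for h in highs}
    return len(views) == 1


def satisfies_safety(system, forbidden, highs=HIGH_INPUTS):
    """Safety property: Low never observes a forbidden output.
    Such properties are preserved by refinement because refinement only removes behaviours."""
    return all(not (system(h) & forbidden) for h in highs)


def low_inference(system, highs=HIGH_INPUTS):
    """For each Low observation, the set of High inputs consistent with it.
    A singleton set means that observation reveals High exactly."""
    table = {}
    for h in highs:
        for out in system(h):
            table.setdefault(out, set()).add(h)
    return table


if __name__ == "__main__":
    for name, system in [("spec", spec),
                         ("leaky_implementation", leaky_implementation),
                         ("uniform_implementation", uniform_implementation)]:
        print(f"{name:22s} refines spec: {refines(system, spec)!s:5} "
              f"noninterfering: {noninterfering(system)!s:5} "
              f"safe (no 'c'): {satisfies_safety(system, {'c'})!s:5} "
              f"Low infers: {low_inference(system)}")
```

The practical reading is the one the slide implies: proving noninterference of an abstract model says nothing about the deployed refinement unless the refinement step itself is constrained (here, by requiring the nondeterminism to be resolved independently of High, as uniform_implementation does). Refinement and composition therefore need security-specific side conditions that ordinary safety reasoning does not.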