An Interdisciplinary Approach to Grid Security P Y A Ryan School of Computing Science University of Newcastle DIRC Dependability Interdisciplinary Research Collaboration. 6 year (1st July, 2000 - 30th June, 2006 ), EPSRC funded collaboration of 5 institutes: – – – – – City University, London. Edinburgh Lancaster Newcastle York An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Aims From the DIRC web page: “To address the dependability of computerbased systems. Dependability is a deliberately broad term to encompass many facets including reliability, security and availability. The term "computer-based systems" highlights the involvement of human participants. The interdisciplinary approach includes, for example, sociologists and psychologists as well as computer scientists and statisticians.” An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Key messages Security matters for Grid Security is challenging Needs to be addressed early Needs to be addressed in an interdisciplinary fashion Failures will occur. – Prevention is not enough. – => need to develop effective detection, containment and recovery mechanisms, strategies. – Synergy between dependability/fault tolerance and security communities. An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Beyond the glass bead game… Most security vulnerabilities can be traced back to failures to take due account of human factors: – – – – Weak passwords, post-its,… Social engineering, Poorly designed, non-intuitive interfaces, Failures to patch promptly. However, most work hitherto has concentrated on purely technical challenges and issues. Notable exceptions: – – – – – – Roger Needham Ross Anderson Angela Sasse Doug Tygar Avi Rubin Kevin Mitnick ?! An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Goals, policies, rules Security goals are high-level requirements. Goals induce constraints (may include obligations, availability…) on the behaviour of components, including the humans. Typically need a mix of technical (crypto, access control,…) as well as legal, social enforcement mechanisms (audits, accountability,…). The conjunction of rules and mechanisms as the “security policy”. An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Security policy rules The policy and assumptions should entail the goals. Violation of rules does not necessarily entail a violation of the goals, e.g., use of weak passwords. Hazard states. Tendency to assume that everything can be technically enforced. Modelling and analysis tractable. An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Limits of technical enforcement Theoretical limits: – E.g., information flow (confidentiality, integrity) not enforceable. Pillow talk etc.. Envelope of what is technically enforced can be pushed out: – E.g., separation of duty – Least privilege – Forced complexity of passwords… In practice it may not be effective: – Inflexible – Unwieldy – Counterproductive (workarounds, post-its) An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Security culture Fully technically enforced security doesn’t seem feasible or desirable. May be counter-cultural, e.g., clinicians, bank managers…. Need to deal with exceptions, adaptation… User involvement in system security is essential. Security cultures-how do organisations instil and maintain a culture of security. – Grid theory. Need to be able to establish cost effective balance and mix of socio-technical mechanisms. Need to better understand, ideally to be able to model the various stakeholders. An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Modelling the users Mental models-how do humans construct mental models to interpret the behaviour of security mechanisms – “Why Johnny can’t encrypt” – Rushby style FSM models – Chaum experiments… Shaping factors- what influences peoples attitude and effectiveness: – Stress, fatigue – Risk perception, anticipated regret. – Least effort. An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Modelling the adversary Difference with dependability: accidental vs. malicious (intentional). Pure actuarial data not very useful. Traditionally fairly crude models: e.g., Dolev-Yao for security protocols. Really just rough models of capability. No motivation, risk perception, expertise, collusion etc. Can we do better, e.g., constraint approach. Game theory. Psychology of hackers. Hacker community. An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Detection and recovery Intrusion/failure detection. Difficulty in distinguishing normal, accidental and malicious. Define failure modes (vulnerabilities). Define recovery modes and strategies. Learning and adaptation. An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Boundaries, structure, abstraction… Recurring problem: where to draw the system boundaries, where to set the levels of abstraction. Security properties tend not to behave well under refinement and composition. Creating systems. Recovery systems. Legal redress, liability An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Challenges Establish minimal policy requirements (policy templates, meta-policies?) To what extent are security requirements uniform across grid projects? Data vs. compute grids. Similar to security requirements across other domains: military, commercial etc? is RBAC or maybe TBAC enough? Medical applications lead to richer info flow policies. How special is security really? Better understanding (models?) of the role of humans. Boundaries, levels of abstraction. An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan Ongoing DIRC work Security cultures-application of grid theory. GOLD: grid-enabled, virtual (dynamic) enterprises for the (UK) Pharmaceutical industry. Dependability/risk analysis of the Chaum voting scheme (DSN). Trials of Chaum-understanding, mental models, public trust etc. More (Grid) case studies welcome. DIRC potentially a useful resource. An Interdisciplinary Approach to Grid Security, NESC 25 November 2003 P Y A Ryan