Security for Grid Services

Grid computing is concerned with the sharing and coordinated use of diverse resources in distributed "virtual organizations." The dynamic and multi-institutional nature of these environments introduces challenging security issues that demand new technical approaches. In particular, one must deal with diverse local mechanisms, support dynamic creation of services, and enable dynamic creation of trust domains. We describe how these issues are addressed in two generations of the Globus Toolkit. First, we review the Globus Toolkit version 2 (GT2) approach; then, we describe new approaches developed to support the Globus Toolkit version 3 (GT3) implementation of the Open Grid Services Architecture, an initiative that is recasting Grid concepts within a service oriented framework based on Web services. GT3's security implementation uses Web services security mechanisms for credential exchange and other purposes, and introduces a tight least-privilege model that avoids the need for any privileged network service.Comment: 10 pages; 4 figure

Codifying Information Assurance Controls for Department of Defense (DoD) Supervisory Control and Data Acquisition (SCADA) Systems (U)

Protecting DoD critical infrastructure resources and Supervisory Control and Data Acquisition (SCADA) systems from cyber attacks is becoming an increasingly challenging task. DoD Information Assurance controls provide a sound framework to achieve an appropriate level of confidentiality, integrity, and availability. However, these controls have not been updated since 2003 and currently do not adequately address the security of DoD SCADA systems. This research sampled U.S. Air Force Civil Engineering subject matter experts representing eight Major Commands that manage and operate SCADA systems. They ranked 30 IA controls in three categories, and evaluated eight SCADA specific IA controls for inclusion into the DoD IA control framework. Spearman’s Rho ranking results (ρ = .972414) indicate a high preference for encryption, and system and information integrity as key IA Controls to mitigate cyber risk. Equally interesting was the strong agreement among raters on ranking certification and accreditation dead last as an effective IA control. The respondents strongly favored including four new IA controls of the eight considered

Data privacy by design: digital infrastructures for clinical collaborations

The clinical sciences have arguably the most stringent security demands on the adoption and roll-out of collaborative e-Infrastructure solutions such as those based upon Grid-based middleware. Experiences from the Medical Research Council (MRC) funded Virtual Organisations for Trials and Epidemiological Studies (VOTES) project and numerous other real world security driven projects at the UK e-Science National e-Science Centre (NeSC – www.nesc.ac.uk) have shown that whilst advanced Grid security and middleware solutions now offer capabilities to address many of the distributed data and security challenges in the clinical domain, the real clinical world as typified by organizations such as the National Health Service (NHS) in the UK are extremely wary of adoption of such technologies: firewalls; ethics; information governance, software validation, and the actual realities of existing infrastructures need to be considered from the outset. Based on these experiences we present a novel data linkage and anonymisation infrastructure that has been developed with close co-operation of the various stakeholders in the clinical domain (including the NHS) that addresses their concerns and satisfies the needs of the academic clinical research community. We demonstrate the implementation of this infrastructure through a representative clinical study on chronic diseases in Scotland

The State of the Electronic Identity Market: Technologies, Infrastructure, Services and Policies

Authenticating onto systems, connecting to mobile networks and providing identity data to access services is common ground for most EU citizens, however what is disruptive is that digital technologies fundamentally alter and upset the ways identity is managed, by people, companies and governments. Technological progress in cryptography, identity systems design, smart card design and mobile phone authentication have been developed as a convenient and reliable answer to the need for authentication. Yet, these advances ar enot sufficient to satisfy the needs across people's many spheres of activity: work, leisure, health, social activities nor have they been used to enable cross-border service implementation in the Single Digital Market, or to ensure trust in cross border eCommerce. The study findings assert that the potentially great added value of eID technologies in enabling the Digital Economy has not yet been fulfilled, and fresh efforts are needed to build identification and authentication systems that people can live with, trust and use. The study finds that usability, minimum disclosure and portability, essential features of future systems, are at the margin of the market and cross-country, cross-sector eID systems for business and public service are only in their infancy. This report joins up the dots, and provides significant exploratory evidence of the potential of eID for the Single Digital Market. A clear understanding of this market is crucial for policy action on identification and authentication, eSignature and interoperability.JRC.DDG.J.4-Information Societ

Developing a Framwork for Evaluating Organizational Information Assurance Metrics Programs

The push to secure organizational information has brought about the need to develop better metrics for understanding the state of the organization’s security capability. This thesis utilizes case studies of information security metrics programs within Department of Defense organizations, the United States Air Force (USAF), and the National Aeronautics and Space Administration’s (NASA’s) Jet Propulsion Lab to discover how these organizations make decisions about how the measurement program is designed, how information is collected and disseminated, and how the collected information supports decision making. This research finds that both the DOD and USAF have highly complex information security programs that are primarily focused on determining the return for security investments, meeting budget constraints, and achieving mission objectives while NASA’s Jet Propulsion Lab seeks to improve security processes related to compliance. While the analytical techniques were similar in all of the cases, the DOD and USAF use communication processes still based mostly on manual data calls and communications. In contrast, NASA’s JPL information security metrics program employs a more automated approach for information collection and dissemination

Securing Cloud File Systems using Shielded Execution

Cloud file systems offer organizations a scalable and reliable file storage solution. However, cloud file systems have become prime targets for adversaries, and traditional designs are not equipped to protect organizations against the myriad of attacks that may be initiated by a malicious cloud provider, co-tenant, or end-client. Recently proposed designs leveraging cryptographic techniques and trusted execution environments (TEEs) still force organizations to make undesirable trade-offs, consequently leading to either security, functional, or performance limitations. In this paper, we introduce TFS, a cloud file system that leverages the security capabilities provided by TEEs to bootstrap new security protocols that meet real-world security, functional, and performance requirements. Through extensive security and performance analyses, we show that TFS can ensure stronger security guarantees while still providing practical utility and performance w.r.t. state-of-the-art systems; compared to the widely-used NFS, TFS achieves up to 2.1X speedups across micro-benchmarks and incurs <1X overhead for most macro-benchmark workloads. TFS demonstrates that organizations need not sacrifice file system security to embrace the functional and performance advantages of outsourcing

Cloudarmor: Supporting Reputation-Based Trust Management for Cloud Services

Cloud services have become predominant in the current technological era. For the rich set of features provided by cloud services, consumers want to access the services while protecting their privacy. In this kind of environment, protection of cloud services will become a significant problem. So, research has started for a system, which lets the users access cloud services without losing the privacy of their data. Trust management and identity model makes sense in this case. The identity model maintains the authentication and authorization of the components involved in the system and trust-based model provides us with a dynamic way of identifying issues and attacks with the system and take appropriate actions. Further, a trust management-based system provides us with a new set of challenges such as reputation-based attacks, availability of components, and misleading trust feedbacks. Collusion attacks and Sybil attacks form a significant part of these challenges. This paper aims to solve the above problems in a trust management-based model by introducing a credibility model on top of a new trust management model, which addresses these use-cases, and also provides reliability and availability

A survey on security issues and solutions at different layers of Cloud computing

Cloud computing offers scalable on-demand services to consumers with greater flexibility and lesser infrastructure investment. Since Cloud services are delivered using classical network protocols and formats over the Internet, implicit vulnerabilities existing in these protocols as well as threats introduced by newer architectures raise many security and privacy concerns. In this paper, we survey the factors affecting Cloud computing adoption, vulnerabilities and attacks, and identify relevant solution directives to strengthen security and privacy in the Cloud environment

Policy driven security architectures for eBusiness

The dawning of the twenty-first century and genesis of a new millennium has been extremely kind to technological advance. Industries and society alike have reaped the extreme benefits of technology at its finest. Technological progress has also proven to be extraordinarily beneficial to businesses and their bottom lines when properly employed. The need for automated business logic and functionality has spawned numerous concepts and efforts to capitalize on advanced business requirements. Probably the most popular and revolutionary to date of all initiatives is the advent of eBusiness. A direct descendant of Electronic Data Interchange (EDI), eBusiness has and continues to evolve into more than a phenomenon, but rather a sound component of successful corporations and organizations. The evolution and acceptance of eBusiness has created a ripple effect throughout the technical and business worlds. The promise of this wonderful concept and its accompanying technology has forced companies to completely rethink strategic planning efforts, and to sit up and pay full attention to this ever-growing development. One area that has been extremely affected by the wide spread acceptance of eBusiness and its counterparts are the architectures and infrastructures now utilized to support these efforts. Enterprise architectures that had originally been designed to shield internal business activities from the public eye of the Internet and other domains have been either replaced, redesigned, or melded with new architectural designs that proclaim companies and their offerings to the world, all in a digital atmosphere. This proclamation can be exceptionally lucrative and damaging, all at the same time. The conception of the Internet has without a doubt been the single most important episode in the continuing fairytale and illumination of technological advance. What once was considered the Underground Railroad of information; limited to universities, research groups, and government organizations has become the Autobahn of electronic data, and continues to evolve and transcend barriers and boundaries. The ability to surpass traditional barriers such as geography and distance serves as a definite attraction for organizations to eBusiness, and a tremendous amount of companies are acting upon this attraction. However, the dark side of the Internet is a playground for adversaries such as, but not limited to hackers (crackers), lone criminals, malicious insiders (disgruntled employees), industrial spies, media representatives, organized crime, terrorists, national intelligence organizations, special interest groups, competitors, script kiddies, and infowarriors to name a few. All of these can and should be considered a potential danger while individuals and organizations alike interact via the Internet and private networks as well. Nowhere are the aforementioned dangers as prevalent as they are in the increasingly popular world of e. eBusiness, eCommerce, eMarketPlaces, eAuctions, eSupplyChains, etc., etc.; the list goes on and on. The digitization of data is big business, and organizations are realizing the infinite potential involved with participating in these markets, as well as utilizing it to streamline day-to-day business operations and management. Around the globe scores of innovative, thought-provoking systems are deployed daily to feed upon the e landscape and take advantage of this new and exciting world of prosperity. However, the same factions that make haste to establish an Internet or web-based presence and rush to take advantage of digital data and goods are often the very ones that almost always either forget, simply neglect, or place a low priority on an absolute vital necessity of all e-efforts. Security! Therefore, the intent of this thesis is to examine and introduce methodical approaches to designing and implementing security life cycles that are driven by policy for secure eBusiness architectures. In order to provide the necessary assurance and security needed for eBusiness architectures efficient well thought out life cycles must be employed for security practices. Security, like any other component of Information Technology (IT) is not a hit or miss scenario. It is a continuos and meticulous process that is all encompassing of all veins of an enterprise. In order to design a secure architecture a procedural approach must be taken, so that all threats, vulnerabilities, adversaries, holes, nooks, and crannies are covered. Even after all these things have been addressed there is no such thing as an impenetrable system or infrastructure, especially in a networked environment. Given enough time and resources the strongest of confines can be made as vulnerable as a home PC connected to the Net. This is especially true for those systems that operate over public networks such as the Internet. Therefore, processes and procedures must be introduced, refined and constantly managed to maintain a secure state of operation. This text will illustrate the process of assessing technical environments utilized for eBusiness initiatives and gathering requirements for secure operation. Then taking those requirements and developing a functional security policy to govern over the system. Next, the document will discuss extracting requirements from the actual security policy and using them to create a plan of implementation. Also, during the implementation phase exists several testing and assurance activities that should be addressed. After, the overall implementation is completed and deployed, streamlined processes must be applied and properly managed to ensure that the hardened solution continues to function, as it should. An adequate cycle is much more intensive than described above, and this thesis will provide the detail needed to thoroughly address the concepts described here

Perspectives on Auditing and Regulatory Compliance in Blockchain Transactions

The recent advent of blockchain technology is anticipated to revolutionize the operational processes of several industries including banking, finance, real estate, retail and benefit governmental as well as corporate information management structures. The underlying principles of information immutability, traceability, and verifiability built-in blockchain transactions may lead to greater adoption of distributed crypto-ledger applications in auditing automation, compliance monitoring, and guaranteeing high assurance. This chapter discusses the contemporary applications of blockchain technology in information auditing, exploring aspects such as data recording, accuracy, verification, transparency, and overall value of a decentralized blockchain crypto-ledger for auditors. Opportunities for timeliness, completeness, and reconciliation in appraising regulatory compliance of organizations employing blockchain-based contractual frameworks are also investigated. The chapter reviews the existing and anticipated challenges blockchain applications pose to traditional regulatory compliance models and the inherent risks for businesses and stakeholders. We highlight the impact of operational concerns such as decentralized transactions, network complexity, transaction reversals, credential management, software quality, and human resources. Finally, the chapter provides perspective on assurance complexities involved in transforming from proprietary to blockchain-based framework while adhering to IT control obligations dictated by three major auditing standards Sarbanes Oxley Act (SOX), Control Objectives for Information Technologies (COBIT), and International Standardization Organization (ISO) /International Electrotechnical Commission (IEC) 27001