wiki:GENISecurity-2Q09-status

Version 1 (modified by jtaylor@bbn.com, 9 years ago)

GENISecurity Project Status Report

Period: 2Q09

I. Major accomplishments

Revision of the GENI Security Architecture document to describe the spiral 1 implementations of four of the five cluster control frameworks in a common structure. The common structure is derived from the GPO system engineering view of the control frameworks, so that the security mechanisms of each framework can be understood within the system engineering context.

A. Milestones achieved

Posting of a report describing our plans for coordinating security of operational data collected and provided by the GMOC.

B. Deliverables made

No deliverables in this period.

II. Description of work performed during last quarter

A. Activities and findings

Our work over the past quarter has continued to review the progress and development of the control frameworks, focusing on the details of the actual security approach being taken in spiral 1. As each control framework has produced written material as part of its design activities, we have reviewed those designs and extracted our understanding of the security mechanisms being used. There is a wide range of maturity and degree of detail available for each control framework, so our approach has been to write up a first description of our understanding, and then to work with a specific individual within each control framework cluster to update our write-up and clarify the description of that control framework’s security design.

As each control framework is pursuing its work according to its own individual contract and schedule, this is necessarily an imprecise characterization, a snapshot of the current design. Moreover, each control framework is taking its own interpretation of how to fulfill the broad mandate of functionality required by the GPO requirements documents and the slice-based facility architecture document that pre-dated the more complete system engineering documents. Our aim is to represent each control framework’s security mechanisms in a form that highlights the similarities and differences between the control frameworks, and places their choices within the context of the GPO system engineering specifications and requirements documents and our GENI Security Architecture. The next revision of the GENI Security Architecture document is slated to be posted before the GEC5 meeting, so that it can serve as a point of discussion with all the GENI projects regarding their security approaches. We also expect to make one more update to the GENI Security Architecture based on clarifications and other new information we learn from face-to-face meetings at GEC5. This is especially true for projects that are part of a cluster but have separate, distinct security mechanisms that should be documented, and for projects that are offering alternate security mechanisms as candidates for use in GENI control frameworks.

B. Project participants

The following SPARTA staff are participating in the GSAT project:
Stephen Schwab, Alefiya Hussain. In addition, we also consult with Jim Horning, Sandra Murphy, and Calvin Ko, although their participation is constrained by the limited amount of funding.

C. Publications (individual and organizational)

None.

D. Outreach activities

None.

E. Collaborations

We have been actively collaborating with Rob Ricci/Utah and other members of the projects working under the ProtoGENI cluster umbrella. This collaboration includes bi-weekly status telecons as well as frequent email and other interactions with Emulab staff at Utah. The aim of this effort is to track the mechanisms being introduced within Emulab to support ProtoGENI multi-site deployment and prototyping, and to capture the security-relevant aspects of these mechanisms within our security abstractions.

We have also been working closely with John Wroclawski and Ted Faber of USC/ISI under the DETER GENI cluster. In particular, we have progressed to integrating Attribute Based Access Control (ABAC) as a basis for prototyping the security abstractions underpinning the DETER Federation implementation. This implementation will evolve as we gain experience from the implementation and deployment of distributed authorization mechanisms within the federated environment in support of broader GENI-specific goals. We have released the ABAC software to DETER/TIED project staff under the terms of the GENI Public License, and have received a request to provide the ABAC software to the ORCA project as well, so that they can prototype and investigate integration within their framework. We aim to capture the security architecture impacts gleaned from this work within the GENI Security Architecture.

We have also continued to interact with Larry Peterson and the PlanetLab control framework, and have held discussions with Max Ott and others collaborating on the ORBIT testbed. Additional discussions with Jon-Paul Herron and the GMOC project at Indiana University have also taken place, with the aim of working out how to control access to measurement data collected by and accessed via the GMOC.

F. Other Contributions

We have had some email interactions and phone conversations with Giridhar ManePalli of the CNRI Digital Objects Repository project, and plan to review their security-relevant documents and provide guidance on how their technology can fit with, or play a constructive role in, the GENI control frameworks and the overall security architecture.