Challenges of Deploying Scalable Virtual Infrastructures – A Security Perspective

Syed Naqvi (1), Philippe Massonet (1), Joseph Latanicki (2)

(1) Centre of Excellence in Information and Communication Technologies, Belgium, [email protected], [email protected]
(2) Thales Theresis, France, [email protected]

Abstract. Virtual infrastructures are coming to the fore with their fascinating prospects of cost savings, user friendliness, enhanced flexibility, and simplified management of underlying resources. Nevertheless, deployment of secure and dependable virtual infrastructures poses a number of challenges. Security is at the forefront of these challenges. In this paper, we present our approach for addressing the security issues of these virtual infrastructures at the deployment and at the operational phases. We have modeled the security requirements of their specific characteristics. These security requirements models are used for deriving security policies and eventually used for security rationale.

Key words: security management, data protection, autonomous systems, virtual infrastructures

1 Introduction

The concept of virtualization is not new in the field of computer science. It dates back to the onset of compilers for programming languages. A compiler takes in high-level (English-like) program code, processes it, and emits the binary object code that the computer actually understands; in that sense a compiler virtualizes the object code [1]. However, the concept of virtual infrastructures, where physical resources are dynamically mapped to address spontaneous business needs, is relatively new. Moreover, the scale and scope of this novel concept bring several challenges for its deployment, including a lot of uncertainty as to how and where to implement security [2]. Under the auspices of the European Union FP7-funded project RESERVOIR (Resources and Services Virtualization without Barriers) [3], we are addressing the security challenges of massive-scale deployment and management of complex information technology (IT) services across different administrative domains, IT platforms and geographies. In this paper, we present a preliminary analysis of the security requirements of the RESERVOIR infrastructure. These security requirements are modeled using the KAOS (Knowledge Acquisition by Automated Specification) goal-oriented requirements engineering methodology [4].

2 RESERVOIR Architecture

The RESERVOIR project aims to develop technologies to support a service-based online economy, where resources and services are transparently provisioned and managed. The RESERVOIR architecture defines a number of independent service sites (grid nodes) containing physical resources. These resources are partitioned by a virtualization layer into Virtual Execution Environments (VEEs). Service tasks are executed inside these VEEs. At each service site the VEEs are managed by a VEE Management System (VEEMS). End-users interact with the VEEMS to submit a VEE request described in a VEE template, query its state, and cancel its operation. The VEEMS will also provide administration functionality to apply centralized usage policies and give access to global reporting and accounting. In the following sections of this paper, we present a set of security requirements for the potentially vulnerable entities and interfaces of the RESERVOIR architecture. These requirements are expressed in terms of security goals. These security goals are refined to give a finer-grained pattern of security requirements.

Gabriela Krčmařová, Petr Sojka (Eds.): CESNET Conference 2008, Proceedings, pp. 57–65, 2008. © CESNET, z. s. p. o., 2008
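The goal refinement described above can be made concrete with a small goal tree. The following is an added example, not code from the paper or the RESERVOIR project: it renders a simplified version of KAOS-style AND/OR refinement, where top-level security goals are refined until each leaf can be assigned to a responsible agent. The goal names are drawn from requirements stated later in the paper (data protection from the node owner, storage flushing on migration, secure tunnels, VEE isolation, end-user check-pointing); the tree structure, the agent names (`VEEMS`, `Hypervisor`, `InfrastructureProvider`) and the satisfaction values are constructed for illustration and are not the paper's actual model.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Goal:
    """One node of a goal refinement tree (simplified KAOS rendering; assumption)."""
    name: str
    refinement: str = "AND"                      # how sub-goals combine: "AND" or "OR"
    subgoals: List["Goal"] = field(default_factory=list)
    agent: Optional[str] = None                  # agent responsible for a leaf goal
    satisfied: Optional[bool] = None             # observed status, meaningful for leaves only

    def is_leaf(self) -> bool:
        return not self.subgoals


def unassigned_leaves(goal: Goal) -> List[str]:
    """Refinement is finished only when every leaf goal has a responsible agent.
    Return the names of leaves that still lack one."""
    if goal.is_leaf():
        return [] if goal.agent else [goal.name]
    missing: List[str] = []
    for sub in goal.subgoals:
        missing.extend(unassigned_leaves(sub))
    return missing


def evaluate(goal: Goal) -> bool:
    """Propagate satisfaction bottom-up: an AND-refined goal needs all
    sub-goals satisfied, an OR-refined goal needs at least one."""
    if goal.is_leaf():
        return bool(goal.satisfied)
    results = [evaluate(sub) for sub in goal.subgoals]
    if goal.refinement == "AND":
        return all(results)
    if goal.refinement == "OR":
        return any(results)
    raise ValueError(f"unknown refinement kind: {goal.refinement}")


def build_model() -> Goal:
    """Constructed sample goal tree (not the paper's figures)."""
    return Goal("VEE data protected from node owner and VEEMS", "AND", [
        Goal("Data protected in transit", "OR", [
            Goal("Secure tunnel used on open networks",
                 agent="InfrastructureProvider", satisfied=True),
            Goal("Perimeter security on private networks",
                 agent="InfrastructureProvider", satisfied=False),
        ]),
        Goal("Storage units flushed on VEE migration", agent="VEEMS", satisfied=True),
        Goal("VEE execution isolated from co-located VEEs", agent="Hypervisor", satisfied=True),
        # Deliberately left without an agent: refinement is incomplete here.
        Goal("End-user can check-point deployment of requirements", agent=None, satisfied=False),
    ])


if __name__ == "__main__":
    model = build_model()
    print("unassigned leaves:", unassigned_leaves(model))
    print("root goal satisfied:", evaluate(model))
```

Running the sample prints one unassigned leaf and `False` for the root goal; assigning an agent to that leaf and marking it satisfied flips the root to `True`, which is the check a requirements reviewer would want before deriving policy from the model.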

3 End-user Security Requirements

The RESERVOIR architecture enables its end-users to define their security requirements in terms of the security services that RESERVOIR provides. End-users will have the means to monitor the deployment of their security requirements (check-pointing). These security requirements can be negotiated and will have to result in a common agreement between end-user, service provider and infrastructure provider. In order to meet specialized end-user requirements, providers may increase their charges. It is therefore important for an end-user to precisely identify the security requirements of the data/job: sophisticated security requirements will result in higher costs due to less competition among the infrastructure providers, while a primitive set of security requirements may dangerously expose data to abuse.

4 Communications Security Requirements

In order to properly address the communications security requirements of the RESERVOIR architecture, it is necessary to identify the ‘sensitive data’ of the various stakeholders (end-users, service providers, infrastructure providers) so that adequate security, in terms of encryption and encryption strength, can be provided. From the performance point of view, it is not necessary to employ encryption at the lowest level, as it will inflict higher costs in computing cycles (for encryption/decryption) and network bandwidth. Moreover, bulk data transfer can be made securely with perimeter security or by using secure tunnels over open networks.

5 Authenticity and Integrity Requirements

Authenticity and integrity are required at various levels in the RESERVOIR architecture. A peculiar case of the RESERVOIR infrastructure's security requirements for authentication is the need to protect the VEE data from the owner of the node and also from the VEEMS manager/monitor, as the data owner may not allow them to have knowledge of the nature of the data and/or of the processing/operations. The RESERVOIR infrastructure should also assure that all storage units are flushed when a VEE is migrated to another node, so that the possibility of any accidental access to the data/execution traces can be eliminated. The assurance of integrity of the VEEs and VEEMS requires a formal integrity model such as the Biba model [5], whose conditions determine whether any component of the RESERVOIR architecture has been tampered with.

Fig. 1. RESERVOIR Architecture

Fig. 2. End-user security requirements model

Fig. 3. Communications security requirements model
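To show what the Biba integrity conditions mentioned above actually decide, here is an added example that is not part of the paper or the RESERVOIR project: a minimal reference monitor for the strict Biba model applied to RESERVOIR-style components. The integrity ordering (tenant VEE output below the VEE, below the VEEMS, below the hypervisor/platform) and the component names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple


class Integrity(IntEnum):
    """Integrity levels; a higher value is more trusted (assumed ordering)."""
    UNTRUSTED = 0   # data produced inside a tenant's VEE
    VEE = 1         # the VEE itself
    VEEMS = 2       # site-level VEE Management System
    PLATFORM = 3    # hypervisor / node platform


@dataclass(frozen=True)
class Subject:
    name: str
    level: Integrity


@dataclass(frozen=True)
class Obj:
    name: str
    level: Integrity


def can_read(s: Subject, o: Obj) -> bool:
    """Simple integrity property ("no read down"): a subject may only observe
    objects at its own integrity level or above, so a trusted component never
    consumes data it cannot trust."""
    return s.level <= o.level


def can_write(s: Subject, o: Obj) -> bool:
    """Integrity *-property ("no write up"): a subject may only modify objects at
    its own level or below, so a low-integrity component cannot corrupt a
    higher-integrity one."""
    return s.level >= o.level


def can_invoke(caller: Subject, callee: Subject) -> bool:
    """Invocation property: a subject may only invoke subjects at its own level
    or below; it cannot borrow higher integrity by calling upward."""
    return caller.level >= callee.level


def tamper_check(writes: List[Tuple[Subject, Obj]]) -> List[Tuple[str, str]]:
    """Given a trace of attempted (subject, object) writes, return those the
    monitor rejects: attempts by a lower-integrity subject to alter a
    higher-integrity component. A non-empty result is the tampering signal."""
    return [(s.name, o.name) for s, o in writes if not can_write(s, o)]


if __name__ == "__main__":
    # Constructed sample components.
    vee = Subject("tenant-vee-17", Integrity.VEE)
    veems = Subject("site-veems", Integrity.VEEMS)
    vee_disk = Obj("vee-17-disk", Integrity.VEE)
    policy_store = Obj("veems-policy-store", Integrity.VEEMS)
    hypervisor_img = Obj("hypervisor-image", Integrity.PLATFORM)

    print("VEEMS reads VEE disk:", can_read(veems, vee_disk))   # strict Biba forbids it
    print("VEEMS writes VEE disk:", can_write(veems, vee_disk))
    print("rejected writes:", tamper_check([(vee, policy_store),
                                            (vee, hypervisor_img),
                                            (veems, vee_disk)]))
```

Strict Biba forbids the VEEMS from reading anything the VEE produced, which is rarely workable for a management system that must inspect VEE state; deployments typically relax this with a low-water-mark variant or a sanitizing boundary, and that relaxation is exactly the point to document when the model is used as the paper suggests.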

6 Authorization Requirements

The important aspect of the authorization requirements from the end-user point of view is that enforcement of the authorization requirements needs adequate assurances, as the majority of the VEEs' functions are made transparent to the respective clients of the VEEs and therefore the clients have no explicit means of monitoring that the authorization rules are abided by. Likewise, the important aspect of the authorization requirements from the provider (service provider as well as infrastructure provider) point of view is to define the red zones, i.e. to specify what should not be authorized (e.g. access to the host operating system should be forbidden). The RESERVOIR architecture's authorization requirements from the end-user and provider points of view are not mutually exclusive; they largely overlap. For example, a client may specify authorization requirements for access to his data, and similarly infrastructure and service providers may require assurances that the transparent execution of VEEs strictly follows their authorization requirements.

Fig. 4. Authenticity and Integrity requirements model

7 Management Interfaces Security Requirements

The RESERVOIR architecture's management interfaces (so-called virtual cockpits) need adequate protection, as they are the most attractive target for an attacker due to the administrative control privileges associated with their functionality. Access to these interfaces should require multi-tier security clearance that includes verification against the revocation list. All entities will have to be well identified and strongly authenticated. Management interface security also requires the ability of different providers to interoperate in a secure way, building mutual trust and defending them from malicious vendors and/or end-users.

8 Data Confidentiality Requirements

Data confidentiality has a broader spectrum of functionality in the RESERVOIR architecture. It not only covers unauthorized access to the data on the RESERVOIR architecture but also assures the isolation of data at various levels (such as among the VEEs, at the storage level, etc.). To control unauthorized access to the data, a confidentiality model such as Bell-LaPadula [6] should be employed, whereas data isolation among the various entities/operations requires a data isolation assurance model such as the Chinese Wall model [7].

Fig. 5. Authorization requirements model

Fig. 6. Management interfaces requirements model

Fig. 7. Data Confidentiality requirements model
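The two models named in this section make different decisions, and a short implementation shows where they differ. The following is an added example, not code from the paper or the RESERVOIR project: a Bell-LaPadula check (no read up, no write down, with compartments) for access control, and a Brewer-Nash Chinese Wall monitor for isolation between tenants whose datasets sit in the same conflict-of-interest class. The level names, the tenant compartments, the conflict classes and the sample subjects are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Constructed classification lattice; a higher number is more sensitive.
LEVELS: Dict[str, int] = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of compartments
    (here used as tenant identifiers)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject's clearance must
    dominate the object's classification."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object's classification must dominate
    the subject's clearance, so nothing flows to a less protected place."""
    return obj.dominates(subject)


class ChineseWall:
    """Brewer-Nash monitor: datasets belong to conflict-of-interest (COI)
    classes. Once a subject has touched one dataset in a class, it may not
    touch a different dataset in that same class. Access history is what
    makes the decision, not a static label."""

    def __init__(self, coi_class_of: Dict[str, str]) -> None:
        self.coi_class_of = coi_class_of           # dataset -> COI class
        self.history: Dict[str, Set[str]] = {}     # subject -> datasets touched

    def can_access(self, subject: str, dataset: str) -> bool:
        cls = self.coi_class_of[dataset]
        for seen in self.history.get(subject, set()):
            if seen != dataset and self.coi_class_of[seen] == cls:
                return False
        return True

    def access(self, subject: str, dataset: str) -> bool:
        """Record the access if permitted; return whether it was permitted."""
        if not self.can_access(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True


if __name__ == "__main__":
    # Constructed sample: a VEE cleared for tenant A's data only.
    vee_a = Label("CONFIDENTIAL", frozenset({"tenantA"}))
    data_a = Label("CONFIDENTIAL", frozenset({"tenantA"}))
    data_b = Label("INTERNAL", frozenset({"tenantB"}))
    print("VEE-A reads tenant A data:", blp_can_read(vee_a, data_a))
    print("VEE-A reads tenant B data:", blp_can_read(vee_a, data_b))   # wrong compartment
    print("VEE-A writes to PUBLIC store:", blp_can_write(vee_a, Label("PUBLIC")))

    # Constructed sample: a shared service task must not serve competing tenants.
    wall = ChineseWall({"tenantA-db": "retail", "tenantB-db": "retail", "tenantC-db": "energy"})
    print(wall.access("service-task-9", "tenantA-db"))   # True
    print(wall.access("service-task-9", "tenantB-db"))   # False: same COI class
    print(wall.access("service-task-9", "tenantC-db"))   # True: different class
```

Note that the compartment check is what makes Bell-LaPadula useful for tenant separation: two objects at the same hierarchical level but with different tenant compartments are incomparable, so neither tenant's VEE can read the other's data even though both are "CONFIDENTIAL". The Chinese Wall decision, by contrast, depends on what the subject has already touched, which is why it fits the isolation-among-operations requirement rather than static access control.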

9 Multi-tenancy Security Requirements

Multi-tenancy refers to the architectural principle where a single instance of the software runs on a software-as-a-service (SaaS) vendor's servers, serving multiple client organizations. With a multi-tenant architecture, a software application is designed to virtually partition its data and configuration so that each client organization works with a customized virtual application instance [8]. For the RESERVOIR architecture, the most important assurance is the isolation of a VEE from the other VEEs running on the same node. This includes complete isolation of their execution environments and data storage, including temporary storage of the execution data. Service tasks on the same node cannot be shared in such a situation, and the same rule applies to the transfer of different VEEs' data to and from the same node.

10 Related Work and Discussions

Grid computing [9] provides a seamless view of services and connects several heterogeneous computing and storage resources across different administrative boundaries, where service providers share and exploit the infrastructure across nodes to run their services. Still, the vision of the grid has not yet attained the critical mass needed to tap the full potential of virtualization. The migration of virtual machines (both offline and live) from one physical machine to another [10] offers several advantages over migration performed at the operating system process level. However, constraints such as network connections, storage access, and processor specifications prevent full advantage being taken of the available resources. Grid security infrastructure (GSI) [11] and trusted computing [12] provide the fundamental security services for the deployment of grid environments; however, they do not provide the full range of security solutions needed for secure yet transparent access to resources.

Fig. 8. Multi-tenancy security requirements model

11 Conclusions and Future Directions

Deployment of virtual infrastructures promises a number of benefits for resource management, service provisioning and cost effectiveness. However, the scale and scope of these infrastructures require them to be dependable and secure. This paper presents an analysis of the security requirements of such infrastructures using the case study of the European-funded project RESERVOIR. Our future directions include the enrichment of the current security requirements model by adding risk and threat analyses, followed by derivation of security policy.

Acknowledgements

This work is supported by the European funded Integrated Project RESERVOIR. The authors gratefully acknowledge the key personnel of the project who formulated the groundbreaking architectural designs of the RESERVOIR infrastructure. They are: Benny Rochwerger, Ofer Biran and Eliot Salant (IBM Haifa Research Lab); Ignacio Llorente and Ruben Montero (Complutense University of Madrid); Juan Caceres and Juanjo Hierro (Telefonica Research and Development).

References

1. Jason Bloomberg, Building Security into a Service-Oriented Architecture, ZapThink Whitepaper, ZapThink LLC Publisher, May 2003
2. Richard Adhikari, The Virtualization Challenge, Part 5: Virtualization and Security, TechNewsWorld, March 2008
3. The RESERVOIR Project – http://www.reservoir-fp7.eu
4. Dardenne A., Lamsweerde A. and Fickas S., Goal-Directed Requirements Acquisition, Science of Computer Programming Vol. 20, North Holland, 1993, pp. 3–50
5. Biba, K. J., "Integrity Considerations for Secure Computer Systems", MTR-3153, The Mitre Corporation, April 1977
6. Bell, D. Elliott and LaPadula, Leonard J., "Secure Computer Systems: Mathematical Foundations", MITRE Corporation, 1973
7. D. Brewer and M. Nash, "The Chinese Wall Security Policy", Proceedings of the 1989 IEEE Symposium on Security and Privacy, pp. 206–214, May 1989
8. Frederick Chong, Gianpaolo Carraro, and Roger Wolter, "Multi-Tenant Data Architecture", Microsoft Corporation, June 2006
9. Ian Foster, Carl Kesselman, The Grid 2: Blueprint for a New Computing Infrastructure, 2nd edition, Morgan Kaufmann, November 2003, ISBN 978-1558609334
10. Christopher Clark, Keir Fraser, Steven Hand, Jacob Hansen, Eric Jul, Christian Limpach, Ian Pratt, Andrew Warfield, Live Migration of Virtual Machines, 2nd USENIX Symposium on Networked Systems Design and Implementation, Boston, MA, May 2005
11. Foster I., Kesselman C., Tsudik G., Tuecke S., A Security Architecture for Computational Grids, ACM Conference Proceedings, pp. 83–92, 1998, ISBN 1-58113-007-4
12. Mao W., Martin A., Jin H., Zhang H., Innovations for grid security from trusted computing: protocol solutions to sharing of security resource. In: Proceedings of the 14th International Workshop on Security Protocols, Cambridge, UK, March 2006
