...have many different definitions and objectives and may exhibit many different properties. For the purposes of this paper, the key characteristic of a grid is that it allows organizations to pool computing resources (processors, storage, information, applications, etc.) so that users can benefit from a potentially far larger pool of resources than would otherwise have been available to them.
Terminology. From this perspective, the ultimate grid would include the whole Internet, so that anyone could tap anyone else's resources, assuming they were available and financial compensation was arranged. While isolated examples of grids of this type are certainly emerging--for instance, the SETI@home and folding@home efforts--a generic and global-scale scenario of this type, which we call an inter-grid, is not about to happen. The ideas to be discussed in this paper would certainly assist in implementing such a scenario, but they are in no way sufficient to address all issues.
At the other end of the spectrum, today, most grids are internal to some existing organization. Such grids, which we call intra-grids, pool resources across departments, sites, or other entities within some larger organization. Because of the existence of such a larger organization, the entities participating in the intra-grid have often deployed their own information technology (IT) infrastructures according to common architectural guidelines and using a relatively simple trust model. The resulting grid thus benefits from relative homogeneity among the interconnected systems, which greatly simplifies the pooling of resources. Such intra-grids generally do not need any of the ideas discussed in this paper.
This paper addresses challenges encountered in what we will refer to as extra-grids, namely, grids resulting from the pooling of resources across organizational entities that did not follow common architectural guidelines to deploy their IT infrastructures. Such grids emerge, for instance, when different organizations are integrated following a merger or acquisition, or when separate organizations decide to pool their IT resources for some common goal but otherwise want to retain their autonomy. In the merger or acquisition scenario, all resources of participating organizations may become part of the new pool, and all users of participating organizations may in principle enjoy some access to resources of other organizations. By contrast, in the second scenario, typically, only some resources from each of the participating organizations will be pooled, while most others will remain outside the pool, and only a subset of the users of each participating organization may use any of the pooled resources.
The grid community often refers to the notion of a "virtual organization" (VO). In the context of this paper, this notion of a VO corresponds to the set of resources that are pooled and the set of users who can tap these pooled resources. Figure 1 shows a sample scenario of how VOs may typically be formed. The issues of how a VO is named, referred to, represented, populated, and managed over time, and issues of how grid policies are set, how information may be imported to or exported from a VO, and how intellectual property issues may be settled between a VO and its participating organizations are all important, but they are outside the scope of this paper. The only aspect of a VO that is important for this paper is the trust that it implies between participating organizations. How that trust can be represented and materialized will be discussed subsequently.
[FIGURE 1 OMITTED]
Objectives. This paper focuses on the issues arising in extra-grids from the need to define and enforce security policies spanning different organizations using heterogeneous security mechanisms within the same VO. When organizations using heterogeneous security regimes decide to pool some of their resources into a VO for the benefit of some of their users, they need to be able to specify which of their users should have what rights to access which of their resources under what circumstances. The challenge is that such cross-organizational policies are typically beyond the normal expressive power of security assertions used to represent policies in any of the individual organizations participating in the VO. Specifically, the syntax and semantics of security assertions in one organization have no immediately obvious way to refer to entities (users, resources, attributes) defined in some other domain. As a result, if a user or application authenticated in one organizational security domain presents its security credentials to another organization in the same VO, using different credential syntax and semantics, those credentials simply cannot be understood by that target organization.
Even if two organizational security domains trust one another, as they do in a common VO, and even if they have established some sort of security service gateway to translate the syntax of foreign credentials into locally understandable ones, any user name or attribute from one domain would still be semantically undefined in the other domain. Specifically, even if two organizations, say example.com and targetex.org, know and trust one another and are able to translate the credentials of a user called Alice in the domain example.com into a format palatable to targetex.org's security infrastructure, the name Alice would still be meaningless, because it had never been defined or seen before in targetex.org's domain. No standardized authorization query interface could paper over these differences or remove the need to refer to foreign users, resources, or other entities in whatever domain a policy is defined.
The challenge is compounded by a frequent grid requirement (1) that each organizational security domain within a VO retain full control over who can access which of its resources. Thus, it is entirely targetex.org's choice whether Alice should have access to its resources. But targetex.org knows nothing of the existence of a user ID such as Alice in the domain example.com, much less what that ID means, so in the absence of other measures it could not use that name to express Alice's rights in any security policy it sets in its own domain. A mechanism is therefore required by which a security domain in a VO can express authorization (or denial) of access to some local resource by an alien identity from another domain (in this example, Alice).
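As an added illustration (not a mechanism proposed by this paper, which deliberately stops short of a design), the following Python sketch shows the three pieces the preceding discussion implies: a trust table in which targetex.org lists the VO member domains whose credentials it will accept, a gateway that translates a foreign credential into a domain-qualified principal, and a local policy whose rules name the alien identity together with its home domain, so that "alice" from example.com is never confused with a local user who happens to be called alice. The domain names example.com and targetex.org are taken from the text; the credential format, the trust table, the policy entries and the resource names are assumptions made for the example.

```python
"""
Added example: domain-qualified principals for cross-domain authorization.
The credential format "user=alice;groups=chem,hpc", the trust table and the
policy rules below are assumptions for illustration, not this paper's design.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """A subject as seen by targetex.org: always qualified by its home domain."""
    domain: str
    name: str
    attrs: frozenset = field(default_factory=frozenset)


def parse_example_com(cred: str) -> Principal:
    """Parser for example.com's (assumed) credential syntax."""
    fields = dict(kv.split("=", 1) for kv in cred.split(";") if kv)
    groups = frozenset(g for g in fields.get("groups", "").split(",") if g)
    return Principal("example.com", fields["user"], groups)


# VO trust table held by targetex.org: which foreign domains it accepts
# credentials from, and which translator understands each domain's format.
VO_TRUST = {"example.com": parse_example_com}


def translate(issuer: str, cred: str) -> Principal:
    """Security service gateway: map a foreign credential to a local,
    domain-qualified principal. A domain outside the VO yields no principal."""
    parser = VO_TRUST.get(issuer)
    if parser is None:
        raise PermissionError(f"issuer {issuer!r} is not part of the VO")
    return parser(cred)


# targetex.org's own policy. Every rule names its subject with a domain, so the
# target domain retains full control over which alien identities get access.
# Tuple layout: (domain, name_or_None, required_attr_or_None, action, resource, effect)
POLICY = [
    ("targetex.org", "alice", None, "write", "/data/shared", "allow"),
    ("example.com", "alice", None, "read", "/data/shared", "allow"),
    ("example.com", None, "hpc", "submit", "/queue/batch", "allow"),
    ("example.com", "alice", None, "write", "/data/shared", "deny"),
]


def authorize(p: Principal, action: str, resource: str) -> bool:
    """Default deny; an explicit deny rule overrides any allow rule."""
    decision = False
    for dom, name, attr, act, res, effect in POLICY:
        if dom != p.domain or act != action or res != resource:
            continue
        if name is not None and name != p.name:
            continue
        if attr is not None and attr not in p.attrs:
            continue
        if effect == "deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    alice = translate("example.com", "user=alice;groups=chem,hpc")
    print(alice, authorize(alice, "read", "/data/shared"))
```

The point of the domain field on Principal is the one the text makes: a bare name such as alice has no meaning in targetex.org, so rules for the local alice and for example.com's alice can only coexist if the policy language can name the foreign domain explicitly. Credentials from a domain missing from the trust table never become a principal at all, which is how the local domain keeps the last word on who is admitted.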
This paper does not describe a complete architecture, much less a working design, for implementing extra-grids, nor does it describe a concrete solution to the extra-grid security challenges raised above (many frameworks and standardization proposals are being developed to this end). It merely makes a number of fundamental observations about these challenges and suggests that some basic assumptions about abstract security assertions seem to be required for any of the emerging frameworks...