1 / 9

A Data Access Policy based on VOMS attributes in the Secure Storage Service

A Data Access Policy based on VOMS attributes in the Secure Storage Service. Diego Scardaci INFN (Italy) EELA-2 First Conference Bogota, Columbia, 25-27.02.2009. Outline. The Insider Abuse Problem The Secure Storage Service for the gLite Middleware: Main Functionalities

red
Télécharger la présentation

A Data Access Policy based on VOMS attributes in the Secure Storage Service

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci INFN (Italy) EELA-2 First Conference Bogota, Columbia, 25-27.02.2009

  2. Outline • The Insider Abuse Problem • The Secure Storage Service for the gLite Middleware: • Main Functionalities • Data Access Policy based on VOMS attributes Bogota, EELA-2 Conference, 25-27.02.2009

  3. Insider Abuse: Problem • A grid user could store sensitive data in a Storage Elements managed by external organizations. • Storage Elements Administrators could access data (but the data are sensitive!). For this reason data MUST be stored in an encrypted format. • Data Encryption/Decryption MUST be performed inside user secure environment (for example inside the user’s organization). Bogota, EELA-2 Conference, 25-27.02.2009

  4. Insider Abuse: A Solution SECURE ENVIRONMENT USER (VIRTUAL) ORGANIZATION SE File Encryption /Decryption Encrypted File Key Encrypted File SE Key Repository Bogota, EELA-2 Conference, 25-27.02.2009

  5. The Secure Storage service • Provides gLite users with suitable and simple tools to store confidential data in storage elements in a transparent and secure way. The service is composed by the following components: • Command Line Applications: commands integrated in the gLite User Interface to encrypt/upload and decrypt/ download files. • Application Program Interface: allows the developer to write programs able to manage confidential data. • Keystore: a new grid element used to store and retrieve the users’ keys. It is identified by an host X.509 digital certificate and all its Gridtransactions are mutually authenticated and encrypted according to GSI model. Bogota, EELA-2 Conference, 25-27.02.2009

  6. Command Line Applications and API • Secure Storage provides a new set of commands and API on the gLite User Interface: • Like lcg-utils commands and API, but they work on encrypted data. • Encryption and decryption process are transparent to the user. • These commands and API allow to make the main Data Management operations: • lcg-scr: Copy data/file on Storage Elements • lcg-scp: Read data/file from Storage Elements • lcg-sdel: Delete data/file on Storage Elements • …. • API like GFAL (encrypt and decrypt block of data): • allows developers to work to encrypted remote file as local files in clear format. Bogota, EELA-2 Conference, 25-27.02.2009

  7. ACL OWNER DN DN1 DN2 FQAN1 FQAN2 … lcg-scr: Encryption and Storage Access authorized to: DN1, DN2, FQAN1, FQAN2, … GSI AUTHENTICATED CHANNEL A FQAN AUTHORIZED TO ACCESS THE FILE CAN REPRESENT A WHOLE VO OR A VO GROUP ETC. Bogota, EELA-2 Conference, 25-27.02.2009

  8. ACL OWNER DN DN1 DN2 FQAN1 FQAN2 … lcg-scp: Retrieval and Decryption GSI AUTHENTICATED CHANNEL THE KEYSTORE PROVIDES USERS WITH THE KEY ONLY IF USER’S DN OR ONE OF THE VOMS ATTRIBUTES INCLUDED IN HIS PROXY MATCHES ONE ENTRY OF THE ACL Bogota, EELA-2 Conference, 25-27.02.2009

  9. Any questions ? Bogota, EELA-2 Conference, 25-27.02.2009

More Related