CCM 4902

Report Title

To evaluate security related issues encountered in Grid
Computing and evaluate possible solution to it.

Author
BILAL ABBAS BAKHSHI
M00430641
Supervisor
JASPREET SINGH SETHI

Dated: 8/10/2013











"A thesis submitted in partial fulfillment of the requirements for the degree
Master of Science in Computer Network Management."










2 | P a g e


Abstract

In the opening chapter the researcher has given the problem statement on which research is based,
then follows the aims and objectives which are to evaluate security requirements, security issues
encountered and best solution to them. A rationale of study is given on which the particular topic is
taken. In the end the thesis outline is given portraying the layout of the entire report. Grid computing
yields significant computing capability, excessive data warehousing, and cooperation eventualities to
its end users. In the connected ingress to the computing with a single sign on scheme as the gateway
to the prospects of world wide computing grids security characterize a decisive role. The literature
review lends a detail secondary research of the various mechanism of bracing security issues in the
grid computing domain, and explicitly devotes to the finding security solution to them and also
identifying security requirements of grid computing. The grid middleware architecture is given on
which grid computing is based especially on globus, Bonic and globus toolkit. The scheme portrayed
divides grid computing security literature into System clarifications, Behavioral clarifications and
Hybrid clarifications. Each one of these kind is given in features to lend acumen as to their rare
mechanism of attaining grid security, the kinds of grid and security circumstances they employ
optimum to, and the advantages and disadvantages for each kind of clarification. While in research
methodology chapter briefly gives view of why we chose qualitative research method and our
selection of survey consisting of questionnaires. Then in chapter findings the result of primary
research are given while conducting survey regarding security issues in authentication and
authorization in bonic and globus grid computing. Then in last chapter discussion the answers to
research questions and overall information found through primary research in contrast with
secondary research is given which is actually heart of report. While in the end future
recommendations and conclusion are given which could be looked at by future researchers.
Keywords: Grid computing, Globus, Authentication and Authorization, GSI, PKI, Security
requirements.











3 | P a g e



Declaration



I hereby declare that the research thesis dissertation project work entitled To evaluate
security related issues encountered in Grid Computing and evaluate optimum possible solution
to it submitted to the Middlesex University London, is a record of an original work done by
me under the guidance of my supervisor Jaspreet Singh Sethi, Faculty Member, Middlesex
University Dubai Campus and this project work has performed the basis for the award of the
Postgraduate Degree.









Bilal Abbas Bakhshi
M00430641



















4 | P a g e




Acknowledgements




I would like to express my gratitude to everyone who helped me complete my thesis work. First
and foremost thanks go to my project supervisor Sir Jaspreet Singh Sethi. Jaspreet not only
made it possible for me to continue my dissertation project, but he was an invaluable source of
new opinions and critiques. Iam also grateful to my module leader Dr Lejla Vrazalic for
approving topic for my thesis and for all the deliberation we had throughout the journey called
graduation. My special thanks go to Middlesex University in providing me access to library
and other resources in completing my dissertation thesis project. This chain of gratitude would
be incomplete without thanking my family for all the support they provided.






M00430641
Dated: October 10
th
, 2013

























5 | P a g e



Table of Contents
Abstract ...................................................................................................................................................... 2
List of Figures ........................................................................................................................................ 8
List of Tables ............................................................................................................................... 9
Chapter 1: Introduction ........................................................................................................... 10
Problem Statement ........................................................................................................... 11
Research Questions ........................................................................................................... 11
Research Aims and Objectives11
Rationale of Study.....................................................................................................11
Thesis Outline..12
Chapter 2: Literature Review..13
Relevance.13
Background Grid Computing and security issues prevalent
in it.13

Grid Computing Middleware and its Components.14

Components of Grid Middleware.14

Grid Middleware Security Concerns...15

Authentication and Authorization.16

Scheduling.16
Execution.17
6 | P a g e

Data Ingress and Management..17
Fabric Management.18
Information and Monitoring...18
Challenges and Possible Solution to Security Issues in Grid
Computing.19
Physical Ingress Security Aspects..20
Grid Computing in the Distributed Computing Context.20
Synopsis of Grid Computing Security..21
Systems Clarifications26
System Security for Grid Resources.26
Intrusion Detection Systems (IDS) in Grid Computing.27
Behavioral Clarifications..28
Comprehensive Guideline Oversights.29
Reliance-Based Security Clarifications29
Hybrid Clarifications..31
Authentication vs. Authorization..31
Authentication and authorization based clarifications.31
Chapter 3: Research Methodology34
Introduction34
Qualitative Research Method..34
7 | P a g e

Quantitative Research Method.34
Reason for choosing Qualitative research method.....................34
Limitation..35
Summary.35
Chapter 4: Findings.36
Introduction................................................................................................................36
Results.37
Summary.37
Chapter 5: Summary.38
Discussion ..39
Conclusion.40
References...............................................................................................................................41
Appendix47












8 | P a g e





List of Figures


Figure 1 - Grid Computing Architecture..10

Figure 2 - Grid Middleware Architecture...15

Figure 3 - Distribution for grid computing security..25























9 | P a g e




List of Tables


Table 1 - Recap some of the aspects of the distinctive distributed
Computing settings............................20-21

Table 2 - Kinds of grid computing systems.21

Table 3 - Kinds of grid systems and security circumstances
according to the suggested categorization system23-24




























10 | P a g e


Chapter 1

Introduction


Grid computing can mean different thing to different individual in their respective fields. The grand
idea is often presented as a correlation to power grids where end users (or electrical appliances) get
ingress to electricity through wall sockets with no care or condition for where or how the electricity
is literally generated. In our context of use grid computing, computing becomes prevalent and
peculiar users (or client applications) gain ingress to computing resources (processors, storage, data,
applications, and so on) as obligational with little or no knowledge of where those resources are
located. In addition what the elemental technologies, hardware, operating system, and so on are. In a
nutshell grid computing is basically employing geographically distributed and interconnected
computers together for computing and for resource distribution. Now getting to the stage the topic
we are researching is connected to security related issues faced in grid computing and evaluating
optimum possible solution to this critical problem. Thats why it was important to give overview and
idea of concept of grid computing. Numerous investigations by organization have shown that there
exists serious problem of security violation by unregistered users by hacking, eavesdropping and
intercepting vital information. There are some clarifications that have been discovered and
successfully employed to the security issues encountered in grid computing. As set of different
independent computers are interconnected from substantially different regions of the world to
achieve common purpose by fully exploiting idle resources of system in order to achieve higher
goals. The grid computing idea is shown in figure 1 below.


Figure 1 Grid computing architecture
11 | P a g e

Source: http://www.it.uom.gr/teaching/unc_charlottePPG/grid.htm

Problem Statement

The main problems which are encountered in grid computing application and mostly in every
technology used are security issue. The researcher is evaluating security issues encountered in grid
computing regarding system solution, behavioral solution, hybrid solution mainly concentrating on
authentication and authorization in grid computing by employing globus toolkit middleware in it.
Also evaluate optimum possible solution to various problems. We will also evaluate by employing
the globus toolkit software which can be employed for utilizing various unused resources by users to
get their work done easily. So when these various systems are interconnected located in various
regions and utilized various unused resources so they bound have mechanism in place to avoid
hackers compromising their system. The user when login in into the system there should some
verification in place to establish that users are not impersonating by stealing password and acquire
user sensitive information.

Research questions
Q1. What are security related issues are encountered in grid computing?
Q2. What are security requirements in grid computing?
Q3. Evaluate optimum possible solution to security related issues in grid computing?



Research Aims and Objectives

1. The researchers aim is to evaluate security related issues in grid computing
2. To study security related issues faced in grid computing and security Requirements.
3. To evaluate optimum possible solution to the security related problems.


Rationale of Study
Although there is a vast amount of literature available on the Grid computing and its Grid
middleware are employed in it like globus and security solutions of authentication being solved by
employing of PKI in its grid security infrastructure. In which PKI uses digital signature for
authentication and authorization purposes. Also the thing that encouraged the researcher to
investigate further in security requirements and issues, possible solution to them also further
strengthens one optimum solution. The study further goes in depth of security problems in grid
computing which is being employed in volunteer computing and Grid computing like BONIC. The
researcher is also encouraged by the application of grid technology in electricity grids of global
aspects. So far there has been no direct study conducted in the area where the impact is analyzed in
detail. The study also helps us to understand grid computing and grid middleware architecture in
order to further inquire security requirements and issues encountered. Rest of important information
will be unraveled further in thesis.





12 | P a g e

Thesis Outline
The rest of thesis is as follows.
Chapter 2
Literature review: In this section we present a brief background on grid computing to give concept
of technology on which are writing thesis materials under relevance. Then giving view of security
issues prevalent in it from the historical perspective given by the father of grid computing concept
Ian foster. Further the grid computing middleware and its architecture is explained. Then in order to
understand the security concerns and requirements the grid middleware security concerns are
elaborated. Then security challenges regarding grid computing and their possible solutions are given
and in addition further the physical security aspects of grid computing are given. Then the main
ending section relating to system solution, behavioral solution and hybrid solution regarding
authentication and authorization in grid computing regarding security issues is discussed to arrive at
appropriate choice.

Chapter 3

Research Methodology: In this section the researcher will give reasons why the appropriate method
of research qualitative was chosen instead of quantitative method. It will give brief overview of
quantitative and qualitative research methods. Then further the method of qualitative research in
which survey was chosen a brief outline given and limitation of the research with summary given in
end of section.

Chapter 4

Findings: In this section the research results of primary data will be given in form of text and
percentage figures. The section includes introduction of chapter which give brief view. Then it is
followed by the results section of elaborating the findings. The end is followed by summary of
chapter.

Chapter 5

Discussion: In this section the research collected in primary data is compared with the secondary
data reviewed in literature review to arrive at the answers to our research questions explained in
problem statement and aims and objective section. As further there is recommendation for further
research and method which could be explored to better this security problem regarding
authentication and authorization. In the end there is brief conclusion describing what the researcher
has found in the dissertation exercise.



References: Then follow the reference section containing the references used during the writing of
the thesis in order and cited in text also.

Appendix: The appendix will consist of information relevant to the thesis report topic and will
contain the questions asked during survey conducted. It will consist of definitions of some new and
some old terms specific to the report.



13 | P a g e


Chapter 2

Literature Review

Relevance

Background Grid Computing and security issues prevalent in
it

In recent years, Grid computing technology has emerged as a viable option for high performance
computing as sharing of resources lends improved performance at a lower cost than if each
organization were to own its own closed box resources(A.R. Butt, et al. 2003, pp.1006-1014). Grid
computing in literature is defined as System and applications that integrate and manage resources
and services distributed across multiple control domains (M. Humphrey, et al. 2005, pp644-652).
As Grid Computing has security issues that should be considered since it is a distributed system
where a heterogeneous set of computers share their idle resources. Marty Humphrey, Mary R.
Thompson defined various synopses and gave various clues on how Grid security should be managed
and what are its problems. Computational grid scientists had spent tireless amount of effort to come
up with a shield environment for sharing resources. However, advance intruders still compromising
machines on the grid, which justify the research in intrusion detection system for Grid environment.
We will also discuss some issues of the GIDS on Grid environment with suggested clarifications. A
suggested solution will be analyzed from conceptual framework toward technical architecture. This
research paper describes the particular concept of having a Grid-based Intrusion Detection System
(GIDS) for the Grid environment. We will give few synopses of how GIDS can take place on the
Grid environment (M. Humphrey and M.R. Thompson, 2001, pp. 95-103). In the end researcher
will give conclusion which will help better security related issues in grid computing.

Grid is a system that confirms to three specific categories as follows it coordinates resources that
are not subject to centralized control, it uses standard, open, general-purpose protocols and
interfaces, and it delivers nontrivial quality of service (I. Foster and K. Kesselman, 1999). The ever
evolving number of devices and thus mostly unused resources connected to the internet triggered
many different opinions to share available computing and storage resources. In 1998 Ian Foster and
Carl Kesselman defined in the book The Grid: Blueprint for a New Computing Infrastructure a
computational grid as a hardware and software infrastructure that lends dependable, consistent,
pervasive, and inexpensive ingress to high-end computational capabilities(Ian Foster,2002, pp.817-
840). This definition was subsequently refined according to new circumstances in emerging
technologies. In general, grid computing lends users with the capability to divide and spread large
computations across multiple machines as well as ingress to distributed storage and collaboration
possibilities within virtual organizations(Ian Foster,2002, pp.817-840). As in the coordination,
administration, and subsequently also the billing of resource employment in a grid is not only
challenged by the decentralized oversight and ownership of the computing and storage structure but
also by the aim to provide an efficient and usable environment to its users. The prevalent grid
middleware like the Globus Toolkit, legion 2, gLite3, or BOINC4 provide a fundamental software
infrastructure and tools for masking the ramification of the divergent infrastructure of a grid from the
users, for easing the administrating and configuration of the participating systems, for subordinating
and oversee vacant resources, and for presenting a basic layer for developers to produce grid
applications. In the following a closer look will be taken at security threats, countermeasures, and
14 | P a g e

detection in grids and how different grid middleware clarifications approach these issues (I.Foster, et
al. 1998, pp. 8392).

Grid Computing Middleware and its Components

Middleware stage out to a genre of computer software used to linkup, or allow the
communication of software components with their applications. Middleware is encompassed of
service sets that warrant the complement of numerous numbers of processes operating synchronously
on one or numerous computing gadgets. In grid computing, middleware supports diversified
architectures, which in turn reinforce diversified utilization (Andera Stein, 2013). We illustrate the
middleware preserving in sense the key tasks it lends. Globus Toolkit (GT) is a paramount
middleware and the veritably definitive for grid performance (Choi-Hong Lai and Frdric
Magouls, 2009). It will be the focus of our deliberation subsequent on thesis report in appendix
section.


Components of Grid Middleware

In order to understand the security related issues in grid computing and from different
perspectives, to arrive at some solution just a concise overview of its components. The disperse
entree of grids, the adaptability and the divergent nature of their infrastructure, and the intent of
being a vast desired system are a trail to grid middleware to cater a feasible distributed, impregnable,
substantial, and high aspect-of-utility system to its end users or attaining this most ingression of grid
middleware are broken up into the following segments (S.Burke, et al. 2008):
Basic middleware: This constituent yields the basic abstraction layer from the system segregated in
the grid and also the API for progressing and functioning applications on the grid.
Authentication and Authorization system: This constituent is liable for the authentication and
authorization of users, virtual organizations, and processes that ingresses the grid.
Workload Management: This constituent governs the organizing, dissemination, and preference of
jobs and processes operating on the grid.
Data Management: This constituent governs the data storage and also the ingress to data on the
grid.
Fabric Management: This constituent yields tools for installation management of grid applications
and basic task management, observing, and configuration.
Information System: This constituent collects available knowledge about the grid like availability
and status of resources, the job queue and the status of active jobs, knowledge about users and virtual
organizations, etc. These systems allow observing the grid and also yielding tools allowing users to
collaborate with their submitted jobs (I.Foster, et al. 1998, pp. 8392).











15 | P a g e




















Figure 2 Grid Middleware Architecture







Grid Middleware Security Concerns

Due to the peculiar of grids each of these subcomponents provide a test for security in knowledge
systems to avert alteration, exploitation, unauthorized ingress, denial of service, hijacking, halting of
processes, and stealing of info stored on the grid, computing power yielded by the grid, and as a
whole devices connected to the grid(I.Foster, et al. 1998, pp. 8392).Each tier of grid middleware
constituent is encountered with security concern, either with problem concerning only its kind or
issues concerning numerous kinds. But as soon as one constituent is conceded or yields a security
loophole the entire grid substructure may be compromised by incursions, which have the chance to
Applications
Applications and Portals
User Level Middleware
Development Domain & Tools
Core Middleware
Fabric
Distributed Resources & Coupling Services
Local Resource Management
16 | P a g e

hijack the grid and get into a distributed computing substructure which is devised for high efficiency
computing. On setting out with taking charge of user authentication in grids (R.Butler, et al. 2000,
pp. 60-66) the security working association of the grid forum started to outline issues, which also
have to be consigned when looking at the security of grids (M.Humphrey and M.Thompson , 2001 ).

Authentication and Authorization

Most security deliberation in grids is spotlighted on the authentication and authorization to
ingress the reachable resources on the grid. From an applicability stage of view to ingress the grid
and all its resources users should insert their login authorization particulars only once. This single-
sign-on approach to entree the different and distributed environment of grids is a corner stone of the
success and in addition surge and dissemination of grids (R.Butler, et al. 2000, pp. 60-66).Using
public key infrastructure (PKI) based on X.509 certificates has become the standard for grid
middleware like Globus to employ the single-sign-on ingression. The employment of this PKI
constitute a collective reliance link among the user and the entree stage to the grid granting not only
the grid to review the users certificate but also vice versa allow the user to certify the ingress to the
grid via the certificate (N.Park, et al. 2003, pp. 112-120).

In addition to this basic authentication the middleware Globus use a user proxy approach to
empower the accreditation to the systems either used for ciphering by the user or the user processes
and encompassing data obligatory by the user or users processes. Using a proxy the user empowers
the prerogative to its which again can empower the prerogative to processes started by the user and
obligation to ingress other systems of the grid infrastructure. To evade the disclosure and
dissemination of the users accreditations the proxy employs its own accreditations which are only
valid for short period of time, usually for about 12 hours (Novotny, et al. 2001, pp. 104-111). On the
systems themselves the grid users are generalized to local user accounts, which allow the attainment
of the desired jobs and entree to data mandatory for the attainment of the request. In Globus this
user-mapping is based on grid map-files (R.Butler, et al. 2000, pp. 60-66).In Globus the ingress to
resources can also be confined by compelling users to be members of virtual organizations (VO). By
restraining the ingress to systems of the grid infrastructure to special VOs, only representatives of
those VOs are authorized to ingress them (Xue, et al. 2008, pp.33-40).


Scheduling

The organizing of jobs and managing a jobs ingress to data, especially if the attaining process is
very data comprehensive (Xue, et al. 2008, pp.33-40).Processes functioning in grid environments do
not only want CPU time but also bandwidth and data storage, which should be kept for the processes.
Due to the arrangement of grids and resources which are managed, distributed organizing of tasks
improves the organizing performance and according to (Xie, et al. 2005, pp. 219-237) makes a
system compact, impregnable, and well proficient of distributing organizing workload among a host
of computational sites in the system. In (Xie, et al. 2007, pp.145-153) a managing approach is
presented, where the disparity among the desired security levels and granted security levels effects
the managing of jobs on the grid. The aligning from universal user accounts to peculiar user accounts
on computing elements of a grid may lead to such disparities, which have to be considered at
organizing time, so that susceptible data or computations may not be altered or viewed by
unauthorized users. When looking at numerous grid middleware utilizations, not all of them have
security- and guideline-based organizing.

17 | P a g e

Although Globus use GSI as a primary layer for all processes and users have the facility to give
numerous obligations which have to be met by available resources to decide which ones should be
used (S.Burke, et al. 2008) the time managing is by default based on the information given by the
users in the job report file and the users virtual organization (VO). BOINC, as a tremendous
throughput grid arrangement, lets the possessor of the resource decide at which project he wants to
engage and all available resources are used. In contrast to Globus where the users are the ones who
ingress others resources and thus have dependence on the resources and the infrastructure, when
participating at BOINC the users have to rely on the software and data installed and sent to them.
Regarding security, the scheduler server of BOINC 5 checks, whether a resource i-e a users
computer is reliance worthy or not and sends the job demand (S.Burke, et al. 2008).

Execution

After a job is endured and scheduled for execution it is submitted to the designated resource and
computing element for execution. Numerous security aspects have to be considered at this stage.
From an administrators perspective the job should have no eventualities to do any misuse to the
resource it is working on. It should not be able to ingress data and other jobs it is not granted to
entree as well as it should not be able to exhaust so many resources on the computing machine that
other locally originated jobs starve due to resource shortage. Numerous mechanisms like application-
level sandboxing, virtualization, user-space sandboxing, or flexible kernels can be used to hold back
data on the computing machine (Chakrabarti, et al. 2008, pp. 44-51). Grid middleware like Globus
only grant liable users to endure jobs, develop new applications, and send and ingress those jobs and
applications. In general WMS allows numerous levels of sandboxing; from account-based
sandboxing by creating a user environment on the fly to full virtualization by booting a user peculiar
virtual machine (EGEE JRA3, 2005).

In comparison to these grid middle wares BOINC6 does not use PKI for user authentication on
the BOINC grid, which allows easy assimilation of resources. To avert pernicious executable
distribution BOINC employs code signing, which allows only signed code to be executed on the
computing elements. Each executable is checked before being executed on the computing elements,
which also allows pernicious code to be traced back to its originator. In addition to this account
based sandboxing is used on the computing elements, which restricts the grid applications to ingress
other data stored on the computing elements. Account based sandboxing only works if the privileges
are set correctly. If the prerogatives of the account created by BOINC are altered by the possessors of
the computing element for sure private information about the possessor could be acquired as the
resources used by BOINC applications are mostly privately owned computers (Chakrabarti, et al.
2008, pp. 44-51).

Data Ingress and Management

Besides distributing and parallelizing computations on the grid the ingress to saving of data in the
heterogeneous environment of a grid also lend many ultimatums regarding distribution, replication,
and attainment as well as regarding security issues. Globus use GridFTP as transportation protocol,
which is a FTP solution, is based on GSI, and employs transport layer security (TLS) for attaining
the file transfer among clients, storage elements, and computing elements (V.Welch, 2005). Besides
GridFTP Globus also lends shield file transfer via web services: reliable file transfer (RFT) service.
In contradiction to GridFTP, where the file transfers predicament is lost in instance of a failure of
the client, RFT prevail the predicament of the file transfer in reliable storage (Globus Alliance,
March 2008). Also GSI dCache Ingress Protocol (gsidcap) without an entire file transfer. But in
general when operating a process a user specifies an input sandbox where the data is read from and
an output sandbox where the output of the process is placed. Both sandboxes frequently have to be
18 | P a g e

owned by the grid user starting the process. All references to files on the grid which are read and/or
written by grid applications are stored in a file catalogue the LCG File Catalogue (LFC) which
also contains the ingress oversight list (ACL) for each file(S.Burke, et al. 2008).Besides plain text
storage on storage elements also encrypted storage is possible in globus as described. The solution
stores the encryption key distributed on numerous key servers and whenever a user or a process
started by the user desires encrypted data, this key is reacquired and only on the computing element
the data is decrypted for processing. Thus at two stages of the grid architecture the data is available
in plaintext: on the client side and on the computing element, where it is used as plaintext in memory
and probably in a temporal file on the disk (EGEE JRA3, 2005).

Apart from pure file based data ingress, storage, and management also a generic data ingress
interface for grids is available. The project Open Grid Services Architecture Data Ingress and
Integration (OGSA-DAI) is aimed at providing web service based entree to any possibility of
ingression and storing data regardless of how the data is stored, whether the data is stored in
databases, in structured, semi-structured, or unstructured file formats. OGSA-DAI are built upon the
grid security infrastructure and necessitate web service based authentication to ingress data from data
sources available via OGSA-DAI (OGSA-DAI 3.0 Documentation, 2007).

Fabric Management

As grids are not component of one but are distributed over numerous administrative domains,
installed services, configuration management, and update strategies vary widely. Therefore, the grid
middleware has to atone on one hand the dissemination guideline of jobs to resources where the
desired services are available and on the other hand the in reverse rapport to older still operating
versions. Depending on the administrator of an administrative domain software updates are installed
sooner or subsequent, configurations regarding the security of the local system and/or the whole grid
infrastructure have been applied correctly or not, etc. Those mostly human factors currently are not
atoned by current grid middlewares.

Information and monitoring

Collecting information about available and used resources computing and storage resources, the
status of jobs, active services, etc. is a vital component of managing and also using a grid
infrastructure. Each grid middleware has tools to collect information provided optionally by
computing and storage elements and information which must be available to schedulers and make
this information via a public interface available to administrators and users of the grid. Globus for
instance encompasses the web information and monitoring tool GridICE(S.Burke, et al. 2008), which
can yield information about vacant memory, number of CPUs, storage size, etc. for computing and
storage elements, which is handy information for administrators and users, but also probably useful
information for intruders.
At BOINC, if the possessor of computing elements allows the dissemination of the information, it
is possible to find out hardware and software information about the computing elements a user has
the BOINC middleware installed on; for instance the number and kinds of CPUs, size of memory,
size of cache, and the active operating systems (OS version, updates). In addition to security issues
of the grid middleware itself these grid portals introduce security issues of web applications to the
grid infrastructure. Although breaking into a Grid may not necessarily allow the infiltrator entree to
backend Grid resources, but as most grid portals allow users to ingress grid resources and manage
their accreditation, monitor and maybe even interact with their operating jobs, breaking into grid
portals lends the same prerogative to an infiltrator as the grid user has on the grid portal. Generally
speaking, providing ingress to and oversight over grid resources to users via a web portal increases
the security breach of a grid infrastructure (Vecchio, et al. 2006, p.114).
19 | P a g e

Challenges and Possible Solution to Security Issues in Grid
Computing

Security in grid computing contradicts from the Internet security due to the threat that arises when
we seek to build extensible virtual organizations. Grid Computing has a lot of security issues that
should be examined since it is a distributed system where a dissimilar set of computers share their
unproductive resources. Marty Humphrey, Mary R. Thompson (Marty Humphrey and Mary R.
Thompson, 2009) defined various instances and gave various tips on how Grid security should be
handled and what are their dilemmas. Here is a checklist of the main challenges and clarifications:
1. A machine is distributing its resources and the user is operating applications. Then it is
obligational to make certain that the machine has not been conceded.
Solution: A particular scheduler that allows users with ample prerogative to run applications.
2. Local user ID and Grid user ID must be graphed.
Solution: It can be done through the use of streamline domain oversights, for instance
OpenLdap, that yield user authentication and authorization mechanism.
Others (Marty Humphrey and Mary R. Thompson, 2009) give another solution: a single Grid sign-
in mechanism.
3. Ingress to logs that are over sighted by numerous users.
Solution: To do this peculiar security libraries can be used to ingress the data and restraint that
who did what?
4. Determine ingress guidelines to services either locally or remotely.
Solution: The authorization rule must locally be digitally signed by the possessor and conserved
shielded. Remotely, the possessor must be able to have an impregnable connection and
authenticate himself.
5. Data integrity and confidentiality should be attained.
Solution: Integrity is attained through MAC algorithms. Confidentiality is attained through
encryption methods and keys with a limited life time.
6. Convenient key administration.
Solution: One prospect is to use smart cards.
7. Reliance rapport among users and domains/hosts become essential.
Solution: Authentication is attained by SSL accreditation or impregnable DNS and IPsec.
8. Delegation of prerogative to one or various persons is a dilemma with no clarion solution yet.
9. Information must be reachable and can be desired from everywhere.
Solution: So in order to have opportunity, information services are used. LDAP can be
used to these objective since it gives user/password entree oversight and can graph the users id
to his services directory.
10. Firewalls and VPNs among Grids domains became a threat.
Solution: Infrastructure servers can be configured to run on known ports which can be granted
by the firewall. In the instance of VPN, certificates like x509 identity certificates would be a
good solution to grant ingress to other grid domains (Marty Humphrey and Mary R. Thompson,
2009).







20 | P a g e

Physical Ingress Security Aspects

Physical ingress security has to be examined as well and some other issues about Grid Computing
have been considered by Ian Foster, Yong Zhao, Ioan Raicu and Shiyong Lu in Public-key based
GSI (Grid Security Infrastructure) protocols are used for authentication, communication protection
and authorization (I.Foster, et al. 2008, pp.1-16)
1. Grid computing is more dissimilar and has potent resources, which is why it should abode some
concerns: A single sign-in mechanism to entree multiple Grid sites, concealment, integrity and
isolation should be taken into account so that resources owned by one user cannot be ingress
by unauthorized users and/or interfere with during transmission (I.Foster, et al. 2008, pp.1-16).
2. Community Authorization Service (CAS) is used for progressive resource authorization within
and beyond domains (I.Foster, et al. 2008, pp.1-16).





Grid computing in the distributed computing context
However, there are numerous variation which are given in Table 1 (T. Dimitrakos, et al. 2002,
pp.228-231).

Table 1 Recap some of the aspects of the distinctive distributed computing settings

Distributed
computing
settings
Instance Oversight and
management
design
Security rule
design
Conventional
users
Reliance levels
and
impermanence
Classic
centralized
network
computing
Computer
network
within one
company
Supervised by a
single entity who
preserve
tightened
oversight over
network; shield
architecture;
various network
regulation
prevails (bus,
token ring, star,
Wireless
802.11b, etc.)
Usually
immense level
security
guidelines; if
not, sustaining
steady security
guidelines is
still
probable due to
centralized
oversight
Representatives
of a single
institution or
entity;
network admin
has ingress to
all of them
High reliance
due
to low
impermanence
of
representatives




Grid
computing
MIT Grid Some
centralization
due to
presence of
resource broker/
schedulers,
however
resources
are possessed
and handled by
Thorough
security
guidelines can
and do
probable,
however may
be problematic
to
employ due to
non centric
Users/resource
possessors
are
representatives
of many
companies , or
may be
particular
private
persons.
Medium
reliance
due to increased
impermanence
of
representatives
over
network
computing
21 | P a g e

numerous
entities; some
regulation exists

nature
Peer-to-Peer
(P2P)
computing
Kazaa No centralized
management
structure; no
regulation.

No centralized
security
guidelines;
however
singular
users/resource
possessors may
or may not
have local
security
guidelines
Component of
many
institutions or
may
be private
users.
Depleted
reliance due to
huge
impermanence
of
users.



Synopsis of grid computing security
This section gives a synopsis of the prevailing grid computing settings, as well as a concise
initiation of the security circumstances faced in today's distributed computing settings. There are
three major form of computer grids in use today: computational grids, data grids, and service grids
(A.R. Butt, et al. 2003, pp.1006 -1014). Each has its own stipulated of susceptibility in the security
area, as shown in Table 2.

Table 2
Kinds of grid computing systems (B.A. Kirschner, et al. 2008, pp. 102-109)
Kinds of grid computing
system
Brief explanation Most common susceptible
loopholes
Computational grid Grid architectures that focus on
setting particular resources
explicitly for computing power;
i.e. solving equations and
complex mathematical
problems; machines taking
component in these kinds of
grid are mostly high-
performance servers.
Programs with infinite loops
can be employed to bring down
nodes of this grid, reducing
functionality.
Data grid Grid architecture liable for
saving and providing ingress to
large volumes of data, often
across various companies.
Users can manipulate data of
other users if they surpass their
useable space-this ruins the
other users data.
Service grid A grid which lends services that
are not applicable on a single
machine (N. Li, et al. 2003, pp.
128-171)
Users can employ the service
grid to propel Denial of Service
Incursion (DOS) against
another site


Since the research papers thoroughly reviewed in literature review contend with security hazard
that could be encountered by any kind of grid, it is established in these findings that the phrase grid
computing system encompasses each of these three kinds. In our finding that while the kinds of grid
listed in Table 2 depicts the three common groups of grid computing systems, some grid systems can
22 | P a g e

employ form of numerous or all of the three kinds, labeling them hybrid grid computing systems.
These grids could then counter any of the susceptibility encountered by the grid kinds they are built
up of. For seeing the grid environments divergent and geographically detached resources and wide
array of users, each with rare obligation and objectives for the grid system, the stage of overseeing
the security of users and resources becomes a matter of concern. The users of a grid, be it
computational, data, or service orientated, might have adverse rationale with each other, and thus
would want some assertion that their grid-based activity are shielded from the eyes of other users
(Oracle, Sun Grid, 2010). With the grid agreeable much of a financial resource, users will impel to
demand the equivalent level of security out of their grid employment as they do from any computer-
based commercial tool, such as e-commerce, to assuredly convey satisfactory outcomes. Without
security, a grid setup would be left susceptible to illegitimate users, pernicious processes, and data
intruding that could probably yield it meaningless. A current study rated grid computing as sixth on
preference lists for IT investment among commercial professionals (P.Shread, 2013).

Any impregnable grid environment must employ method to protect authentication, authorization,
data encryption, resource protection, and impregnable transmission (K. Kaneda, et al. 2002, p. 212)
Grid security itself prompts numerous rare security prospects, inclusive of overseeing user
identification across local and global networks, overseeing the diversification of local resource/user
security systems, reliance rapport among entities, end-user key and credential management, and
lending security to resources contra maligned acts from grid users (I.Foster, et al. 1998, pp. 8392).


Modeling an impregnable grid necessitate taking into particular the obligation of grid users for
impregnable distant resources that shield the integrity and confidentiality of data; and also the
obligations of resource possessor to assure that only legitimate, reliance individuals are using their
systems (A.S. Grimshaw, et al. 2004, pp.233-254).

Now the following portrayed distribution system of six viable synopsis encountered by a
distributed computing environment, and the numerous security issues they prompt. Since grid is a
kind of distributed computing environment, these synopses are applicative to the grid computing
platform as well. The first synopses are prompt job implementation, when the user has large amounts
of data that urges to be accumulated from numerous origins for prompt execution. Some instances of
this circumstance encompass the following: a super scheduler must examine list of probable hosts
if it has not already been determined, then requisite adjudge if user is granted to carry out tasks on
those hosts; governing agent must ask for hosts on preference of user; collective authentication must
take place, and the user's grid ID must be graphed to a local ID if paramount. The second synopses
are when a job execution necessitates beforehand scheduling; i.e. to hold back resources for a
subsequent date. Some security ramifications encompass the obligation to empower the user's
prerogative to the super scheduler or broker to make prearrangement, the assertion that if
prearrangement is granted, the user will have the resource for stated time, and the prerequisite for a
non-forgeable prearrangement claim. The user must be able to establish themselves as possessor of
the claim or having had claim legitimately sent to them at the time of employment. The third
synopses is job oversight which the capability to disengage from a job and then restoration to it at
some stage, probably from different regions. The resource being shielded is reachable to an operating
job, so the user operating the job will set ingress oversight guideline. The stage of re-entry is
precisely into computations, circumvent the Grid, so the user must be able to authenticate to the
computations itself. In instance of compelled expiry (if the job is getting out of command) then the
system administrator must establish this status, abort the process, and alert the job possessor. The
fourth synopses are ingression of grid information services. In this circumstance, authentication takes
place among user and possessor of resources. The information service resource implements its own
ingress oversight guideline. Confidentiality or integrity of the message being published could be
obligatory by user and/or information service in this circumstance. The fifth, and probably most
23 | P a g e

security-prone synopses, is setting or inquiring security criterion. This encompass authentication
actions, such as verifying user identity through grid ID, and specification of reliance grid hosts
across grid domains, in which grid resources prove their affiliation in a reliance grid to gain
ingress to a different grid. The sixth synopses, auditing of grid tasks, encompass security criterion
such as logging of system consequences and identification of possible intrusions through weird
consequences (M. Humphrey, et al. 2005, pp. 644-652). Table 3 below lends an intuition into how
our categorization system, analyzed in particular in subsequent sections of the paper, will abode the
different kinds of grids and security circumstances brought out in these findings.



Table 3
Kinds of grid systems and security circumstances according to the suggested categorization
system
References in this
portion
Applicable grid
kinds (Table 2)
Security circumstance
aboded (B. White, et
al. 2001 , p.21)
Section 3System
security

Section 3.1System-
based
security for grid
resources
Entropia (K. Amin, et
al. 2008, pp.749-764)
Virtual private grid
(A.S. Grimshaw, et al.
2004, pp.233-254)
Cooperation and risk
(M. Haynos, 2012)
Data
Data, service
Computational, service
Prompt job execution,
ingression of
information
Prompt job execution,
ingression of
information
Ingression grid
information,
setting/inquiring
security criterion,
auditing grid tasks
Section 3.2IDS Abstraction-based
intrusion detection
(B. White, et al. 2001 ,
p.21)
Service Ingression grid
information,
setting/inquiring
security criterion,
auditing grid tasks
Section 4Behavioral
security

Section 4.1Guideline
oversights
Guideline driven
ingress
oversight(B. White, et
al. 2001 , p.21)
Computational Prompt job execution,
exceptional scheduling,
job oversight, ingresses
grid information,
setting/
inquiring security
criterion, auditing grid
tasks
Security architecture
for computational grids
(K. Connelly and A.
Chien, 2002)
Computational Prompt job execution,
exceptional scheduling,
job oversight, ingresses
grid information,
setting/
24 | P a g e

inquiring security
criterion, auditing grid
tasks
Section 4.2Reliance Evolving and
managing reliance
(D. Frincke,2000)
Computational,
Data
Ingresses grid
information,
setting/inquiring
security criterion
Integrating reliance (D.
Frincke,2000)
Computational, data Ingresses grid
information, setting/
inquiring security
criterion
Section 5.0Hybrid
clarifications

Section 5.2
Authentication and
authorization based
clarifications
Adapting Globus and
Kerberos ( N. Peng, et
al. 2001, pp.407-452)
Computational Prompt job execution,
exceptional scheduling,
job oversight, ingresses
grid, information,
setting/
inquiring security
criterion
SHARP (F. Azzedin
and M. Maheswaran,
2002)
Service Prompt job execution
LegionFS(A. Chien, et
al. 2003, pp.597-610)
Computational Prompt job execution
Accounting and
Accountability (J.J.
Mchugh and B.
Michael 2004)
Computational Auditing of grid tasks
Shield group
management
(E.J. Salles, et al. 2002,
pp. 97-104)
Computational Setting/inquiring
security criterion,
auditing grid
information

According to our suggested categorization system for grid computing security research, grid
computing security can be arranged into the following components: systems, behavioral, hybrid as
shown in Fig. 3.















25 | P a g e








































Figure 3 Distribution for grid computing security









Computational
Grid
Data Grid Services Grid
Grid Computing Security
System
Clarifications
Behavioral
Clarifications

Related
Technologies
Clarifications
Hybrid
Clarifications
Guideline Based
Clarifications
Reliance Based
Clarifications
Authentication &
Authorization
Based
Intrusion
Detection
System
security
for Grid
Resources
26 | P a g e

This Distribution lends numerous assistances to the research society. By designating first under
vast opinions and then breaking down into more peculiar groups, we isolate the opinions (securing of
grid resources, authentication and authorization, etc.) from the implementations (Entropia, Globus
etc.). Further, in the analysis of each opinion and implementation we have hinted to the reader which
opinions and implementations are optimum accustomed to which kinds of grid, as cited in Table 2,
and which kinds of grid employment synopses, as cited in(M. Humphrey, et al. 2005, pp. 644-652).

Further functionality is added by detaching the security clarifications into behavioral vs. system-
based clarifications. For instance, a grid programmer/ administrator looking to implement a peculiar
technology on his grid system might turn promptly to the system-based clarifications, while a
researcher studying behavioral aspects of security would have information obligations more
accustomed to the behavior section of the categorization system. What follows is a particularized
deliberation of the categorization system, broken into sections based on the different categorizations
of grid security clarifications within the categorization tree. Within each section is a brief description
of each categorization, along with particularized instances of clarifications falling into that
categorization. The following section discusses the system clarifications from the categorization
system presented in Fig. 3. It is decomposed into system security for grid resources and intrusion
detection systems.



Systems clarifications

This section deliberates papers that propose system based clarifications to shield grid computing
environments. Comparatively than deliberating the implementing of security guidelines and
behavior-based clarifications, this component of the categorization deals with clarifications whose
focus is to manipulate the hardware and software of a grid system precisely in order to achieve
security. Box-product technologies, topologies and architectures, and intrusion detection systems are
aboded benefits in this section.

System security for grid resources

This section deals with research focused on system based clarifications toward grid security.
Suggested clarifications falling into this portion seek to protect resources on the grid. Ingress
oversight is a valid mechanism for protecting resources, and will be analyzed in a subsequent section
of this paper; however it cannot be the only line of defense to assure that grid nodes, applications,
data, and communications are protected from pernicious users. This portion spotlights on protecting
the grid resources, which encompass hardware and computing equipment, applications operating on
the grid and the data that they contain, as well as communication among grid nodes. Clarifications
falling into this portion abode the data and service kinds of grids (Table 2) and the security
circumstances of Prompt Job Execution and Ingression of Information (Table 3).One method of
using technology, comparatively than guidelines, to shield grid resources is to isolate the portion of
the resource dedicated to the grid from the portion of the resource that the possessor wishes to
preserve private. The Entropia system employs a technique known as sandboxing to protect
applications, clients, processes and resources on the grid (A. Chien, et al. 2003, pp.597-610).

The sandbox technique protects the PC client (grid node) by isolating the application from the grid
that is operating on the client. This ramifications of doctoring with the PC registry or desktop and
protects against application fault due to software bugs or viruses. Along with protecting the PC node,
Entropia contains preventive measures to protect the application as well (A. Chien, et al. 2003,
pp.597-610). The sandbox preserves application files and data files encrypted on disk, so no one can
27 | P a g e

ingress the application who is not supposed to get to it. Simply put, the implications of the
application are not obtainable to non-Entropia applications. Data and application files are also
monitored for doctoring evidence by Entropia to assure their integrity (A. Chien, et al. 2003, pp.597-
610). By contradictions, implied the Virtual Private Grid infrastructure, which implicates curbing
virtual private network (VPG) technology and applying it to grid computing. This infrastructure
function over heterogeneous, locally-peculiar security circumstances such as firewalls, private IP,
and Dynamic Host Configuration Protocol (DHCP) that would otherwise obstruct grid functionality.
VPG lends a rare nickname to exclusive machine on the grid that is not reliant on IPsec or DNS
name, lends job submissions to any nicknamed machine, and lends redirections to and from a file on
a nicknamed machine. VPG pipes between commands carried out on any nicknamed machine,
building up a self-stabilizing management tree among machines. VPG forwards messages via paths
in the tree. Authentication is exclusively performed when it constructs a tree, so there is less security
overhead. In short, this spontaneously establishes a private network for the grid environment that
grant users to ingress resources, while still granting them to be locally shielded by firewalls, private
IP, and other methods that would obstruct classical grid infrastructures (A.S. Grimshaw, et al. 2004,
pp.233-254).

Both of these methods provide security for grid resources; however they go about it in different
methods. These system-based clarifications isolate the physical resources and communications that
make up the grid system, in order to achieve a shield grid network. Entropia acts as polite security
by not letting anyone doctor with anything they shouldn't be doctoring with. The sandboxing
technique, such as that employed in (A. Chien, et al. 2003, pp.597-610), also does not abide the user
prospect of security, inclusive of such things as user identification and authorization. VPG employs a
more decentralized method of aboding grid resources. It grants local users to set their level of
security with firewalls, private IPs and other security devices that typically would not be adaptable
with permanence on a grid environment. This boosts the level of self-rule for grid resource
possessors, which is a desirable property within the grid structure. However, security issues of the
system as an entire are not extensively analyzed it implies that security is being left to the resource
possessors, now that VPG can grant grid users ingress around local users' security circumstances.
Perhaps VPG ought to have more security inherent in its own structure, comparatively than solely
renouncing the users' security applications intact (A. Chien, et al. 2003, pp.597-610).

Intrusion detection systems (IDS) in grid computing

This section gives overview of problems and their solution present in an intrusion detection
system (IDS) model for shielding the grid environment. For the context of this research, an inflator
into the grid is exemplified as any grid user who attempts to endanger the grid or its resources, or
attempts to employ the grid for objectives other than what it was devised for. Comparatively than
being a peculiar software package or brand name box product, intrusion detection is a technological
theory which can be enforced employing any one of numerous software and hardware methods. IDS
grid clarifications function in the computational and service grids (Table 2) and abode the security
clarifications of Ingression Grid Information, Setting/Inquiring Security Criterion, and Auditing Grid
Tasks (M. Humphrey, et al. 2005, pp. 644-652).

Some research efforts comprising intrusion detection in grid security are analyzed below. While
intrusion detection of a single node extensively is monitoring one resource, an intrusion on a grid
could involve numerous resources at once. Thus, coalition among resources on a grid network lends
the grid with essential information to seek out potential unauthorized ingress attempts. This
accession is not devoid of danger. Too less coalition impedes functionality, but too excessive
coalition concedes for intruders (M. Haynos, 2012). Communication among grid entities can take
three forms: manager/ subordinate, peer/peer, and friend/friend. Intrusions are detected either by the
assaulted entity or by other entities on the grid. In detection engaging other grid entities, detection
28 | P a g e

and summarizing of incident is reliant upon the cooperation and its repercussion on data
dissemination. Some entities can disseminate data with each other due to their rapport, but efficacy
not does it due to the cost of disseminating. Resources can have numerous cooperation levels with
other resources selfish, data-interdependence, reciprocal, and generous which is employed to find
out if a resource will disseminate data with another resource. Intrusion can be detected if cooperation
exists, because entities disseminate data. However if disseminate data is discerning, cooperation
could cause susceptibilities. If any agent in a cooperative ring is pernicious, or if a member has a
disseminating cooperation with an entity outside ring, the working is security-compromised.

Rectification policies analyzed in (M. Haynos, 2012), such as data reduction and data sanitization,
lessen danger in cooperation while maximizing cooperation's efficacy. Another paramount facet of
intrusion detection implicates the expiry of entree as a legitimate act or an intrusion. This typically
count on the ingress action being correlated to a listing of noted incursion strategy; while in many
instances this is effective, it would not detect an incursion which does not comply to any previously-
attempted incursion strategy. This complication maybe notably evident with grids, whose fluid
structure may make them susceptible to many kinds of incursions never attempted on single nodes or
traditional, tightly-over sighted networks. Using abstraction, known incursion signatures are
abstracted to cover possible incursions; abstraction of the known incursions will contribute to the
dominance of not having to devise new signatures for each incursion ( N. Peng, et al. 2001, pp.407-
452).Abstraction is error-prone due to its in exact nature, and also very interdependent on the
knowledge of the person writing the signatures. In order to magnify the efficacy of abstraction, the
IDS obligations to take into consideration the many components of incursions, such as the system
view, misuse signature, and view definition (N. Peng, et al. 2001, pp.407-452).

The system view lends a representation of observable information, such as event schema, and a
set of predicates associated with an event. The signature is a distributed event design that represents
incursion in a probable way. The view definition evolves information from the matches of a
signature and portrays it through a reciprocal system view. This matching up of signatures to system
views grants for abstractions. Having these three components, when a new incursion is discovered
we only obligation to specify new combinations of signatures and view definitions (to present the
signature through the appropriate system view) comparatively than creating new incursion signatures
or system views for the IDS to associate with the incursion. The following section accord with
behavioral clarifications, which focus on security by guideline and human action comparatively than
security via some boxed product. This section is further broken into Comprehensive Guideline
oversights and Reliance-Based security solution sections.

Behavioral Clarifications

The following section abodes kinds of clarifications that assert guideline and management
oversights over hardware/software clarifications to maintain a shield grid. Behavioral clarifications
are unreal and intuitive, comparatively than employing a physical technology to sustain security in
the grid. Account capability, group management, and reliance are all matters that are aboded here.
Within each section, instances are provided which helps the reader in comprehending the foundation
for each portion of the categorization (Fig. 3) which is analyzed. The findings are analyzed for
strengths, weaknesses, and directions for future obligational research.

Comprehensive Guideline Oversights

This portion of finding deals with security through guideline definition. The findings
suggesting reliance as a security solution could be examined as a subset of this portion. However,
those papers were peculiar to reliance, while the following papers cover numerous kinds of
29 | P a g e

guidelines in their clarifications, thus it seems more pertinent to group the reliance-based papers
isolated. Research falling into the guideline oversights portion, consequently, discusses guideline sets
controlling a broad range of grid computing actions, comparatively than centering on one area of
activity while participating in a grid. These guidelines abode all areas of grid computing, including
authorized user selection, sign-on strategy and ingress oversight, and local vs. global security
settings. Comprehensive guideline oversees function optimum in computational grids (Table 2) and
abode all security circumstances identified in (N. Peng, et al. 2001, pp.407-452) (Table 3).

As guideline oversights mainly affect the human component of the grid, comprehensive
guideline sets devised to administer groups of users are a rationale extension of this mechanism of
grid security. The Closed User Group (CUG) system described in (G. Goos, et al. 2002, pp.165-168)
employs guideline-driven entree oversight to support CUGs that are geographically dispersed.
Administrator nodes in each CUG oversee ingress to group by issuing certificates. Guidelines are
deployed to numerous CUGs in the domain by guideline objects. Imposition is left up to the
respective entities, granting guidelines to be compelled over heterogeneous systems. The system
merges aspects of both the guideline system and the CUG system. Each CUG has local prospect of a
global guideline system. Guideline objects are generated here and possessed by local administration
nodes. CUGs modify and interchange guideline information with each other, creating a global
guideline system that stretch over the entire grid. There can be CUG guidelines and local guidelines,
which are guidelines possessed by a member of the CUG. This merging and cooperating of
guidelines employed by one user or group of users with guidelines essential to the entire grid attains
the imperative grid-extensive security, while also maintaining the self-reliance of grid systems. The
grid computational processes involving numerous resources possessed by numerous possessors
aftermath in the obligation for security not just amid client and server, but amidst the client and any
of numerous thousand other clients. Inter domain grid security constraints must be interoperable with
local ingress oversight guidelines of individual resources. Grid-wide guidelines which can
accomplish this encompass the following: single sign-on for all grid resources, shielded accreditation
(passwords and private keys), inter-operability with local security clarifications (allowing for single
sign-on and giving local resource possessors control) and export capability (the capability to be used
in multinational clarifications, meaning that encryption must not be the bulk of the security
clarifications because of its current constraints on exportation) (I.Foster, et al. 1998, pp. 8392).

The security guidelines must also support uniform credential and certification infrastructure,
shield group communication, and multiple utilization i.e. one peculiar technology platform should
not be obligatory across all users and resources. There are numerous unique significance and
insignificance to this aspect of grid security. Comparatively than supporting black-box security
technology, guideline-driven security grants for the use of rules and regulations to accomplish the
goal of a shield grid network (I.Foster, et al. 1998, pp. 8392). This back both atop scrutiny in a
high-performance grid and the heterogeneous nature of the grid. The issues of heterogeneity and
control brought out in (I.Foster, et al. 1998, pp. 8392) are at the heart of the majority of research
concerning grid security, as heterogeneity and control themselves having become a chief goal of the
grid environment.

Some questions heightened by these kinds of security, however, encompass the severity to which
guideline sets are unvarying beyond the grid vs. set by the respective nodes or user groups. If they
are unvarying, it takes away control correlated with a grid. Interoperability with local security
clarifications is the primitive focal point of and is also analyzed in (T. Dimitrakos, et al. 2002,
pp.228-231). One solution would be to grant the users to determine their endemic guideline sets, as
protracted as they expedient some essential grid-wide regulation designed to not present such
essential security requirements as to pose a threat to the remainder of the grid. Authentication from
global to local resources was analyzed in (P.C.Moore, et al. 2001, p.21). Non-varying accreditation
and resource proxy/mapping tables grant single sign-on for global and local user authentication.
30 | P a g e

Some controversy that could heighten as a result of carrying out this structure encompasses the
impediment effect, as all resource demand must pass through a user proxy/resource proxy. Mapping
tables from global grid IDs to local IDs could also become exceptionally large as the grid sprout in
size.




Reliance-based security clarifications

The findings analyzed in this section all based their security clarifications on the enactment,
definition, assessment and utilization of reliance in grid computing environments. This contradicts
from the authentication-based security area, analyzed in the Hybrid section, in that authentication
try to uncover the identity of someone seeking to gain ingress to the grid. Reliance-based
clarifications, by contrast, go one step beyond providing an individual's identity, to associating a
level of reliance worthiness with that identity. In grid computing, resource possessors are often
hesitant to enter the grid environment because they will be disseminating resources. This distrust
leads many potential grid entrants to use their own closed-box system comparatively than a grid
system with other resources. This is an inept use of global computing resources, which can be
aboded through the use of reliance-based security clarifications in grid computing. By reliance
worthiness, these clarifications area are ascertaining the belief that a particular user will use the
resource in a non-pernicious manner. Reliance-based clarifications can be identification based or
behavior-based identification-based clarifications deal with who you are, while behavior-based
clarifications deal with what you do. Reliance-based clarifications function in computational and
data grids (Table 2) and abode the security circumstances of the ingression of grid information and
setting/inquiring security criterion (M. Humphrey, et al. 2005, pp. 644-652). The disparity among
reliance and non-reliance entities, the prerogative that should be given to each, and various methods
of earning (or losing) reliance, are all analyzed. A user of the system can make exceptional decisions
about the intercommunication with its peers if it knows the prominence of that peer in the system.
Creating the perception of a global reliance value for each user in the system can lead to apartheid of
the proper users of the system from the reprehensible users of the system. Issues of concern, such as
storing and ingress of these values must also be negotiated with. The Eigen reliance algorithm (S.D.
Kamvar, et al. 2003, pp. 640-651) recommended a distributed solution to the dilemma of reliance
management which can riposte the threats implied by pernicious users as well as commune. Reliance
tasks, inclusive of explicit experience, reputation, and time since the last intercommunication with
the entity in supplication, have arisen in grid security literature (E.J. Salles, et al. 2002, pp. 97-104).

Explicit reliance (reliance-based on rapport among entities) is asymmetric, so each entity decides
for its own self how reliance worthy the other is. A reliance agent evaluates the level of reliance-
based on the explicit reliance rapport, and on the reputation from recommender entities in the grid. A
decay function represents the passage of time since the last synergy and interrelated decay of reliance
level. All of the above cited aspects make up a reliance level, for both the client and the resource. A
resource sets its obligatory reliance level, or the minimal Reliance Level a client should have to
ingress a resource. Clients also set obligatory reliance levels for resources they plan to use.
Breaching these obligatory reliance level results in system abuse, like engrossing too many
resources, renouncing behind junk data after employment, going farther the designated boundary,
and commencing tasks that the breaching entities are not purported to start. Each local resource
comes up with reliance penalty levels pertinent to the effects the offense had on its system. For
example, a resource with adequate disk space possibly not be flaunted by junk data, but a resource
with restricted RAM efficacy be severely imitative by an entity engrossing superfluous resources.
Reliance levels can be efficiently updated, and entities can acquire reliance when infiltrating a
system. However acquiring reliance possibly not is as beneficial to others as earned reliance, so a
31 | P a g e

member-weight is ascribed based on how long entity has been in system. Reliance and reliance
worthiness levels can be determined numerically and used to constraint overhead and resources
devoted to hard security strategy (F. Azzedin and M. Maheswaran, 2002).

Current security strategy, such as encryption and data hiding, within grids bring out overhead that
degrades the high performance nature of the grid. If a client and resource have adaptable reliance
levels, the enterprise they are embroiled in goes on devoid of further security overhead. If either the
resource or the client has an obligatory reliance level above that of its opposite number reliance
level, then further security measures are enacted to allow the operation to take place, comparatively
than the incursion penalties analyzed in the literature review. Either domain can strengthen its
obligatory reliance level to maximal in order to impose embellish security 100% of the time (F.
Azzedin and M. Maheswaran, 2002). The notion of a reliance algorithm to embellish security
strategy, and scale down system-based security overhead, would be beneficial to use in conjunction
with the opinions expressed in (M. Haynos, 2012).

The reliance variable computed by these calculations would be very useful in ascertaining the
hazard correlated with collaborating with a given entity on the grid. The support of the suggestion
analyzed here encompasses the permanence that it is apprehensive of resource management and
security. It overture security when mandatory, but employs reliance as a reinstatement for hard
security in irrelevant circumstances. The numerical computations of reliance/ reputation for a user or
resource as mathematical variable for inclusion in resource management are precise and use
numerous considerations to find out a reliance level. All in all, the principle use of this system is that
it combines security and resource management comparatively than pits them contra to each other.
The solution implied here, however, is not perfect. The reliance/reputation variable may not be as
inattentive a variable as the author implies; reliance levels should be reexamined repeatedly to assure
that clients and resources have not been conceded.

Hybrid Clarifications

A thorough review of the literature concerning grid computing security issues will disclose that
the peculiar perception of authentication and authorization of grid users could be aboded evenly by
system-based clarifications and behavior-based clarifications analogous. Thus, it is more convenient
to create a Hybrid Solution sub-portion to abide this issue, since it falls analogous under System and
Behavioral grid security clarifications.

Authentication vs. authorization

Grid computing is exceptionally susceptible to authentication and authorization due to its
decentralized nature, and the matter that many grids do not have a single-sign-on mechanism in place
to let a user to utilize all resources. Although they are similar notions, authentication and
authorization each have distinct peculiar tasks that each work to shield a grid. According to (E.J.
Salles, et al. 2002, pp. 97-104), authentication is the verification of the identity of a person or
process. Authorization, however, is defined in (A. Chien, et al. 2003, pp.597-610) as being the
process by which an entity such as a user or a server gets the right to perform a privileged operation.
An Authentication and Authorization Infrastructure (AAI) is a significant yet eminently complicated
component of every Grid infrastructure. The AAI is the framework over which Grid resources, users
and Virtual Organizations can authenticate one another by means of their guidelines. Analyzed
below are grid security clarifications that accord with authentication and authorization of users. The
system-based clarifications encompass the Globus/Kerberos solution (N. Nagaratnam, et al. 2003),
Shield Highly Available Resource Peering (SHARP) (F. Yun, et al. 2003, pp. 133-148) and
LegionFS. The behavior-based clarifications encompass the Accounting System for Grids and the
32 | P a g e

Hierarchical vs. Flat Communication Structure. These hybrid clarifications works optimum within
computational and service grids (Table 2) and abode all six security circumstances found in (M.
Humphrey, et al. 2005, pp. 644-652)


Authentication and authorization based clarifications

This section deliberates implied clarifications which give security based on authentication and
authorization. Authentication-based and authorization-based security clarifications seek to shield a
grid environment by confining ingress to reliance members, and by abidance track of operations
performed by a peculiar user. Actions that could pinpoint a pernicious user encompass overwork of
system resources, applications that trespass by ingression of prohibited areas of the resource it is
running on, and numerous ingress demands over a short period of time (M. Humphrey, et al. 2005,
pp. 644-652). Authentication and authorization alone will not safeguard the grid from all modes of
incursion; however they act as a good first line of deterrence to aid in to preserve unauthorized users
from obtaining ingress to grid resources. Endorsement of accreditation for a grid user can be resource
consuming. Moore suggested a Globus system (which supports Grid Security Infrastructure) to
Kerberos to utilize Generic Security Services Application Program Interface (GSSAPI) which is
backed by both systems (P.C.Moore, et al. 2001, p.21). This also allows the application being
ingresses to see a credential, without having to physically get it and authenticate it; the authentication
is all controlled by GSSAPI. Since Kerberos accreditations are backed by numerous platforms, this
will boost the interoperability of the grid. Another Globus-based grid authorization and
authentication technology is conferred in (H. Jung, et al. 2005, pp. 61-77). This innovative system
abode the issues of static authentication and authorization which annoys the current Globus system
by recommends an adaptable security system which can work in the dynamic grid environment.
Similarly, (J.Watt, et al. 2006, pp.136-143) confers a technological authorization authentication
system for grid users based on the Shibboleth technology, which grants for a single-sign on for users
to ingress resources from various sites on the grid at the University in Scotland.

Furthermore, having a lone certifying agency or node grants for a single stage of nonsuccess on
the complete grid, as well as constituting a bottleneck ramification that could hamper the grid's
processing rate. This difficulty can be aboded through use of the Shield Highly Available Resource
Peering system, also known as SHARP (M. Haynos, 2012). The security facets of this resource AL
regions system are as follows: agents and resource managers are constrained to public-key signed
digital certificates, and assertion is cryptographically signed to enact them unforgeable. There is also
no in the middle verifying agency due to which each resource site acts as its own verifying agency,
sending and approving claims and verifying keys. This takes aside the single stage of failing
connected with the single certifying agency. Certainly, the LegionFS file system gives technological
security for grid environments through its three level naming schemes and cautiously oversee ingress
oversight lists. The three-level naming scheme shields users from low level data discovery, while
also not tying names accurately to the locality of data to lend for flawless movement of data from
one resource to some other. Each content of the LegionFS domain has its own security domain, with
ingress administered by the ACLs (B. White, et al. 2001, p.21). There is no super-user in Legion and
single objects are liable for implementing their security guidelines. This rapport the heterogeneity of
grid systems. Under the Legion infrastructure, a user logs on, acquires a short-lived, unforgeable
security credential. Using this credential, the ACLs of the objects find out who is authorized and who
are not. An identical system which predicament a grid user to a local guest account on each resource
employed is given in (B.A. Kirschner, et al. 2008, pp. 102-109).

The Walden system, as it is called governs authentication and authorization on a per-resource
basis, which also grants it the scalability and resilience obligational on the dynamic grid
33 | P a g e

environment. While system-based authentication and authorization clarifications use technology and
black-box security to absolutely authenticate potential users and to prevent unauthorized users off
the grid, guideline-based clarifications can achieve the same objectives. Although a much minor
segment of authentication and authorization literature reviewed is devoted to clarifications
established on guideline comparatively than hardware and software technology, the following
clarifications lend some intuition into the contributions made by clarifications that are guideline-
based in nature (B.A. Kirschner, et al. 2008, pp. 102-109). It is implied in an accounting system for
grid users, which preserves track of who is doing what on grid system. Due to the self-governing
nature of distributed computing, this system of account less accounting this means preserving track
of what users do without needing them to have a local account for each resource could be very
beneficial to the grid security network. Three prime principles for accounting and accountability are
implicit in a user accounting system: mapping resource employment to resource users, illustrating
resource economies or methods for resource exchange, and depicting implementation standards that
minimal and compartmentalize the effort obligatory for a site to cooperate on the grid (J.J. Mchugh
and B. Michael 2004). Similarly, (P. Samarati, et al. 2001, pp. 453-482) recommends a set of
guidelines and authorization regulation for public key management. This guideline set is suited to
grid systems in that it permits users to allow rights for use of their keys to other users or resource
possessors. This type is based on ownership and authority relationships in keys, employs simple
language that can allowed it to be ported to numerous divergent technological platforms. A divergent
path to guideline-based authentication and authorization associates the employ of a system
acknowledged as Delegation Logic (N. Li, et al. 2003, pp. 128-171). Delegation Logic accords
with authorization only. Authorization is adept by an authentication of consent method; i.e. when
an entity can specify accreditation to show that they have endorsed certain prerequisites (observed by
the resource or the grid) obligational for ingress. Management of users in grid systems often also
includes the management of numerous user groups; authenticating the identities of group members,
as well as preserving track of which group members are authorized to ingress which segments of a
peculiar grid, will in turn achieve authorization and authentication operations over the whole grid.
Most group management mode employ cryptographic clarifications as the justification by involving
key management. However, the view of group function is more significant than just a technology
solution. Setup a group-management guidelines which oversights ingress to diverse portions of the
grid based on association repute in certain user groups. Ingress oversight is established slightly by
the allocation method of information i-e when a user departs the group, they are no longer
disseminated information (J.J. Mchugh and B. Michael 2004).

Key change alone is not a good notion because it expects that all excluded members have been
single out and if this is not the case, some excluded members may obtain data about the new key.
Like their opposite technology based authentication and authorization clarifications elaborated
above, these behavioral authentication and authorization options have numerous beneficent and
pessimistic stages for each idea. The system of account less accounting set out in is also analyzed
here (M. Haynos, 2012). The audit logs and audit trails necessary to accomplish this are also
analyzed here and also indicate support for the methods prescribed in (P.C.Moore, et al. 2001, p.21).
The key beneficent factor in behavioral and guideline based authentication and authorization
clarifications is the case that, as sets of guidelines and logic assertion, these clarifications can be
ported across numerous varying hardware and software platforms, making them helpful in the
decentralized, heterogeneous grid environment.







34 | P a g e




Chapter 3

Research methodology

Introduction

In this chapter research methodology the researcher will first explain why he decided to employ
the qualitative research method instead of quantitative method. The researcher will give adequate
reason why qualitative method was preferred over quantitative method. What are the benefits of this
form of research above others in this instance? In this section reasons will further elaborate steps
taken to solve the security related issues in grid computing and finally selecting one optimum
solution and further investigating it in the primary research and comparing with secondary research
to arrive at next data analysis phase. Also hint at questionnaire content and sequence.

Qualitative Research Method

Monette et al (2005, p.428) credits qualitative methods with the acknowledgement of abstraction
and generalisation, categorize vision, images, forms and structures in various media, as well as
spoken and printed word and recorded sound into qualitative data collection methods. According to
William (2005, p.85) qualitative data collection methods emerged after it has become known that
traditional quantitative data collection methods were unable to express human feelings and emotions.


Quantitative Research Method

Quantitative research is defined by Bryman and Bell (2005, p. 154) that entailing the collection
of numerical data and exhibiting the view of relationship among theory and research as deductive, a
predilection for natural science approach, and as having an objectivist conception of social reality.
So the quantitative research employs the quantitative data to analysis.
Reason for choosing Qualitative research method
The main reason for selecting qualitative research in our dissertation is that we are investigating
the security requirements in grid computing regarding behavioral, system and hybrid aspects and
after evaluation selecting optimum possible solution. The above statement strengthen our selection of
qualitative research method in form of questionaries on basis of which survey will be conducted in
order find out extensive reason behind security related issues encountered in above aspects like
authentication and authorization, encryption and decryption, resource employment in Intrusion
detection system employed in grid computing environment. Also finding security related
requirements in grid computing. The extensive filed work is obligatory to attain desired results and
arrive at a desired conclusion. As opposed to quantitative research method which detaches the
researcher from subjects in form of hypothesis, surveys and mathematical calculations. In our
35 | P a g e

instance as time is limited thats why we have chosen to get large sample of primary data in short
period of time in instance of qualitative research as opposed to quantitative research method.

To get answer to above queries the researcher conducted surveys consisting of questionnaires
from different people working in different organization. The numerous surveys were conducted to
arrive at better result by having large sample of data. The large sample of approximately 200 people
will help the researcher to arrive at an accurate result as possible. The survey from people was
conducted in person while a few surveys were conducted through use of survey monkey software
through email. The people who answered survey questionnaire were located demographically in big
companies like IBM, Oracle in country abroad.
Limitation
The limitation associated with our research concerning evaluation of security related issues
encountered in grid computing and its best solution selection. The main concern is shortage of time
period in conducting research.
Summary
In order to get answer to above crucial question the researcher conduction survey in getting
answer to above queries this will help us in getting to the discussion part and conclusion of our
dissertation. The information attained will help us in arriving at a result and help us to analyze it in
findings/result and data analysis section. This will help us further strengthen our claim of security
related issues present in grid computing and our selection of best possible solution to each
encountered problems. The research conducted in collection of primary data also touches the grid
computing employed by bonic grid computing and volunteer computing by researcher also installing
it on system and reviewing its authentication and authorization mechanism.











36 | P a g e


CHAPTER 4
FINDINGS

Introduction
In this section the researcher will show the results attained during survey conducted regarding
security related issues and their best possible solutions. The results will contain positive and negative
aspects of our primary data collection.
Results
The required numbers of survey were taken from various participants in different companies
concerning our research questions. According to survey 80% of the participants were happy with the
security of globus toolkit employing GSI for authentication and authorization purposes. While 20%
of then were not happy with GSI which uses PKI which is based x.509 certificates. The 77% the
participants were mostly developers and grid researchers. The survey portrayed that the sharing of
resources with people sitting outside their domain in various company outlets internationally are
based on resilience among the host and client systems. Mostly there is need of trust between the user
and service provider grid. The chances of allocating grid resources with associate diminished
because of distant distances. Most of them share resources with associates from farther then their
offices (77%), about 67% with users from out of their company and less than half with others from
out of their country. The majority of todays Grid Communities employing globus toolkit seems to
be very little in use. While conducting survey most people were happy with GIS system being used
in grid computing in order to prevent hackers and intruders to steal important information or
manipulate the senders data. The users who were happy with single sign on mechanism were 70%
and who were not are 25%.The users who were unsure of problem with security in grid computing
were 5%. The Grid computing society capacity is given as follows: The 50% of participants are
developers, while 30% are researchers and rest others.
The majority of grid users decide for themselves with whom they want to cooperate and want to
work in project. The usage of delegation method is also in use in companies. The privileges are
delegated and assigned in a ranked manner through a grid computing community administrator,
which might be proof of the dearth of backing for adequate administration of privileges in ad-hoc
grid cooperation cases. The majority of participants (41%) decide for themselves with whom they
37 | P a g e

portion out resources, as 37.5% have to approach an administrator in order to grant the proportionate
access rights. Forty-six percent of grid computing societies use a resource administered authorization
mechanism such as the Grid Security Infrastructure (GSI), 18% use communities administered
authorization mechanism such as the experimental Community Authorization Service (CAS) or the
Virtual Organization Membership Service (VOMS), a limited portion (5%) employs distributed
authorization e.g. as in AKENTI and another 5% were not sure what they use. While 8% gave their
verdict they clout other systems, such as DCE and Kerberos. When inquired about the security
specs provided by grid computing softwares in cooperative cases, 53% answered that existing grid
security solutions do not lend satisfactory services for cooperative grid computing societies. The
logic given extends from the dearth of a fundamental hazard model to the ramifications and payment
of inter-site reliance communication that are presently obligatory. Then 59% accept that existent grid
security solutions enforce more than enough administrative overhead for adequate collective use and.
47% perceive that the level of security lend by existent solutions i-e encryption strength, security of
the protocol, non-repudiation guarantees are not adequate, however 38% inclined that they admit it
is adequate. The 48% of participants did not admit that continuing a public key infrastructure (PKI)
for grid services is costly vs. exclusively 20% that doubted the adequacy of maintaining a PKI.
The means for a user to administer his peculiar privileges and credentials assume to be
inadequate. The above opinions of survey in terms suggest 200 participants out of which 12% were
not sure about this security issue, while 80% were convinced about security issues and possible
solutions. While most of data collected regarding security requirements and security issues
encountered in grid computing whether in computational grid, service grid and data grid points to the
trust relationship among users and hosts of these systems. While 95% participants were supportive of
the security policy should be implemented strictly in order to solve the security incursions by
intruders. Most participants were of the view that in addition to GSI there should be GIDS to prevent
the intrusion also.

Summary
The above data collected by surveyor will further help us in arriving at a best possible solution to
security issues in grid computing when compared to literature review i-e secondary research. The
Security guidelines and trust are pivotal point of the security authentication and authorization in grid
computing whether computational, data and services grid in practice.




38 | P a g e



Chapter 5

SUMMARY


Discussion

In order to find the security requirements of grid computing and security concerns associated with
it, to attain best possible solution to them which are related authentication and authorization. The
primary data collected in findings section strongly supports our notion that main problem of security
breach in grid computing regarding computational grid is attributed to the reliance based between the
host and guest user of the system located at physically dispersed location in case of BONIC software
which is related to grid computing society which let you decide which project you want to take part
in and utilize nonproductive resources. The mechanism used in this to check security breaches and
authorize the usage of resources without being hacked is done by community authorization service
(CAS). In which the control is done by the administrator who first verifies the user and then
authenticates the user whether local or global to access the files and store data, in order to contribute
to the project as a whole. As also found that bonic grid middleware are mostly privately owned and
publically in offices that use sandboxing method to ascertain the user behavior of accessing resources
on the server and if any unusual occurrence then they trace it back to the source from where it came
to catch the intruder. While in case of operation of some program on the host system in case of
execution the programs are digitally signed and then verified before letting them work on the server.
While the using of resources with unknown users located globally also showed some security
loopholes which are based on the trust between the users and other unknown users. The solution to
this is solved by the strict security guidelines enforced by the organization employing Globus,
BOINC or other grid middleware for grid computing purpose in virtual or non-virtual organization.
The major findings in accordance with literature review was that in globus toolkit middleware that
the major mechanism used to detect the authentication and authorization in grid security
infrastructure (called globus security infrastructure) is using PKI mechanism by using X.509
certificates for digital signatures in order to verify the user logging on the grid in order to access data
and share resources. While most of the grid middleware used in grid computing use this approach to
allow users to access sensitive information for which they have rights to access. This basically
operates to prevent intrusion in grid like intrusion detection system i-e GIDS. Another aspect of
authentication is authorization of using set of resources on behalf of other user is by giving certain
set of privileges for this the GSI allows creation of another key which assigns certain set of actions
on resources to the other user to use them. This property is called delegation of delegation of
authorization. During the primary and secondary research another important aspect came to prevent
this security concern was usage of transport layer security could well be used in order to protect the
data from being hacked by intruder by using eavesdropping technique and man in the middle attacks.
In order to secure the communication between sender and user the message level security could have
been employed in this grid computing usage. The message is encrypted and decrypted at sender and
receiver of information in grid computing communities. Another possible solution to this slowing the
process of authentication in grid computing is single sign on mechanism in which user logs in once
and remains logged in as long as needed. The usage of cryptographic smart cards in conjunction with
GSI in order to ensure that the hacker might not be able to steal the key which is saved on card rather
than file system and actually securing the password required for authentication. In the scenario of
mutual authentication the grid user id of user has to be mapped to global id in order to gain access to
the resources.
39 | P a g e


The firewall and virtual private network is also a hindrance to the overall working of grid
computing and slows down the speed of processing. The solution to this problem is use of PKI X.509
certificate to solve this problem. The other is regarding data confidentiality and integrity of the
information being shared over the grid which could be saved by using the message authentication
algorithm. This method is distinct from digital signatures as mac values both accumulated and
authenticated from same secret keys. The other major incursion is Distributed denial of service attack
which uses other resources which are required by other users and consumes the resources. This
globus middleware solution for grid computing also uses SSL authentication protocol for secure
authentication and communication for its wide range of distributed services in grid computing
environment. The researcher finds the globus solution for grid computing more effective than the
legion, glite, Kerberos, DCE, CRISIS and SSH. While the problem regarding reliance deficit
between users of the grid computers using resources of other systems in achieving higher goals. This
scenario could be better solved having an eye on behavior of users by keeping auditing trail of their
activities on the system by keeping log files of their actions to counter any suspicious attack by
intruder. The Security procedures for physical protection of sensitive data regarding login in and
supervision by the administrator of the system should be controlled by strict surveillance of the
administrator activities. In grid computing the administer activities should be audited and monitored
to avoid physical attack by the intruder in impersonating himself in order to get details of other users
by intruders. The IDS of grid is enough to detect intruders but there is need for an intrusion
prevention system to prevent any incursions.

After carefully reviewing primary and secondary data regarding security related issues in grid
computing and its requirements and possible solution to it. The best basic solution for authentication
and authorization is globus defined OGF protocols at the moment consisting of GSI. The grid
computing is more susceptible to cyber based attacks and more susceptible to inner related security
leaks by the administrator. The most important point is that it still uses the asymmetric encryption for
secure and authenticated communication. As the use of PKI with X.509 certificate for authentication
with digital signature is lightweight as compared to Kerberos and other options. The need to further
strengthen the security of grid computing regarding authentication and authorization, in addition
operations is vital as the grid technology is being applied at enterprise and national grid projects as
well in major companies like IBM, Oracle etc.




Recommendations and Conclusion

After the reviewing of grid computing concept that is a mature then cloud computing and cluster
computing. The grid computing is collection of loosely coupled heterogeneous computers located at
physically dispersed locations globally to cooperate and attain common goal like supercomputers.
The globus middleware which authentication and authorization of security are based on Public Key
infrastructure using X.509 certificates and using proxy methods should be replaced by more advance
emerging technology like eye based identification methods to further minimize any incursions by the
intruder or hackers. The grid computing middleware globus should use Identity based key
infrastructure (IBKG) for grids. A number of researchers have recently started exploring the use of
IBC in grid security.
Also the researchers are investigating and testing the dynamic key identity grid DKIG, which is a
hybrid mechanism by linking of identity-based methods at the user level and conventional PKI to
endorsing key management above the user level. There is need of further improvement in grid
computing security aspects and researcher are still to date doing research in this fields. The literature
40 | P a g e

reviewed regarding the security requirements of the various types of grid computing whether
computational grid, data grid and service grid their requirement regarding authentication and
authorization are almost same. The application of grid technology is being employed in electric grid
at international level projects in various countries worldwide. The grid computing technology is
being used in various research purposes and medical field. The exercise of this research the
researcher out that the use of GSI using PKI and employing X.509 certificate used for authentication
and authorization is best solution being employed but need to review considering current situation.

As the grid computing consisted of loosely coupled computers which share resources to achieve a
common goal in various projects going worldwide. The overall security solution for authentication
and authorization being used is globus based GSI technology which uses public key infrastructure
PKI with X.509 certificate in order to authenticate users using digital signatures. The same use of
SSL protocol for authentication and TLS for secure message communication between users and
hosts. The technology used by globus to protect various purpose like GridFTP i-e secure file transfer
protocol in which sharing of files between hosts and users, also between users and other users of this
grid computing technology. As the researcher has not found the firewall method appropriate for the
grid computing and it slows the overall processing speed of the systems. The research has given the
result that the Grids needs a new revamped intrusion detection system with intrusion prevention
system IPS is needed.






























41 | P a g e

References

I. Foster (July 2002). What is the grid? : A three point checklist, GRID today, Vol. 1, No. 6,
pp. 817- 840

I.Foster, C.Kesselman, G.Tsudik, S. Tuecke (1998). A security architecture for computational
grids. In: CCS 98: Proceedings of the 5th ACM conference on Computer and communications
security, New York, NY, USA, ACM pp. 8392

Andera Stein (2013) .eHow Tech, What is Grid Middleware?, Available:
http://www.ehow.com/facts_7669786_grid-middleware.html [Accessed 1
st
August 2013]

Choi-Hong Lai, Frdric Magouls (2009). Introduction to Grid Computing, London UK:
CHAPMAN& HALL/CRC.

S.Burke, Campana, S.Lorenzo, P.M., Nater, C. Santinelli, R. Sciaba (April 2008). : GLite3.1 user
guide. Members of the EGEE-II Collaboration. 1.2 edn.


R.Butler, V.Welch, Engert, D., Foster, I., Tuecke, S., Volmer, J., Kesselman, C. (2000). : A
national-scale authentication infrastructure, Computer, Vol.33, No. 12, pp. 6066

M.Humphrey, M, Thompson (2001): Security implications of typical grid computing usage
scenarios, Cluster Computing, Vol.5, No. 3,pp. 257-264

N.Park, K.Moon, S.Sohn (2003): Certificate validation service using xkms for computational grid.
In: XMLSEC 03: Proceedings of the 2003 ACM workshop on XML security, New York, NY, USA,
ACM pp. 112120

Novotny, J., Tuecke, S., Welch, V. (2001): An online credential repository for the grid: My proxy
pp.104- 111

V.Welch: Globus toolkit version 4 grid security infrastructure: A standards perspective. Technical
report, Globus Alliance (2005)

Xue, Y., Wan, W., Li, Y., Guang, J., Bai, L., Wang, Y., Ai, J. (2008) : Quantitative retrieval of
geophysical parameters using satellite data. IEEE Computer, Vol. 41, No. 4, pp. 3340

Xie, T., Qin, X. Feitelson, D.G., Frachtenberg, E., Rudolph, L., Schwiegelshohn, U. (2005):
Enhancing security of real-time applications on grids through dynamic scheduling. JSSPP. Lecture
Notes in Computer Science, Springer Vol. 3834, pp. 219237


Xie, T., Qin, X. (2007): Security-driven scheduling for data-intensive applications on grids. Cluster
Computing. Vol. 10, No.2, pp. 145153


Chakrabarti, A., Damodaran, A., Sengupta, S. (2008): Grid computing security: A taxonomy. IEEE
Security and Privacy Vol. 6, No. 6, pp. 4451

42 | P a g e

EGEE JRA3 team (2005): EGEE Global Security Architecture for web and legacy services, EU
Deliverable DJRA3.3.


Globus Alliance (March 2008): GT 4.0 Reliable File Transfer (RFT) Service.


The University of Edinburgh (2007): OGSA-DAI 3.0 Documentation.


Vecchio, D.D., Hazlewood, V., Humphrey, M. (2006): Evaluating grid portal security. In: SC 06:
Proceedings of the 2006 ACM/IEEE conference on Supercomputing, New York, NY, USA, ACM p.
114

Marty Humphrey, Mary R. Thompson. (February 2009) Security Implications of Typical Grid
Computing Usage Scenarios. Cluster Computing, Vol.5, No. 3, pp. 257-264

I.Foster, Yong Zhao, Raicu, I., Lu, S. (2008): Cloud Computing and Grid Computing 360-Degree
Compared. Grid Computing Environments Workshop. GCE 08, Vol.5, No.4, pp.1-16


T. Dimitrakos, I. Djordjevic, B. Matthews. (2002): Policy driven access control over a distributed
firewall architecture, Proc. of the 3
rd
International Workshop on Policies for Distributed Systems and
Networks, 2002. pp. 228231.

A.R. Butt, A. Sumalatha, N.H. Kapadia. (2003) :Grid computing portals and security issues, Journal
of Parallel and Distributed Computing , Vol.63, No.10, pp.10061014.

B.A. Kirschner, T.J. Hacker, W.A. Adamson, B.D. Athey. (Nov 8, 2004) WALDEN: a scalable
solution for grid account management, Proceedings of the Fifth IEEE/ACM International Workshop
on Grid Computing. pp. 102-109


N. Li, B. Grosof, J. Feigenbaum. (2003) Delegation logic: a logic-based approach to distributed
authorization ACM Transactions on Information and System Security. Vol.6, No.1, pp.128171.

Oracle. Sun Grid. (2010) Available: http://www.sun.com/2006-0320/feature/index.jsp [Accessed 7th
July 2013].

P.Shread (2013).Server Watch, Survey finds grid becoming strategic IT investment, Available:
http://www.gridcomputingplanet.com/news/article.php/3323731 [Accessed 10th July 2013]

K. Kaneda, K. Taura, A. Yonezawa. (2002) Virtual Private Grid: A Command Shell for Utilizing
Hundreds of Machines, Proceeding CCGRID '02 Proceedings of the 2nd IEEE/ACM International
Symposium on Cluster Computing and the Grid. p. 212

A.S. Grimshaw, A.S. Humphrey, A. Natrajan. (2004) A philosophical and technical comparison of
Legion and Globus, IBM J. Res. Develop. Vol. 48, No. 2, pp. 233-254


M. Humphrey, M.R. Thompson, K.R. Jackson. (2005) Security for grids, Proc. of IEEE Vol. 93, No.
3 , pp. 644652.
43 | P a g e



K. Amin, G.V. Laszewski, A.R. Mikler. (2008) Grid computing for the masses: an overview. Vol.
44, No.4, pp. 749-764


M. Haynos (2012). IBM, Developer Works, Whats the difference between grid computing, P2P,
CORBA, cluster computing and DCE? Available:
http://www.ibm. com/developer works/grid/library/grheritage/? Open&ca=daw [Accessed 12
th
July
2013]


B. White, M. Walker, M. Humphrey (November 2001) LEGION FS: a secure and scalable file
system supporting cross-domain high-performance applications, Proc. of the ACM/IEEE conference
on Supercomputing. Denver, Colorado. p. 21

K. Connelly, A. Chien (2002). Breaking the barriers: high performance security for high
performance computing, Proc. of the 2002 Workshop on New Security Paradigms, pp. 3642

D. Frincke (February 2000). Balancing cooperation and risk in intrusion detection, ACM
Transactions on Information and System Security (TISSEC). Vol. 3, No. 1, pp. 129.

N. Peng , S. Jajodia, X.S. Wang (2001) Abstraction-based intrusion detection systems in distributed
environments, ACM Transactions on Information and System Security (TISSEC). Vol.4, No. 4, pp.
407452.

P.C.Moore, R.J.Wilbur, R.R.Detry (2001) Adapting globus and Kerberos for a secure asci grid, Proc.
of the ACM/IEEE Conference on Supercomputing. p. 21

F. Azzedin, M. Maheswaran (2002) Integrating trust into grid resource management systems, Proc.
of the International Conference on Parallel Processing. pp. 4754.

A. Chien, B. Calder, S. Elder (2003) ENTROPIA: architecture and performance for an Enterprise
desktop grid system, Journal of Parallel and Distributed Computing. Vol. 65, No.5, pp. 597610.


J.J. Mchugh, B. Michael, Secure group management in large distributed systems: what is a group and
what does it do? Proc. of the 2004 Workshop on New Security Paradigms, Caledon Hills,
Ontario, Canada. pp. 8089.

E.J. Salles, J.B.Michael, M. Capps (2002) Security of runtime extensible virtual environments, Proc.
of the 4th International Conference on Collaborative Virtual Environments, Bonn, Germany. pp. 97
104

H. Jung, H. Han, H. Jung, H. Yeoum (2005) Flexible authentication and authorization architecture
for grid computing, ICPP Workshops. International Conference Workshops on Parallel Processing.
pp. 61-77

S.D. Kamvar, M.T. Schlosser, H.G. Molina (2003) The Eigen trust algorithm for reputation
management in P2P networks, Proceedings of the Twelfth International World Wide Web
Conference. pp. 640-651

44 | P a g e

G. Goos, J. Hartmanis, and J. van Leeuwen (2002) Policy driven access control over a distributed
firewall architecture, Proc. of the 3
rd
International Workshop on Policies for Distributed Systems and
Networks. Vol. 7, No.4, pp. 165168.

N. Nagaratnam, P. Janson, J. Dayka, A. Nadalin, F. Siebenlist, V.Welch, S. Tuecke, I. Foster (2003)
Security architecture for open grid services, Global Grid Forum (GGF) OGSA Security Working
Group.

F. Yun, J. Chase, B. Chun (2003) SHARP: an architecture for secure resource peering, Proc. of the
19th ACM Symposium on Operating Systems Principles, Bolton Landing, NY, USA, Session:
Scheduling and resource allocation. pp. 133148.

J.Watt, O. Ajayi, J. Jiang, J. Koetsier, R.O. Sinnott (2006) A shibboleth protected privilege
management structure for e-science education. Proceedings of the Sixth International Symposium on
Cluster Computing and the Grid (CCGRID'06). pp. 136-143

P. Samarati, M. Reiter, S. Jajodia (2001) An authorization model for a public key management
service, ACM Transactions on Information and System Security. Vol. 4, No. 4, pp. 453482.

William N 2005. Your research project, 2nd edition. Sage
Monette, DR, Sullivan, TJ, DeJong, CR, 2005, Applied Social Research. A Tool for the Human
Services, 6th edition
Barry Wilkinson (2010), Grid Computing, Techniques and Applications: CRC Press.
I. Foster, K. Kesselman (1999), The Grid, Blueprint for a Future Computing Infrastructure: Morgan
Kaufmann in Computer Architecture and Design.

I. Foster, K. Kesselman (2004), The Grid 2, Blueprint for a Future Computing Infrastructure:
Morgan Kaufmann in Computer Architecture and Design.

Luis Ferreira, Viktors Berstis, Jonathan Armstrong, Mike Kendzierski, Andreas Neukoetter,
MasanobuTakagi, Richard Bing-Wo, Adeeb Amir, Ryo Murakawa, Olegario Hernandez, James
Magowan, Norbert Bieberstein (2003), Introduction to Grid Computing with Globus : IBM
Redbooks.

Bart Jacob, Michael Brown, Kentaro Fukui, Nihar Trivedi (2005), Introduction to Grid Computing:
IBM Redbooks.

BONIC (2012). Available: http://boinc.berkeley.edu [Accessed 26
th
August 2013]

Globus (2004). Globus Toolkit Available: http://www.globus.org/toolkit/ [Accessed 26
th
August
2013]

Wikipedia (2012).Authentication Available: http://en.wikipedia.org/wiki/Authentication [Accessed
25th August 2013]

Wikipedia (2005).Authorization Available: http://en.wikipedia.org/wiki/Authorization [Accessed
26
th
August 2013]

45 | P a g e

Wikipedia (2005).Eavesdropping Available: http://en.wikipedia.org/wiki/Eavesdropping [Accessed
26
th
August 2013]

Wikipedia (2005).PKI Available: http://en.wikipedia.org/wiki/Public_key_infrastructure [Accessed
27
th
August 2013]

Wikipedia (2005).Grid Middleware Available: http://en.wikipedia.org/wiki/GridMiddleware
[Accessed 26
th
August 2013]

Wikipedia (2005).Virtual Organization Available: http://en.wikipedia.org/wiki/Virtual_organization
[Accessed 26
th
August 2013]

Wikipedia (2005).API Available: http://en.wikipedia.org/wiki/API [Accessed 26
th
August 2013]

Wikipedia (2005).X.509 Available: http://en.wikipedia.org/wiki/X.509 [Accessed 26
th
August 2013]

Wikipedia (2005).GSI Available: http://en.wikipedia.org/wiki/Grid_Security_Infrastructure
[Accessed 27
th
August 2013]

Wikipedia (2005).TLS Available: http://en.wikipedia.org/wiki/Transport_Layer_Security [Accessed
27
th
August 2013]

Wikipedia (2005).FTP Available: http://en.wikipedia.org/wiki/FTP [Accessed 27
th
August 2013]

Wikipedia (2005).ACL Available: http://en.wikipedia.org/wiki/Access_control_list [Accessed 27
th

August 2013]

Wikipedia (2005).OpenLdap Available: http://en.wikipedia.org/wiki/Openldap [Accessed 27
th

August 2013]

Wikipedia (2005).MAC algorithm Available:
http://en.wikipedia.org/wiki/Message_authentication_code [Accessed 27th 2013]



Wikipedia (2005).SSL Available: http://en.wikipedia.org/wiki/Secure_Socket_Layer [Accessed 28
th

August 2013]

Wikipedia (2005).VPN Available: http://en.wikipedia.org/wiki/VPN [Accessed 28
th
August 2013]

Wikipedia (2005).Firewall Available: http://en.wikipedia.org/wiki/Firewall_(computing) [Accessed
28
th
August 2013]

Wikipedia (2005).DNS Available: http://en.wikipedia.org/wiki/DNS [Accessed 28
th
August 2013]

Wikipedia (2005).IPsec Available: http://en.wikipedia.org/wiki/IPSEC [Accessed 28
th
August 2013]

Wikipedia (2005).Single_sign_on mechanism Available: http://en.wikipedia.org/wiki/Single_sign-on
[Accessed 29
th
August 2013]

Wikipedia (2005).Denial of service Available: http://en.wikipedia.org/wiki/Denial_of_service
[Accessed 29
th
August 2013]

46 | P a g e

Wikipedia (2005).Hybrid computing Available: http://en.wikipedia.org/wiki/Hybrid_computing
[Accessed 29
th
August 2013]

Wikipedia (2005).Confidentiality Available: http://en.wikipedia.org/wiki/Confidentiality [Accessed
29
th
August 2013]

Wikipedia (2005).Kerberos Available: http://en.wikipedia.org/wiki/Kerberos_(protocol) [Accessed
29
th
August 2013]


Wikipedia (2005).DHCP Available: http://en.wikipedia.org/wiki/DHCP [Accessed 29
th
August
2013]


Wikipedia (2005).SSH Available: http://en.wikipedia.org/wiki/Secure_Shell [Accessed 30
th
August
2013]

Akenti homepage (2005). Akenti Available: http://acs.lbl.gov/software/Akenti/ [Accessed 30
th

August 2013]

Wikipedia (2005).Virtualization Available: http://en.wikipedia.org/wiki/Virtualization [Accessed
30
th
August 2013]





























47 | P a g e

Appendix A


Appendix A Survey Questions

The results consist of Questions asked from participants of survey conducted between July 14
th
and
August 31
st
, 2013.

Part 1: Individual demography, computer use and their association to grid computing
30 (8%) grid users
70 (23%) grid project managers
80 (77%) grid systems researcher / developer
20 ( 3%) other
Q1. How long have you been engaged with grid technologies?

Q2. What kinds of authorization methods are being employed in the communities you are a
representative of?


The following group of questions deal with the relevance of existent grid security solutions to
collective synopsis.

Q3. Do you assume that currently existent grid security solutions lend sufficient security for
collective grid communities?

Q4. Do you admit that current grid security solutions enforce plenty of administrative
overhead for adept collective employment (e.g. require centralized administration)?

Q5. Do you assume that existent grid security solutions do not lend sufficient service with
regard to the level of security they lend ( like encryption strength, secure protocol,
nonrepudiation guarantee)?

Q6. Do you assume that sustaining a public-key infrastructure for grid security is costly?

Q7. Do you assume that the way existent grid security mechanisms permit you to administer your
privileges and credentials is sufficient?

Q8. Do you assume that the real world reliance connection among institutions that have
collaborating entities can be designed sufficiently employing existent grid security solutions.

Q9. What do you about the firewall and VPN being used to analyze packets of data and stop
unwanted programs to enter the grid computing environment adequate or slows down the grid
computing application?

Q10. What do you think that GSI using PKI with X.509 certificates is enough to provide secure
authentication and authorization is adequate or not ?
Q11. Why do you believe that the globus GSI using PKI with X.509 certificate is better solution then
the Kerberos solution and DCE solution for authentication and authorization?

Q12. Whether the use of smart card is needed in GSI using PKI for securing the private key?

48 | P a g e

Q13. Do you think that Community Authorization Service is adequate used in bonic grid computing?

Q14. How important is the induction of revamped GIDS in conjunction with GIPS to prevent
intrusion?

Q15. Are you satisfied with the working of single sign on mechanism used for authenticating access?

Q16. Are the delegation mechanism used in GSI for authorization is adequate?

Q17. Also whether security provided for reliable transfer for file between two nodes sharing
resources is enough secure by using TLS protocol?





























49 | P a g e




Appendix B

Glossary of terms

AUTHENTICATION: The verification of the identity of a person or process. In a communication
system, authentication verifies that messages really come from their stated source, like the signature
(Wikipedia, 2012).
AUTHORIZATION: It is the function of specifying access rights to resources, which is related to
information security and computer security in general and to access control in particular. More
formally, "to authorize" is to define access policy (Wikipedia, 2005).
EAVESDROPPING: is the act of secretly listening to the private conversation of others without
their consent. It can be done over methods of communication considered private (Wikipedia, 2005).
PKI : A system of public key encryption using digital certificates from Certificate Authorities and
other registration authorities that verify and authenticate the validity of each party involved in an
electronic transaction(Wikipedia, 2005).
BONIC: Berkeley Open Infrastructure for Network Computing is an open source middleware system
for volunteer and grid computing (Bonic, 2012 ).
GRID MIDDLEWARE: A Grid Middleware Distribution is a software stack or a set of cooperating
components, services and protocols which enable users access to the distributed resources of a grid
(Wikipedia, 2005).

VO: Virtual Organization is a virtual entity whose users and servers are geographically apart but
share their resources collectively as a larger grid. The users of the grid can be organized dynamically
into a number of virtual organizations, each with different policy requirements (Wikipedia, 2005).
API: It specifies how some software components should interact with each other (Wikipedia, 2005).
X.509: In cryptography is an ITU-T standard for a public key infrastructure (PKI) and Privilege
Management Infrastructure (PMI) (Wikipedia, 2005).
GSI: The Grid Security Infrastructure contains components to secure your grid network (Wikipedia,
2005).
WMS: a component of the globus middleware stack for grid computing (Globus, 2004).
ACCOUNT BASED SANDBOXING: It is also bonic second line of defense. Is a technique in
which BOINC applications run in an unprivileged user account, to limit the ability of project
applications to access files outside of the BOINC directory or to cause other problems (Bonic, 2012).
50 | P a g e

VIRTUALIZATION: In computing, refers the act of creating a virtual (rather than actual) version
of something, including but not limited to a virtual hardware platform, operating system (OS),
storage device, or network resources.
SANDBOXING: In computer security, a sandbox is a security mechanism for separating running
programs. It is often used to execute untested code, or untrusted programs from unverified third-
parties, suppliers, untrusted users and untrusted websites (Bonic, 2012).

GridFTP: The Grid File Transfer Program provides high-performance and reliant data transfer
(Globus, 2004).
TLS: Transport Layer Security is a protocol that provides privacy and data integrity between two
communicating applications, layered on top of TCP/IP (Wikipedia, 2005).
RFT (Reliable file transfer): Submit and monitor a 3rd party GridFTP transfer (Globus, 2004).
FTP: is a standard network protocol used to transfer files from one host to another host over a TCP-
based network, such as the Internet (Wikipedia, 2005).
ACL: determining how access control lists are edited, namely which users and processes are granted
ACL-modification access (Wikipedia, 2005).
Gsidcap: The GSIdCap protocol is the dCap protocol with a GSI authentication wrapper (tunnel)(
Globus, 2004).
GridICE: It is a monitoring service for the Grid (Globus, 2004).
OpenLdap: The Lightweight Directory Access Protocol builds on TCP/IP to define a query-
response protocol for querying the state of remote databases (Wikipedia, 2005).

MAC ALGORITHMS: In cryptography, a message authentication code (often MAC) is a short
piece of information used to authenticate a message and to provide integrity and authenticity
assurances on the message. Integrity assurances detect accidental and intentional message changes,
while authenticity assurances affirm the message's origin. A MAC algorithm, sometimes called a
keyed (cryptographic) hash function (however, cryptographic hash function is only one of the
possible ways to generate MACs), accepts as input a secret key and an arbitrary-length message to be
authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a
message's data integrity as well as its authenticity, by allowing verifiers (who also possess the secret
key) to detect any changes to the message content (Wikipedia, 2005).
SSL: Secure Socket Layer is a security protocol that provides communication privacy. SSL enables
client/server applications to communicate in a way that is designed to prevent eavesdropping,
tampering, and message forgery. SSL was developed by Netscape Communications Corp. and RSA
Data Security (Wikipedia, 2005).


51 | P a g e

VPN: A virtual private network extends a private network across a public network, such as the
Internet. It enables a computer to send and receive data across shared or public networks as if it were
directly connected to the private network, while benefiting from the functionality, security and
management policies of the private network (Wikipedia, 2005).
FIREWALL: In computing, a firewall is software or hardware-based network security system that
controls the incoming and outgoing network traffic by analyzing the data packets and determining
whether they should be allowed through or not, based on a rule set. A firewall establishes a barrier
between a trusted, secure internal network and another network (e.g., the Internet) that is not
assumed to be secure and trusted (Wikipedia, 2005).
SMART CARDS: can be used to solve private key management issues to improve security of the
grid environment (Globus, 2004).
DNS: The Domain Name System is a hierarchical distributed naming system for computers, services,
or any resource connected to the Internet or a private network. It associates various information with
domain names assigned to each of the participating entities. Most prominently, it translates easily
memorized domain names to the numerical IP addresses needed for the purpose of locating computer
services and devices worldwide. By providing a worldwide, distributed keyword-based redirection
service, the Domain Name System is an essential component of the functionality of the Internet
(Wikipedia, 2005).
IPSEC: Internet Protocol Security is a technology protocol suite for securing Internet Protocol (IP)
communications by authenticating and/or encrypting each IP packet of a communication session.
IPsec also includes protocols for establishing mutual authentication between agents at the beginning
of the session and negotiation of cryptographic keys to be used during the session. IPsec is an end-to-
end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in
protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways
(network-to-network), or between a security gateway and a host (network-to-host) (Wikipedia,
2005).
SINGLE SIGN-ON MECHANISM: It is a property of access control of multiple related, but
independent software systems. With this property a user logs in once and gains access to all systems
without being prompted to log in again at each of them. Conversely, Single sign-off is the property
whereby a single action of signing out terminates access to multiple software systems. As different
applications and resources support different authentication mechanisms, single sign-on has to
internally translate to and store different credentials compared to what is used for initial
authentication (Wikipedia, 2005).
COMMUNITY AUTHORIZATION SERVICE (CAS): Building on GSI, the CAS component of
the Globus Toolkit allows resource providers to specify coarse-grained access control policies in
terms of communities as a whole, delegating fine-grained access control policy management to the
community itself. Resource providers maintain ultimate authority over their resources (including per-
user control and auditing) but are spared most day-to-day policy administration tasks (e.g., adding
and deleting users in groups, modifying user privileges) (Globus, 2004).
DENIAL OF SERVICE (DOS): It is an attempt to make a machine or network resource unavailable
to its intended users. Although the means to carry out, motives for, and targets of a attack may vary,
52 | P a g e

it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host
connected to the Internet (Wikipedia, 2005).
HYBRID COMPUTING: A hybrid computing platform lets customers connect the packaged small
business software applications that they run on their own internal desktops or servers to applications
that run in the cloud (Wikipedia, 2005).

GRID ID: is a simple, effective two-factor authentication method based on security grids. A security
grid contains a matrix of numbers and letters in easily marked columns and rows (Globus, 2004).
CONFIDENTIALITY: It prevents sensitive information from reaching the wrong people, while
making sure that the right people can in fact get it (Wikipedia, 2005).
KERBEROS: is a computer network authentication protocol which works on the basis of 'tickets' to
allow nodes communicating over a non-secure network to prove their identity to one another in a
secure manner. Its designers aimed it primarily at a clientserver model and it provides mutual
authenticationboth the user and the server verify each other's identity. Kerberos protocol messages
are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key
cryptography and requires a trusted third party, and optionally may use public-key cryptography
during certain phases of authentication (Wikipedia, 2005).
DHCP: The Dynamic Host Configuration Protocol is a network protocol used to configure devices
that are connected to a network so they can communicate on that network using the Internet Protocol
(IP). The protocol is implemented in a client-server model, in which DHCP clients request
configuration data, such as an IP address, a default route, and one or more DNS server addresses
from a DHCP server (Wikipedia, 2005).
AAI: An Authentication and Authorization Infrastructure (AAI) is a vital yet highly complex
component of every Grid infrastructure. The AAI is the central framework over which Grid
resources, users and Virtual Organizations can authenticate one another by means of their policies.
Policies include distributed specifications of identity (certificates) and authorization (attributes). An
AAI has both integrated certification and directory services and provides access protocols for them
(Globus, 2004).
GSSAPI: is an application programming interface for programs to access security services (Globus,
2004).

SSH : is a cryptographic network protocol for secure data communication, remote command-line
login, remote command execution, and other secure network services between two networked
computers that connects, via a secure channel over an insecure network, a server and a client
(Wikipedia, 2005).

AKENTI: is a security model and architecture that is intended to provide scalable security services
in highly distributed network environments (Akenti homepage, 2005).

53 | P a g e


Appendix C




Digital Certificate Figure (Luis Ferreira, et al. 2003)




























cc
Grid Host Certificate Authority
CAs Public Key
Your certificate
signing request
Your Private
Key
Your
Certificate
GSI
CAs Public Key
Your
certificate
signing
request
Your
Certificate
CAs
Private
Key
54 | P a g e

Preparation procedure for GSI (Luis Ferreira, et al. 2003)







Authentication method (Luis Ferreira, et al. 2003)





55 | P a g e




Delegation method of users proxy (Luis Ferreira, et al. 2003)





















56 | P a g e






Figure: Authentication process (Luis Ferreira, et al. 2003)