The concept of grid computing is not new. In a way, it is nothing but parallel or distributed computing; however, the difference lies in the scale and complexity! So imagine parallel processing at a level where instead of sharing one or more resources, each and every computing resource is shared among all the computers within the network (as if they form an interconnected grid). Now imagine that the grid can consist of several different authorized heterogeneous systems, even owned by different organizations! It would be like a huge supercomputer with unmatched processing power, memory capacity and data storage capacity suitable for the most complex computations, but really it is just a network of interconnected computers. As far as the user of a grid computer is concerned, he/she is just using the local computer (now a supercomputer owing to the grid links) unaware of the links contributing to the power and enormous complexity of the network grid or cluster to which that machine belongs.
In order to provide: ◦ Confidentiality ◦ Authentication ◦ Message integrity ◦ Nonrepudiation But Grid Security is difficult: ◦ Use of valuable resources, solving sensitive problems ◦ Distinct domains (own policies, procedures) ◦ A single computation might require a large and unpredictable set of resources ◦ Broad availability and applicability
Motivations: Secure communication (authentication and perhaps confidentiality) between elements of a computational Grid. Security across organizational boundaries, thus prohibiting a centrally-managed security system. “Single sign-on" for users of the Grid, including delegation of credentials for computations that involve multiple resources and/or sites.
Also known as Public Key Infrastructure (PKI). User (or entity) gets a related key pair: ◦ A private key - known only to the user. ◦ A public key – in the public domain. A message encrypted with one key requires the other key for decryption.
Digitally "sign" a piece of information using public key cryptography. To sign a piece of information: ◦ The sender computes a mathematical hash of the information. ◦ Using the private key, he/she encrypts the hash, and attaches it to the message (the recipient has the public key). To authenticate the information: ◦ The recipient computes the hash using the same algorithm. ◦ Using the public key, he/she decrypts the encrypted hash. Match? – Then the sender has signed the message and it is intact.
The Certificate - a central concept in GSI authentication. It identifies and authenticates every user and service on the Grid. A GSI certificate includes four primary pieces of information: ◦ A subject name, which identifies the person or object that the certificate represents. ◦ The public key belonging to the subject. ◦ The identity of a Certificate Authority (CA) that has signed the certificate to certify that the public key and the identity both belong to the subject. ◦ The digital signature of the named CA.
GSI certificates are encoded in the X.509 certificate format (a standard data format for certificates established by IETF). This certificate: ◦ identifies the subject and his/her institution; ◦ is created for the subject by the subject’s institution. An X.509 certificate includes: ◦ subject’s name; ◦ subject’s public key; ◦ name of the issuing CA; ◦ signature of issuing CA; ◦ validity dates (start and end dates); ◦ other - version information, etc.
At the end, Alice and Bob have established aconnection to each other and are certainthat they know each other’s identities.
GSI does not establish confidential (encrypted) communication between parties (by default). If it is desired, GSI can easily be used to establish a shared key for encryption. Related security feature – communication integrity. ◦ Integrity means that an eavesdropper may be able to read communication between two parties but is not able to modify the communication in any way. GSI provides communication integrity by default.
Delegation capability in GSI – an extension of the standard SSL protocol which reduces the number of times the user must enter his passphrase. A user needs to re-enter his/her passphrase if: ◦ several Grid resources are required for a computation; ◦ agents (local or remote) request services on behalf of a user; ◦ etc. How to avoid this? - Create a proxy. A proxy consists of a new certificate and a private key.
The new certificate (proxy certificate): ◦ contains the owners identity, modified slightly to indicate that it is a proxy; ◦ is signed by the owner, rather than a CA. Proxies have limited lifetimes. ◦ The proxy certificate includes a time notation after which the proxy should no longer be accepted by others.
The proxys private key might be stored in a local storage system without being encrypted (since the proxy is not valid for very long). Mutual authentication when using proxies: ◦ The remote party receives the proxys certificate (signed by the owner) and the owners certificate. ◦ The signature on the proxy certificate is validated using the owners public key (obtained from his/her certificate). ◦ The signature on the owners certificate is validated using the CAs public key. ◦ A chain of trust from the CA to the proxy through the owner is established. Single sign-on – used when there are service requests travelling through multiple security domains in GSI. GSI uses proxy certificates for single sign-on and delegation of rights to other entities.
What is really needed is to reduce the amount ofwork the service has to do to establishauthorization, without doing so by looking up theactual person. This is the sort of task that has beengiven to RBAC mechanisms. However the traditionalview of people being given roles does not work verywell in the grid either. The main issues are that it isvery difficult to give people meaningful roles, andpeople understand different things by those roles.They do however make authorization much simpler asyou are only checking whether a certain role can usea service.
Grid Computing Cloud Computing Typically, grid infrastructures are accessed by A customer accessing a cloud infrastructure or multiple, heterogeneous organizations or project service will pay the cloud provider on a pay-per-use teams that typically share a common goal and need basis. The business model relies on optimizing access to a virtual supercomputer to work on a single utilization such that the cost makes sense for the task or a single set of tasks. However, the users or customer as well as brings profits to the provider. project sponsors would have to bear the enormous cost of setting up and maintaining and monitoring We can perhaps associate it to the use of utilities the grid. such as electricity, gas, etc., or purchasing in bulk,Business Model but only when theres a requirement or demand. The When compared to accessing a cloud infrastructure benefit is in achieving economies of scale. Its that charges only as per consumption of resources, independent of whether the task requires the set-up costs of a grid along with the cost of computational power or increased storage capacity. ownership of resources (like network administration, maintenance staff, etc.) are likely to be phenomenally The customer is ideally not involved with the building high. or maintenance of the cloud infrastructure or services. This feature of abstraction is common to both grid computing and cloud computing. Grid computing does not have universal standards Cloud computing has a more commercial focus and with regard to configuration of systems and software. is therefore, more flexible when compared to the grid Some software and most algorithms and codes model. For example, expansion of a business require major restructuring in order to use all the requiring more resources is as easy as informing benefits of "parallel processing" available with grid your provider to avail their seamless and mostly computing. automated expansion services. Computing Model Even data communication protocols are grid-specific. Even writing a new code etc., becomes less time- Since most resources are being shared, network consuming with the use of generic software. congestion control, fairness in allocation, reduction in latency, etc., are factors governing the Existing protocols such as Web Services (WSDL, development of grid protocols. Standard protocols SOAP), and some advanced Web 2.0 technologies are just not agile or flexible to support grid such as REST, RSS, AJAX, etc., can be utilized in infrastructures. cloud-based systems.
We have already seen that the grid infrastructure For obvious reasons (relative homogeneity of cloud comprises diverse configurations and platforms. Hence, systems), cloud security models are relatively simpler the security for such a system would be a consideration and less secure than that of grid computing. right from the setting up of the grid. It is a matter of mutual understanding where the Important factors considered are authentication (single provider ensures protection of the customers data sign-on), authorization, credential, conversion, and applications. Private cloud (where the auditing, and delegation. infrastructure is dedicated to a single customer) andSecurity community cloud (cloud infrastructure shared between Typically, a grid infrastructure has operational a finite set of multiple customers) are effective ways to autonomy which ensures greater security controls and restrict access to authorized, limited number of users. protocols. However, providing a security layer to a grid infrastructure is a time-consuming process. Cloud infrastructure typically use Web forms (over Secured Sockets Layer (SSL)) to create and manage account information for end-users. Encrypted communications ensure secure identity and password management. - Is there a possibility of lesser complexity in building - Does the cloud provider have a disaster grids? management and recovery mechanism in place to deal with loss of customers data? - Is there a possibility of developing ubiquitous Some standards for grid infrastructure? - Is there a backup/contingency plan in case ofPotential disasters to ensure business continuity? Issues - What if the cloud provider exits the business or is acquired by another company, what happens to the customers data and cloud operations? - The European Organization for Nuclear Research - Salesforce.com, Google App Engine, Microsoft Azure, (CERN) is one of the leading organizations running and Amazon EC2 are famous cloud providers in the major grid computing initiatives including analyzing public domain (they provide services to anyone who chemical compounds in the search for potential drugs needs them over the public Internet). for diseases such as avian flu.Examples - Other service providers include the open source - SETI (Search for Extraterrestrial Intelligence) @Home AbiCloud, Elastichosts and NASAs Nebula platform. project is one of the earliest grid initiatives that downloads and analyzes data from radio telescope. Participants simply need to download and run a program to join the grid network.
From the above discussion of contrasting factors betweengrid computing and cloud computing, it is clear that its nota simple matter of choosing one over the other.It seems as though cloud computing is more suited tobusinesses looking to derive value out of their IT operationsin a streamlined fashion. The agility that comes withutilizing services from the cloud complements its scalability.The grid computing paradigm on the other hand, has beenthe traditional arena of funded scientific research althoughthere are emerging instances of its use in biomedical,financial and industrial research. It now finds applications inweather modeling and weapons test simulations.In fact, web serving (serving requests of website contentfrom users located all over the world) is an example of acommercial application that benefits from the gridinfrastructure.