and establish a secure connection for data transfer; FTP commands were modified to include TSRB concepts such as HPL exchange and microcontracts. The resulting system's performance is as good as can be expected from a protocol that uses encryption to protect data transferred from server to client. Performance results are described in a separate report (Coca, 2011).

One of the more difficult issues to address when using our system is how to decide whether a given system setup is secure. We have experimented with HPLs to describe various Linux systems. To determine a system's security, we used information obtained from the Common Vulnerabilities and Exposures (CVE) vulnerability database (http://cve.mitre.org) to locate potentially vulnerable packages on the system. A vulnerability score (Scarfone and Mell, 2009) is associated with each entry in the CVE database, which indicates the potential impact of a vulnerability on the security of the system. However, Grid systems generally have different characteristics than desktop systems, for which the scoring method was devised.

Grid clusters are typically batch systems, and worker nodes within a cluster are usually not directly exposed to the Internet. Rather, the most important threats may originate from within the cluster, for example from malicious jobs that run concurrently with a job in the same cluster, or from jobs that compromised a machine some time earlier. We are currently studying whether the CVE-based vulnerability scoring can be adapted to Grid-specific characteristics. We are also studying ways to facilitate dynamic evaluation of HPL-based policies, such that users or administrators do not have to be overly burdened by (manually) updating policies or analyzing vulnerability reports to assess a system's security.
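The gap between desktop-oriented scoring and the Grid threat model can be made concrete, assuming the score in question is the CVSS version 2 base score. The following Python code is an added example, not code from the chapter or from the system it describes: the package names, versions and CVE identifiers are constructed placeholders, and rescoring every finding as network-reachable is only an illustrative assumption about what a Grid-specific adaptation could look like.

```python
# CVSS v2 base-score metric weights, as published in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # confidentiality/integrity/availability

def base_score(vector):
    """CVSS v2 base score for a vector such as 'AV:L/AC:L/Au:N/C:C/I:C/A:C'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def grid_vector(vector):
    """Illustrative assumption: jobs sharing a worker node already have local
    access, so the access-vector discount for local flaws is removed."""
    return "/".join("AV:N" if p.startswith("AV:") else p for p in vector.split("/"))

# Constructed package inventory and advisory records (placeholder identifiers).
INSTALLED = {"examplelib": "1.2", "exampled": "3.0", "exampletool": "0.9"}
ADVISORIES = [
    ("CVE-XXXX-0001", "examplelib", {"1.1", "1.2"}, "AV:L/AC:L/Au:N/C:C/I:C/A:C"),
    ("CVE-XXXX-0002", "exampled", {"3.0"}, "AV:N/AC:M/Au:N/C:P/I:N/A:N"),
    ("CVE-XXXX-0003", "exampletool", {"0.8"}, "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
]

def assess(installed, advisories):
    """Return (cve, package, desktop_score, grid_score) for affected packages,
    ordered by the Grid-adjusted score, highest first."""
    findings = []
    for cve, pkg, affected_versions, vector in advisories:
        if installed.get(pkg) in affected_versions:
            findings.append(
                (cve, pkg, base_score(vector), base_score(grid_vector(vector)))
            )
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for cve, pkg, desktop, grid in assess(INSTALLED, ADVISORIES):
        print(f"{cve} {pkg}: desktop view {desktop}, grid worker view {grid}")
```

A local privilege escalation that the standard equations rate 7.2 rises to 10.0 once local access is taken for granted, while the remotely reachable finding is unchanged.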
RELATED WORK

Montagnat et al. (2007) describe a Medical Data Manager (MDM) for DICOM images and associated metadata in a secure way. MDM is deployed inside hospitals, and provides read-only access to automatically de-identified DICOM images to Grid jobs outside the hospital's domain. Data is encrypted before it becomes accessible to Grid jobs, so jobs must first acquire a key from a key store before they can access the data. However, MDM does not constrain from which hosts jobs may access the data or keys. MDM's reliance on automatic de-identification of DICOM headers may prove a vulnerability, e.g., in case of images which contain facial features of a patient as part of the binary data.

Globus MEDICUS (Erberich, Silverstein, Chervenak, Schuler, Nelson, & Kesselman, 2007) is an approach for sharing medical information (metadata and files) through Grid infrastructure. Encryption can be used to store information securely on untrusted storage elements in the Grid. One of the weak points of the system is that it does not clearly describe where the different components reside physically, i.e., what the trust model is. For example, metadata is stored in a meta catalog service which may be operated outside the hospital domain. In addition, the system depends on GSI for authentication, which makes the lack of a clear trust model even more worrisome.

Blancquer et al. (2009) describe an approach for managing encrypted medical data, building upon Hydra (Xu, 2005) and the ideas presented in Montagnat et al. (2007). The contribution of this approach is that key management and authorization are integrated with common Grid management concepts such as Virtual Organizations. However, like MDM and Hydra, the approach chosen by Blancquer et al. does not deal with the problem that the machine where the data is decrypted (by the job) may be compromised.

None of the related work considers trust in the hosts or clusters from which data are accessed, nor the properties of the software running on these hosts.