The Enterprise Grid Alliance, which includes several top vendors trying to accelerate the use of grid computing by big businesses, has published its first paper on the unique security requirements of grids, it said on Monday.
The 37-page paper aims to help end users, vendors and standards groups identify the risks associated with enterprise grid computing. The group plans to discuss technologies and practices for mitigating the risks in a later version of the paper, it said.
The Alliance was formed in 2004 by Oracle, EMC, Hewlett-Packard and several other vendors. Its overall goal is to hammer out technical standards, best practices and other guidelines to help businesses build computing grids. Membership is open to all, although at least two big industry players, IBM and Microsoft, have not joined its ranks.
Some of the security requirements described in the paper apply also to traditional systems and simply become more prominent in grid set-ups. For example, a storage system might contain sensitive information that should only be accessible from one application, even though several applications link to that storage resource. Grid computing, by its nature, tends to increase the occurrences in which multiple applications access a single resource, making the security issues more prominent.
Others are unique to grids, and most of these have to do with what the paper calls the "grid management entity," or GME, responsible for the grid's operation. The GME provisions and configures grid components, such as servers and storage arrays, manages workloads and "decommissions" components when their work is done.
"Grid resources [or simply pools of networked resources] alone are not unique to a grid environment. What is unique is the way in which they are aggregated and managed. By introducing the GME with the ability to provision, manage and decommission pools of grid resources, we get to the heart of the unique threats and security requirements in a grid environment," the paper says.
It goes on to describe various risks and how they can affect grid environments. They include access control attacks, in which unauthorized users or components join a grid; denial-of-service attacks (against the grid management entity, for example); and object reuse, in which an unauthorized user accesses a grid component that has not been properly decommissioned or "sanitized."
The paper strikes a mostly positive tone -- perhaps not surprisingly, coming from a group whose members sell products for building grids. It argues that grids can enhance security in some areas. It notes that grids still need the types of security controls used in more traditional environments, in areas such as identification, authentication and confidentiality.
The alliance defines a grid as a collection of components, such as servers or disk arrays, which are networked together and managed centrally. Grids allow organizations to move resources around quickly to where they are needed, by providing extra processing power for a payroll application at the end of the month, for example.
The alliance has limited its focus to enterprise applications within a single data center -- far narrower than the definition used in academic and technical communities, which use grids to link computing centers that can be widely dispersed across different organizations.
Grids that conform to that broader definition could pose considerable security challenges for a business. But a grid that operates within the boundaries of a single organization would not necessarily be difficult to secure, said Andy Kellett, a senior research analyst for security at the analyst company Butler Group, in Hull, England.
"If you've got a decent security system in place, and if the boundaries of your grid are the boundaries of your data center, then your existing authentication and access control systems should take care of what's required," he said.
It is the second work published by the Enterprise Grid Alliance. In May it published a "reference model" for grid computing, including a lexicon of terms, a model for classifying the management and lifecycles of grid components, and a set of usage scenarios.
The group has said it will build on top of existing standards and research and not try to "reinvent the wheel." Other participants include Sun Microsystems, NEC, Cisco Systems and Novell.