Industry group identifies grid security risks

IDG News Service - The Enterprise Grid Alliance, which includes several top vendors trying to accelerate the use of grid computing by big businesses, has published its first paper (download PDF) on the unique security requirements of grids.
The 37-page paper aims to help end users, vendors and standards groups identify the risks associated with enterprise grid computing. The group plans to discuss technologies and practices for mitigating the risks in a later version of the paper, the Alliance said today.
The Alliance was formed last year by Oracle Corp., EMC Corp., Hewlett-Packard Co. and several other vendors. Its overall goal is to hammer out technical standards, best practices and other guidelines to help businesses build computing grids. Membership is open to all, although at least two big industry players, IBM Corp. and Microsoft Corp., have not joined its ranks.
Some of the security requirements described in the paper apply also to traditional systems and simply become more prominent in grid set-ups. For example, a storage system might contain sensitive information that should only be accessible from one application, even though several applications link to that storage resource. Grid computing, by its nature, tends to increase the occurrences in which multiple applications access a single resource, making the security issues more prominent.
Other issues are unique to grids, and most deal with what the paper calls the "grid management entity," or GME, responsible for the grid's operation. The GME provisions and configures grid components, such as servers and storage arrays, manages workloads and "decommissions" components when their work is done.
"Grid resources [or simply pools of networked resources] alone are not unique to a grid environment. What is unique is the way in which they are aggregated and managed. By introducing the GME with the ability to provision, manage and decommission pools of grid resources, we get to the heart of the unique threats and security requirements in a grid environment," the paper said.
It goes on to describe various risks and how they can affect grid environments. They include access control attacks, in which unauthorized users or components join a grid; denial-of-service attacks (against the grid management entity, for example); and object reuse, in which an unauthorized user accesses a grid component that has not been properly decommissioned or "sanitized."
The paper strikes a mostly positive tone -- perhaps not surprisingly, coming from a group whose members sell products for building grids. It argues that grids can enhance security in some areas and notes that grids still need the types of security controls