Scalable trust: engineering challenge or complexity barrier?

K. Birman
Scalable Trusted Computing (STC), published 2006-11-03. DOI: 10.1145/1179474.1179476
Cited by: 4

Abstract

We consider the challenges of developing and deploying trusted computing platforms that can be operated on a large scale. The core question concerns scalability of trust properties: do these revolve around engineering challenges (which can potentially be overcome by clever design), complexity barriers (which might require completely new approaches), or other kinds of obstacles?

Scalable trust means different things to different users; unless we limit the topic, we run the risk of scalability problems of our own. Accordingly, we'll narrow attention to the forms of trust needed in a hypothetical electronic medical records system that interconnects multiple institutions and includes telemetry or even active devices for monitoring patients. There are several efforts underway to develop prototype systems with this functionality. We begin by asking what trust means in the context of such a system. Then, we match technology to the needs, and finally ask whether the available options can scale under the demands that a successful deployment might impose.

For our purposes, we'll look at two categories of trust properties, although one can identify others. The first involves quality of service guarantees, such as high availability, fault-tolerance and timely responsiveness. Clearly, an electronic medical records system needs to be highly available and rapidly responsive, particularly if it is "in the loop" for patient monitoring or treatment. High availability can be reduced to data and service replication, and rapid responsiveness under scalable load is typically achieved by balancing the load over a set of cloned services. Our question can now be rephrased: rather than asking about the scalability of trust, at least in these respects, we should ask about the scalability of replication technologies.

A system can scale well in some dimensions while scaling poorly in others. At Cornell, the QuickSilver and Ricochet projects have explored this question, asking what forms of scalability are actually required. If data and services are replicated in groups, using multicast (or pub-sub technology) to disseminate updates, components may need to belong to many groups (or topics), and some of these groups may be very large. Moreover, the properties desired of groups will vary: some should stress rapid data delivery, others strong delivery properties such as virtual synchrony, and some may need to support a transactional persistence guarantee (the so-called ACID properties). The systems we've developed respond to these requirements. Ricochet focuses on time-critical scenarios, while QuickSilver emphasizes performance and has an extensible framework for developing groups with strong properties.

Armed with the perspective offered by this work on scalable replication, we can now return to the original question and ask about other forms of trust. The most obvious issue involves security and authorization relationships: a medical system will support large numbers of users (patients, care providers, other kinds of service providers, etc.), and will mediate access to resources (sensors, databases, applications, medication dispensers, etc.) subject to policies maintained by the various agencies involved: the medical practices, hospitals, etc. Each entity potentially maintains its own security policies, hence the challenge involves enforcing a composed set of rules.

Goals of a policy enforcement solution include high availability, dynamism (the policies and participants will change over time), decentralization (it will often be important for system components to be able to "act locally" on behalf of the global policy), minimal disclosure (decisions should be feasible with access to just the relevant subset of a database of security rules), performance (decisions should be reached rapidly), etc. By scalability, we mean that, given adequate hardware, these goals should be sustained as we scale in the dimensions just enumerated.

We will suggest that consistent application of a security policy maps to the same underlying consistency questions seen when replicating data. This perspective makes it possible to apply the insights gained studying scalable data replication to the scalability of security policy enforcement. A series of challenge problems can be identified. Some are primarily engineering challenges, in the sense that the problem can apparently be solved, but implementing the solution might not be easy. Others pose algorithmic challenges or non-trivial complexity issues. The talk will identify several open questions.

The need for scalable trust is pressing: it would have been easy to pose similar questions about any of a great variety of critical infrastructure systems used in financial settings, air traffic control, military intelligence, etc. At least some of these problems are solvable. But understanding which can be solved and which expose fundamental barriers is a matter of vital importance if our community is to offer the guidance that developers of these critical systems will need.
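The abstract's central claim is that consistently applying a composed security policy across many decision points is the same problem as keeping replicated data consistent. The following is an added illustration written for this page; it is not code from the talk, from QuickSilver or from Ricochet, and the authorities ("hospital", "practice"), subjects, resources, rule format and sequence-numbered update stream are all constructed for the example. It models two enforcement points that each hold a local copy of every authority's rules, compose them by conjunction, consult only the authorities that govern the requested resource (minimal disclosure), and receive the same three policy updates. When updates are applied in arrival order and the network reorders a revoke ahead of the grant it cancels, the replicas reach opposite decisions for the same request; buffering updates and applying them in a single total order (the kind of guarantee a virtually synchronous group provides) makes the decisions agree.

```python
"""Composed policy enforcement across replicas: ordering decides consistency.

Added example for this page, not code from the Birman talk, QuickSilver or
Ricochet. Authorities, users, resources and the update stream are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A policy update: (sequence_no, authority, op, subject, resource).
# op is "grant" or "revoke". The sequence number is assumed to come from a
# totally ordered multicast, as a virtually synchronous group would supply.
Update = Tuple[int, str, str, str, str]


@dataclass
class PolicyReplica:
    """One decision point holding a local copy of each authority's rules.

    Each authority (hospital, practice, ...) owns its own rule set. A request
    is permitted only if every authority governing the resource permits it
    (composition by conjunction; default deny).
    """
    name: str
    # authority -> set of (subject, resource) pairs currently granted
    rules: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)
    applied: int = 0                      # highest sequence number applied
    pending: Dict[int, Update] = field(default_factory=dict)

    def apply_unordered(self, upd: Update) -> None:
        """Apply an update the moment it arrives, with no ordering guarantee."""
        _, auth, op, subj, res = upd
        grants = self.rules.setdefault(auth, set())
        if op == "grant":
            grants.add((subj, res))
        elif op == "revoke":
            grants.discard((subj, res))
        else:
            raise ValueError(f"unknown op {op!r}")

    def deliver_ordered(self, upd: Update) -> None:
        """Buffer early arrivals and apply updates strictly in sequence order."""
        self.pending[upd[0]] = upd
        while self.applied + 1 in self.pending:
            self.applied += 1
            self.apply_unordered(self.pending.pop(self.applied))

    def decide(self, subject: str, resource: str, governing: List[str]) -> bool:
        """Minimal disclosure: consult only the authorities governing this resource."""
        if not governing:            # nobody governs it -> nobody permits it
            return False
        return all((subject, resource) in self.rules.get(a, set()) for a in governing)


# Constructed stream: the hospital grants, the practice grants, the hospital
# then revokes its grant. Grant/revoke by the same authority do not commute.
STREAM: List[Update] = [
    (1, "hospital", "grant", "nurse_a", "chart/p42"),
    (2, "practice", "grant", "nurse_a", "chart/p42"),
    (3, "hospital", "revoke", "nurse_a", "chart/p42"),
]
GOVERNING = ["hospital", "practice"]   # both have a say over this chart


def run(ordered: bool) -> Dict[str, bool]:
    """Feed the stream to two replicas; B sees the revoke overtake the grant.

    Returns each replica's decision for nurse_a on chart/p42.
    """
    a, b = PolicyReplica("A"), PolicyReplica("B")
    arrival_at_b = [STREAM[2], STREAM[0], STREAM[1]]   # network reordering
    for u in STREAM:
        (a.deliver_ordered if ordered else a.apply_unordered)(u)
    for u in arrival_at_b:
        (b.deliver_ordered if ordered else b.apply_unordered)(u)
    return {r.name: r.decide("nurse_a", "chart/p42", GOVERNING) for r in (a, b)}


if __name__ == "__main__":
    print("arrival-order application:", run(ordered=False))   # A denies, B permits
    print("total-order application:  ", run(ordered=True))    # both deny
```

The divergent case is the security-relevant one: replica B keeps honouring a revoked grant indefinitely, not just until the late update arrives, because the revoke it already applied was a no-op and nothing will ever undo the grant that followed. Total ordering removes the divergence but reintroduces the replication costs the abstract points at (buffering, sequencing, and a dependency on group membership), which is exactly why the question of scalable trust reduces to the question of scalable replication.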