A Conceptual Model for Service Availability. Judith E. Y. Rossebø, Mass Soldal Lund, Knut-Eilif Husa, Atle Refsdal

University of Oslo, Department of Informatics
A Conceptual Model for Service Availability
Judith E. Y. Rossebø, Mass Soldal Lund, Knut-Eilif Husa, Atle Refsdal
Research Report 337, ISBN ISSN, 3rd October 2006

Abstract

Traditionally, availability has been seen as an atomic property asserting the average time a system is up or down. In order to model and analyse the availability of computerised systems in a world where the dependency on and complexity of such systems are increasing, this notion of availability is no longer sufficient. This report presents a conceptual model for service availability designed to handle these challenges. The core of this model is a characterisation of service availability by means of accessibility properties and exclusivity properties, which is further specialised into measurable aspects of service availability. We outline how this conceptual model may be refined to a framework for specifying and analysing availability requirements.

Contents

1 Introduction 5
2 Requirements to a Refined Notion of Service Availability
  2.1 Classifying Availability
  2.2 Classification of Threats and Means
  2.3 Viewpoints for Analysing Availability
  2.4 Requirements of Different Services
  2.5 Measuring Availability
3 The Requirements Summed Up 12
4 Properties of Service Availability
  Exclusivity
  Accessibility
5 Means to Ensure Service Availability
  Incident Prevention
  Incident Detection
  Recovery from Incident
6 Threats to Service Availability
  Active Threats
7 Conceptual Model for Service Availability 19
8 Conclusions 21
References 23
A Definitions 25
B Abbreviations 28

1 Introduction

Availability is an important aspect of today's society. Vital functions such as air traffic control and telecom systems, especially emergency telecommunications services, are totally dependent on available computer systems. The consequences are serious if even parts of such systems are unavailable when their services are needed.
Traditionally, the notion of availability has been defined as the probability that a system is working at time t, and the availability metric has been given by the uptime ratio, representing the percentage of time that a system is up during its lifetime [20]. This system metric has been applied successfully worldwide for years in the PSTN/ISDN^1 telephony networks, along with failure reporting methodologies [8]. This metric does not sufficiently measure important aspects of service availability. With this traditional understanding, a web-based application such as a concert ticket sales service may have 99.999% availability; however, if it is down for the 5 minutes when concert tickets to a popular artist are put out for online sale, while at the same time tickets can be purchased via competing distributors, this means a considerable loss of profit for the adversely affected ticket sales website, even though the service is considered to be highly available along traditional lines [2]. Service availability needs an enhanced metric in order to measure availability in a way that meets the demands of today's services, which have been shown to have much more bursty patterns of use than traditional PSTN/ISDN services [6]. Such burstiness in usage patterns also affects the ability of the service to serve all users requiring it at a given moment, as illustrated in the following example. The Norwegian tax authorities provide on-line services for delivery of tax returns. In recent years, the service has been broadened to allow individuals to make changes to the return on-line (prior to this a paper return had to be completed). In 2005 there was an increase in web-based returns to in 2005 from in. However, the service was not able to handle the increase in demand on the final day, resulting in a large number of users being refused by the server. As a result, the tax authorities had to extend the deadline by 24 hours [21].
In the traditional sense, the service was still up and running, and the hardware and software were still functioning correctly. Yet a large number of users were being refused by the server, so that it was not available to a significant number of authorised users. The situation was exacerbated by the fact that the new users had much longer holding times than users filing web-based returns in 2004, due to the filling out of different forms in order to complete the changes to the tax return online. Up until 2005, only single-form returns could be filed electronically. More complicated returns that required the user to fill out supplementary forms could not be filed electronically and had to be submitted on paper in the traditional way. In 2005, the online submission service allowed users with more complicated returns to file electronically. The result was that the number of users filing electronically increased, and many of the new users completing returns online had much longer holding times in order to fill out the additional forms as well as the main form. The increase in both penetration and usage parameters that was not foreseen resulted in loss of availability for a large number of users. Indeed, as the environment where services are deployed becomes more and more complex [1], a more fine-grained view on what availability is is needed. Several global virus attacks have recently shown that availability is indeed affected by security breaches, e.g., when servers are flooded by infected e-mails, the availability for real e-mails decreases. Another example is the so-called denial of service (DoS) attack, in which a service is overloaded with requests with the sole purpose of making the service unavailable for other users. In this report we motivate and introduce an augmented notion of service availability.

^1 Public Switched Telephone Network/Integrated Services Digital Network
At the heart of the resulting conceptual model lies a characterisation of availability as aspects of accessibility and exclusivity. Further, we seek to preserve well-established definitions from our main sources of inspiration to the extent possible: security, dependability, real-time systems, and quality of service (QoS). The report shows how the conceptual model may be used as a basis for specifying service availability requirements in a practical setting. In Sect. 2 we provide the basis for our analysis of availability, including our analysis of different viewpoints and approaches on availability and other aspects in the fields of security and dependability. Motivated by this discussion of related work in the fields of dependability and security research, we identify the requirements a conceptual model of service availability should satisfy. These requirements are summed up in Sect. 3. In Sect. 4 the properties of service availability are discussed, in Sect. 5 the means to achieve service availability are classified, and in Sect. 6 we present some of the threats to service availability. In Sect. 7 the overall conceptual model, including a service availability measure, is presented. Summary and conclusions are provided in Sect. 8. A list of definitions is provided in Appendix A, as well as a list of acronyms and abbreviations in Appendix B.

2 Requirements to a Refined Notion of Service Availability

The setting for our availability analysis is derived from the fields of dependability and security, and we therefore strive to conform to the well-established concepts and definitions from these fields where there is a consensus. We also look to different approaches and viewpoints in dependability and security research to motivate and derive a set of requirements for a service availability concept model which enables an augmented treatment of availability that is more suited to securing availability in today's and future services.
2.1 Classifying Availability

Availability has been treated by the field of dependability and the field of security. The definitions of availability commonly used in these fields are:

1. Readiness for correct service [3].
2. Ensuring that authorised users have access to information and associated assets when required [11].
3. The property of being accessible and usable on demand by an authorised entity [9,12].

We find the first of these definitions to be insufficiently constraining for practical application to the design of services with high availability requirements. An integral part of securing availability is ensuring that the service is provided to authorised users; this is not addressed by the first definition. It is, however, addressed by the second, but neither the first nor the second captures the aspect of a service being usable. The third definition captures all of these aspects, and is therefore the basis for our analysis of availability and development of a more refined availability model. In order to ensure service availability, it is essential to refine this notion to include the aspect of ensuring that the service is provided to the authorised users only. The example of the on-line service for delivering tax returns given in Sect. 1 illustrates the importance of this aspect. Anyone may browse the Norwegian tax authorities' information pages, although they are mainly for the use of Norwegian taxpayers. However, access to the online submission service is for authorised taxpayers only. More importantly, a particular taxpayer's forms must be available to that user only. The system must know how many authorised users are expected to access the service at the critical time, and the users' holding times must be correctly estimated. For example, in order to calculate penetration and usage parameters, the total number of authorised users that are expected to access the service at a given time must be known.
This is important to prevent the service from being overloaded. Additionally, it is also important to ensure that an individual tax form with details about a particular user's tax return is available to that particular user only. The emergency telecommunications service (ETS) is an example that clearly shows the need to guarantee that only authorised users (in this case authorised emergency services personnel) can access and use the service during a disaster situation. As already argued, there is a need to provide an enhanced classification and model of service availability in order to thoroughly analyse and enable the rigorous treatment of availability throughout the design process, depending on the requirements of the individual services. Our refined availability model should therefore characterise the properties/attributes of service availability, including that services should be provided to the authorised users only.

2.2 Classification of Threats and Means

The IFIP WG 10.4 view on dependability is elaborated in [3]. Fig. 1 shows the concept model of dependability as presented in [3]. This conceptual model of dependability consists of three parts: the attributes of, the threats to, and the means by which dependability is attained [3]. This is a nice approach, which motivates us to use a similar approach in our classification of service availability. Clearly, threats to availability such as denial of service, and means to availability such as applying redundancy dimensioning techniques, have an important place in our availability model. In [3], the means by which dependability can be attained are fault prevention, fault tolerance, fault removal and fault forecasting. Fault prevention: how to prevent the introduction of faults.
Fault tolerance: how to deliver correct service in the presence of faults. Fault removal: how to reduce the number of faults. And finally, fault forecasting: how to estimate the present number, future incidents and likely consequences of faults.

[Figure 1: Conceptual model of dependability [3]. Attributes: availability, reliability, safety, confidentiality, integrity, maintainability (grouped under dependability and security). Means: fault prevention, fault tolerance, fault removal, fault forecasting. Threats: faults, errors, failures.]

This approach does not address all of the means by which service availability can be obtained. This is because incidents resulting in loss of service availability do not necessarily transpire due to faults, and therefore classification of means in terms of faults as in [3] is, in our view, insufficient for availability analysis. An example is the hijacking of user sessions by an attacker or group of attackers, preventing the authorised user or group of users from accessing the service. This incident results in loss of service availability for a set of users, without incurring a fault in the system. An unwanted incident is defined in [25] as an incident such as loss of confidentiality, integrity and/or availability. A fault is an example of an unwanted incident. Therefore, in order to classify threats to availability and means to achieve availability in a security setting, we are also motivated by the approach used in the security field of risk analysis and risk management as in [7,15]. The availability model should classify the means to achieve availability in terms of countering unwanted incidents.
In [3], the threats to dependability are defined as faults, errors and failures, and these are seen as a causal chain of threats to dependability: fault → error → failure. This understanding of threats serves nicely in the dependability model; however, we use the definition of threat as given in [12]: a threat is a potential cause of an unwanted event, which may result in harm to a system or organisation and its assets. Unlike [3], we do not consider such a causal chain alone as the sole threat to availability, as service availability may be reduced by e.g. a denial of service (DoS) attack, which reduces the service availability without causing a fault, error, or failure in the actual service itself. The conceptual model of service availability should classify known threats to availability while conforming to existing literature on the classification of security threats.

2.3 Viewpoints for Analysing Availability

For our availability analysis, it is appropriate to evaluate whether we should consider a system from a black box or white box perspective. In [14], E. Jonsson provides a conceptual model for security/dependability with a black box view, as shown in Fig. 2.

[Figure 2: Jonsson's conceptual model [14]. Labels in the figure: environmental influence, system behaviour, threat, fault introduction, integrity, object system, vulnerability, delivery-of-service, reliability/availability (safety), denial-of-service, confidentiality/exclusivity (safety), user, non-user.]

In this system model view, Jonsson considers availability to be a purely behavioural aspect related to the outputs of the system, solely with respect to the users. As can be deduced from Fig. 2, exclusivity is a means to ensure availability. This viewpoint is valid and useful for some aspects of availability analysis; however, we see the need for evaluating availability from other viewpoints as well. Availability aspects of the internal components of the system must also be analysed.
We claim that aspects of availability must indeed be observed from both the input and output sides as well as the internal components of the system. For example, denial of service attacks can be observed as malicious input to a system, either to flood the system and render it unavailable, or to alter the integrity of the system, e.g., by deleting a group of users from the database of authorised users. In the latter case, the input messages of the intruder can be observed, and the changes to the internal database, resulting in a loss of availability for those users that were deleted, will also be registered. It is also important to observe and analyse the internal behaviour of the system in order to analyse the availability aspects of components, in particular service components which collaborate to deliver the service. Motivated by a service-oriented system view, only a white box view allows and facilitates the specification of the internal means to achieve availability and the examination of internal causes that affect availability. The conceptual model should therefore address internal as well as external concerns of availability.

[Figure 3: Viewpoints for analysing availability. Viewpoint of the user; black box view; white box view; service viewpoint: service component + service availability component; system viewpoint: system component + system availability component.]

Fig. 3 summarizes the different concerns for analysing availability. From the point of view of the user, the service is either available, or it is not. The system view is well understood in the dependability field, and as discussed above, Jonsson provides an evaluation from a system viewpoint and with a security point of view. The Service Availability Forum (SAF) is working on standardising middleware for the open interfaces between the layers [22], as shown in Fig. 4 and discussed in Sect. 2.4. In our work on securing availability in service composition, we are analysing availability from the decomposed service viewpoint, according to the requirements of the users.

2.4 Requirements of Different Services

In the current and future telecommunications market, there are many different types of services, each of which may have different requirements with respect to availability. Telephony services, and in particular emergency services, are examples of services with stringent availability requirements. Internet-based services, however, have somewhat different requirements. Requirements for what may be tolerated in terms of delays or timing out of services are currently rather lax for e.g. online newspaper services. Yet a citizen who leaves the tax return to the last minute before the filing deadline urgently requires that the online tax return submission service is available at that particular moment [21]. For traditional telecommunications services, the availability requirement of 99.999% availability is still valid; however, it does not sufficiently address all of the differentiated requirements with respect to service availability. More precisely, as advocated by the Service Availability Forum (SAF) [22], there is also a need for a customer-centric approach to defining availability requirements. The availability concern of the Service Availability Forum is readiness for correct service and in particular continuity of service, with a focus on the demands of the customers.

[Figure 4: The SAF framework [22]. Labels in the figure: applications, service availability middleware, operating system, platform, drivers, application interface, platform interface, hardware.]

Service availability as defined by the SAF aims to meet the following demands: Customers demand and expect continuous service availability.
Customers want always-on services and connections that are maintained without disruption, regardless of hardware, software, or operator-caused system faults or failures. The availability concern of the SAF is readiness for correct service and in particular continuity of service, with a focus on the demands of the customers. The SAF is concerned with availability of today's systems from the dependability perspective, providing a transition from the application of dependability to traditional telecommunications systems to current systems which are distributed. We intend to incorporate the ideas of the SAF in our model, to enable customer-oriented availability requirements, however extending these to include the aspects of ensuring that unauthorised users cannot interrupt, hijack, or prevent the authorised users from accessing a service. The model must address the service availability requirements in a flexible manner, in order to address the different aspects of availability.

2.5 Measuring Availability

As discussed