Integrated security services for dynamic coalitions
Related papers
dRBAC: distributed role-based access control for dynamic coalition environments
Proceedings 22nd International Conference on Distributed Computing Systems
Distributed Role-Based Access Control (dRBAC) is a scalable, decentralized trust-management and access-control mechanism for systems that span multiple administrative domains. dRBAC represents controlled actions in terms of roles, which are defined within the trust domain of one entity and can be transitively delegated to other roles within a different trust domain. dRBAC utilizes PKI to identify all entities engaged in trust-sensitive operations and to validate delegation certificates. The mapping of roles to authorized name spaces obviates the need to identify additional policy roots. dRBAC distinguishes itself from previous trust management and role-based access control approaches in its support for three features: (1) third-party delegations, which improve expressiveness by allowing an entity to delegate roles outside its namespace when authorized by an explicit delegation of assignment; (2) valued attributes, which modulate transferred access rights via mechanisms that assign and manipulate numerical values associated with roles; and (3) credential subscriptions, which enable continuous monitoring of established trust relationships using a pub/sub infrastructure to track the status of revocable credentials. This paper describes the dRBAC model, its scalable implementation using a graph-based model of credential discovery and validation, and its application in a larger security context.
Administering access control in dynamic coalitions
2005
Dynamic coalitions enable autonomous domains to achieve common objectives by sharing resources based on negotiated resource-sharing agreements. A major requirement for administering dynamic coalitions is the availability of a comprehensive set of access control tools. In this paper we discuss the design, implementation, evaluation, and demonstration of such tools. In particular, we have developed tools for negotiating resource-sharing agreements, access policy specification, access review, wholesale and selective distribution and revocation of privileges, and policy decision and enforcement.
2005
Today, there is an increasing need for dynamic, efficient and secure sharing of resources among organizations. In a dynamic coalition environment, participants (including users and systems) of an organization may need to gain access quickly to resources of other organizations in an unplanned manner to accomplish the task at hand. Typically, when entities agree to share their information resources, the access control policies are agreed upon at the coalition level. These coalition level agreements are not at the level of fine-grained policies, in the sense that they do not specify which specific users can access which data object. In this paper, we propose a dynamic coalition-based access control (DCBAC) model that allows automatic access to resources of one coalition entity by users from another coalition entity. To make the model applicable to true ad-hoc dynamic coalitions, we employ a coalition service registry, where coalition entities publicize their coalition level access policies. Any coalition entity wishing to access a specific resource of another coalition entity can obtain a ticket by submitting its entity credentials which are subsequently evaluated by the coalition service registry. DCBAC employs a policy mapper layer that computes the exact credentials required by remote users that are comparable to those required by local users. We demonstrate how the coalition and resource level access policies can be specified in XML-based languages and evaluated.
A Distributed Service Registry for Resource Sharing Among Ad-Hoc Dynamic Coalitions
In a dynamic coalition environment, it is essential to allow automatic sharing of resources among coalition members. The challenge is to facilitate such sharing while adhering to the security policies of each coalition. To accomplish this, a dynamic coalition-based access control (DCBAC) has been proposed earlier, where security policies enforced by each coalition member are published in a centralized coalition service registry (CSR). In this paper, we propose a distributed coalition service registry (DCSR) system. In the DCSR system, several service registry agents cooperate to provide controlled access to resources. Distribution of the registries results in improved availability, higher concurrency, better response times to user queries, and enhanced flexibility. We employ secure group multicasting to communicate among the DCSR agents. The paper outlines the DCSR system, the supported functionalities and its underlying infrastructure.
Interoperable semantic access control for highly dynamic coalitions
Security and Communication Networks, 2009
A coalition consists of independent organizations that share resources and skills to achieve significant mission objectives. Dynamic coalition formations occur in response to some market demands, business requests, or disaster responses, to name a few. Partners forming a coalition are automatically selected given some business criteria and become active participants from the time the coalition is formed. Highly dynamic coalitions (HDCs) form a subclass of dynamic coalitions where the coalition formation and operation are strictly bound by time in order to provide a prompt reaction to some events. This type of dynamism poses the necessity of underlying security models and technologies allowing for automated coalition formation and operation. This paper presents a platform-driven approach to HDCs. It first defines a life cycle inherent to HDC formations, and then presents a platform-driven access control model that takes advantage of semantics of partners' requirements to provide interoperable access control to resources shared in a coalition. Coalition partners can achieve a high level of service interoperation by enhancing their access control requirements with semantics of usage, and interlinking their semantics using class relations based on standard ontology.
Dynamic privilege management infrastructures utilising secure attribute exchange
2005
Technologies which implement dynamic privilege management infrastructures will be crucial to the secure sharing of resources on the Grid, especially as the number of resources and participating sites increases. The DyVOSE project has successfully deployed Grid services secured with the PERMIS authorisation software implementing a static Privilege Management Infrastructure (PMI) model. The second stage of this project focuses on the extension of the current PERMIS infrastructure to include dynamic delegation of authority and cross-certification of institutional security policies. This paper describes the existing static PMI that has been used within the Grid Computing module as part of the advanced MSc at Glasgow University. We also outline an e-Science education use case that will be used to highlight how dynamic PMIs can be established using an extended version of PERMIS and utilising the Internet2 Shibboleth software to transfer user attributes and authentication tokens across institutional boundaries. This work addresses one of the key challenges in the Grid, supporting the dynamic establishment of secure Virtual Organisations (VOs).
A Trust Framework for Security Collaboration among Infrastructures
Proceedings of The International Symposium on Grids and Clouds (ISGC) 2013 — PoS(ISGC 2013)
The Security for Collaborating Infrastructures (SCI) group is a collaborative activity of information security officers from several large-scale distributed computing infrastructures, including EGI, OSG, PRACE, EUDAT, CHAIN, WLCG, and XSEDE. SCI is developing a framework to enable interoperation of collaborating Grids with the aim of managing cross-Grid operational security risks and to build trust and develop policy standards for collaboration especially in cases where we cannot just share identical security policy documents.
2007
Federations of autonomous domains allow resource sharing in a highly dynamic manner, improving organizational response times and facilitating cooperation between different information systems. To accomplish this, it is essential to provide a scalable and flexible mechanism that allows security management and acts at application level independently of operating system or platform. In this paper we present a scalable solution that enables interoperation between different systems participating in a dynamic federation, while it also allows the participating systems to retain their autonomy; we present the software architecture of this distributed access control enforcement mechanism and describe our implementation choices.