A Privacy Trust and Policy Based Authorization Framework for Services in Distributed Environments
Related papers
Trust Based Authorization Framework for Grid Services
Grid computing allows sharing of services and resources distributed over geographically dispersed, heterogeneous, autonomous administrative domains. As a domain generally has no idea about the trustworthiness of other domains, it may hesitate to access shared services and resources provided by other domains. Accessing resources and services from untrusted domains may have dangerous consequences for the source domain. Trust is an important parameter in achieving faithful domain-to-domain interaction. Domains must be able to determine the trustworthiness of each other for the access of a particular service. Domains must also provide trust-based access to the resources and services that they expose in the environment. This paper describes different facets associated with trust issues among different entities in a grid environment and proposes a trust model to establish and manage trust relationships. The trust model provides support to calculate direct as well as recommended trust. Based on this model, a trust-based authorization framework is proposed that can be used to provide trust-based access to grid services. The goal of the model is to encourage trust-based domain-to-domain interaction and increase the confidence of domains in accessing shared resources provided by other domains. The framework has been implemented in the .NET environment with the support of the WSE 3.0 toolkit. The framework has been evaluated by implementing a scenario that involves enforcement of different trust policies. The time taken by the enforcement component to evaluate trust policies has been noted. The results obtained from the implementation imply that the approach is workable and can be used to provide trust-based access to grid services.
An Authorization Architecture for Web Services
Data and Applications Security XIX, 2005
This paper considers the authorization service requirements for the service-oriented architecture and proposes an authorization architecture for Web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure authorization of Web services, as well as the support for the management of authorization information. The proposed architecture has several benefits. It is able to support legacy applications exposed as Web services as well as new Web service based applications built to leverage the benefits offered by the service-oriented architecture; it can support multiple access control models and mechanisms; it is decentralized and distributed; and it provides flexible management and administration of Web services and related authorization information. The proposed architecture can be integrated into existing middleware platforms to provide enhanced security to exposed Web services. The architecture is currently being implemented within the .NET framework.
Design and Evaluation of Policy Based Authorization Model for large scale Distributed Systems
Large scale distributed systems enable sharing of resources and services scattered over geographically dispersed, heterogeneous, autonomous administrative domains. The two main entities interacting with each other over a distributed system are service requesters and service providers. Service requesters belonging to a particular administrative domain may request access to resources/services available in the same or other administrative domains. Similarly, a service provider belonging to a particular administrative domain may expose its resources/services to the same or other administrative domains. Service requesters belonging to one administrative domain generally have different access rights in different administrative domains. Determining what a service requester is authorized to do in the same or other administrative domains is a difficult task. The overall authorization and access control becomes more complex when service providers attach authorization and access control related policies to their resources/services and provide access to those resources/services based on conformance to the established policies. These policies may cover authentication, privacy, trust, network workload, business, management and other aspects of authorization and access control. Designing an authorization and access control system for such an environment is a complex task and introduces many challenging technology and management related issues. In this paper we have made an attempt to define and implement a policy-based authorization and access control framework that can be used to determine the access rights of a subject in different administrative domains and that supports policy-based access to resources/services scattered over a distributed system. The proposed framework is scalable and flexible and has been implemented through web services. The paper also discusses a prototype implementation of the proposed framework.
An Architecture for Unifying Web Services Authentication and Authorization
2005 International Conference on Service Oriented Computing, 2005
Security issues are one of the major deterrents to Web Services adoption in mission critical applications and to the realization of the dynamic e-Business vision of Service Oriented Computing. Role Based Access Control (RBAC) is a common approach for authorization, as it greatly simplifies complex authorization procedures in enterprise information systems. However, as most RBAC implementations rely on the manual setup of pre-defined user-ID and password combinations to identify the particular user, it is very hard to conduct dynamic e-Business, since the service requestor and service provider must have prior knowledge of each other before the transaction. This paper proposes a new Web Services security architecture which unifies the authorization and authentication processes by extending current digital certificate technologies. It enables secure Web Service authorization decisions between parties even if they were previously unknown to each other, and it also enhances the trustworthiness of service discovery.
WSACT: A Model for Web Services Access Control Incorporating Trust
2006
Today, organisations that seek a competitive advantage are adopting virtual infrastructures that share and manage computing resources. The trend is towards implementing collaborating applications that are supported by web services technology. Even though web services technology is rapidly becoming a fundamental development paradigm, adequate security constitutes the main concern and obstacle to its adoption as an industry solution.
A Policy-Based Authorization System for Web Services: Integrating X-GTRBAC and WS-Policy
2006
Access control in Web services is a neglected frontier that has not seen the development and adoption of many standards, as opposed to the number of current and emerging specifications for authentication aspects of Web services security [13, 14, 16]. These specifications allow one to express preferences for use of security attributes to establish trusted and authenticated connections between multiple service providers or end users. While authentication and privacy can ensure the security of connections and privacy of ...
A Multipolicy Authorization Framework for Grid Security
Fifth IEEE International Symposium on Network Computing and Applications (NCA'06), 2006
A Grid system is a Virtual Organization that is composed of several autonomous domains. Authorization in such a system needs to be flexible and scalable in order to support multiple security policies. Based on Web Services security specifications such as XACML and SAML, and on the special security needs of Grid computing, we have constructed an authorization framework in the Globus Toolkit 4 that can support multiple policies. This paper describes the concepts of our design and introduces the structure and the components of the authorization framework. To show the flexibility and scalability of the framework, we introduce a new blacklist/whitelist-based authorization mechanism that can be seamlessly integrated into the framework.
A Conceptual Authorization Model for Web Services
2008
This paper describes a conceptual authorization model for Web Services. It is an adaptation of those of Taos [Lamp92] and SDSI [Lamp96], with terms changed to correspond more closely to those introduced with the WS-Security model. In contrast to the more formal and mathematical presentation used for Taos and SDSI, this presentation is conceptual and informal, which hopefully may provide more intuition for some readers; it also might provide an outline for the class hierarchy of an object-oriented implementation.
Engineering Authorization Services for the Service Oriented Architecture
2005
The service-oriented architecture (SOA) can be used to build new solutions leveraging services, to cleave together existing applications, or to cleave apart existing applications. The SOA provides many benefits to organizations, such as cost savings from increasing the speed of implementation of any required application(s) and reducing the expenditure on integration technologies. However, security is one of the main roadblocks that lead enterprises to delay development and deployment of their services. Although there are standards for providing confidentiality, integrity and message authentication for services, there is not yet a standard specification for authorization services for the SOA. We address this important gap in the area of security for the SOA. In particular, we will propose an authorization policy language as well as an authorization framework