A Decentralized Authorization and Security Framework for Distributed Research Workflows

Research challenges such as climate change and the search for habitable planets increasingly use academic and commercial computing resources distributed across different institutions and physical sites. Furthermore, such analyses often require a level of automation that precludes direct human interaction, and securing these workflows involves adherence to security policies across institutions. In this paper, we present a decentralized authorization and security framework that enables researchers to utilize resources across different sites while allowing service providers to maintain autonomy over their secrets and authorization policies. We describe this framework as part of the Tapis platform, a web-based, hosted API used by researchers from multiple institutions, and we measure the performance of various authorization and security queries, including cross-site queries. We conclude with two use case studies -- a project at the University of Hawaii to study climate change and the NASA NEID telescope project that searches the galaxy for exoplanets.Comment: 10 pages. Short version of this paper to be published on COMPSAC 2023 proceeding

Web service authorization framework

Web Services represent an important technology for distributed applications and will replace various other technologies for distributed application development soon. A lot of problems of the early days of Web Services are solved now. However, for authorization no appropriate solution is available and ready to use. We define requirements for authorization of Web Services and investigate existing authorization solutions concerning these requirements. Based on existing authorization solutions and the defined requirements, a Web Service Authorization framework is developed. We describe concepts and the design of the proposed framework and give an overview of selected implementation aspects (e.g. authorization data access, descriptive deployment). The framework emphasizes easy deployment of Web Service authorization and is ready to use. Practical experience using the framework concludes the paper

Semantic-Based Access Control Mechanisms in Dynamic Environments

The appearance of dynamic distributed networks in early eighties of the last century has evoked technologies like pervasive systems, ubiquitous computing, ambient intelligence, and more recently, Internet of Things (IoT) to be developed. Moreover, sensing capabil- ities embedded in computing devices offer users the ability to share, retrieve, and update resources on anytime and anywhere basis. These resources (or data) constitute what is widely known as contextual information. In these systems, there is an association between a system and its environment and the system should always adapt to its ever-changing environment. This situation makes the Context-Based Access Control (CBAC) the method of choice for such environments. However, most traditional policy models do not address the issue of dynamic nature of dynamic distributed systems and are limited in addressing issues like adaptability, extensibility, and reasoning over security policies. We propose a security framework for dynamic distributed network domain that is based on semantic technologies. This framework presents a flexible and adaptable context-based access control authoriza- tion model for protecting dynamic distributed networks’ resources. We extend our secu- rity model to incorporate context delegation in context-based access control environments. We show that security mechanisms provided by the framework are sound and adhere to the least-privilege principle. We develop a prototype implementation of our framework and present the results to show that our framework correctly derives Context-Based au- thorization decision. Furthermore, we provide complexity analysis for the authorization framework in its response to the requests and contrast the complexity against possible op- timization that can be applied on the framework. Finally, we incorporate semantic-based obligation into our security framework. In phase I of our research, we design two lightweight Web Ontology Language (OWL) ontologies CTX-Lite and CBAC. CTX-Lite ontology serves as a core ontology for context handling, while CBAC ontology is used for modeling access control policy requirements. Based on the two OWL ontologies, we develop access authorization approach in which access decision is solely made based on the context of the request. We separate context operations from access authorization operations to reduce processing time for distributed networks’ devices. In phase II, we present two novel ontology-based context delegation ap- proaches. Monotonic context delegation, which adopts GRANT version of delegation, and non-monotonic for TRANSFER version of delegation. Our goal is to present context del- egation mechanisms that can be adopted by existing CBAC systems which do not provide delegation services. Phase III has two sub-phases, the first is to provide complexity anal- ysis of the authorization framework. The second sub-phase is dedicated to incorporating semantic-based obligation

Verifying the Interplay of Authorization Policies and Workflow in Service-Oriented Architectures (Full version)

A widespread design approach in distributed applications based on the service-oriented paradigm, such as web-services, consists of clearly separating the enforcement of authorization policies and the workflow of the applications, so that the interplay between the policy level and the workflow level is abstracted away. While such an approach is attractive because it is quite simple and permits one to reason about crucial properties of the policies under consideration, it does not provide the right level of abstraction to specify and reason about the way the workflow may interfere with the policies, and vice versa. For example, the creation of a certificate as a side effect of a workflow operation may enable a policy rule to fire and grant access to a certain resource; without executing the operation, the policy rule should remain inactive. Similarly, policy queries may be used as guards for workflow transitions. In this paper, we present a two-level formal verification framework to overcome these problems and formally reason about the interplay of authorization policies and workflow in service-oriented architectures. This allows us to define and investigate some verification problems for SO applications and give sufficient conditions for their decidability.Comment: 16 pages, 4 figures, full version of paper at Symposium on Secure Computing (SecureCom09

A performance measurement tool for the resource access decider authorization service prototype

The RAD (Resource Access Decider) authorization service is implemented at CADSE (Center for Advanced Distributed Systems Engineering) as a prototype based on the OMG (Object Management Group) CORBA (Common Object Reference Broker Architecture) specification for RAD (Resource Access Decider) facility. It is a part of the research towards developing performance efficient and available distributed authorization service. In order to test the performance of such an implementation, measurements have to be made to obtain data, which can be used to analyze the resource consumption and system behavior under different configurations. Such tests will have to be performed throughout the development process and this requires automating the performance measurement process to streamline the different stages of data gathering, analysis and interpretation. This thesis presents a performance measurement tool based on the DOVE (Distributed Object Visualization Environment) framework, capable of running the tests, gathering the data, computing and interpreting the data into graphical formats. The tool also provides a view of the system behavior by monitoring the performance of the individual components within the RAD prototype

Authorization Strategies for Grid Security: Attribute-Based Multipolicy Access Control (ABMAC) Model

The emergence of Grid computing technology is being followed by three main security concerns: the independence of the domains where the resource providers (RPs) are situated; the need for supporting different security policies andthe non-necessity of the science gateways for user authentication. Great effort has been involved in order to solve these concerns through the appearance of different access control models, like Identity-Based Authorization Control (IBAC) and Role-Based Authorization Control (RBAC), which based their access request decisionson user identity, that is, on user authentication. However, these models proved asinflexible, non-scalable and unmanageable in a distributed environment.Accordingly, a novel approach, known as Atrribute-Based MultipolicyAuthorization Control (ABMAC) model has appeared. ABMAC, which is beingdescribed in this paper, uses the attributes of the Grid entities for user authorization,based on the concepts of service-oriented architecture (SOA) and the eXtensibleMarkup Language (XML) standards - eXtensible Access Control Markup Language(XACML) and Security Assertion Markup Language (SAML). Moreover, ABMAChas been partly implemented in the Globus Toolkit 4 (GT4) Authorization Framework, and consequently it is expected to be outstanding contributor to Gridsecurity

Decomposition techniques for policy refinement.

The automation of policy refinement, whilst promising great benefits for policy-based management, has hitherto received relatively little treatment in the literature, with few concrete approaches emerging. In this paper we present initial steps towards a framework for automated distributed policy refinement for both obligation and authorization policies. We present examples drawn from military scenarios, describe details of our formalism and methods for action decomposition, and discuss directions for future research. © 2010 IEEE.Accepted versio