3 research outputs found

    Security Services Lifecycle Management in On-Demand Infrastructure Services Provisioning

    require high-performance and complicated network and computer infrastructure to support distributed collaborating groups of researchers and applications that should be provisioned on-demand. The effective use and management of the dynamically provisioned services can be achieved by using the Service Delivery Framework (SDF) proposed by TeleManagement Forum that provides a good basis for defining the whole services life cycle management and supporting infrastructure services. The paper discusses conceptual issues, basic requirements and practical suggestions for provisioning consistent security services as a part of the general e-Science infrastructure provisioning, in particular Grid and Cloud based. The proposed Security Services Lifecycle Management (SSLM) model extends the existing frameworks with additional stages such as “Reservation Session Binding” and “Registration and Synchronisation” that specifically target such security issues as the provisioned resources restoration, upgrade or migration and provide a mechanism for remote executing environment and data protection by binding them to the session context. The paper provides a short overview of the existing standards and technologies and refers to the on-going projects and experience in developing dynamic distributed security services.

    Authorisation infrastructure for on-demand grid and network resource provisioning

    The paper presents the Authorisation (AuthZ) infrastructure for combined multidomain on-demand Grid and network resource provisioning which we refer to as the Complex Resource Provisioning (CRP). The proposed CRP model provides a common abstraction of the resource provisioning process and is used as a basis for defining the major AuthZ mechanisms and components that extend the generic AAA AuthZ framework to support CRP (GAAA-CRP), in particular using XML-based AuthZ tickets and tokens to support access control and signalling during different CRP stages. The proposed GAAA-CRP framework is implemented as the GAAA Toolkit pluggable library and allows integration with the Grid and network service and control plane middleware. The proposed authorisation infrastructure allows using in-band binary tokens to extend network access control granularity to data plane and support binding applications to dataflows. The paper discusses the use of the ForCES network management model to achieve interoperability with the network control plane and define the GAAA-NRP interfaces to network control plane. This research was conducted as a part of the EU Phosphorus project.