23 research outputs found

    Shibboleth-based access to and usage of grid resources

    Security underpins grids and e-research. Without a robust, reliable and simple grid security infrastructure combined with commonly accepted security practices, large portions of the research community and wider industry will not engage. The predominant way in which security is currently addressed in the grid community is through public key infrastructures (PKI) based upon X.509 certificates to support authentication. Whilst PKIs address user identity issues, authentication alone does not provide fine-grained control over what users are allowed to do on remote resources (authorization). In this paper we outline how we have successfully combined Shibboleth and advanced authorization technologies to provide simplified (from the user perspective) but fine-grained security for access to and usage of grid resources. We demonstrate this approach through different security-focused e-science projects being conducted at the National e-Science Centre (NeSC) at the University of Glasgow. We believe that this model is widely applicable and encourage the further uptake of e-science by non-IT specialists in the research communities.

    Dynamic trust negotiation for decentralised e-health collaborations

    In the Internet age, the geographical boundaries that previously impinged upon inter-organisational collaborations have become less important. Of more importance for such collaborations is the notion, and subsequent nature, of security and trust. This is especially so in open collaborative environments like the Grid, where resources can be made available, accessed and used by remote users from a multitude of institutions with a variety of different privileges spanning the collaboration. In this context, the ability to dynamically negotiate and subsequently enforce security policies driven by various levels of inter-organisational trust is essential. Numerous access control solutions exist today to address aspects of inter-organisational security. These include the use of centralised access control lists, where all collaborating partners negotiate and agree on the privileges required to access shared resources. Other solutions delegate aspects of access right management to trusted remote individuals, who assign privileges to their (remote) users. These solutions typically entail negotiations and delegations that are constrained by organisations, people and the static rules they impose. Such constraints often result in a lack of flexibility in what has been agreed, difficulties in reaching agreement or, once it is established, in subsequently maintaining it. Furthermore, these solutions often reduce the autonomous capacity of collaborating organisations because of the need to satisfy collaborating partners' demands. This can result in increased security risks or in reduced granularity of security policies. Underpinning all of this is the issue of trust: specifically, trust realisation between organisations, between individuals, and/or between entities or systems that are present in multi-domain authorities. Trust negotiation is one approach that allows and supports trust realisation.
The thesis introduces a novel model called dynamic trust negotiation (DTN) that supports n-tier negotiation hops for trust realisation in multi-domain collaborative environments, with specific focus on e-Health environments. DTN describes how trust pathways can be discovered and, subsequently, how remote security credentials can be mapped to local security credentials through trust contracts, thereby bridging the gap that makes decentralised security policies difficult to define and enforce. Furthermore, DTN shows how n-tier negotiation hops can limit the disclosure of access control policies and how the semantic issues that exist with security attributes in decentralised environments can be reduced. The thesis presents the results from the application of DTN to various clinical trials and the implementation of DTN in the Virtual Organisation for Trials of Epidemiological Studies (VOTES). The thesis concludes that DTN can address the issue of realising and establishing trust between systems or agents within the e-Health domain, such as the clinical trials domain.

    Organisational and cross-organisational identity management

    We are all familiar with the overwhelming number of usernames and passwords needed in our daily life in the networked world. Services need to identify their end users and keep records on them. Traditionally, this has been done by providing the end user with an extra username and password for each new service. Managing all these isolated user identities is painful for the end user and work-intensive for the service owner. Having out-of-date user accounts and privileges is also a security threat for an organisation. Identity management refers to the process of representing and recognising entities as digital identities in computer networks. In an organisation, an end user's identity has a lifecycle. An identity is created when the user enters the organisation; for example, a new employee is hired, a student is admitted to a school or a company gets a new customer. Changes in the end user's affiliation to the organisation are reflected in his identity, and when the end user departs, his identity needs to be revoked. Organisational identity management develops and maintains an architecture that supports maintenance of user identities during their life cycle. In cross-organisational identity management, these identities are also used when accessing services that are outside the organisation. This thesis studies identity management in organisational and cross-organisational services. An organisation's motivations for improving identity management are presented. Attention is paid to how the person registries in an organisation should be interconnected to introduce an aggregated view of an end user's identity. The connection between identity management and the introduction of more reliable authentication methods is shown. The author suggests what needs to be taken into account in a usable deployment of single sign-on and PKI for authentication. Federated identity management is a new way to implement end user identity management in services that cross organisational boundaries.
This thesis studies how to establish a federation, an association of organisations that want to exchange information about their users and services to enable cross-organisational collaborations and transactions. The author presents guidelines for organising a federation and preserving an end user's privacy in it. Finally, common use scenarios for federated identity management are presented.

    Federated and hierarchical identity management for the IaaS paradigm (original title: La gestion de l'identité fédérée et hiérarchique pour le paradigme IaaS)

    As cloud computing platforms gain in popularity, more and more services tend to be hosted on them. It is even possible to host a complete IT infrastructure on a cloud platform; this is the IaaS (Infrastructure as a Service) paradigm. However, as these platforms are used in ever more contexts, shortcomings in the operating model of current cloud platforms are beginning to surface. One of them is that they consider only a single provider and consequently do not take interoperability between resource providers into account. Such interoperability can be especially useful, for example, for small providers that want to pool their limited resources to achieve a common goal. Inter-provider interoperability also lets customers do business with several providers without ever being tied indefinitely to one of them. As things stand, it is generally very difficult for a customer to migrate resources from one cloud to another. To address these shortcomings, cloud providers should adopt the federated cloud model, which would let them build fully distributed clouds and collaborate and share resources with one another transparently. This thesis describes a flexible identity management and access control architecture intended for such environments. The approach uses federated identity management technologies to facilitate the creation of federated clouds and dynamic virtual organisations. It also relies on the attribute-based access control (ABAC) model, whose flexibility gives providers a high degree of control over their assets.
Providers that are members of a collaboration are thus able to share resources according to the security policies that have been established.

    Exploring the automatic identification and resolution of software vulnerabilities in grid-based environments

    Security breaches occur due to system vulnerabilities, which arise for many reasons, including erroneous design (human error) and management or implementation errors. Vulnerabilities are the weaknesses that allow an attacker to violate the integrity of a system. To address this, system administrators and security professionals typically employ tools to determine the existence of vulnerabilities. Security breaches can be dealt with through reactive or proactive methods. Reactive approaches are passive: when a breach occurs, site administrators respond to provide damage control, tracking down how the attacker got in, resolving the vulnerability and fixing the system. Proactive approaches, on the other hand, preemptively discover and fix vulnerabilities in systems and networks before attacks can occur. For many research and business areas, organizations need to collaborate with peers by sharing their resources (storage servers, clusters, databases, etc.). This is often achieved through the formation of Virtual Organisations (VOs). For the successful operation of such endeavours, security is a key issue and system configuration is vital. A faulty or incomplete configuration at a given site can hinder its normal operation and indeed be a threat to the whole VO. Management of such infrastructures is complex, since it should ideally address the overall configuration and management of a dynamic set of VO-specific resources across multiple sites, as well as the configuration and management of the underlying infrastructure upon which the VO exists, referred to in this thesis as the fabric. This thesis investigates the feasibility of using a proactive approach towards detecting vulnerabilities across VO resources. First, it investigates whether vulnerability assessment tools can preemptively help in detecting fabric-level weaknesses.
Then it explores how the combination of advanced authorisation infrastructures with configuration management tools can allow distributed site administrators to address the challenges associated with vulnerabilities. The primary contribution of this work is a novel approach to vulnerability management which addresses the specific challenges facing VO-wide security and the incorporation of fabric-management security considerations.

    Deliverable JRA1.1: Evaluation of current network control and management planes for multi-domain network infrastructure

    This deliverable includes a compilation and evaluation of available control and management architectures and protocols applicable to a multilayer infrastructure in a multi-domain Virtual Network environment. The scope of this deliverable is mainly focused on the virtualisation of the resources within a network and at processing nodes. The virtualisation of the FEDERICA infrastructure allows the provisioning of its available resources to users by means of FEDERICA slices. A slice is seen by the user as a real physical network under his/her domain; however, it maps to a logical partition (a virtual instance) of the physical FEDERICA resources. A slice is built to exhibit to the highest degree all the principles applicable to a physical network (isolation, reproducibility, manageability, ...). Currently, there are no standard definitions available for network virtualisation or its associated architectures. Therefore, this deliverable proposes the Virtual Network layer architecture and evaluates a set of management and control planes that can be used for the partitioning and virtualisation of the FEDERICA network resources. This evaluation has been performed taking into account an initial set of FEDERICA requirements; a possible extension of the selected tools will be evaluated in future deliverables. The studies described in this deliverable define the virtual architecture of the FEDERICA infrastructure. During this activity, the need has been recognised to establish a new set of basic definitions (a taxonomy) for the building blocks that compose the so-called slice, i.e. the virtual network instantiation (virtual with regard to the abstracted view of the building blocks of the FEDERICA infrastructure) and its architectural plane representation. These definitions will be established as a common nomenclature for the FEDERICA project. Other important aspects when defining a new architecture are the user requirements.
It is crucial that the resulting architecture fits the demands that users may have. Since this deliverable has been produced at the same time as the contact process with users, carried out by the project activities related to the Use Case definitions, JRA1 has proposed a set of basic Use Cases to be considered as a starting point for its internal studies. When researchers want to experiment with their developments, they need not only network resources on their slices, but also a slice of the processing resources. These processing slice resources are understood as virtual machine instances that users can make behave as software routers or end nodes, onto which they download the software protocols or applications they have produced and want to assess in a realistic environment. Hence, this deliverable also studies the APIs of several virtual machine management software products in order to identify which best suits FEDERICA's needs.
    Postprint (published version)

    Greenpass Client Tools for Delegated Authorization in Wireless Networks

    Dartmouth's Greenpass project seeks to provide strong access control to a wireless network while simultaneously providing flexible guest access; to do so, it augments the Wi-Fi Alliance's existing WPA standard, which offers sufficiently strong user authentication and access control, with authorization based on SPKI certificates. SPKI allows certain local users to delegate network access to guests by issuing certificates that state, in essence, "he should get access because I said it's okay". The Greenpass RADIUS server described in Kim's thesis [55] performs an authorization check based on such statements so that guests can obtain network access without requiring a busy network administrator to set up new accounts in a centralized database. To our knowledge, Greenpass is the first working delegation-based solution to Wi-Fi access control. My thesis describes the Greenpass client tools, which allow a guest to introduce himself to a delegator and allow the delegator to issue a new SPKI certificate to the guest. The guest does not need custom client software to introduce himself or to connect to the Wi-Fi network. The guest and delegator communicate using a set of Web applications. The guest obtains a temporary key pair and X.509 certificate if needed, then sends his public key value to a Web server we provide. The delegator looks up her guest's public key and runs a Java applet that lets her verify her guest's identity using visual hashing and issue a new SPKI certificate to him. The guest's new certificate chain is stored as an HTTP cookie to enable him to push it to an authorization server at a later time.
I also describe how Greenpass can be extended to control access to a virtual private network (VPN) and suggest several interesting future research and development directions that could build on this work.
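    The check the abstract describes, an authorization server deciding from a chain of SPKI statements rooted at the network administrator's key whether a guest's key gets network access, can be sketched as follows. This is an added example and is not Greenpass's own code or certificate encoding: it models the SPKI (issuer, subject, delegate, tag, validity) 5-tuple as a JSON-serialised struct signed with Ed25519, requires tags to be equal rather than computing SPKI's tag intersection, and assumes that proof of possession of the guest key happens elsewhere (in Greenpass, through the WPA/X.509 authentication). The names `Cert`, `Issue`, `VerifyChain`, `NewScenario` and the tag `wifi-access` are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Cert is a simplified SPKI authorisation certificate: the (issuer, subject,
// delegate, tag, validity) 5-tuple, signed by the issuer's key. Illustrative
// encoding only; it is not the S-expression format SPKI itself uses.
type Cert struct {
	Issuer    ed25519.PublicKey `json:"issuer"`
	Subject   ed25519.PublicKey `json:"subject"`
	Delegate  bool              `json:"delegate"`  // may the subject re-delegate?
	Tag       string            `json:"tag"`       // the permission granted, e.g. "wifi-access"
	NotAfter  time.Time         `json:"not_after"` // end of validity
	Signature []byte            `json:"signature,omitempty"`
}

// tbs returns the to-be-signed bytes: the certificate with its signature removed.
func (c Cert) tbs() []byte {
	c.Signature = nil
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}

// Issue creates a certificate signed by the issuer's private key.
func Issue(issuerPriv ed25519.PrivateKey, subject ed25519.PublicKey, delegate bool, tag string, notAfter time.Time) Cert {
	c := Cert{
		Issuer:   issuerPriv.Public().(ed25519.PublicKey),
		Subject:  subject,
		Delegate: delegate,
		Tag:      tag,
		NotAfter: notAfter,
	}
	c.Signature = ed25519.Sign(issuerPriv, c.tbs())
	return c
}

// VerifyChain is the authorisation server's check: every link must be issued by
// the previous link's subject (starting from the trusted root), be unexpired,
// grant the requested tag, and carry the delegate bit unless it is the last link.
// Possession of the guest key is assumed to be proven by the link-layer
// authentication, so it is not checked here. Tags are compared for equality.
func VerifyChain(root ed25519.PublicKey, chain []Cert, guest ed25519.PublicKey, tag string, now time.Time) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	expected := root
	for i, c := range chain {
		if !c.Issuer.Equal(expected) {
			return fmt.Errorf("cert %d: issuer is not the previous subject", i)
		}
		if !ed25519.Verify(c.Issuer, c.tbs(), c.Signature) {
			return fmt.Errorf("cert %d: bad signature", i)
		}
		if now.After(c.NotAfter) {
			return fmt.Errorf("cert %d: expired at %s", i, c.NotAfter.Format(time.RFC3339))
		}
		if c.Tag != tag {
			return fmt.Errorf("cert %d: tag %q does not grant %q", i, c.Tag, tag)
		}
		if i < len(chain)-1 && !c.Delegate {
			return fmt.Errorf("cert %d: holder is not allowed to delegate", i)
		}
		expected = c.Subject
	}
	if !expected.Equal(guest) {
		return errors.New("chain does not end at the presented guest key")
	}
	return nil
}

// Scenario holds the constructed keys and chain used by main and by tests.
type Scenario struct {
	Root, Delegator, Guest  ed25519.PublicKey
	RootPriv, DelegatorPriv ed25519.PrivateKey
	Chain                   []Cert
	Now                     time.Time
}

// NewScenario builds the chain from the abstract: the administrator's root key
// authorises a local user (who may delegate), who in turn vouches for a guest.
func NewScenario() Scenario {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // fixed clock for reproducibility
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	delPub, delPriv, _ := ed25519.GenerateKey(rand.Reader)
	guestPub, _, _ := ed25519.GenerateKey(rand.Reader)
	local := Issue(rootPriv, delPub, true, "wifi-access", now.AddDate(1, 0, 0))   // long-lived, delegable
	guest := Issue(delPriv, guestPub, false, "wifi-access", now.AddDate(0, 0, 1)) // one day, not delegable
	return Scenario{Root: rootPub, Delegator: delPub, Guest: guestPub,
		RootPriv: rootPriv, DelegatorPriv: delPriv, Chain: []Cert{local, guest}, Now: now}
}

func main() {
	s := NewScenario()
	fmt.Println("guest today:    ", VerifyChain(s.Root, s.Chain, s.Guest, "wifi-access", s.Now))
	fmt.Println("guest in 2 days:", VerifyChain(s.Root, s.Chain, s.Guest, "wifi-access", s.Now.AddDate(0, 0, 2)))
	fmt.Println("guest asks vpn: ", VerifyChain(s.Root, s.Chain, s.Guest, "vpn-access", s.Now))
}
```

    The delegate bit is the part that matters for the guest-access use case: the administrator's certificate to the local user carries it, the local user's certificate to the guest does not, so a guest cannot mint further guests. The chain is carried in the cookie the abstract mentions; since every link is signed, the server can trust the cookie's contents without trusting its transport.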

    Self-adaptive Authorisation Infrastructures

    Traditional approaches to access control rely on immutable criteria on which to decide and award access. These approaches are limited, notably when handling changes in an organisation's protected resources, resulting in an inability to accommodate the dynamic aspects of risk at runtime. An example of such risk is a user abusing their privileged access to perform insider attacks. This thesis proposes self-adaptive authorisation, an approach that enables dynamic access control. A framework for developing self-adaptive authorisation is defined, in which autonomic controllers are deployed within legacy-based authorisation infrastructures to enable the runtime management of access control. Essential to the approach is the use of models and model-driven engineering (MDE). Models enable a controller to abstract from the authorisation infrastructure it seeks to control, reason about state, and provide assurances over changes to access. For example, a modelled state of access may represent an active access control policy. Given the diverse nature of implementations of authorisation infrastructures, MDE enables the creation and transformation of such models, whereby assets (e.g., policies) can be automatically generated and deployed at runtime. A prototype of the framework was developed, in which management of access control is focused on the mitigation of abuse of access rights. The prototype implements a feedback loop to monitor an authorisation infrastructure by modelling the state of access control and user behaviour, analyse potential solutions for handling malicious behaviour, and act upon the infrastructure to control future access control decisions. The framework was evaluated against the mitigation of simulated insider attacks involving the abuse of access rights governed by access control methodologies. In addition, to investigate the framework's approach in a diverse and unpredictable environment, a live experiment was conducted.
This evaluated the mitigation of abuse performed by real users as well as demonstrating the consequences of self-adaptation through observation of user response.

    Privacy trust access control infrastructure using XACML

    The use of personal, sensitive information, such as privileges and attributes, to gain access to computer resources in distributed environments raises an interesting paradox. On one hand, in order to make services and resources accessible to legitimate users, the access control infrastructure requires valid and provable client identities or attributes to make decisions. On the other hand, service clients may not be prepared to disclose their identity information or attributes to a remote party without determining in advance whether the service provider can be trusted with such sensitive information. Moreover, when clients give out personal information, they remain unsure of the extent of propagation and use of that information. This thesis describes an investigation of privacy-preserving options in access control infrastructures, and proposes a security model to support the management of those options, based on the eXtensible Access Control Markup Language (XACML) and the Security Assertion Markup Language (SAML), both of which are OASIS security standards. Existing access control systems are typically unilateral, in that the enterprise service provider assigns the access rights and makes the access control decisions, and there is no negotiation between the client and the service provider. As access control management systems lean towards being user-centric or federated, unilateral approaches can no longer adequately preserve the client's privacy, particularly where communicating parties have no pre-existing trust relationship. As a result, a unified approach that significantly improves privacy and confidentiality protection in distributed environments was considered. This resulted in the development of the XACML Trust Management Authorization Infrastructure (XTMAI), designed to handle privacy and confidentiality mutually and simultaneously using the concept of the Obligation of Trust (OoT) protocol.
The OoT enables two or more transaction parties to exchange Notices of Obligations (NoB), i.e. obligating constraints, as well as Signed Acceptances of Obligation (SAO), proofs of acceptance, as security assurances before the exchange of sensitive resources.
    EThOS - Electronic Theses Online Service (United Kingdom)
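    The NoB/SAO exchange the abstract describes can be illustrated as a two-message handshake that gates attribute release: the client sends a notice of the constraints it places on its attributes, the provider returns a signed acceptance bound to exactly that notice, and only then does the client release the attributes the notice covers. This is an added example, not the thesis's XTMAI code or wire format: the notice fields (`Purpose`, `RetentionDays`, `OnwardTransfer`, `Attributes`), the nonce used to stop an old acceptance being replayed, the provider's assumed retention policy, and the function names `NewNotice`, `Accept` and `Release` are all this example's own, and the sample attributes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// NoticeOfObligations (NoB) carries the obligating constraints a client attaches
// to its attributes. Field names are this example's own.
type NoticeOfObligations struct {
	Nonce          string   `json:"nonce"`           // fresh per transaction, so an old SAO cannot be replayed
	Purpose        string   `json:"purpose"`         // what the provider may use the attributes for
	RetentionDays  int      `json:"retention_days"`  // how long it may keep them
	OnwardTransfer bool     `json:"onward_transfer"` // whether it may pass them to third parties
	Attributes     []string `json:"attributes"`      // which attributes the notice covers
}

// SignedAcceptanceOfObligation (SAO) is the provider's proof that it accepted
// exactly this notice: its signature over the notice digest.
type SignedAcceptanceOfObligation struct {
	NoBDigest string `json:"nob_digest"`
	Signature []byte `json:"signature"`
}

// digest canonicalises the notice as JSON and hashes it; both sides compute it.
func digest(n NoticeOfObligations) string {
	b, err := json.Marshal(n)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// NewProviderKey generates the service provider's signing key pair.
func NewProviderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewNotice is the client's first message: a notice with a fresh nonce.
func NewNotice(purpose string, retentionDays int, onward bool, attrs []string) NoticeOfObligations {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		panic(err)
	}
	return NoticeOfObligations{Nonce: hex.EncodeToString(nonce[:]), Purpose: purpose,
		RetentionDays: retentionDays, OnwardTransfer: onward, Attributes: attrs}
}

// Accept is the provider's reply. It must refuse obligations its own policy
// cannot honour; the assumed policy here is that records are purged only after
// purgeDays, so a shorter retention limit cannot be promised.
func Accept(providerPriv ed25519.PrivateKey, n NoticeOfObligations, purgeDays int) (SignedAcceptanceOfObligation, error) {
	if n.RetentionDays < purgeDays {
		return SignedAcceptanceOfObligation{}, fmt.Errorf(
			"cannot honour %d-day retention: records are purged only after %d days", n.RetentionDays, purgeDays)
	}
	d := digest(n)
	return SignedAcceptanceOfObligation{NoBDigest: d, Signature: ed25519.Sign(providerPriv, []byte(d))}, nil
}

// Release is the client's gate: the sensitive attributes leave only if the SAO
// refers to the notice actually sent and is signed by the expected provider key.
// Only the attributes named in the notice are released.
func Release(providerPub ed25519.PublicKey, n NoticeOfObligations, sao SignedAcceptanceOfObligation,
	attrs map[string]string) (map[string]string, error) {
	if sao.NoBDigest != digest(n) {
		return nil, errors.New("acceptance does not refer to the notice we sent")
	}
	if !ed25519.Verify(providerPub, []byte(sao.NoBDigest), sao.Signature) {
		return nil, errors.New("acceptance is not signed by the provider")
	}
	out := make(map[string]string, len(n.Attributes))
	for _, name := range n.Attributes {
		if v, ok := attrs[name]; ok {
			out[name] = v
		}
	}
	return out, nil
}

func main() {
	spPub, spPriv := NewProviderKey()
	// Constructed sample attributes; the notice below covers only two of them.
	attrs := map[string]string{"role": "investigator", "institution": "example-trust", "patient-id": "sample-only"}
	n := NewNotice("clinical-trial-enrolment", 30, false, []string{"role", "institution"})
	sao, err := Accept(spPriv, n, 30)
	if err != nil {
		fmt.Println("provider refused:", err)
		return
	}
	released, err := Release(spPub, n, sao, attrs)
	fmt.Println("released:", released, "err:", err)
}
```

    The acceptance is bound to the digest of the whole notice, nonce included, so a provider cannot later claim to have accepted weaker constraints and a captured acceptance cannot be reused for a later transaction. In the mutual form the abstract describes, the provider would send its own notice and the client its own acceptance before the provider releases anything of its own; the same two functions serve in that direction.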

    User-controlled access management to resources on the Web

    PhD thesis
    The rapidly developing Web environment provides users with a wide set of rich services as varied and complex as desktop applications. Those services are collectively referred to as "Web 2.0", with such examples as Facebook, Google Apps, Salesforce or Wordpress, among many others. These applications are used for creating, managing and sharing online data between users and services on the Web. With the shift from desktop computers to the Web, users create and store more of their data online rather than on the hard drives of their computers. This data includes personal information, documents and photos, as well as other resources. Irrespective of the environment, desktop or Web, it is the user who creates the data, who disseminates it and who shares it. On the Web, however, sharing resources poses new security and usability challenges which were not present in traditional computing. Access control, also known as authorisation, which aims to protect such sharing, is currently poorly addressed in this environment. Existing access control is often not well suited to the increasing amount of highly distributed Web data and does not give users the required flexibility in managing their data. This thesis discusses new solutions to access control for the Web. Firstly, it presents a proposal named User-Managed Access Control (UMAC), with its architecture and protocol. This thesis then focuses on the User-Managed Access (UMA) solution that is researched by the User-Managed Access Work Group at the Kantara Initiative. The UMA approach allows the user to play a pivotal role in assigning access rights to their resources, which may be spread across multiple cloud-based Web applications. Unlike existing authorisation systems, it relies on a user's centrally located security requirements for these resources.
The security requirements are expressed in the form of access control policies and are stored and evaluated in a specialised component called the Authorisation Manager. Users are provided with a consistent user experience for managing access control for their distributed online data and with a holistic view of the security applied to that data. Furthermore, this thesis presents the software that implements the UMA proposal. In particular, it shows frameworks that allow Web applications to delegate their access control function to an Authorisation Manager. It also presents the design and implementation of an Authorisation Manager and discusses its evaluation, conducted with a user study. It then discusses the design and implementation of a second, improved Authorisation Manager. Finally, this thesis presents the applicability of the UMA approach and the implemented software to real-world scenarios.