Role-Based Access Control for the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI)

Grid has emerged recently as an integration infrastructure for the sharing and coordinated use of diverse resources in dynamic, distributed virtual organizations (VOs). A Data Grid is an architecture for the access, exchange, and sharing of data in the Grid environment. In this dissertation, role-based access control (RBAC) systems for heterogeneous data resources in Data Grid systems are proposed. The Open Grid Services Architecture - Data Access and Integration (OGSA-DAI) is a widely used framework for the integration of heterogeneous data resources in Grid systems. However, in the OGSA-DAI system, access control causes substantial administration overhead for resource providers in VOs because each of them has to manage the authorization information for individual Grid users. Its identity-based access control mechanisms are severely inefficient and too complicated to manage because the direct mapping between users and privileges is transitory. To solve this problem, (1) the Community Authorization Service (CAS), provided by the Globus toolkit, and (2) the Shibboleth, an attribute authorization service, are used to support RBAC in the OGSA-DAI system. The Globus Toolkit is widely used software for building Grid systems. Access control policies need to be specified and managed across multiple VOs. For this purpose, the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML) is used; and for distributed administration of those policies, the Object, Metadata and Artifacts Registry (OMAR) is used. OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications developed to achieve interoperable registries and repositories. The RBAC systems allow quick and easy deployments, privacy protection, and the centralized and distributed management of privileges. They support scalable, interoperable and fine-grain access control services; dynamic delegation of rights; and user-role assignments. They also reduce the administration overheads for resource providers because they need to maintain only the mapping information from VO roles to local database roles. Resource providers maintain the ultimate authority over their resources. Moreover, unnecessary mapping and connections can be avoided by denying invalid requests at the VO level. Performance analysis shows that our RBAC systems add only a small overhead to the existing security infrastructure of OGSA-DAI

Design and evaluation of a scalable Internet of Things backend for smart ports

Internet of Things (IoT) technologies, when adequately integrated, cater for logistics optimisation and operations' environmental impact monitoring, both key aspects for today's EU ports management. This article presents Obelisk, a scalable and multi-tenant cloud-based IoT integration platform used in the EU H2020 PortForward project. The landscape of IoT protocols being particularly fragmented, the first role of Obelisk is to provide uniform access to data originating from a myriad of devices and protocols. Interoperability is achieved through adapters that provide flexibility and evolvability in protocol and format mapping. Additionally, due to ports operating in a hub model with various interacting actors, a second role of Obelisk is to secure access to data. This is achieved through encryption and isolation for data transport and processing, respectively, while user access control is ensured through authentication and authorisation standards. Finally, as ports IoTisation will further evolve, a third need for Obelisk is to scale with the data volumes it must ingest and process. Platform scalability is achieved by means of a reactive micro-services based design. Those three essential characteristics are detailed in this article with a specific focus on how to achieve IoT data platform scalability. By means of an air quality monitoring use-case deployed in the city of Antwerp, the scalability of the platform is evaluated. The evaluation shows that the proposed reactive micro-service based design allows for horizontal scaling of the platform as well as for logarithmic time complexity of its service time

SERVICE ID MANAGEMENT SYSTEM AND METHOD THEREOF

The method (300) outlines a systematic approach for the efficient deployment and management of a Hadoop environment. The method emphasizes the use of a script to generate unique Service IDs, incorporating a buffer to preemptively generate IDs and mitigate the risk of system downtime during high demand. The integration of Service IDs with the Name Node avoids locking or blocking essential Hadoop operations and implementing batch processes strategically. Continuous monitoring of both the Service ID and the Hadoop cluster is done for immediate alerts related to discrepancies, failures, or performance issues. Version management is underscored to ensure atomic changes and automatic reversion to the last consistent state in case of a partial failure. The method also prioritizes role-based access control for heightened security, incorporating features such as a user interface capable of handling concurrent requests and real-time data provision. Security measures, including regular system audits, patching, and encryption, contribute to a comprehensive protection strategy. The method concludes by emphasizing a robust testing process in a staging environment mirroring production, ensuring the identification and resolution of potential issues before deployment

Design and Implementation of Distributed Identity and Access Management Framework for Internet of Things (IoT) Enabled Distribution Automation

The smart grid and Internet of Things (IoT) technologies play vital roles in improving the quality of services offered in traditional electrical grid. They open a room for the introduction of new services like distribution automation (DA) that has a significant advantage to both utility companies and final consumers. DA integrates sensors, actuators, intelligent electrical devices (IED) and information and communication technologies to monitor and control electrical grid. However, the integration of these technologies poses security threats to the electrical grid like Denial of Service (DoS) attacks, false data injection attacks, and masquerading attacks like system node impersonation that can transmit wrong readings, resulting in false alarm reports and hence leading to incorrect node actuation. To overcome these challenges, researchers have proposed a centralized public key infrastructure (PKI) with bridged certificate authority (CA) which is prone to DoS attacks. Moreover, the proposed blockchain based distributed identity and access management (DIAM) in IoT domain at the global scale is adding communicational and computational overheads. Also. It is imposing new security threats to the DA system by integrating it with online services like IoTEX and IoTA. For those reasons, this study proposes a DIAM security scheme to secure IoT-enabled distribution automation. The scheme divides areas into clusters and each cluster has a device registry and a registry controller. The registry controller is a command line tool to access and manage a device registry. The results show that the scheme can prevent impersonated and non-legitimate system nodes and users from accessing the system by imposing role-based access control (RBAC) at the cluster level. Keywords: Distributed Identity and Access Management; Electrical Secondary Distribution Network; Internet of Things; IoT Enabled Distribution Automation; Smart Grid Securit

Cross-middleware Interoperability in Distributed Concurrent Engineering

Secure, distributed collaboration between different organizations is a key challenge in Grid computing today. The GDCD project has produced a Grid-based demonstrator Virtual Collaborative Facility (VCF) for the European Space Agency. The purpose of this work is to show the potential of Grid technology to support fully distributed concurrent design, while addressing practical considerations including network security, interoperability, and integration of legacy applications. The VCF allows domain engineers to use the concurrent design methodology in a distributed fashion to perform studies for future space missions. To demonstrate the interoperability and integration capabilities of Grid computing in concurrent design, we developed prototype VCF components based on ESA’s current Excel-based Concurrent Design Facility (a non-distributed environment), using a STEP-compliant database that stores design parameters. The database was exposed as a secure GRIA 5.1 Grid service, whilst a .NET/WSE3.0-based library was developed to enable secure communication between the Excel client and STEP database

Secure data sharing and processing in heterogeneous clouds

The extensive cloud adoption among the European Public Sector Players empowered them to own and operate a range of cloud infrastructures. These deployments vary both in the size and capabilities, as well as in the range of employed technologies and processes. The public sector, however, lacks the necessary technology to enable effective, interoperable and secure integration of a multitude of its computing clouds and services. In this work we focus on the federation of private clouds and the approaches that enable secure data sharing and processing among the collaborating infrastructures and services of public entities. We investigate the aspects of access control, data and security policy languages, as well as cryptographic approaches that enable fine-grained security and data processing in semi-trusted environments. We identify the main challenges and frame the future work that serve as an enabler of interoperability among heterogeneous infrastructures and services. Our goal is to enable both security and legal conformance as well as to facilitate transparency, privacy and effectivity of private cloud federations for the public sector needs. © 2015 The Authors

SDN/NFV-enabled satellite communications networks: opportunities, scenarios and challenges

In the context of next generation 5G networks, the satellite industry is clearly committed to revisit and revamp the role of satellite communications. As major drivers in the evolution of (terrestrial) fixed and mobile networks, Software Defined Networking (SDN) and Network Function Virtualisation (NFV) technologies are also being positioned as central technology enablers towards improved and more flexible integration of satellite and terrestrial segments, providing satellite network further service innovation and business agility by advanced network resources management techniques. Through the analysis of scenarios and use cases, this paper provides a description of the benefits that SDN/NFV technologies can bring into satellite communications towards 5G. Three scenarios are presented and analysed to delineate different potential improvement areas pursued through the introduction of SDN/NFV technologies in the satellite ground segment domain. Within each scenario, a number of use cases are developed to gain further insight into specific capabilities and to identify the technical challenges stemming from them.Peer ReviewedPostprint (author's final draft