15 research outputs found

    Strategic Latency Unleashed: The Role of Technology in a Revisionist Global Order and the Implications for Special Operations Forces

    Get PDF
    The article of record may be found at https://cgsr.llnl.govThis work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory in part under Contract W-7405-Eng-48 and in part under Contract DE-AC52-07NA27344. The views and opinions of the author expressed herein do not necessarily state or reflect those of the United States government or Lawrence Livermore National Security, LLC. ISBN-978-1-952565-07-6 LCCN-2021901137 LLNL-BOOK-818513 TID-59693This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory in part under Contract W-7405-Eng-48 and in part under Contract DE-AC52-07NA27344. The views and opinions of the author expressed herein do not necessarily state or reflect those of the United States government or Lawrence Livermore National Security, LLC. ISBN-978-1-952565-07-6 LCCN-2021901137 LLNL-BOOK-818513 TID-5969

    Proceedings of the 5th bwHPC Symposium

    Get PDF
    In modern science, the demand for more powerful and integrated research infrastructures is growing constantly to address computational challenges in data analysis, modeling and simulation. The bwHPC initiative, founded by the Ministry of Science, Research and the Arts and the universities in Baden-WĂĽrttemberg, is a state-wide federated approach aimed at assisting scientists with mastering these challenges. At the 5th bwHPC Symposium in September 2018, scientific users, technical operators and government representatives came together for two days at the University of Freiburg. The symposium provided an opportunity to present scientific results that were obtained with the help of bwHPC resources. Additionally, the symposium served as a platform for discussing and exchanging ideas concerning the use of these large scientific infrastructures as well as its further development

    Architectural approaches to a science network software-defined exchange

    Get PDF
    To interconnect research facilities across wide geographic areas, network operators deploy science networks, also referred to as Research and Education (R&E) networks. These networks allow experimenters to establish dedicated circuits between research facilities for transferring large amounts of data, by using advanced reservation systems. Intercontinental dedicated circuits typically require coordination between multiple administrative domains, which need to reach an agreement on a suitable advance reservation. To enhance provisioning capabilities of multi-domain advance reservations, we propose an architecture for end-to-end service orchestration in multi-domain science networks that leverages software-defined networking (SDN) and software-defined exchanges (SDX) for providing multi-path, multi-domain advance reservations. Our simulations show our orchestration architecture increases the reservation success rate. We evaluate our solution using GridFTP, one of the most popular tools for data transfers in the scientific community. Additionally, we propose an interface that domain scientists can use to request science network services from our orchestration framework. Furthermore, we propose a federated auditing framework (FAS) that allows an SDX to verify whether the configurations requested by a user are correctly enforced by participating SDN domains, whether the configurations requested are correctly removed after their expiration time, and whether configurations exist that are performing non-requested actions. We also propose an architecture for advance reservation access control using SDN and tokens.Ph.D

    Contributions to the privacy provisioning for federated identity management platforms

    Get PDF
    Identity information, personal data and user’s profiles are key assets for organizations and companies by becoming the use of identity management (IdM) infrastructures a prerequisite for most companies, since IdM systems allow them to perform their business transactions by sharing information and customizing services for several purposes in more efficient and effective ways. Due to the importance of the identity management paradigm, a lot of work has been done so far resulting in a set of standards and specifications. According to them, under the umbrella of the IdM paradigm a person’s digital identity can be shared, linked and reused across different domains by allowing users simple session management, etc. In this way, users’ information is widely collected and distributed to offer new added value services and to enhance availability. Whereas these new services have a positive impact on users’ life, they also bring privacy problems. To manage users’ personal data, while protecting their privacy, IdM systems are the ideal target where to deploy privacy solutions, since they handle users’ attribute exchange. Nevertheless, current IdM models and specifications do not sufficiently address comprehensive privacy mechanisms or guidelines, which enable users to better control over the use, divulging and revocation of their online identities. These are essential aspects, specially in sensitive environments where incorrect and unsecured management of user’s data may lead to attacks, privacy breaches, identity misuse or frauds. Nowadays there are several approaches to IdM that have benefits and shortcomings, from the privacy perspective. In this thesis, the main goal is contributing to the privacy provisioning for federated identity management platforms. And for this purpose, we propose a generic architecture that extends current federation IdM systems. We have mainly focused our contributions on health care environments, given their particularly sensitive nature. The two main pillars of the proposed architecture, are the introduction of a selective privacy-enhanced user profile management model and flexibility in revocation consent by incorporating an event-based hybrid IdM approach, which enables to replace time constraints and explicit revocation by activating and deactivating authorization rights according to events. The combination of both models enables to deal with both online and offline scenarios, as well as to empower the user role, by letting her to bring together identity information from different sources. Regarding user’s consent revocation, we propose an implicit revocation consent mechanism based on events, that empowers a new concept, the sleepyhead credentials, which is issued only once and would be used any time. Moreover, we integrate this concept in IdM systems supporting a delegation protocol and we contribute with the definition of mathematical model to determine event arrivals to the IdM system and how they are managed to the corresponding entities, as well as its integration with the most widely deployed specification, i.e., Security Assertion Markup Language (SAML). In regard to user profile management, we define a privacy-awareness user profile management model to provide efficient selective information disclosure. With this contribution a service provider would be able to accesses the specific personal information without being able to inspect any other details and keeping user control of her data by controlling who can access. The structure that we consider for the user profile storage is based on extensions of Merkle trees allowing for hash combining that would minimize the need of individual verification of elements along a path. An algorithm for sorting the tree as we envision frequently accessed attributes to be closer to the root (minimizing the access’ time) is also provided. Formal validation of the above mentioned ideas has been carried out through simulations and the development of prototypes. Besides, dissemination activities were performed in projects, journals and conferences.Programa Oficial de Doctorado en Ingeniería TelemáticaPresidente: María Celeste Campo Vázquez.- Secretario: María Francisca Hinarejos Campos.- Vocal: Óscar Esparza Martí

    SInCom 2015

    Get PDF
    2nd Baden-WĂĽrttemberg Center of Applied Research Symposium on Information and Communication Systems, SInCom 2015, 13. November 2015 in Konstan

    Integriertes Management von Security-Frameworks

    Get PDF
    Security-Frameworks sind baukastenähnliche, zunächst abstrakte Konzepte, die aufeinander abgestimmte technische und organisatorische Maßnahmen zur Prävention, Detektion und Bearbeitung von Informationssicherheitsvorfällen bündeln. Anders als bei der Zusammenstellung eigener Sicherheitskonzepte aus einer Vielzahl punktueller Einzelmaßnahmen wird bei der Anwendung von Security-Frameworks das Ziel verfolgt, mit einem relativ geringen Aufwand auf bewährte Lösungsansätze zur Absicherung von komplexen IT-Diensten und IT-Architekturen zurückgreifen zu können. Die praktische Umsetzung eines Security-Frameworks erfordert seine szenarienspezifische Adaption und Implementierung, durch die insbesondere eine nahtlose Integration in die vorhandene Infrastruktur sichergestellt und die Basis für den nachhaltigen, effizienten Betrieb geschaffen werden müssen. Die vorliegende Arbeit behandelt das integrierte Management von Security-Frameworks. Im Kern ihrer Betrachtungen liegen folglich nicht individuelle Frameworkkonzepte, sondern Managementmethoden, -prozesse und -werkzeuge für den parallelen Einsatz mehrerer Frameworkinstanzen in komplexen organisationsweiten und -übergreifenden Szenarien. Ihre Schwerpunkte werden zum einen durch die derzeit sehr technische Ausprägung vieler Security-Frameworks und zum anderen durch die fehlende Betrachtung ihres Lebenszyklus über die szenarienspezifische Anpassung hinaus motiviert. Beide Aspekte wirken sich bislang inhibitorisch auf den praktischen Einsatz aus, da zur Umsetzung von Security-Frameworks immer noch ein erheblicher szenarienspezifischer konzeptioneller Aufwand erbracht werden muss. Nach der Diskussion der relevanten Grundlagen des Sicherheitsmanagements und der Einordnung von Security-Frameworks in Informationssicherheitsmanagementsysteme werden auf Basis ausgewählter konkreter Szenarien mehr als 50 Anforderungen an Security-Frameworks aus der Perspektive ihres Managements abgeleitet und begründet gewichtet. Die anschließende Anwendung dieses Anforderungskatalogs auf mehr als 75 aktuelle Security-Frameworks zeigt typische Stärken sowie Schwächen auf und motiviert neben konkreten Verbesserungsvorschlägen für Frameworkkonzepte die nachfolgend erarbeiteten, für Security-Frameworks spezifischen Managementmethoden. Als Bezugsbasis für alle eigenen Konzepte dient eine detaillierte Analyse des gesamten Lebenszyklus von Security-Frameworks, der zur grundlegenden Spezifikation von Managementaufgaben, Verantwortlichkeiten und Schnittstellen zu anderen Managementprozessen herangezogen wird. Darauf aufbauend werden an den Einsatz von Security-Frameworks angepasste Methoden und Prozesse u. a. für das Risikomanagement und ausgewählte Disziplinen des operativen Sicherheitsmanagements spezifiziert, eine Sicherheitsmanagementarchitektur für Security-Frameworks konzipiert, die prozessualen Schnittstellen am Beispiel von ISO/IEC 27001 und ITIL v3 umfassend ausgearbeitet und der Einsatz von IT-Sicherheitskennzahlen zur Beurteilung von Security-Frameworks demonstriert. Die praktische Anwendung dieser innovativen Methoden erfordert dedizierte Managementwerkzeuge, die im Anschluss im Detail konzipiert und in Form von Prototypen bzw. Simulationen umgesetzt, exemplifiziert und bewertet werden. Ein umfassendes Anwendungsbeispiel demonstriert die praktische, parallele Anwendung mehrerer Security-Frameworks und der spezifizierten Konzepte und Werkzeuge. Abschließend werden alle erreichten Ergebnisse kritisch beurteilt und ein Ausblick auf mögliche Weiterentwicklungen und offene Forschungsfragestellungen in verwandten Bereichen gegeben.Security frameworks at first are modular, abstract concepts that combine technical as well as organizational measures for the prevention, detection, and handling of information security incidents in a coordinated manner. Unlike the creation of scenario-specific security concepts from scratch, for which one has to choose from a plethora of individual measures, using security frameworks pursues the goal of reducing the required time and effort by applying proven solutions for securing complex IT services and IT architectures. The practical realization of a security framework requires its scenario-specific customization and implementation, which especially need to ensure its seamless integration into the existing infrastructure and provides the basis for sustained, efficient operations. This thesis highlights the integrated management of security frameworks. Therefore, it does not focus on individual security framework concepts, but on innovative management methods, processes, and tools for operating multiple security framework instances in complex enterprise-wide and inter-organizational scenarios. Its core contributions are motivated by the very technically oriented characteristics of current security frameworks on the one hand and by the lack of a holistic view on their life cycle that reaches beyond the customization phase on the other hand. These two aspects still inhibit the wide-spread practical application of security frameworks because still significant scenario-specific conceptual efforts have to be made in order to operate and manage the framework instances. After the discussion of the relevant fundamentals of security management and the classification of security frameworks into information security management systems, more than 50 management-specific requirements for security frameworks are derived from practical scenarios and get reasonably weighted. The application of the resulting criteria catalogue to more than 75 current security frameworks points out their typical strengths and weaknesses; besides improvement proposals for the analyzed security frameworks, it also motivates the security-framework-specific management methods that are developed afterwards. For each of the proposed concepts, a detailed analysis of the complete security framework life cycle serves as a reference base. It is also used to specify the basic management tasks, responsibilities, and interfaces to related management processes. Based on this life cycle specification, security-framework-specific management methods and processes, e. g., for risk management and for selected security operations tasks are specified, a security management architecture for security frameworks is designed, process-related interfaces based on ISO/IEC 27001 and ITIL v3 are elaborated, and the application of security metrics to quantitatively assess security frameworks is demonstrated. The practical application of the proposed innovative methods requires several dedicated management tools, which are devised in detail, implemented as prototypes or as simulations, exemplified, and evaluated. An extensive usage example demonstrates the practical application of multiple security frameworks in parallel based on the specified concepts and tools. Finally, all achieved results are critically assessed and an outlook to further research as well as open issues in related disciplines is given

    Shibboleth based Authentication, Authorization, Accounting and Auditing in Wireless Mesh Networks

    Full text link
    We present the basic architectural elements of the Captive Portal integrating Shibboleth based Authentication, Authorization, Accounting and Auditing into Wireless Mesh Networks. The Captive Portal is built upon the SWITCHaai/Shibboleth architecture especially designed to protect web based services. The architecture is secure, eavesdropping protected and does not require any specialized software installation on the client side

    The Future of Information Sciences : INFuture2009 : Digital Resources and Knowledge Sharing

    Get PDF
    corecore