Context-Driven, User-Centric Access Control for Smart Spaces

In this paper, we describe a user-centric access control process for devices and services in smart space environments. The M-Zones Access Control (MAC) Process is driven by context information relating to the activities of the users present in a smart space, and by user-defined policies reflecting these users' preferences. As well as dynamically assigning access rights in response to context changes, the process provides for automatic reconfiguration of resources in order to protect a user's privacy as other users enter/leave his/her vicinity. To illustrate the implementation of the process we discuss its realisation in a test bed emulating an office-based smart space

Negotiating Trust on the Grid

Grids support dynamically evolving collections of resources and users, usually spanning multiple administrative domains. The dynamic and crossorganizational aspects of Grids introduce challenging management and policy issues for controlling access to Grid resources. In this paper we show how to extend the Grid Security Infrastructure to provide better support for the dynamic and cross-organizational aspects of Grid activities, by adding facilities for dynamic establishment of trust between parties. We present the PeerTrust language for access control policies, which is based on guarded distributed logic programs, and show how to use PeerTrust to model common Grid trust needs

Uma interface para refinamento de pesquisas de políticas de segurança em ambientes de grid services

Dissertação (mestrado) - Universidade Federal de Santa Catarina, Centro Tecnológico. Programa de Pós-Graduação em Ciência da Computação.A computação em grid (ou computação em grade) consiste em uma forma de computação distribuída onde o foco principal é o compartilhamento coordenado de recursos em larga escala e resolução de problemas em organizações virtuais dinâmicas e multi-institucionais. Porém, tal compartilhamento deve ser altamente controlado, para garantir a segurança dos recursos envolvidos. Este trabalho se baseia na especificação OGSA (Open Grid Service Architecture) proposta pelo GGF (Global Grid Forum), em particular no Globus Toolkit 3 que a implementa, e apresenta uma proposta de extensão ao módulo de monitoramento e descoberta de recursos (MDS), para filtrar os resultados retornados baseado nos atributos do usuário e nas políticas do recurso

Dynamic deployment of web services on the internet or grid

PhD ThesisThis thesis focuses on the area of dynamic Web Service deployment for grid and Internet applications. It presents a new Dynamic Service Oriented Architecture (DynaSOAr) that enables the deployment of Web Services at run-time in response to consumer requests. The service-oriented approach to grid and Internet computing is centred on two parties: the service provider and the service consumer. This thesis investigates the introduction of mobility into this service-oriented approach allowing for better use of resources and improved quality of service. To this end, it examines the role of the service provider and makes the case for a clear separation of its concerns into two distinct roles: that of a Web Service Provider, whose responsibility is to receive and direct consumer requests and supply service implementations, and a Host Provider, whose role is to deploy services and process consumers' requests on available resources. This separation of concerns breaks the implicit bond between a published Web Service endpoint (network address) and the resource upon which the service is deployed. It also allows the architecture to respond dynamically to changes in service demand and the quality of service requirements. Clearly defined interfaces for each role are presented, which form the infrastructure of DynaSOAr. The approach taken is wholly based on Web Services. The dynamic deployment of service code between separate roles, potentially running in different administrative domains, raises a number of security issues which are addressed. A DynaSOAr service invocation involves three parties: the requesting Consumer, a Web Service Provider and a Host Provider; this tripartite relationship requires a security model that allows the concerns of each party to be enforced for a given invocation. This thesis, therefore, presents a Tripartite Security Model and an architecture that allows the representation, propagation and enforcement of three separate sets of constraints. A prototype implementation of DynaSOAr is used to evaluate the claims made, and the results show that a significant benefit in terms of round-trip execution time for data-intensive applications is achieved. Additional benefits in terms of parallel deployments to satisfy multiple concurrent requests are also shown

Evolving a secure grid-enabled, distributed data warehouse : a standards-based perspective

As digital data-collection has increased in scale and number, it becomes an important type of resource serving a wide community of researchers. Cross-institutional data-sharing and collaboration introduce a suitable approach to facilitate those research institutions that are suffering the lack of data and related IT infrastructures. Grid computing has become a widely adopted approach to enable cross-institutional resource-sharing and collaboration. It integrates a distributed and heterogeneous collection of locally managed users and resources. This project proposes a distributed data warehouse system, which uses Grid technology to enable data-access and integration, and collaborative operations across multi-distributed institutions in the context of HV/AIDS research. This study is based on wider research into OGSA-based Grid services architecture, comprising a data-analysis system which utilizes a data warehouse, data marts, and near-line operational database that are hosted by distributed institutions. Within this framework, specific patterns for collaboration, interoperability, resource virtualization and security are included. The heterogeneous and dynamic nature of the Grid environment introduces a number of security challenges. This study also concerns a set of particular security aspects, including PKI-based authentication, single sign-on, dynamic delegation, and attribute-based authorization. These mechanisms, as supported by the Globus Toolkit’s Grid Security Infrastructure, are used to enable interoperability and establish trust relationship between various security mechanisms and policies within different institutions; manage credentials; and ensure secure interactions