Using SAML and XACML for Complex Resource Provisioning in Grid Based Applications

This paper presents ongoing research and current results on the development of flexible access control infrastructure for complex resource provisioning (CRP) in Grid-based applications. The paper proposes a general CRP model and specifies major requirements to the Authorisation (AuthZ) service infrastructure to support multidomain CRP, focusing on two main issues – policy expression for complex resource models and AuthZ session support. The paper provides suggestions about using XACML and its profiles to describe access control policies to complex resources and briefly describes proposed XML based AuthZ ticket format to support extended AuthZ session context. Additionally, the paper discusses what specific functionality can be added to the gLite Java Authorisation Framework (gJAF), to handle dynamic security context including AuthZ session support. The paper is based on experiences gained from major Grid based and Grid oriented projects such as EGEE

A Dynamic Access Control Model Using Authorising Workfow and Task Role-based Access Control

Access control is fundamental and prerequisite to govern and safeguard information assets within an organisation. Organisations generally use Web enabled remote access coupled with applications access distributed across various networks. These networks face various challenges including increase operational burden and monitoring issues due to the dynamic and complex nature of security policies for access control. The increasingly dynamic nature of collaborations means that in one context a user should have access to sensitive information, whilst not being allowed access in other contexts. The current access control models are static and lack Dynamic Segregation of Duties (SoD), Task instance level of Segregation, and decision making in real time. This thesis addresses these limitations describes tools to support access management in borderless network environments with dynamic SoD capability and real time access control decision making and policy enforcement. This thesis makes three contributions: i) Defining an Authorising Workflow Task Role Based Access Control (AW-TRBAC) using existing task and workflow concepts. This new workflow integrates dynamic SoD, whilst considering task instance restriction to ensure overall access governance and accountability. It enhances existing access control models such as Role Based Access Control (RBAC) by dynamically granting users access rights and providing access governance. ii) Extension of the OASIS standard of XACML policy language to support dynamic access control requirements and enforce access control rules for real time decision making. This mitigates risks relating to access control, such as escalation of privilege in broken access control, and insucient logging and monitoring. iii) The AW-TRBAC model is implemented by extending the open source XACML (Balana) policy engine to demonstrate its applicability to a real industrial use case from a financial institution. The results show that AW-TRBAC is scalable, can process relatively large numbers of complex requests, and meets the requirements of real time access control decision making, governance and mitigating broken access control risk

Dynamic deployment of web services on the internet or grid

PhD ThesisThis thesis focuses on the area of dynamic Web Service deployment for grid and Internet applications. It presents a new Dynamic Service Oriented Architecture (DynaSOAr) that enables the deployment of Web Services at run-time in response to consumer requests. The service-oriented approach to grid and Internet computing is centred on two parties: the service provider and the service consumer. This thesis investigates the introduction of mobility into this service-oriented approach allowing for better use of resources and improved quality of service. To this end, it examines the role of the service provider and makes the case for a clear separation of its concerns into two distinct roles: that of a Web Service Provider, whose responsibility is to receive and direct consumer requests and supply service implementations, and a Host Provider, whose role is to deploy services and process consumers' requests on available resources. This separation of concerns breaks the implicit bond between a published Web Service endpoint (network address) and the resource upon which the service is deployed. It also allows the architecture to respond dynamically to changes in service demand and the quality of service requirements. Clearly defined interfaces for each role are presented, which form the infrastructure of DynaSOAr. The approach taken is wholly based on Web Services. The dynamic deployment of service code between separate roles, potentially running in different administrative domains, raises a number of security issues which are addressed. A DynaSOAr service invocation involves three parties: the requesting Consumer, a Web Service Provider and a Host Provider; this tripartite relationship requires a security model that allows the concerns of each party to be enforced for a given invocation. This thesis, therefore, presents a Tripartite Security Model and an architecture that allows the representation, propagation and enforcement of three separate sets of constraints. A prototype implementation of DynaSOAr is used to evaluate the claims made, and the results show that a significant benefit in terms of round-trip execution time for data-intensive applications is achieved. Additional benefits in terms of parallel deployments to satisfy multiple concurrent requests are also shown

Towards a secure service provisioning framework in a Smart city environment

© 2017 Elsevier B.V. Over the past few years the concept of Smart cities has emerged to transform urban areas into connected and well informed spaces. Services that make smart cities “smart” are curated by using data streams of smart cities i.e., inhabitants’ location information, digital engagement, transportation, environment and local government data. Accumulating and processing of these data streams raise security and privacy concerns at individual and community levels. Sizeable attempts have been made to ensure the security and privacy of inhabitants’ data. However, the security and privacy issues of smart cities are not only confined to inhabitants; service providers and local governments have their own reservations — service provider trust, reliability of the sensed data, and data ownership, to name a few. In this research we identified a comprehensive list of stakeholders and modelled their involvement in smart cities by using the Onion Model approach. Based on the model we present a security and privacy-aware framework for service provisioning in smart cities, namely the ‘Smart Secure Service Provisioning’ (SSServProv) Framework. Unlike previous attempts, our framework provides end-to-end security and privacy features for trustable data acquisition, transmission, processing and legitimate service provisioning. The proposed framework ensures inhabitants’ privacy, and also guarantees integrity of services. It also ensures that public data is never misused by malicious service providers. To demonstrate the efficacy of SSServProv we developed and tested core functionalities of authentication, authorisation and lightweight secure communication protocol for data acquisition and service provisioning. For various smart cities service provisioning scenarios we verified these protocols by an automated security verification tool called Scyther

User-controlled Identity Management Systems using mobile devices

Thousands of websites providing an array of diversified online services have been the crucial factor for popularising the Internet around the world during last 15 years. The current model of accessing the majority of those services requires users to register with a Service Provider - an administrative body that offers and provides online services. The registration procedure involves users providing a number of pieces of data about themselves which are then stored at the provider. This data provides a digital image of the user and is commonly known as the Identity of the user in that provider. To access different online services, users register at different providers and ultimately end up with a number of scattered identities which become increasingly difficult to manage. It is one of the major problems of the current setting of online services. What is even worse is that users have less control over the data stored in these providers and have no knowledge how their data is treated by providers. The concept of Identity Management has been introduced to help users facilitate the management of their identities in a user-friendly, secure and privacy-friendly way and thus, to tackle the stated problems. There exists a number of Identity Management models and systems, unfortunately, none of them has played a pivotal role in tackling the problems effectively and comprehensively. Simultaneously, we have experienced another trend expanding at a remarkable rate: the consumption and the usage of smart mobile devices. These mobile devices are not only growing in numbers but also in capability and capacity in terms of processing power and memory. Most are equipped with powerful hardware and highly-dynamic mobile operating systems offering touch-sensitive intuitive user-interfaces. In many ways, these mobile devices have become an integrated part of our day-to-day life and accompany us everywhere we go. The capability, portability and ubiquitous presence of such mobile devices lead to the core objective of this research: the investigation of how such mobile devices can be used to overcome the limitations of the current Identity Management Systems as well as to provide innovative online services. In short, this research investigates the need for a novel Identity Management System and the role the current generation of smart mobile devices can play in realising such a system. In this research it has been found that there exist different inconsistent notions of many central topics in Identity Management which are mostly defined in textual forms. To tackle this problem, a comprehensive mathematical model of Identity and Identity Management has been developed. The model has been used to analyse several phenomenons of Identity Management and to characterise different Identity Management models. Next, three popular Identity Management Systems have been compared using a taxonomy of requirements to identify the strength and weakness of each system. One of the major findings is that how different privacy requirements are satisfied in these systems is not standardised and depends on a specific implementation. Many systems even do not satisfy many of those requirements which can drastically affect the privacy of a user. To tackle the identified problems, the concept of a novel Identity Management System, called User-controlled Identity Management System, has been proposed. This system offers better privacy and allows users to exert more control over their data from a central location using a novel type of provider, called Portable Personal Identity Provider, hosted inside a smart mobile device of the user. It has been analysed how the proposed system can tackle the stated problems effectively and how it opens up new doors of opportunities for online services. In addition, it has been investigated how contextual information such as a location can be utilised to provide online services using the proposed provider. One problem in the existing Identity Management Systems is that providers cannot provide any contextual information such as the location of a user. Hosting a provider in a mobile device allows it to access different sensors of the device, retrieve contextual information from them and then to provide such information. A framework has been proposed to harness this capability in order to offer innovative services. Another major issue of the current Identity Management Systems is the lack of an effective mechanism to combine attributes from multiple providers. To overcome this problem, an architecture has been proposed and it has been discussed how this architecture can be utilised to offer innovative services. Furthermore, it has been analysed how the privacy of a user can be improved using the proposed provider while accessing such services. Realising these proposals require that several technical barriers are overcome. For each proposal, these barriers have been identified and addressed appropriately along with the respective proof of concept prototype implementation. These prototypes have been utilised to illustrate the applicability of the proposals using different use-cases. Furthermore, different functional, security and privacy requirements suitable for each proposal have been formulated and it has been analysed how the design choices and implementations have satisfied these requirements. Also, no discussion in Identity Management can be complete without analysing the underlying trust assumptions. Therefore, different trust issues have been explored in greater details throughout the thesis

CAFS: A Framework for Context-Aware Federated Services

In this paper we explore two issues: Federated Identity Management and Context-Aware Services. In the last decade or so we have seen these two technologies gaining considerable popularities as they offer a number of benefits to the user and other stakeholders. However, there are a few outstanding security and privacy issues that need to be resolved to harness the full potential of such services. We believe that these problems can be reduced significantly by integrating the federated identity architecture into the context-aware services. With this aim, we have developed a framework for Context-Aware Federated Services based on the Security Assertion Markup Language (SAML) and extensible Access Control Markup Language (XACML) standards. We have illustrated the applicability of our approach by showcasing some use-cases, analysed the security, privacy and trust issues involved in the framework and the advantages it offers