11 research outputs found
Security Services Lifecycle Management in On-Demand Infrastructure Services Provisioning
require high-performance and complicated network and computer infrastructure to support distributed collaborating groups of researchers and applications that should be provisioned on-demand. The effective use and management of the dynamically provisioned services can be achieved by using the Service Delivery Framework (SDF) proposed by TeleManagement Forum that provides a good basis for defining the whole services life cycle management and supporting infrastructure services. The paper discusses conceptual issues, basic requirements and practical suggestions for provisioning consistent security services as a part of the general e-Science infrastructure provisioning, in particular Grid and Cloud based. The proposed Security Services Lifecycle Management (SSLM) model extends the existing frameworks with additional stages such as “Reservation Session Binding” and “Registration and Synchronisation” that specifically target such security issues as the provisioned resources restoration, upgrade or migration and provide a mechanism for remote executing environment and data protection by binding them to the session context. The paper provides a short overview of the existing standards and technologies and refers to the on-going projects and experience in developing dynamic distributed security services.
User-controlled access management to resources on the Web
PhD Thesis
The rapidly developing Web environment provides users with a wide set of rich services as varied and complex as desktop applications. Those services are collectively referred to as "Web 2.0", with such examples as Facebook, Google Apps, Salesforce, or Wordpress, among many others. These applications are used for creating, managing, and sharing online data between users and services on the Web. With the shift from desktop computers to the Web, users create and store more of their data online and not on the hard drives of their computers. This data includes personal information, documents, photos, as well as other resources. Irrespective of the environment, either desktop or the Web, it is the user who creates the data, who disseminates it and who shares this data. On the Web, however, sharing resources poses new security and usability challenges which were not present in traditional computing. Access control, also known as authorisation, that aims to protect such sharing, is currently poorly addressed in this environment. Existing access control is often not well suited to the increasing amount of highly distributed Web data and does not give users the required flexibility in managing their data. This thesis discusses new solutions to access control for the Web. Firstly, it shows a proposal named User-Managed Access Control (UMAC) and presents its architecture and protocol. This thesis then focuses on the User-Managed Access (UMA) solution that is researched by the User-Managed Access Work Group at Kantara Initiative. The UMA approach allows the user to play a pivotal role in assigning access rights to their resources which may be spread across multiple cloud-based Web applications. Unlike existing authorisation systems, it relies on a user’s centrally located security requirements for these resources. The security requirements are expressed in the form of access control policies and are stored and evaluated in a specialised component called Authorisation Manager. Users are provided with a consistent User Experience for managing access control for their distributed online data and are provided with a holistic view of the security applied to this data. Furthermore, this thesis presents the software that implements the UMA proposal. In particular, this thesis shows frameworks that allow Web applications to delegate their access control function to an Authorisation Manager. It also presents design and implementation of an Authorisation Manager and discusses its evaluation conducted with a user study. It then discusses design and implementation of a second, improved Authorisation Manager. Furthermore, this thesis presents the applicability of the UMA approach and the implemented software to real-world scenarios.
Security in Distributed, Grid, Mobile, and Pervasive Computing
This book addresses the increasing demand to guarantee privacy, integrity, and availability of resources in networks and distributed systems. It first reviews security issues and challenges in content distribution networks, describes key agreement protocols based on the Diffie-Hellman key exchange and key management protocols for complex distributed systems like the Internet, and discusses securing design patterns for distributed systems. The next section focuses on security in mobile computing and wireless networks. After a section on grid computing security, the book presents an overview of security solutions for pervasive healthcare systems and surveys wireless sensor network security.
XACML Policy Profile for Multidomain Network Resource Provisioning and Supporting Authorisation Infrastructure
Policy definition is an important component of the consistent authorisation service infrastructure that could be effectively integrated with the general resource provisioning workflow and network control and management plane. The paper describes the proposed XACML-NRP policy and attributes profile for network resource provisioning. In addition to specifying a set of subject, resource, and action attributes that are required for consistent XACML policy definition, the proposed profile also allows handling network path information, which is especially important for QoS enforcement. To overcome the stateless character of XACML policies, the proposed authorisation infrastructure provides a number of security mechanisms to support functionality important for NRP, such as authorisation session and interdomain security context management, simple delegation, conditional authorisation decisions, and policy obligations handling.