DOI: 10.1109/GRID.2007.4354135
Article
Free access

Dynamic, context-aware, least-privilege grid delegation

Published: 19 September 2007 Publication History

Abstract

Performing delegation in large-scale, dynamic and distributed environments with many shared resources is more challenging than inside a single administrative domain. In dynamic environments such as Grids, delegating a restricted set of rights reduces exposure to attack but limits the flexibility and dynamism of the application, whereas delegating all rights gives maximum flexibility but increases exposure. Current Grid security mechanisms do not adequately address this trade-off, and it is becoming a crucial issue for future Grid development; an effective delegation mechanism that satisfies the principle of least privilege is therefore essential. Furthermore, the rapid automation of organizational tasks and decision making, and the computerization of information-related services, call for delegation mechanisms that are themselves automated. To meet these requirements we introduce an Active Delegation Framework that extends our previous work on on-demand delegation by making it context-aware. The framework provides a just-in-time, restricted and dynamic delegation mechanism for Grids. In this paper we describe the design of the framework and its implementation and integration with the Globus Toolkit.
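The trade-off the abstract describes (restricted rights reduce exposure, full delegation maximizes it) comes down to what the resource actually enforces on a chain of delegations. The following is an added illustration, not the paper's Active Delegation Framework or any Globus Toolkit code: a small Python model of restricted, just-in-time, context-aware delegation in which each hop may only narrow the rights, validity window and context of the hop before it, and the resource re-checks that property for every link rather than trusting the intermediaries. The HMAC keys, the principals alice/broker/worker, the right strings and ROOT_RIGHTS are constructed stand-ins; a real Grid would carry the same restrictions in an RFC 3820 proxy-certificate chain signed with each delegator's key.

```python
"""Added illustration (not the paper's framework): restricted, just-in-time,
context-aware delegation chains in which every hop may only attenuate the
rights, validity window and context of its parent, and the resource re-checks
that for each link instead of trusting the intermediaries."""
import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed data: HMAC keys stand in for the X.509 signatures of an RFC 3820
# proxy chain; ROOT_RIGHTS is the assumed entitlement of each end user.
KEYS = {"alice": b"key-alice", "broker": b"key-broker", "worker": b"key-worker"}
ROOT_RIGHTS = {"alice": frozenset({"read:/data/run42", "write:/data/run42",
                                   "submit:cluster-a"})}
NEVER = 2**31  # upper bound on a root holder's own validity


def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass(frozen=True)
class Delegation:
    issuer: str
    subject: str
    rights: FrozenSet[str]        # least privilege: only what the task needs
    not_before: int
    not_after: int                # just-in-time: short window around the task
    context: Dict[str, str]       # context-aware: job, host, ... the request must match
    parent_id: Optional[str]
    sig: str

    def body(self) -> dict:
        return {"issuer": self.issuer, "subject": self.subject,
                "rights": sorted(self.rights), "not_before": self.not_before,
                "not_after": self.not_after, "context": self.context,
                "parent_id": self.parent_id}

    @property
    def id(self) -> str:
        return hashlib.sha256(_canon(self.body())).hexdigest()

    def signature_ok(self) -> bool:
        expected = hmac.new(KEYS.get(self.issuer, b""), _canon(self.body()), "sha256").hexdigest()
        return hmac.compare_digest(expected, self.sig)


def _widening(d: Delegation, parent: Optional[Delegation]) -> Optional[str]:
    """Why d claims more than its parent held, or None if it only attenuates."""
    if parent is None:
        held, lo, hi, inherited = ROOT_RIGHTS.get(d.issuer, frozenset()), 0, NEVER, {}
    elif d.parent_id != parent.id or d.issuer != parent.subject:
        return "broken chain link"
    else:
        held, lo, hi, inherited = parent.rights, parent.not_before, parent.not_after, parent.context
    if not d.rights <= held:
        return f"privilege escalation: {sorted(d.rights - held)}"
    if not (lo <= d.not_before < d.not_after <= hi):
        return "validity window exceeds the parent's"
    if any(d.context.get(k) != v for k, v in inherited.items()):
        return "inherited context constraint dropped or altered"
    return None


def delegate(issuer: str, subject: str, rights, not_before: int, not_after: int,
             context: Optional[Dict[str, str]] = None,
             parent: Optional[Delegation] = None) -> Delegation:
    """Issue a delegation, refusing anything that widens the issuer's authority."""
    d = Delegation(issuer, subject, frozenset(rights), not_before, not_after,
                   dict(context or {}), parent.id if parent else None, sig="")
    err = _widening(d, parent)
    if err:
        raise ValueError(err)
    sig = hmac.new(KEYS[issuer], _canon(d.body()), "sha256").hexdigest()
    return dataclasses.replace(d, sig=sig)


def authorize(chain: List[Delegation], requester: str, right: str,
              request_ctx: Dict[str, str], now: int) -> Tuple[bool, str]:
    """Resource-side decision over a root-to-leaf chain; every hop is re-checked."""
    parent: Optional[Delegation] = None
    for d in chain:
        if not d.signature_ok():
            return False, f"bad signature on {d.issuer}->{d.subject}"
        err = _widening(d, parent)
        if err:
            return False, err
        if not (d.not_before <= now < d.not_after):
            return False, f"{d.issuer}->{d.subject} not valid at t={now}"
        if any(request_ctx.get(k) != v for k, v in d.context.items()):
            return False, "request context does not match delegation"
        parent = d
    if parent is None or parent.subject != requester:
        return False, "chain does not end at the requester"
    if right not in parent.rights:
        return False, f"right {right!r} was never delegated"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Constructed scenario: alice -> broker -> worker for job run42 on node7."""
    a = delegate("alice", "broker", {"read:/data/run42", "submit:cluster-a"}, 100, 400, {"job": "run42"})
    b = delegate("broker", "worker", {"read:/data/run42"}, 200, 300,
                 {"job": "run42", "host": "node7"}, parent=a)
    ctx = {"job": "run42", "host": "node7"}
    forged = dataclasses.replace(b, rights=b.rights | {"submit:cluster-a"})  # edited after signing
    try:
        delegate("broker", "worker", {"write:/data/run42"}, 200, 300, ctx, parent=a)
        escalation_refused = False
    except ValueError:
        escalation_refused = True
    return {
        "delegated_right_in_window": authorize([a, b], "worker", "read:/data/run42", ctx, 250)[0],
        "undelegated_right": authorize([a, b], "worker", "submit:cluster-a", ctx, 250)[0],
        "after_expiry": authorize([a, b], "worker", "read:/data/run42", ctx, 350)[0],
        "wrong_host": authorize([a, b], "worker", "read:/data/run42", {**ctx, "host": "node8"}, 250)[0],
        "forged_rights": authorize([a, forged], "worker", "submit:cluster-a", ctx, 250)[0],
        "chain_without_root": authorize([b], "worker", "read:/data/run42", ctx, 250)[0],
        "escalation_refused": escalation_refused,
    }
```

The point of re-running `_widening` inside `authorize` is that the intermediary (the broker here) is exactly the party whose compromise restricted delegation is meant to contain: if the resource trusted that the broker had checked attenuation when it issued the leaf, a compromised broker could mint a leaf carrying rights it never held. Checking every link against its parent, plus the leaf's time window and context against the actual request, is what turns "restricted" delegation into an enforced property rather than a convention.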


Published In

GRID '07: Proceedings of the 8th IEEE/ACM International Conference on Grid Computing
September 2007
339 pages
ISBN:9781424415595

Publisher

IEEE Computer Society

United States
