Information Sciences Institute Internet and Networked Systems Managing Security Policies for Federated Cyberinfrastructure Stephen Schwab, John Wroclawski.

Slides:



Advertisements
Similar presentations
Definitions Innovation Reform Improvement Change.
Advertisements

Joint CASC/CCI Workshop Report Strategic and Tactical Recommendations EDUCAUSE Campus Cyberinfrastructure Working Group Coalition for Academic Scientific.
Workpackage 2: Norms
D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.
Sponsored by the National Science Foundation 1 Activities this trimester 0.5 revision of Operational Security Plan Independently (from GPO) developing.
Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.
GENI: Global Environment for Networking Innovations Larry Landweber Senior Advisor NSF:CISE Joint Techs Madison, WI July 17, 2006.
Introduction to Databases
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
1 Authentication Trustworthiness The Next Stage in Identity-Based Access and Security Tom Board, NUIT.
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
Information Technology Current Work in System Architecture November 2003 Tom Board Director, NUIT Information Systems Architecture.
File Systems and Databases
Environmental Management Systems Refresher
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
1 Computer Systems & Architecture Lesson 1 1. The Architecture Business Cycle.
Understanding Active Directory
Open Cloud Sunil Kumar Balaganchi Thammaiah Internet and Web Systems 2, Spring 2012 Department of Computer Science University of Massachusetts Lowell.
Semantic Web Technologies Lecture # 2 Faculty of Computer Science, IBA.
D u k e S y s t e m s Accountability and Authorization GEC 12 Jeff Chase Duke University Thanks: NSF TC CNS
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
Week 1 Lecture MSCD 600 Database Architecture Samuel ConnSamuel Conn, Asst. Professor Suggestions for using the Lecture Slides.
Ontology Development Kenneth Baclawski Northeastern University Harvard Medical School.
Digital Object Architecture
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!
D u k e S y s t e m s A Tale of Two Federations Jeff Chase Duke University.
1 Supporting the development of distributed systems CS606, Xiaoyan Hong University of Alabama.
Federation Strategy Robert Ricci GENI-FIRE Workshop September 2015.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
September 18, 2002 Windows 2000 Server Active Directory By Jerry Haggard.
ISM 5316 Week 3 Learning Objectives You should be able to: u Define and list issues and steps in Project Integration u List and describe the components.
Sponsored by the National Science Foundation GEC16 Plenary Session: GENI Solicitation 4 Tool Context Marshall Brinn, GPO March 20, 2013.
Environmental Management System Definitions
Sponsored by the National Science Foundation Enabling Trusted Federation Marshall Brinn, GENI Program Office October 1, 2014.
Database Design and Management CPTG /23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,
CLARIN work packages. Conference Place yyyy-mm-dd
5 - 1 Copyright © 2006, The McGraw-Hill Companies, Inc. All rights reserved.
Access Control for Federation of Emulab-based Network Testbeds Ted Faber, John Wroclawski 28 July 2008
D u k e S y s t e m s Building the GENI Federation With ABAC Jeff Chase Duke University Thanks: NSF TC CNS
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
Windows Role-Based Access Control Longhorn Update
Information Technology Current Work in System Architecture January 2004 Tom Board Director, NUIT Information Systems Architecture.
GRID Overview Internet2 Member Meeting Spring 2003 Sandra Redman Information Technology and Systems Center and Information Technology Research Center National.
Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.
D u k e S y s t e m s GENI Federation Basics Jeff Chase Duke University.
Authorizing Slice Creation How ABAC Coordinates Distributed Authorization Alefiya Hussain 1.
HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
Sponsored by the National Science Foundation Establishing Policy-based Resource Quotas at Software-defined Exchanges Marshall Brinn, GPO June 16, 2015.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
An Overview of Scientific Workflows: Domains & Applications Laboratoire Lorrain de Recherche en Informatique et ses Applications Presented by Khaled Gaaloul.
Introduction to Active Directory
GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.
Ocean Observatories Initiative OOI Cyberinfrastructure Life Cycle Objectives Milestone Review, Release 1 San Diego, CA February 23-25, 2010.
1 Active Directory Service in Windows 2000 Li Yang SID: November 2000.
XACML Showcase RSA Conference What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation logic n.
Sponsored by the National Science Foundation GENI Cloud Security GENI Engineering Conference 12 Kansas City, MO Stephen Schwab University of Southern California.
An Architecture-Centric Approach for Software Engineering with Situated Multiagent Systems PhD Defense Danny Weyns Katholieke Universiteit Leuven October.
Ocean Observatories Initiative Common Operating Infrastructure (COI) Overview Michael Meisinger, Munindar Singh September 29, 2009.
Models of the OASIS SOA Reference Architecture Foundation Ken Laskey Chair, SOA Reference Model Technical Committee 20 March 2013.
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.
Data Grids, Digital Libraries and Persistent Archives: An Integrated Approach to Publishing, Sharing and Archiving Data. Written By: R. Moore, A. Rajasekar,
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
File Systems and Databases
Presentation transcript:

Information Sciences Institute Internet and Networked Systems Managing Security Policies for Federated Cyberinfrastructure Stephen Schwab, John Wroclawski USC Information Sciences Institute Aug 27-28, 2014

Information Sciences Institute Internet and Networked Systems Outline Motivation: Security Policy Issues for Federated Cyber Infrastructure Technology: Attribute Based Access Control Experience: DETER and GENI Current Focus: User Interface Tools and Community-centric Policy Metaphors

Information Sciences Institute Internet and Networked Systems Properties of Federated Cyberinfrastructure Flexible dynamic set of participating organizations and facilities Sustainable evolves over various timescales Brings resources of both similar and disparate types… together for ephemeral duration… to accomplish a specific function or purpose.

Information Sciences Institute Internet and Networked Systems What do we mean by Federated Cyberinfrastructure? GENI Federation GENI Federation Oversight GENI Meta-Operations GENI Clearinghouse GENI I&M and Other Services Operations Policies & Procedures Clearinghouse Policies & Procedures I&M, other services Policies ProtoGENI PlanetLab Orca/Ben … Aggregate Provider Agreements Resources Project Leader Experimenter Slices GENI Responsible Use Policy Identity Portal Agreements Identity Portal Credentials

Information Sciences Institute Internet and Networked Systems What security problems are we solving? 1. Policy Structure and Vocabulary  Ability to Express Interesting Policies  Basic Constructs: Hierarchy, Roles, Delegation, Groups, etc.  Reflections of Organizational Structure  Mirrors the organizational complexities and interactions of inherent complexity arising in large-scale scientific endeavors and projects  Vocabulary  Terminology defined by and meaningful in the context of individuals, projects, research communities and institutions  Different vocabularies or extensions used by different sub-communities

Information Sciences Institute Internet and Networked Systems What security problems are we solving? 2. Federated Facilities retain Local Control Definition: Federation – an organization or group within which smaller divisions have some degree of internal autonomy. Policy rules are defined locally Policies may inherit, share, reuse or adapt global rules Federations may require compliance with some aspects of their overall federation policy

Information Sciences Institute Internet and Networked Systems What security problems are we solving? 3. Auditability and Formal Verification Every decision should be accountable, leaving a record that is: Transparent: Access is Granted or Denied based upon a definitive set of policy assertions and trusted facts. Auditable: Operators, Policy Makers, Security Authorities, and 3 rd Parties may examine logs to determine why a specific decision (access granted or denied) was made. Changes to policy may be reviewed (formally, in advance) to ensure compliance with organizational objectives or external commitments.

Information Sciences Institute Internet and Networked Systems What security problems are we solving? 4. Selective Exposure of Policy Security Attributes and Policies may reveal sensitive information about individuals or organizations Limiting sharing of attributes and policy rules through selective revelation enables disclosure only when appropriate Policies govern exposure: when, with whom, and under what circumstances attributes and policy relevant information may be exchanged

Information Sciences Institute Internet and Networked Systems Technology: Simple Authorization Credentials Policy Researcher Identity Can I get what I need? Resource Provider Applying policy answers these questions. This policy can be simple or ad hoc, but… Enforcement mechanisms are tightly integrated Policy checks depend on implicit state Resources Can I let him have it?

Information Sciences Institute Internet and Networked Systems ABAC Prover Technology: Attribute Based Access Control ABAC Rules (Formal Policy Encoded in Credentials) ABAC Attributes & ABAC Rules (Encoded in Credentials) Researcher Identity ABAC cleanly separates and defines policy and enforcement Attributes and Inference Rules: signed, stored, forwarded Enforcement Checks make Explicit Use of information Resource Provider Resources Request

Information Sciences Institute Internet and Networked Systems What is ABAC? An effort to realize attribute based authorization for trust management in a packaged deployable system Theoretical roots in trust logic and formal semantics Attribute-Based Access Control investigated under a string of collaborative research projects (DARPA, NSF) with academic and industry collaborators Li, Mitchell, Winsborough. “Design of a Role-Based Trust Management System”, IEEE S&P Refinement and subsequent research culminating in current practical and portable implementation NSF GENI and DHS DETER sponsorship Libabac software distribution

Information Sciences Institute Internet and Networked Systems ABAC Capabilities – Current capabilities in the latest release – Formal Expressive Attribute Logic – Expresses authorization policy – Used to make authorization decisions – Local authorities (``relying parties’’) use a combination of their own assertions (policy) and received assertions (policy and trusted facts) to grant or deny a request – Records reasoning of decisions Success: auditable record of decision process Failure: tells why not, suggests path to success Command line and common language bindings X.509 and XML credential formats Source, binaries, documentation:

Information Sciences Institute Internet and Networked Systems Experience DETER Federation Daemon Examples: ProtoGENI, Starbed (Japan), Oscars (I2 Provisioning), Desktop Federation Gateway (Any Researcher) GENI Security Policy for Distributed (Federated) Collection of Resources

Information Sciences Institute Internet and Networked Systems DETER Federation Use Case

Information Sciences Institute Internet and Networked Systems GENI Use Case Delegation and the ``SpeaksFor’’ credential GENI Authorization must reflect the emerging needs of the research community Key point: Simple authorization schemes became unwieldy because these approaches do NOT reflect the pattern of use crucial to the GENI project

Information Sciences Institute Internet and Networked Systems Lessons Learned Based on DETER and GENI experience Importance of Software fitting into eco-system (build process, library dependencies, range of programming language bindings) Recognizing requirements and serving the needs of the stakeholders

Information Sciences Institute Internet and Networked Systems Current Focus Fundamental Software Performing as Discussed Current Task: Accessibility for Non-Security Experts User Interface Tools and Human Factors Reflect to Community of Users Community-centric Language and Policy Metaphors Adapt the Tools to the Humans Vocabularies Policy Concepts and Tools for Tailored Vocabularies Extensible and serving a specific domain or community

Information Sciences Institute Internet and Networked Systems Questions ?

Information Sciences Institute Internet and Networked Systems Backup

Information Sciences Institute Internet and Networked Systems Why Different Policies? Resources Legal Reasons Resources Unique resource model Resources Side Agreements Resource Owners and Operators want Researchers to use their Facilities Need a Basis for Analyzing and Creating Many Policies

Information Sciences Institute Internet and Networked Systems Can I get what I need? What features do these policies have? How do I use them? Are these policies compatible? More Users and More Servers, More Questions

Information Sciences Institute Internet and Networked Systems ABAC Principals Slice Authority TIED Administrator GPO Certifier Service Request Researcher Establishes Policy Attests facts

Information Sciences Institute Internet and Networked Systems Attested Attributes Principals attest attributes about principals – Principal has attribute ↔ Principal in set – ABAC syntax: Q.admin ← P Each Principal Defines An Attribute Space – P.admin differs from Q.admin – Each Principal Controls Its Attribute Space Attributes can have parameters – Q.owner(chevy) Attribute name: Principal.Role

Information Sciences Institute Internet and Networked Systems Rules to Derive Attributes Direct connection – Q says “P assigns Q.friend by assigning P.friend” “P's friends are Q's friends” Controlling Principal (Q) Delegates to a Principal – ABAC syntax: Q.friend ← P.friend Indirect connection – Q says “anyone with P.friend can assign Q.friend by assigning friend in their namespace” “Friends of P's friends are Q's friends” Controlling Principal (Q) Delegates to a set of principals – ABAC syntax: Q.friend ← (P.friend).friend

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.