● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0 ● Scope ● Progress ● Work Done

 Access Right Delegation for Secure Group Information Systems
 In a large enterprise, a security policy has many elements and many points of enforcement. Elements of the policy may be managed by different departments within that enterprise. In Group-centric Secure Information Systems, a common language for expressing security policy makes it easier to share resources among different departments or different enterprises.

In a Group-centric Secure Information System (g-SIS), multiple groups need to collaborate and share each other’s sensitive resources. These groups may use different Access Control Models (ACMs). Communication between different groups is not possible in g-SIS because of this heterogeneous access control environment.

To make communication possible between groups having different ACMs, we have to introduce an intermediate layer, which our system provides, so that the various groups can delegate rights independently of their individual ACMs.

 XACML v3.0 Administration and Delegation Profile Version 1.0
 Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains, David W. Chadwick, Sassa Otenko and Tuan Anh Nguyen (Sep. 2011)
 eXtensible Access Control Markup Language (XACML) Version 3.0 (January 2013)
 User-to-User Delegation in a Federated Identity Environment, Hong Qian Karen Lu, SERVICE COMPUTATION 2011: The Third International Conferences on Advanced Service Computing

 This profile distinguishes XACML 2.0 from XACML 3.0 and discusses the enhancements incorporated in the newer version. It also discusses in detail the dynamic delegation module, the working of the context handler, the formation of the reduction graph, and the decisions taken on the basis of those reductions.
 Techniques for policy validation and backtracking are also discussed.

 This paper discusses a way to add dynamic delegation to an authorization infrastructure containing an XACML 2.0 PDP without changing XACML 2.0 or its policy language. It is concerned with dynamic delegation of authority from one user to another by the use of credentials. One important feature of a credential is that it requires validation before the user can be attributed with the asserted property.
 Problems in adding dynamic delegation to an authorization infrastructure
 Solution: place a Credential Validation Service on the PDP

 Functional Requirements
 “Generate” a delegation policy in XACML format for the requested resource
 “Revoke” delegated rights from users/groups/roles by deleting the previously stored delegation policies
 “Generate” reports showing the activities of delegators and delegatees within the system
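
The reduction graph of the Administration and Delegation Profile, and the “Generate” and “Revoke” operations above, can be shown together in a small model. The following is an added example written for this transcript in Python (the project itself targets Java EE or Spring); it is not the project’s code and not the profile’s normative algorithm. It assumes that a policy is a Python object rather than XACML XML, that a situation is a (subject, resource, action) triple with "*" as wildcard, and that a policy with no issuer is trusted because the PAP wrote it. MaxDelegationDepth, Indeterminate results and the separate permit/deny reductions of the real profile are left out.

```python
# Added example (not from the slides or the KTH-SEECS project): a simplified
# model of the reduction check in the XACML 3.0 Administration and Delegation
# Profile, plus the "generate"/"revoke" operations the requirements list.
# Assumptions: a policy is a Python object rather than XACML XML, a situation
# is a (subject, resource, action) triple with "*" as wildcard, and a policy
# with no issuer is trusted (written by the PAP). MaxDelegationDepth,
# Indeterminate results and separate permit/deny reduction are left out.
from dataclasses import dataclass
from typing import Optional

Situation = tuple[str, str, str]  # (subject, resource, action)


@dataclass(frozen=True)
class Policy:
    policy_id: str
    kind: str                       # "access": grants the situation; "admin": lets `delegate` issue policies for it
    situation: Situation            # what the policy covers; "*" matches anything
    issuer: Optional[str] = None    # None -> trusted, PAP-authored policy
    delegate: Optional[str] = None  # admin policies only: who may issue policies for `situation`


def covers(pattern: Situation, concrete: Situation) -> bool:
    """True if every component of `pattern` equals the concrete one or is "*"."""
    return all(p in ("*", c) for p, c in zip(pattern, concrete))


class DelegationPolicyStore:
    """In-memory stand-in for the policy repository and database of the slides."""

    def __init__(self) -> None:
        self._policies: dict[str, Policy] = {}

    def generate(self, policy: Policy) -> None:
        """Store a delegation policy (the "Generate" functional requirement)."""
        if policy.kind not in ("access", "admin"):
            raise ValueError(f"unknown policy kind {policy.kind!r}")
        if policy.kind == "admin" and policy.delegate is None:
            raise ValueError("an admin policy must name the delegate it authorizes")
        self._policies[policy.policy_id] = policy

    def revoke(self, policy_id: str) -> bool:
        """Delete a stored policy (the "Revoke" requirement); returns False if absent."""
        return self._policies.pop(policy_id, None) is not None

    def is_supported(self, policy: Policy, _seen: frozenset = frozenset()) -> bool:
        """Reduction: walk the graph of admin policies from `policy` back to a trusted root.

        An issued policy is supported only if some supported admin policy names its
        issuer as delegate and covers its situation, so a delegate can never hand out
        more than it was given, and an issuer nobody delegated to is ignored."""
        if policy.issuer is None:
            return True
        if policy.policy_id in _seen:
            return False  # cycle: issued policies vouching for each other prove nothing
        seen = _seen | {policy.policy_id}
        return any(
            admin.kind == "admin"
            and admin.delegate == policy.issuer
            and covers(admin.situation, policy.situation)
            and self.is_supported(admin, seen)
            for admin in self._policies.values()
        )

    def decide(self, subject: str, resource: str, action: str) -> str:
        """PDP view: Permit if a supported access policy covers the request, else NotApplicable."""
        situation = (subject, resource, action)
        for policy in self._policies.values():
            if policy.kind == "access" and covers(policy.situation, situation) and self.is_supported(policy):
                return "Permit"
        return "NotApplicable"


def demo() -> dict[str, str]:
    """Constructed scenario: PAP -> alice -> bob -> carol, plus one issuer nobody delegated to."""
    store = DelegationPolicyStore()
    store.generate(Policy("pap-admin", "admin", ("*", "report-42", "*"), delegate="alice"))
    store.generate(Policy("alice-to-bob", "admin", ("*", "report-42", "read"), issuer="alice", delegate="bob"))
    store.generate(Policy("bob-to-carol", "access", ("carol", "report-42", "read"), issuer="bob"))
    store.generate(Policy("bob-to-carol-write", "access", ("carol", "report-42", "write"), issuer="bob"))
    store.generate(Policy("dave-to-erin", "access", ("erin", "report-42", "read"), issuer="dave"))
    results = {
        "carol_read": store.decide("carol", "report-42", "read"),    # Permit: full chain back to the PAP
        "carol_write": store.decide("carol", "report-42", "write"),  # NotApplicable: alice only delegated read
        "erin_read": store.decide("erin", "report-42", "read"),      # NotApplicable: nobody delegated to dave
    }
    store.revoke("alice-to-bob")                                     # deleting one link breaks the chain
    results["carol_read_after_revoke"] = store.decide("carol", "report-42", "read")
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two properties of the reduction matter for the revocation module: deleting any admin policy in the chain silently invalidates every policy issued below it, so revoking a delegator’s rights does not require hunting down each delegatee’s policy, and a policy issued by someone without an admin policy behind them never contributes to a decision, even though it sits in the same store.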

 Non-Functional Requirements
 Performance requirements:
 Response time: the framework will be able to withstand stress and load-balancing tests that confirm the number of requests the PEP can process at any particular time.
 Decision accuracy: the accuracy of the PDP must be ensured by testing it in different scenarios (data sets) against a number of test cases.
 Security requirements:
 If the PDP is unable to find an applicable policy, it will be reliable enough to respond appropriately to the PEP server so that the PEP can enforce the right decision.
 All policies generated through the PAP will preferably implement the deny-overrides combining algorithm to avoid any unauthorized access.
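
The two security requirements above, a PDP that answers sensibly when no policy applies and policies that combine with deny-overrides, are shown end to end in the following added example. It is written for this transcript in Python and is neither the project’s code nor a complete XACML engine: the element and attribute layout is the XACML 3.0 core one (Policy, Rule, Target/AnyOf/AllOf/Match, AttributeDesignator) and the combining-algorithm and attribute identifiers are the standard URNs, but the `build_policy`/`pdp_decide`/`pep_enforce` functions, the policy contents and the requests are constructed here. Only string-equal matches on subject, resource and action are supported, and the Indeterminate{P}, {D} and {DP} variants of XACML 3.0 are collapsed into one Indeterminate.

```python
# Added example (not from the slides or the project's code): a PAP that emits an
# XACML 3.0 policy using the deny-overrides rule-combining algorithm, a minimal
# PDP that evaluates it, and a deny-biased PEP. Element layout and URNs follow
# the XACML 3.0 core spec; the functions, policy and requests are constructed.
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
# request attribute name -> (XACML attribute category, AttributeId)
ATTRIBUTES = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}
ATTRIBUTE_NAMES = {value: key for key, value in ATTRIBUTES.items()}


def q(tag: str) -> str:
    return f"{{{NS}}}{tag}"


def build_policy(policy_id: str, rules: list[tuple[str, str, dict[str, str]]]) -> str:
    """PAP side: serialize (rule_id, effect, {attr: value}) triples as an XACML 3.0 Policy."""
    ET.register_namespace("xacml", NS)
    policy = ET.Element(q("Policy"), PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId=DENY_OVERRIDES)
    ET.SubElement(policy, q("Target"))  # empty Target: the policy applies to every request
    for rule_id, effect, attrs in rules:
        if effect not in ("Permit", "Deny"):
            raise ValueError(f"invalid Effect {effect!r}")
        rule = ET.SubElement(policy, q("Rule"), RuleId=rule_id, Effect=effect)
        all_of = ET.SubElement(ET.SubElement(ET.SubElement(rule, q("Target")), q("AnyOf")), q("AllOf"))
        for name, value in attrs.items():
            category, attr_id = ATTRIBUTES[name]
            match = ET.SubElement(all_of, q("Match"), MatchId=STRING_EQUAL)
            ET.SubElement(match, q("AttributeValue"), DataType=XS_STRING).text = value
            ET.SubElement(match, q("AttributeDesignator"), Category=category,
                          AttributeId=attr_id, DataType=XS_STRING, MustBePresent="true")
    return ET.tostring(policy, encoding="unicode")


def evaluate_rule(rule: ET.Element, request: dict[str, str]) -> str:
    """One Rule: its Effect if every Match holds, NotApplicable if one fails,
    Indeterminate if a MustBePresent attribute is missing from the request."""
    for match in rule.iter(q("Match")):
        designator = match.find(q("AttributeDesignator"))
        name = ATTRIBUTE_NAMES.get((designator.get("Category"), designator.get("AttributeId")))
        if name is None or name not in request:
            return "Indeterminate"
        if request[name] != match.find(q("AttributeValue")).text:
            return "NotApplicable"
    return rule.get("Effect")


def deny_overrides(decisions: list[str]) -> str:
    """XACML deny-overrides: one Deny wins; an error beats a Permit; nothing applicable -> NotApplicable."""
    if "Deny" in decisions:
        return "Deny"
    if "Indeterminate" in decisions:
        return "Indeterminate"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


def pdp_decide(policy_xml: str, request: dict[str, str]) -> str:
    """PDP side: parse the stored policy XML and combine its rules."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("this mini PDP only implements deny-overrides")
    return deny_overrides([evaluate_rule(rule, request) for rule in policy.findall(q("Rule"))])


def pep_enforce(decision: str) -> bool:
    """Deny-biased PEP: only an explicit Permit grants access; NotApplicable and Indeterminate do not."""
    return decision == "Permit"


def demo() -> dict[str, str]:
    """Constructed policy and requests: carol may read report-42, nobody may write it."""
    policy_xml = build_policy("report-42-delegation", [
        ("permit-carol-read", "Permit", {"subject": "carol", "resource": "report-42", "action": "read"}),
        ("deny-all-write", "Deny", {"resource": "report-42", "action": "write"}),
    ])
    requests = {
        "carol_read": {"subject": "carol", "resource": "report-42", "action": "read"},
        "carol_write": {"subject": "carol", "resource": "report-42", "action": "write"},
        "bob_read": {"subject": "bob", "resource": "report-42", "action": "read"},
        "anonymous_read": {"resource": "report-42", "action": "read"},  # subject attribute missing
    }
    return {name: pdp_decide(policy_xml, req) for name, req in requests.items()}
```

The point for the requirements slide is the split of responsibility: the PDP never invents a Permit when no rule applies (bob_read comes back NotApplicable, anonymous_read Indeterminate), and the PEP turns anything that is not an explicit Permit into a refusal, so a missing policy or a malformed request fails closed rather than open.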

 The quality of the system will be assured via unit testing of the individual components (PDP, PAP and PEP) and system testing of the complete system.
 The system will be available as open source software on the official website of the KTH Applied Information Security Lab.
 This system will be the intellectual property of the Higher Education Commission Pakistan and the National University of Sciences and Technology after it is deployed on the web for public use.
 Well-known MySQL or Oracle databases can be used for policy storage.

 Literature review and initial report submission
 Analysis and selection of development platform (Java EE vs. Spring)
 Analysis and selection of database (MySQL or Oracle)
 Complete Documentation
    Software Requirement Specification
    Software Design Specification
    Comprehensive Final Year Product booklet

 Development
    Responsive interface designing phase
    Basic infrastructure development phase
    OR mapping phase
    Intra-group access rights delegation module development
    Revocation of access rights module development
    Report generation module development
    Inter-group access rights delegation module development (same ACM)
    Inter-group access rights delegation module development (different ACM)

 Comprehensive Testing
    Designing and development of test case scenarios
    Unit testing of individual components (PEP, PDP, PAP)
    Unit testing of the ‘Delegation’, ‘Revocation’ and ‘Report Generation’ modules
    Complete system testing

 An innovative and efficient system that will be user friendly, with desktop integration.
 It will use dynamic delegation to support inter- and intra-group access right delegation. The system will generate the policy and store it as an XML file on a central PR, and the corresponding entries in the database will be updated.

 A well-documented system, making future developments easier
 A system that will provide ease of access right delegation for users