Trust and Security for Next Generation Grids (www.gridtrust.eu). Implementing UCON with XACML for Grid Services. Bruno Crispo, Vrije Universiteit Amsterdam.


Implementing UCON with XACML for Grid Services. Bruno Crispo, Vrije Universiteit Amsterdam. OGF-25 Tutorial.

Table of Contents
- UCON in GridTrust
- eXtensible Access Control Markup Language (XACML): Language; Run-time Support
- How we implemented it in GridTrust
- Limitations and Extensions: Multilateralism; Performance

From Access Control to Usage Control (access control model, diagram): Subjects, Objects, Rights; Usage Decision based on Authorizations and Conditions.

From Access Control to Usage Control (usage control model, diagram): Subjects, Objects, Attributes, Rights; Usage Decision based on Authorizations, oBligations and Conditions.

Policies Examples: Access Control policies
- Silver Users can use the service from 8:00 am till 8:00 pm
- Managers can read and write Purchase Orders of the whole Sales Department, while Accountants can only write their own P.O.
- Users from Server A can run any experiment that uses at most 10 GB of disk and 1 GB of RAM

Policies Examples: Usage Control policies
- Silver Users can use the service only 5 times from 8:00 am till 8:00 pm [History based]
- The SendOrder Service can be invoked only after the Log Service has been successfully invoked [Workflow based]
- All mails sent outside the company must be encrypted [Obligations]
- All data related to a customer must be deleted when its account is deleted [Obligations]
- Users from Server A can run any experiment that uses at most 10 GB of disk and 1 GB of RAM [Continuous monitoring]

Policies Examples: DRM policies
- (Pay Per Use) The cost to see this movie is $4.00
- (Metered Payment) The cost to see this movie is 1¢/minute
- (Play n times) You can see this movie at most 10 times

GridTrust Model

Components (diagram): users, PKI, service providers, and the GridTrust Services: TRS, SRB, VBE Manager, C-UCON, ENFORCER, VO Library.

Virtual Breeding Environment (diagram): VBE Manager, PKI.

User & SP Registration to a VBE (diagram: VBE Manager, PKI, SRB). A Virtual Breeding Environment is formed by users and different types of services. A VBE manager regulates the subscription of services and users to the VBE.

VO: Virtual Organizations (diagram: VBE Manager, PKI, VO Manager, SRB). Any user (VO Owner) may initiate the process of creating a VO by looking for the service providers she needs.

VO: Virtual Organizations (diagram: VBE Manager, PKI, VO Manager, VO, SRB). The search and join is driven by service functionality and by security policy: UCON policies, at this level written using XACML. The SRB is the Service Resource Broker that implements a match-maker for XACML policies.

SRB: Secure Resource Broker Service
- Service to match the security policy required by the VO with the policies exposed by service providers
- Supports XACML as a policy language
- Supports policy integration algorithms

VO: Virtual Organizations (diagram: C-UCON, VBE Manager, PKI, VO Manager, VO, SRB). Users can register to use the VO. The registration also considers the security policies of both the VO and the User. C-UCON: support for UCON policies.

- A component used by the VO; optionally it can also be a third party service
- Implements UCON policy at VO level, e.g. Service 1 can be invoked only after Service 2 has been invoked

VO Usage (diagram): VO user, Application, VO ENFORCER, Service1, Service2, Service3, inside the Virtual Breeding Environment.

eXtensible Access Control Markup Language (XACML)
- XML based access control language
- Simple syntax, strong expressivity
- OASIS standard
- Widely adopted both in industry and academia
- Many implementations (both open source and proprietary)

XACML History
- First Meeting: 21 May 2001
- Requirements from: Healthcare, DRM, Online Web, XML Docs, Fed Gov, Workflow...
- XACML OASIS Standard: 6 February 2003
- XACML 1.1 Committee Specification: 7 August 2003
- XACML 2.0: approved February 2005
- XACML 3.0 Core Specification: under review

Goals
- Define a core XML schema for representing authorization and entitlement policies
- Target: any object, referenced using XML
- Fine grained access control
- Consistent with and building upon SAML

XACML Key Aspects
- General-purpose authorization policy model and XML-based specification language
- Input/output to the XACML policy processor is clearly defined as the XACML context data structure
- Extension points: function, identifier, data type, rule-combining algorithm, policy-combining algorithm, etc.
- A policy consists of multiple rules
- A set of policies is combined by a higher level policy (PolicySet element)

XACML Syntax

XACML Example (policy fragment; only the attribute values survived extraction): resource = VideoServer, action = login, effect = Permit, condition = time > 08h00 and < 17h00, subjects = UsersRegs, rule combining algorithm = Deny-Overrides, Multimedia (policy or resource category). Meaning: the user can login on a Video Server in the period between 08:00 AM and 05:00 PM.

XACML Schemas
- Policy Schema: PolicySet (combining algorithm) contains Policy* (combining algorithm), which contains Rule* (Effect). A Target is made of Subject*, Resource*, Action*, Environment. A Rule has an Effect and a Condition. Obligation*.
- Request Schema: Request: Subject, Resource, Action.
- Response Schema: Response: Decision: Permit, Permit w/ Obligations, Deny, N/A (NotApplicable), Indeterminate.

XACML Combination Algorithms
- Both at policy level and at rule level
- Used to compute the decision result in case of policies/rules with conflicting effects
- Example: two rules, rule1 and rule2, both apply to a request from John but have conflicting effects. With Permit-Override John can access; with Deny-Override John can't.

XACML Combination Algorithms: expected behaviour
- Deny-Override: a policy is denied if a rule is encountered whose effect is DENY
- Permit-Override: a policy is permitted if a rule is encountered whose effect is PERMIT
- First-one-applicable: the combined result is the same as the result of the first rule that applies
- Only-one-applicable: the combined result corresponds to the result of the unique rule that applies to the request
Similarly for policies (policy-combining algorithms).
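The following is an added example, not code from the slides or from GridTrust: a minimal rule evaluator with the four rule-combining algorithms described above, exercised on the video-server login policy (registered users, 08:00 to 17:00) and on the "John" case of two rules with conflicting effects. The request layout, attribute names and the simplified ordering of Indeterminate inside Deny-Overrides and Permit-Overrides are assumptions for the example; the XACML specification treats Indeterminate in more detail.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# XACML decision vocabulary
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Constructed simplification of the XACML request context: subject, resource, action and
# environment attributes flattened into one dict
Request = Dict[str, str]


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # PERMIT or DENY
    target: Callable[[Request], bool]             # does the rule apply to this request at all?
    condition: Callable[[Request], bool] = lambda r: True  # extra predicate on attribute values

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except (KeyError, ValueError, TypeError):
            return INDETERMINATE  # missing or malformed attribute: the rule cannot be evaluated


def deny_overrides(results: List[str]) -> str:
    """One Deny wins; an Indeterminate blocks a Permit (conservative, simplified ordering)."""
    for decision in (DENY, INDETERMINATE, PERMIT):
        if decision in results:
            return decision
    return NOT_APPLICABLE


def permit_overrides(results: List[str]) -> str:
    """One Permit wins; otherwise Indeterminate, then Deny (simplified ordering)."""
    for decision in (PERMIT, INDETERMINATE, DENY):
        if decision in results:
            return decision
    return NOT_APPLICABLE


def first_applicable(results: List[str]) -> str:
    """The result of the first rule, in document order, that is not NotApplicable."""
    for decision in results:
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE


def only_one_applicable(results: List[str]) -> str:
    """Exactly one rule may apply; more than one applicable rule is an error (Indeterminate)."""
    applicable = [d for d in results if d != NOT_APPLICABLE]
    if not applicable:
        return NOT_APPLICABLE
    if len(applicable) > 1:
        return INDETERMINATE
    return applicable[0]


def evaluate_policy(rules: List[Rule], req: Request, combine: Callable[[List[str]], str]) -> str:
    """Evaluate every rule of the policy and combine the per-rule results."""
    return combine([rule.evaluate(req) for rule in rules])


# The slide's example: registered users may log in to the video server between 08:00 and 17:00
VIDEO_POLICY = [
    Rule("video-login", PERMIT,
         target=lambda r: (r["resource"] == "VideoServer" and r["action"] == "login"
                           and r["subject-group"] == "UsersRegs"),
         condition=lambda r: 8 <= int(r["hour"]) < 17),
]

# Two rules with conflicting effects for the same subject (the "John" example)
JOHN_POLICY = [
    Rule("rule1", PERMIT, target=lambda r: r["subject"] == "John"),
    Rule("rule2", DENY, target=lambda r: r["subject"] == "John"),
]


def decide_video_login(hour) -> str:
    """Decision for a registered user logging in to VideoServer at the given hour (Deny-Overrides)."""
    req = {"subject": "alice", "subject-group": "UsersRegs", "resource": "VideoServer",
           "action": "login", "hour": hour}
    return evaluate_policy(VIDEO_POLICY, req, deny_overrides)


def decide_john(combine: Callable[[List[str]], str]) -> str:
    """John's request under a chosen rule-combining algorithm."""
    return evaluate_policy(JOHN_POLICY, {"subject": "John", "resource": "file", "action": "read"}, combine)


if __name__ == "__main__":
    print("video login at 09:00:", decide_video_login("9"))
    print("video login at 20:00:", decide_video_login("20"))
    for algorithm in (permit_overrides, deny_overrides, first_applicable, only_one_applicable):
        print(f"John under {algorithm.__name__}:", decide_john(algorithm))
```

Note that a malformed or missing environment attribute yields Indeterminate rather than Permit, and that a PEP should treat anything other than Permit as a refusal.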

Problem: Policy Integration
- If the VO can always impose its policy, combination algorithms are enough: simple, but not very flexible
- We want to increase flexibility, to increase the chances that a service provider can join the VO
- Then we cannot impose, but we need to integrate VO and service provider policies; thus combination algorithms are not enough

Example
- VO Policy: Any user with an address in the .edu or the .gov domains can read any file. However, no access is allowed from 8am till 12am. [Deny-Override]
- SP policy: Any user with an address in the .edu domain can perform any action on any resource. HP users can read any files from 8am till 10am. However, requests received between 8am till 6pm are denied. [Permit-Override]
Which combination algorithm to apply?

(Same VO and SP policies as on the previous slide.) If Deny-Override: HP users cannot read files from 8am till 10am.

(Same VO and SP policies.) If Permit-Override: the VO may not be happy that HP users and the .edu domain can violate its policy.

Proposed integration algorithms. Stakeholders specify combination algorithms and also which compromise they are willing to accept if they offer their service to a VO.
- Step 1: Normalize policy (First-one-applicable)
- Step 2: Compute policy similarity
- Step 3: Specify integration preferences

Policy similarity. Rule similarity types (R_i compared with R_j) and the corresponding authorized request sets:
- R_i Converges R_j: R_i = R_j
- R_i Diverges R_j: the two authorized request sets have no request in common
- R_i Restricts R_j: the requests authorized by R_i are a subset of those authorized by R_j
- R_i Extends R_j: the requests authorized by R_i are a superset of those authorized by R_j
- R_i Shuffles R_j: the sets overlap, but neither contains the other
(The original slide shows these as Venn diagrams of R_i and R_j.)

Policy Integration Preferences
VO point of view:
- Converge Override: VO enforces only its unchanged policy
- Restrict Override: VO enforces also SP policies that do not deny its
- Deny Override: VO enforces also SP policies; a request is permitted only if all permit it
- Permit Override: VO enforces also SP policies; a request is permitted if at least one permits it
SP point of view:
- Restrict Override: SP accepts that only a subset of its accepted requests will be accepted by the VO
- Extend Override: SP accepts that requests it doesn't accept will be accepted by the VO
- Converge Override: SP demands that its unchanged policy is enforced by the VO

Policy Integration Preferences: for each pair of VO preference (rows) and SP preference (columns), the similarity types between the two policies for which the pair is compatible:

VO \ SP           | Restrict Override                   | Extend Override                              | Converge Override
Converge Override | Converge, Extend                    | Converge, Restrict                           | Converge
Restrict Override | Converge, Restrict                  | Converge, Restrict                           | Converge, Restrict
Deny Override     | Converge, Restrict, Extend, Shuffle | Converge, Restrict                           | Converge, Restrict
Permit Override   | Converge, Extend                    | Converge, Restrict, Extend, Shuffle, Diverge | Converge, Extend
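The following is an added example, not code from the slides or from GridTrust. It carries the three integration steps above (normalisation to authorized request sets, similarity classification, VO and SP preferences) through the VO/SP policy example from the earlier slides, using a small constructed request space of (domain, HP user or not, action, hour). The reading of "8am till 12am" as 08:00 to 12:00, the set-based interpretation of the five similarity types and of the Deny/Permit/Converge Override preferences, and all names are assumptions of the example.

```python
from itertools import product
from typing import Callable, FrozenSet, Tuple

# A request is (e-mail domain, is_hp_user, action, hour). The finite request space is constructed
# so that each policy's authorized request set can be enumerated exhaustively.
Request = Tuple[str, bool, str, int]
DOMAINS, ACTIONS, HOURS = ("edu", "gov", "com"), ("read", "write"), range(24)
REQUEST_SPACE = [(d, hp, a, h) for d, hp, a, h in product(DOMAINS, (True, False), ACTIONS, HOURS)]


def vo_policy(req: Request) -> str:
    """VO policy [Deny-Override]: .edu/.gov users may read any file; no access 08:00-12:00."""
    domain, _, action, hour = req
    effects = []
    if domain in ("edu", "gov") and action == "read":
        effects.append("Permit")
    if 8 <= hour < 12:              # "8am till 12am" read as 08:00-12:00 (assumption)
        effects.append("Deny")
    return "Deny" if "Deny" in effects else ("Permit" if effects else "NotApplicable")


def sp_policy(req: Request) -> str:
    """SP policy [Permit-Override]: .edu users may do anything; HP users may read 08:00-10:00;
    requests between 08:00 and 18:00 are denied."""
    domain, is_hp, action, hour = req
    effects = []
    if domain == "edu":
        effects.append("Permit")
    if is_hp and action == "read" and 8 <= hour < 10:
        effects.append("Permit")
    if 8 <= hour < 18:
        effects.append("Deny")
    return "Permit" if "Permit" in effects else ("Deny" if effects else "NotApplicable")


def authorized_set(policy: Callable[[Request], str]) -> FrozenSet[Request]:
    """Step 1: a policy normalised to the set of requests it permits."""
    return frozenset(r for r in REQUEST_SPACE if policy(r) == "Permit")


def similarity(r_i: FrozenSet, r_j: FrozenSet) -> str:
    """Step 2: classify R_i against R_j with the five similarity types."""
    if r_i == r_j:
        return "Converges"
    if not (r_i & r_j):
        return "Diverges"
    if r_i < r_j:
        return "Restricts"          # proper subset
    if r_i > r_j:
        return "Extends"            # proper superset
    return "Shuffles"               # overlap, neither contains the other


def integrate(vo: FrozenSet, sp: FrozenSet, vo_preference: str) -> FrozenSet:
    """Step 3, VO side: the request set the VO enforces under its stated preference."""
    if vo_preference == "Converge Override":
        return vo                   # VO enforces only its unchanged policy
    if vo_preference == "Deny Override":
        return vo & sp              # permitted only if all policies permit
    if vo_preference == "Permit Override":
        return vo | sp              # permitted if at least one policy permits
    raise ValueError(f"unsupported VO preference: {vo_preference}")


def sp_accepts(result: FrozenSet, sp: FrozenSet, sp_preference: str) -> bool:
    """Step 3, SP side: does the integrated set respect the compromise the SP accepts?"""
    if sp_preference == "Restrict Override":
        return result <= sp         # only a subset of the SP's requests gets through
    if sp_preference == "Extend Override":
        return result >= sp         # requests the SP does not accept may get through
    if sp_preference == "Converge Override":
        return result == sp         # the SP demands its unchanged policy
    raise ValueError(f"unsupported SP preference: {sp_preference}")


VO_SET, SP_SET = authorized_set(vo_policy), authorized_set(sp_policy)
HP_EDU_READ_AT_9: Request = ("edu", True, "read", 9)

if __name__ == "__main__":
    print("SP policy relative to VO policy:", similarity(SP_SET, VO_SET))
    for pref in ("Deny Override", "Permit Override"):
        allowed = HP_EDU_READ_AT_9 in integrate(VO_SET, SP_SET, pref)
        print(f"{pref}: HP .edu user reading at 09:00 ->", "permitted" if allowed else "not permitted")
```

Under Deny Override the HP user's 09:00 read is refused, as the slide states; under Permit Override it is allowed, and so is a .edu write at 14:00 that the VO never permits. The SP-side check reproduces the preference table: the Deny Override result is a subset of the SP's set, so an SP that chose Restrict Override accepts it, while an SP that chose Extend Override does not.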

XACML Runtime Support
- The Policy Administration Point (PAP) stores XACML policies in the appropriate repository.
- The Policy Enforcement Point (PEP) performs access control by making decision requests and enforcing authorization decisions.
- The Policy Information Point (PIP) serves as the source of attribute values, or the data required for policy evaluation.
- The Policy Decision Point (PDP) evaluates the applicable policy and renders an authorization decision.
Note: the PEP and PDP might both be contained within the same application, or might be distributed across different servers.

Evaluation Workflow (diagram). Components: VO User, PEP (DKM), Context Handler, PDP, PAP, PIP with Subjects, Resources and Environment Attribute Managers, Obligations service. Numbered steps: 1. policy; 2. service invocation; 3. request; 4. request notification; 5. attribute query; 6. attribute query; 7a. subject attributes; 7b. resource attributes; 7c. environment attributes; 8. attributes; 9. resource; 10. attributes; 11. response context; 12. response.
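The following is an added example, not code from the slides or from GridTrust, illustrating the runtime components and the evaluation workflow just described: a PAP holding the rules, a PIP answering attribute queries, a PDP rendering a decision with obligations (and, as the Enforcer slide later describes, naming the rule that caused a denial), and a PEP that builds the request context, enforces the decision and discharges obligations before granting access. The attribute stores, rule ids, the "audit-log" obligation and the fail-closed handling are assumptions of the example.

```python
from typing import Callable, Dict, List

# Constructed attribute stores standing in for the PIP's subject and resource attribute managers
SUBJECT_ATTRIBUTES = {"alice": {"group": "UsersRegs"}, "mallory": {"group": "Guests"}}
RESOURCE_ATTRIBUTES = {"VideoServer": {"category": "Multimedia"}}


class PIP:
    """Policy Information Point: source of attribute values (workflow steps 5 to 8)."""
    def __init__(self, hour: int):
        self.hour = hour   # environment attribute, fixed per instance so the flow is testable

    def attributes(self, subject: str, resource: str) -> Dict[str, Dict]:
        return {"subject": SUBJECT_ATTRIBUTES.get(subject, {}),
                "resource": RESOURCE_ATTRIBUTES.get(resource, {}),
                "environment": {"hour": self.hour}}


class PAP:
    """Policy Administration Point: the repository the PDP loads its rules from (step 1)."""
    def __init__(self):
        self.rules: List[Dict] = []

    def add_rule(self, rule_id: str, effect: str, applies: Callable[[Dict], bool], obligations=()):
        self.rules.append({"id": rule_id, "effect": effect, "applies": applies,
                           "obligations": list(obligations)})


class PDP:
    """Policy Decision Point: Deny-Overrides over the PAP's rules; a denial names its rule."""
    def __init__(self, pap: PAP):
        self.pap = pap

    def decide(self, context: Dict) -> Dict:
        applicable = [r for r in self.pap.rules if r["applies"](context)]
        denies = [r for r in applicable if r["effect"] == "Deny"]
        permits = [r for r in applicable if r["effect"] == "Permit"]
        if denies:
            return {"decision": "Deny", "rule": denies[0]["id"], "obligations": []}
        if permits:   # Permit with the obligations of every permitting rule attached
            return {"decision": "Permit", "rule": permits[0]["id"],
                    "obligations": [o for r in permits for o in r["obligations"]]}
        return {"decision": "NotApplicable", "rule": None, "obligations": []}


class PEP:
    """Policy Enforcement Point (with the context handler role): anything other than a Permit
    whose obligations were all discharged is refused."""
    def __init__(self, pdp: PDP, pip: PIP):
        self.pdp, self.pip = pdp, pip
        self.obligations_service: Dict[str, Callable[[Dict], bool]] = {}
        self.audit: List[str] = []

    def enforce(self, subject: str, resource: str, action: str) -> Dict:
        context = {"subject-id": subject, "resource-id": resource, "action": action,
                   "attributes": self.pip.attributes(subject, resource)}   # steps 4 to 10
        response = self.pdp.decide(context)                                  # steps 3 and 12
        discharged = []
        if response["decision"] == "Permit":
            for obligation in response["obligations"]:
                handler = self.obligations_service.get(obligation)
                if handler is None or not handler(context):   # unknown or failed obligation
                    return {"allowed": False, "decision": "Deny", "rule": response["rule"],
                            "obligations": discharged}
                discharged.append(obligation)
        return {"allowed": response["decision"] == "Permit", "decision": response["decision"],
                "rule": response["rule"], "obligations": discharged}


def build_enforcer(hour: int) -> PEP:
    """Wire PAP, PDP, PIP and PEP for the video-server login policy at a given hour."""
    pap = PAP()
    pap.add_rule("video-login", "Permit",
                 applies=lambda c: (c["action"] == "login"
                                    and c["attributes"]["subject"].get("group") == "UsersRegs"
                                    and c["attributes"]["resource"].get("category") == "Multimedia"
                                    and 8 <= c["attributes"]["environment"]["hour"] < 17),
                 obligations=["audit-log"])
    pap.add_rule("outside-hours", "Deny",
                 applies=lambda c: not (8 <= c["attributes"]["environment"]["hour"] < 17))
    pep = PEP(PDP(pap), PIP(hour))

    def audit_log(context: Dict) -> bool:   # the obligations service, recording the access
        pep.audit.append(f"{context['subject-id']} {context['action']} {context['resource-id']}")
        return True

    pep.obligations_service["audit-log"] = audit_log
    return pep


if __name__ == "__main__":
    for hour, user in ((9, "alice"), (20, "alice"), (9, "mallory")):
        print(hour, user, build_enforcer(hour).enforce(user, "VideoServer", "login"))
```

A NotApplicable decision (the guest account) is refused exactly like a Deny; the difference between the two is only visible in the decision and rule fields that the PEP can log.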

Our implementation in GridTrust (diagram): VO user, Application, VO ENFORCER with its PEP, Service1, Service2, Service3, inside the Virtual Breeding Environment.

Enforcer
- Extension of the Sun XACML PDP to support UCON at VO service level
- At the moment covers only a subset of the XACML specification
- In case of denial, responds with the rule that caused the deny
- Rollback

Enforcer (Extended PDP). B. Crispo, TNO Groningen. Diagram: the APPLICATION (PEP) asks the Enforcer "Allow?" and receives Yes/No/Delay/Modify/N/A. The Enforcer wraps the PDP with: OAM: Object Attribute Manager; SAM: Subject Attribute Manager; HM: History Manager; CM: Condition Manager; OM: Obligation Manager.

Why is PDP Performance Important? The PDP is critical for the overall performance of the authorization service. With the proliferation of service-oriented applications, S3-like services will face an enormous amount of requests requiring authorization decisions.

PDP Tested: Sun XACML, XACML Enterprise, XACMLight. Two phases have been tested:
- Policy Load: loading of policy/policies from disk to main memory
- Policy Evaluation: request evaluation against loaded policies
Environment: 3.4 GHz Pentium IV CPU, 2 GB RAM, 160 GB Serial ATA (7200 rpm) HDD. JVM heap size: 256 MB.

Policy Test Suite. Three policy test suites (synthetic policies):
- Large Number of Policies: 10, 100, 1000 and XACML policies composed of 4 rules
- Large Number of Rules: 10, 50, 100, 500 and 1000 rules in a single policy
- Policy Similarity: 10 policies with different similarity settings

Large Number of Policies. In enterprise/cross-enterprise systems, with a large number of entities eager to specify access control policies and with shared PDP services. 1 request is evaluated against 10, 100, 1000 and 1000 policies at a time.

Large Number of Policies: Policy Load (chart)

Large Number of Policies (cont.): Policy Evaluation (chart)

Large Number of Rules. A single organization with a large number of users and resources, and a single point of control. 1 request is evaluated against 10 policies with 10, 50, 100, 500, 1000 rules inside.

Large Number of Rules: Policy Load (chart)

Large Number of Rules (cont.): Policy Evaluation (chart)

Ongoing Work
- Extend the enforcement by reaction, extending the obligation
- Integrating security policy match-making with resource allocation/scheduling
- Improve performance acting both on loading time (more efficient policy representation) and evaluation time (more efficient evaluation algorithms)
- Considering continuous monitoring at service level for some specific applications