Secure Virtual Enclaves
February 4, 2000
Deborah Shands, Richard Yee, Jay Jacobs, E. John Sebes


1 Secure Virtual Enclaves
February 4, 2000
Deborah Shands, Richard Yee, Jay Jacobs, E. John Sebes

2 Outline
- Project Overview
- SVE Architecture
- Observations
- Results/Conclusions

3 Coalition Examples
- Commercial: outsourcing, contractors, or customers needing limited access to corporate data
- Civilian: disaster/incident response teams and crisis management
- Military: joint task forces engaged in distributed collaborative planning

4 SVE Project Goals
- Support collaborative computing
- Provide mechanisms to control sharing
- Enable unified approach to multiple distributed application technologies (e.g., Java, DCOM, web apps)
- Support dynamic access policies, allowing changes to: SVE membership, resources to be shared, and access types permitted

5 SVE Project Constraints
- Ensure application transparency
- Retain organizational autonomy over local resources
- Use only standard network protocols
- Use only commercially available operating systems

6 Concept of Operation
[Diagram: enclaveA.com and enclaveB.com, with a "STOP" label. Legend: services in SVE; services partly in SVE; services not in SVE; principals in SVE; principals not in SVE.]

7 SVE Concept of Operation
- Virtual enclave: formed by collaborators sharing resources and services
  – Enclaves define limited trust relationships with one another
  – Each enclave specifies internal resources accessible to partners
- Secure virtual enclave: each enclave's exports are
  – Protected from access by non-SVE members
  – Available to SVE members as specified by access policy
- Dynamic modification: automatic reconfiguration due to changes in SVE membership, resources, access policy

8 Outline
- Project Overview
- SVE Architecture
- Observations
- Results/Conclusions

9 Client-Server Architecture
[Diagram labels: Enclave A, Enclave B, Client, Server, SVE Interceptor/Enforcer, Gateway.]

10 SVE Infrastructure Architecture
[Diagram: Enclave A and Enclave B are each drawn with a SPEX Controller, Access Calculators, a SPEX Admin GUI, a Policy GUI and Interceptor/Enforcers. Additional label: SVE Control Messages.]

11 SVE Policy Semantics
- Current SVE policy semantics are very similar to Object-Oriented Domain and Type Enforcement (OODTE)
- Principals are mapped to a domain equivalence class using a set of domain derivation rules
- Resources are mapped to a type equivalence class
- Access matrix is formed by associating a set of types with a given domain
- Principal recognition rules are domain derivation rules that are published by an SVE member to allow its principals to be recognized by other SVE members
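
The domain/type decision described on this slide can be sketched as follows. This is an added example, not code from the SVE prototype: the class and function names, the rule formats (attribute-to-domain pairs, resource-prefix-to-type pairs), the sample domains, types and paths, and the way withdrawal is modelled are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    name: str
    enclave: str      # enclave the principal belongs to
    attrs: frozenset  # attributes asserted by that enclave, e.g. roles

@dataclass
class AccessCalculator:
    # enclave -> [(attribute, domain)]; a partner enclave's entries stand
    # for the principal recognition rules that partner published
    derivation_rules: dict = field(default_factory=dict)
    type_rules: list = field(default_factory=list)  # [(resource prefix, type)]
    matrix: dict = field(default_factory=dict)      # domain -> {type: access types}

    def domain_of(self, p):
        for attr, domain in self.derivation_rules.get(p.enclave, []):
            if attr in p.attrs:
                return domain
        return None  # no rule matched: the principal is not recognized

    def type_of(self, resource):
        hits = [r for r in self.type_rules if resource.startswith(r[0])]
        # the longest matching prefix decides the type
        return max(hits, key=lambda r: len(r[0]))[1] if hits else None

    def permits(self, p, resource, access):
        domain, rtype = self.domain_of(p), self.type_of(resource)
        if domain is None or rtype is None:
            return False  # default deny for unmapped principals or resources
        return access in self.matrix.get(domain, {}).get(rtype, set())

    def withdraw(self, enclave):
        # assumed model of a membership change: drop that enclave's rules
        self.derivation_rules.pop(enclave, None)

def build_enclave_a():
    """Constructed sample policy for enclaveA.com's local calculator."""
    calc = AccessCalculator()
    calc.derivation_rules["enclaveA.com"] = [("manager", "a_staff")]
    calc.derivation_rules["enclaveB.com"] = [("manager", "partner_planner")]
    calc.type_rules = [("/plans/", "shared_plan"),
                       ("/plans/internal/", "local_only")]
    calc.matrix = {
        "a_staff": {"shared_plan": {"read", "write"},
                    "local_only": {"read", "write"}},
        "partner_planner": {"shared_plan": {"read"}},
    }
    return calc
```

In this sample policy the same "manager" attribute yields a different domain depending on which enclave asserts it, so the local access matrix, not the partner's role name, determines what is granted.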

12 Outline
- Project Overview
- SVE Architecture
- Observations
- Results/Conclusions

13 Enclave Autonomy
- Organizations require a certain level of autonomy
- Autonomy is a difficult requirement for distributed security systems
- SVE system supports autonomy
- Most components of access policy used only within the local enclave
- An enclave may unilaterally withdraw from an SVE at any time
- Need to balance autonomy and collaboration requirements via business decisions

14 Ambiguous Policy Semantics
- Meaning of policy statements known only within defining enclave (e.g., “manager” role)
- How to prevent misunderstandings as coalitions are formed?
- Establish semantics offline
- Represent and negotiate semantics within system

15 Outline
- Project Overview
- SVE Architecture
- Observations
- Results/Conclusions

16 SVE Prototype Results
- Supports coalition sharing
- Supports dynamic changes to both coalition membership and resource access policies
- Supports enclave autonomy
- Provides experimental platform for studying security policies for distributed systems
