Data and Application Secutiry for Distributed Application Hosting Services

The cost of creating and maintaining software and hardware infrastructures for delivering web services led to a notable trend toward the use of application service providers (ASPs) and, more generally, distributed application hosting services (DAHSs). The emergence of enabling technologies, such as J2EE and .NET, has contributed to the acceleration of this trend. DAHSs rent out Internet presence, computation power, and data storage space to clients with infrastructural needs. Consequently, they are cheap and effective outsourcing solutions for achieving increased service availability and scalability in the face of surges in demand. However, ASPs and DAHSs operate within the complex, multi-tiered, and open Internet environment and, hence, they introduce many security challenges that have to be addressed effectively to convince customers that outsourcing their IT needs is a viable alternative to deploying complex infrastructures locally. In this chapter, we provide an overview of typical This chapter appears in the book, Information Security Policies and Actions in Modern Integrated Systems, edit d by Mariagrazia Fugini and Carl Bellettini. Copyright © 2004, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited. 701 E. Chocolate Avenue, Suite 200, Hershey PA 17033-1240, USA Tel: 717/533-8845; Fax 717/533-8661; URL-http://www.idea-group.com IDEA GROUP PUBLISHING

[1]  W. Alex Gray,et al.  Providing Dynamic Security Control in a Federated Database , 1994, VLDB.

[2]  Michael Gertz,et al.  Authentic Third-party Data Publication , 2000, DBSec.

[3]  Bennet S. Yee A Sanctuary for Mobile Agents , 2001, Secure Internet Programming.

[4]  Moni Naor,et al.  Bit Commitment Using Pseudo-Randomness , 1989, CRYPTO.

[5]  Rafail Ostrovsky,et al.  Replication is not needed: single database, computationally-private information retrieval , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[6]  George C. Necula,et al.  Safe, Untrusted Agents Using Proof-Carrying Code , 1998, Mobile Agents and Security.

[7]  John T. Kohl,et al.  The Kerberos Network Authentication Service (V5 , 2004 .

[8]  Yuval Ishai,et al.  One-way functions are essential for single-server private information retrieval , 1999, STOC '99.

[9]  William Whelan PPP EAP RSA Public Key Authentication Protocol , 1998 .

[10]  Christian F. Tschudin,et al.  Protecting Mobile Agents Against Malicious Hosts , 1998, Mobile Agents and Security.

[11]  Eyal Kushilevitz,et al.  Private information retrieval , 1998, JACM.

[12]  Moti Yung,et al.  An Overview of Secure Distributed Computing , 1992 .

[13]  Elisa Bertino,et al.  Securing XML Documents with Author-X , 2001, IEEE Internet Comput..

[14]  Renato J. O. Figueiredo,et al.  Fine-grain access control for securing shared resources in computational grids , 2002, Proceedings 16th International Parallel and Distributed Processing Symposium.

[15]  Martín Abadi,et al.  On hiding information from an oracle , 1987, STOC '87.

[16]  Steve H. Weingart,et al.  Validating a High-Performance , Programmable Secure Coprocessor , 1999 .

[17]  Anand R. Tripathi,et al.  Security in mobile agent systems , 1998 .

[18]  Gio Wiederhold,et al.  Mediators in the architecture of future information systems , 1992, Computer.

[19]  Gio Wiederhold,et al.  Intelligent integration of information , 1993, SIGMOD Conference.

[20]  Rida A. Bazzi,et al.  Provably secure data hiding and tamper resistance for a simple loop program , 2003, SPIE Defense + Commercial Sensing.

[21]  Sergio Loureiro,et al.  Function hiding based on error correcting codes , 1999 .

[22]  Michael Gertz,et al.  Flexible authentication of XML documents , 2001, CCS '01.

[23]  Elisa Bertino,et al.  Selective and authentic third-party distribution of XML documents , 2004, IEEE Transactions on Knowledge and Data Engineering.

[24]  K. Selçuk Candan,et al.  Hiding Traversal of Tree Structured Data from Untrusted Data Stores , 2003, ISI.

[25]  Ahmed Sameh Mohamed,et al.  Security in mobile agent systems , 2002, Proceedings 2002 Symposium on Applications and the Internet (SAINT 2002).

[26]  Rida A. Bazzi,et al.  Optimally Simulating Crash Failures in a Byzantine Environment , 1991, WDAG.

[27]  Sarit Kraus,et al.  Secure Agents , 2004, Annals of Mathematics and Artificial Intelligence.

[28]  Robbert van Renesse,et al.  Cryptographic support for fault-tolerant distributed computing , 1996, EW 7.

[29]  Joe Kilian,et al.  Founding crytpography on oblivious transfer , 1988, STOC '88.

[30]  Sean W. Smith,et al.  Building a high-performance, programmable secure coprocessor , 1999, Comput. Networks.

[31]  Laks V. S. Lakshmanan,et al.  Optimizing the Secure Evaluation of Twig Queries , 2002, VLDB.

[32]  Giovanni Vigna,et al.  Cryptographic Traces for Mobile Agents , 1998, Mobile Agents and Security.

[33]  V. S. Subrahmanian,et al.  Merging Heterogeneous Security Orderings , 1996, ESORICS.

[34]  William Nace,et al.  PPP EAP KEA Public Key Authentication Protocol , 1997 .

[35]  Sean W. Smith,et al.  Building the IBM 4758 Secure Coprocessor , 2001, Computer.

[36]  Barbara T. Blaustein,et al.  Autonomy and Confidentiality: Secure Federated Data Management , 1995, Next Generation Information Technologies and Systems.

[37]  Klaus R. Dittrich,et al.  An Approach for Building Secure Database Federations , 1994, VLDB.

[38]  R. Sandhu,et al.  Access control: principles and practice , 1994, IEEE Commun. Mag..

[39]  Oded Goldreich,et al.  On the Foundations of Modern Cryptography , 1997, CRYPTO.

[40]  Niv Gilboa,et al.  Computationally private information retrieval (extended abstract) , 1997, STOC '97.

[41]  Sushil Jajodia,et al.  Secure mediated databases , 1996, Proceedings of the Twelfth International Conference on Data Engineering.

[42]  Laks V. S. Lakshmanan,et al.  Compressed Accessibility Map: Efficient Access Control for XML , 2002, VLDB.

[43]  Leslie Lamport,et al.  The Byzantine Generals Problem , 1982, TOPL.

[44]  P. Samarati,et al.  Access control: principle and practice , 1994, IEEE Communications Magazine.