Dynamic, context-aware, least-privilege grid delegation

Performing delegation in large-scale, dynamic and distributed environments with large numbers of shared resources is more challenging than inside local administrative domains. In dynamic environments like Grids, delegating a restricted set of rights reduces exposure to attack but also limits the flexibility and dynamism of the application, while delegating all rights provides maximum flexibility but increases exposure. This issue has not yet been adequately addressed by current Grid security mechanisms and is becoming a very challenging and crucial issue for future Grid development. An effective delegation mechanism that meets the requirements of the least privilege principle is therefore becoming essential. Furthermore, we are witnessing a phenomenal increase in the automation of organizational tasks and decision making, as well as the computerization of information-related services, both of which require automated delegation mechanisms. To meet these requirements, we introduce an Active Delegation Framework which extends our previous work on on-demand delegation, making it context-aware. The framework provides a just-in-time, restricted and dynamic delegation mechanism for Grids. In this paper we describe the development of this framework and its implementation and integration with the Globus Toolkit.
