Semantic Security: Specification and Enforcement of Semantic Policies for Security-driven Collaborations

Collaborative research can often have demands on finer-grained security that go beyond the authentication-only paradigm as typified by many e-Infrastructure/Grid based solutions. Supporting finer-grained access control is often essential for domains where the specification and subsequent enforcement of authorization policies is needed. The clinical domain is one area in particular where this is so. However it is the case that existing security authorization solutions are fragile, inflexible and difficult to establish and maintain. As a result they often do not meet the needs of real world collaborations where robustness and flexibility of policy specification and enforcement, and ease of maintenance are essential. In this paper we present results of the JISC funded Advanced Grid Authorisation through Semantic Technologies (AGAST) project (www.nesc.ac.uk/hub/projects/agast) and show how semantic-based approaches to security policy specification and enforcement can address many of the limitations with existing security solutions. These are demonstrated into the clinical trials domain through the MRC funded Virtual Organisations for Trials and Epidemiological Studies (VOTES) project (www.nesc.ac.uk/hub/projects/votes) and the epidemiological domain through the JISC funded SeeGEO project (www.nesc.ac.uk/hub/projects/seegeo).

[1]  Richard O. Sinnott,et al.  Advanced Security for Virtual Organizations: The Pros and Cons of Centralized vs Decentralized Security Models , 2008, 2008 Eighth IEEE International Symposium on Cluster Computing and the Grid (CCGRID).

[2]  David W. Chadwick,et al.  Role-Based Access Control With X.509 Attribute Certificates , 2003, IEEE Internet Comput..

[3]  Mark Strembeck,et al.  A scenario-driven role engineering process for functional RBAC roles , 2002, SACMAT '02.

[4]  Richard O. Sinnott,et al.  Supporting Decentralized, Security Focused Dynamic Virtual Organizations across the Grid , 2006, 2006 Second IEEE International Conference on e-Science and Grid Computing (e-Science'06).

[5]  Konstantin Beznosov,et al.  Authorization Using the Publish-Subscribe Model , 2008, 2008 IEEE International Symposium on Parallel and Distributed Processing with Applications.

[6]  References , 1971 .

[7]  Richard O. Sinnott,et al.  Single Sign-On And Authorization For Dynamic Virtual Organizations , 2006, PRO-VE.

[8]  Richard O. Sinnott,et al.  A Shibboleth-protected privilege management infrastructure for e-science education , 2006, Sixth IEEE International Symposium on Cluster Computing and the Grid (CCGRID'06).

[9]  Ákos Frohner,et al.  VOMS, an Authorization System for Virtual Organizations , 2003, European Across Grids Conference.

[10]  Jeremy L. Jacob,et al.  The role-based access control system of a European bank: a case study and discussion , 2001, SACMAT '01.

[11]  Richard O. Sinnott,et al.  Shibboleth-based Access to and Usage of Grid Resources , 2006, 2006 7th IEEE/ACM International Conference on Grid Computing.