Toward a Usage-Based Security Framework for Collaborative Computing Systems

Collaborative systems such as Grids provide efficient and scalable access to distributed computing capabilities and enable seamless resource sharing between users and platforms. This heterogeneous distribution of resources and the various modes of collaboration that exist between users, virtual organizations, and resource providers require scalable, flexible, and fine-grained access control to protect both individual and shared computing resources. In this article we propose a usage control (UCON) based security framework for collaborative applications, by following a layered approach with policy, enforcement, and implementation models, called the PEI framework. In the policy model layer, UCON policies are specified with predicates on subject and object attributes, along with system attributes as conditional constraints and user actions as obligations. General attributes include not only persistent attributes such as role and group memberships but also mutable usage attributes of subjects and objects. Conditions in UCON can be used to support context-based authorizations in ad hoc collaborations. In the enforcement model layer, our novel framework uses a hybrid approach for subject attribute acquisition with both push and pull modes. By leveraging attribute propagation between a centralized attribute repository and distributed policy decision points, our architecture supports decision continuity and attribute mutability of the UCON policy model, as well as obligation evaluations during policy enforcement. As a proof-of-concept, we implement a prototype system based on our proposed architecture and conduct experimental studies to demonstrate the feasibility and performance of our approach.
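The policy-model ideas above, shown as an added Python example that is not the authors' prototype or policy language: a usage decision checks an obligation, an authorization predicate over subject and object attributes, and a system condition, then re-evaluates during use as a mutable attribute changes. All names (`UsageMonitor`, `cpu_quota`, `load`, the 0.9 threshold) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    subject: dict            # subject attributes, persistent and mutable
    obj: dict                # object attributes
    state: str = "requested"
    log: list = field(default_factory=list)

class UsageMonitor:
    def __init__(self, system):
        self.system = system             # system attributes for conditions

    def _permitted(self, s, o):
        authorized = (s["role"] in o["allowed_roles"]     # persistent attribute
                      and s["cpu_used"] < s["cpu_quota"]) # mutable usage attribute
        condition = self.system["load"] < 0.9             # constructed threshold
        return authorized and condition

    def try_access(self, sess):
        if not sess.subject.get("accepted_terms"):        # obligation (user action)
            sess.state = "denied"
            sess.log.append("obligation unmet")
        elif self._permitted(sess.subject, sess.obj):
            sess.state = "accessing"
            sess.subject["active_jobs"] += 1              # update before usage
        else:
            sess.state = "denied"
            sess.log.append("policy not satisfied")
        return sess.state

    def on_usage(self, sess, cpu_seconds):
        """Apply a usage update, then re-evaluate (decision continuity)."""
        if sess.state != "accessing":
            return sess.state
        sess.subject["cpu_used"] += cpu_seconds
        if not self._permitted(sess.subject, sess.obj):
            sess.state = "revoked"
            sess.subject["active_jobs"] -= 1              # update after usage
            sess.log.append("revoked during use")
        return sess.state

def demo():
    # Constructed sample attributes; every name and value here is an assumption.
    alice = {"role": "vo_member", "cpu_quota": 100, "cpu_used": 0,
             "active_jobs": 0, "accepted_terms": True}
    cluster = {"allowed_roles": {"vo_member"}}
    mon = UsageMonitor({"load": 0.4})
    sess = Session(alice, cluster)
    return [mon.try_access(sess), mon.on_usage(sess, 60), mon.on_usage(sess, 60)]
```

The second usage report pushes `cpu_used` past the quota, so access that was granted at request time is revoked mid-session rather than at the next request.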
