Secure Data Grid
The Grid is an integration infrastructure for sharing and coordinated use of diverse resources in dynamic, distributed virtual organizations (VOs). A Data Grid is an architecture for the access, exchange, and sharing of data in the Grid environment. The Secure Data Grid project aims to develop a secure system for accessing data resources in the Data Grid. We designed and implemented several access control systems for Data Grids, including a semantic Role-Based Access Control (RBAC) system and a privacy-preserving Attribute-Based Access Control (ABAC) system. Both systems can be used with the Globus Toolkit, a representative software package for building a Grid.
Overview
Open Grid Services Architecture - Data Access and Integration (OGSA-DAI) is a widely used middleware for integrating data resources in Grids, and it is supported by the Globus Toolkit. However, the identity-based access control in OGSA-DAI imposes substantial overhead on the resource providers in virtual organizations (VOs), because each resource provider has to maintain the access control information of individual users. To solve this problem, we developed a semantic Role-Based Access Control system using Shibboleth and an ontology. Shibboleth is an attribute authorization service, and we used it to manage the user attributes. By using an ontology, VOs can resolve the differences in their terminologies and specify access control policies in terms of concepts and user roles, instead of individual resources and user identities. As a result, the administration overhead of the resource providers is reduced considerably.
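The following is an added illustration, not code from the Secure Data Grid project or from OGSA-DAI or Shibboleth. It shows, in a toy form, how a policy written against ontology concepts and roles can be evaluated for a request that arrives with a VO-local resource label: the label is mapped to a shared concept, the concept's ancestors are consulted, and role inheritance is applied. The ontology, VO term mappings, role hierarchy, and policy below are all constructed for the example.

```python
"""Added example: a toy semantic RBAC decision that resolves VO-specific
resource terms through a small ontology and grants access by role and
concept rather than by user identity and resource name."""

# Constructed ontology: each concept maps to its parent concept (None = root).
CONCEPT_PARENT = {
    "Data": None,
    "ClinicalData": "Data",
    "PatientRecord": "ClinicalData",
    "LabResult": "ClinicalData",
    "GenomicData": "Data",
}

# Constructed VO terminology mappings: local resource label -> shared concept.
# Two VOs use different words for the same kind of data.
VO_TERMS = {
    "vo-hospital": {"EHR": "PatientRecord", "labs": "LabResult"},
    "vo-biobank": {"sequence-db": "GenomicData", "chart": "PatientRecord"},
}

# Constructed role hierarchy: a role inherits the permissions of its juniors.
ROLE_JUNIORS = {
    "clinician": ["researcher"],
    "researcher": ["member"],
    "member": [],
}

# Constructed policy, written against concepts and roles only; a permission on
# a concept applies to every concept below it in the ontology.
POLICY = {
    "clinician": {"ClinicalData": {"read", "write"}},
    "researcher": {"GenomicData": {"read"}, "LabResult": {"read"}},
    "member": {"Data": {"list"}},
}


def ancestors(concept):
    """Return the concept followed by all of its ancestors, most specific first."""
    chain = []
    while concept is not None:
        chain.append(concept)
        concept = CONCEPT_PARENT[concept]
    return chain


def effective_roles(role):
    """Return the role together with every role it inherits from."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_JUNIORS.get(r, []))
    return seen


def resolve_concept(vo, local_term):
    """Map a VO-local resource label to the shared ontology concept.

    An unmapped term is an error rather than a silent deny, so that a missing
    mapping is noticed by the VO administrator instead of looking like a policy
    decision.
    """
    try:
        return VO_TERMS[vo][local_term]
    except KeyError:
        raise ValueError(f"{vo} has no ontology mapping for {local_term!r}")


def is_permitted(vo, local_term, role, action):
    """Grant if any effective role permits the action on the resource's concept
    or on one of its ancestor concepts; deny otherwise."""
    concept = resolve_concept(vo, local_term)
    for r in effective_roles(role):
        for c in ancestors(concept):
            if action in POLICY.get(r, {}).get(c, set()):
                return True
    return False


if __name__ == "__main__":
    print(is_permitted("vo-hospital", "EHR", "clinician", "write"))      # True
    print(is_permitted("vo-biobank", "chart", "researcher", "read"))     # False
    print(is_permitted("vo-biobank", "sequence-db", "clinician", "read"))  # True
```

The point to notice is that neither VO's resource provider stores anything about an individual user: it only needs the term mapping for its own resources, while roles come from the attribute authority and the policy is shared at the concept level.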
In Attribute-Based Access Control (ABAC), access is granted based on the attributes of the requesting user. ABAC is a highly flexible and scalable access control scheme that can deal with the diverse security requirements of a Grid environment. However, in ABAC the user attributes that identity providers publish for authorization decisions may violate user privacy. We developed an attribute release control mechanism that publishes an optimal set of user attributes: those essential to access the desired resource, while exposing the least amount of sensitive user information. To facilitate the selection of this optimal set, we developed a Web service, named the Security Policy Publication Service, and also enhanced the identity provider of Shibboleth.
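The following is an added example, not the project's implementation of the Security Policy Publication Service or the enhanced Shibboleth identity provider. It shows the selection step in a simplified form: the resource's published policy is modelled as a list of alternative attribute requirements, each user attribute carries a sensitivity score, and the identity provider releases only the satisfying alternative with the lowest total sensitivity. The policy, the user attributes, and the sensitivity scores are constructed for the example; the policy format is an assumption, not the service's actual format.

```python
"""Added example: least-exposure attribute release against a published ABAC
policy.  Releases only the attributes of the cheapest satisfying alternative,
and releases nothing when no alternative can be satisfied."""

# Constructed published policy: resource -> list of alternatives.  Each
# alternative is a dict of attribute name -> set of acceptable values, and every
# attribute in the alternative must match for it to be satisfied.
PUBLISHED_POLICY = {
    "/genomics/cohort-A": [
        {"affiliation": {"member@biobank.example"}, "role": {"researcher"}},
        {"project": {"cohort-A"}, "irb-approved": {"yes"}},
    ],
    "/clinical/records": [
        {"role": {"clinician"}},
        {"project": {"cohort-A"}, "irb-approved": {"yes"}},
    ],
}

# Constructed user attributes as held by the identity provider.
USER_ATTRIBUTES = {
    "affiliation": "member@biobank.example",
    "role": "researcher",
    "project": "cohort-A",
    "irb-approved": "yes",
    "national-id": "000-00-0000",
}

# Constructed sensitivity scores; higher means more private.  An attribute
# without a score is treated as highly sensitive so that unknown attributes are
# never chosen cheaply.
SENSITIVITY = {"affiliation": 1, "role": 1, "project": 2, "irb-approved": 2, "national-id": 10}
UNKNOWN_SENSITIVITY = 100


def satisfies(alternative, attrs):
    """True if the user holds an acceptable value for every required attribute."""
    return all(attrs.get(name) in allowed for name, allowed in alternative.items())


def exposure(alternative):
    """Total sensitivity of releasing every attribute the alternative requires."""
    return sum(SENSITIVITY.get(name, UNKNOWN_SENSITIVITY) for name in alternative)


def select_release_set(resource, attrs, policy=PUBLISHED_POLICY):
    """Return the attributes to release for this resource, or None to release
    nothing (the access cannot be satisfied, or the resource is unknown).

    Among the alternatives the user can satisfy, the one with the lowest total
    sensitivity wins; ties go to the alternative with fewer attributes.
    """
    alternatives = policy.get(resource)
    if not alternatives:
        return None
    candidates = [alt for alt in alternatives if satisfies(alt, attrs)]
    if not candidates:
        return None
    best = min(candidates, key=lambda alt: (exposure(alt), len(alt)))
    return {name: attrs[name] for name in best}


if __name__ == "__main__":
    # Cheapest alternative is available: release affiliation and role only.
    print(select_release_set("/genomics/cohort-A", USER_ATTRIBUTES))
    # User is not a clinician, so the second alternative is released instead.
    print(select_release_set("/clinical/records", USER_ATTRIBUTES))
    # Unknown resource: nothing is released.
    print(select_release_set("/no/such/resource", USER_ATTRIBUTES))
```

Note that the national-id attribute is never released even though the user holds it, because no published alternative requires it; a policy that listed it would pay its sensitivity cost and lose to any cheaper alternative the user can satisfy.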
References:
1. V. Muppavarapu and S. M. Chung, “Semantic-based Access Control for Data Resources in Open Grid Services Architecture - Data Access and Integration (OGSA-DAI),” International Journal of Grid and High Performance Computing, Vol. 6, No. 2, IGI Global, 2014, pp. 1–23.
2. S. M. Park and S. M. Chung, “Privacy-Preserving Attribute-Based Access Control for Grid Computing,” International Journal of Grid and Utility Computing, Vol. 5, No. 4, Inderscience, 2014, pp. 286–296.
3. V. Muppavarapu, A. L. Pereira, and S. M. Chung, “Role-Based Access Control for a Grid System Using OGSA-DAI and Shibboleth,” The Journal of Supercomputing, Vol. 54, No. 2, Springer, 2010, pp. 154–179.
4. V. Muppavarapu and S. M. Chung, “Role-Based Access Control in a Data Grid Using the Storage Resource Broker and Shibboleth,” Journal of Grid Computing, Vol. 7, No. 2, Springer, 2009, pp. 265–283.
5. A. L. Pereira, V. Muppavarapu, and S. M. Chung, “Managing Role-Based Access Control Policies for Grid Databases in OGSA-DAI Using CAS,” Journal of Grid Computing, Vol. 5, No. 1, Springer, 2007, pp. 65–81.
6. A. L. Pereira, V. Muppavarapu, and S. M. Chung, “Role-Based Access Control for Grid Database Services Using the Community Authorization Service,” IEEE Trans. on Dependable and Secure Computing, Vol. 3, No. 2, 2006, pp. 156–166.
Contact: Prof. Soon M. Chung, son.chung [at] wright [dot] edu