Secure Data Grid


Grid is an integration infrastructure for sharing and coordinated use of diverse resources in dynamic, distributed virtual organizations (VOs). A Data Grid is an architecture for the access, exchange, and sharing of data in the Grid environment. The Secure Data Grid project develops a secure system for accessing data resources in the Data Grid. We designed and implemented various access control systems for Data Grids, including a semantic Role-based Access Control (RBAC) system and a privacy-preserving Attribute-based Access Control (ABAC) system. Both systems can be used with Globus Toolkit, which is a representative software package used for building a Grid.



Overview

Open Grid Services Architecture - Data Access and Integration (OGSA-DAI) is a widely used middleware for integrating data resources in Grids, and it is supported by Globus Toolkit. However, the identity-based access control in OGSA-DAI causes substantial overhead for the resource providers in virtual organizations (VOs), because the access control information of individual users has to be maintained by each resource provider. To solve this problem, we developed a semantic Role-based Access Control system using Shibboleth and ontology. Shibboleth is an attribute authorization service, and we used it to manage the user attributes. By using ontology, VOs can resolve the differences in their terminologies and specify access control policies based on concepts and user roles, instead of individual resources and user identities. As a result, the administration overhead of the resource providers is reduced considerably.

In Attribute-Based Access Control (ABAC), access is granted based on the attributes of the requesting user. ABAC is a highly flexible and scalable access control scheme which can deal with diverse security requirements in a Grid environment. However, in ABAC the user attributes published by the identity providers for authorization decisions may violate the user's privacy. We developed an attribute release control mechanism to publish an optimal set of user attributes that are essential to access a desired resource, while exposing the least amount of sensitive user information. To facilitate the selection of an optimal set of user attributes, we developed a Web service, named Security Policy Publication Service, and also enhanced the identity provider of Shibboleth.
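As an added illustration (not code from the project or its papers), the following Python sketches the attribute release decision described above: a published policy is treated as a list of alternative attribute requirements, and the identity provider releases the satisfiable alternative with the lowest total sensitivity. The policy format, attribute names and sensitivity weights are all assumptions constructed for this example.

```python
# Added example of minimal-sensitivity attribute release for ABAC.
# Everything below is constructed sample data, not the project's own format.

# Assumed policy shape: a list of alternatives; the user must hold every
# (attribute, value) pair in at least one alternative to be granted access.
POLICY = [
    [("affiliation", "member"), ("department", "physics")],
    [("affiliation", "faculty")],
    [("project", "secure-data-grid"), ("clearance", "level2")],
]

# Constructed user attributes as held by the identity provider.
USER_ATTRS = {
    "affiliation": "member",
    "department": "physics",
    "project": "secure-data-grid",
    "clearance": "level2",
    "ssn": "000-00-0000",  # never required by the policy, so never released
}

# Constructed sensitivity weights (higher = more private to the user).
SENSITIVITY = {"affiliation": 1, "department": 2, "project": 3, "clearance": 5, "ssn": 10}


def satisfied_alternatives(policy, attrs):
    """Return the policy alternatives the user can satisfy with the attributes held."""
    return [alt for alt in policy
            if all(attrs.get(name) == value for name, value in alt)]


def select_release_set(policy, attrs, sensitivity):
    """Choose the satisfiable alternative with the least total sensitivity.

    Returns the attributes to release (name -> value), or None when no
    alternative can be satisfied, in which case nothing is released.
    """
    best_cost, best_set = None, None
    for alt in satisfied_alternatives(policy, attrs):
        cost = sum(sensitivity.get(name, 0) for name, _ in alt)
        if best_cost is None or cost < best_cost:
            best_cost, best_set = cost, {name: attrs[name] for name, _ in alt}
    return best_set


if __name__ == "__main__":
    print(select_release_set(POLICY, USER_ATTRS, SENSITIVITY))
```

With the sample data, the "member" and "physics" pair (cost 3) is released rather than the project and clearance pair (cost 8), and the unrelated `ssn` attribute is never exposed.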

References:

1. V. Muppavarapu and S. M. Chung, “Semantic-based Access Control for Data Resources in Open Grid Services Architecture - Data Access and Integration (OGSA-DAI),” International Journal of Grid and High Performance Computing, Vol. 6, No. 2, IGI Global, 2014, pp. 1–23.

2. S. M. Park and S. M. Chung, “Privacy-Preserving Attribute-Based Access Control for Grid Computing,” International Journal of Grid and Utility Computing, Vol. 5, No. 4, Inderscience, 2014, pp. 286–296.

3. V. Muppavarapu, A. L. Pereira, and S. M. Chung, “Role-Based Access Control for a Grid System Using OGSA-DAI and Shibboleth,” The Journal of Supercomputing, Vol. 54, No. 2, Springer, 2010, pp. 154–179.

4. V. Muppavarapu and S. M. Chung, “Role-Based Access Control in a Data Grid Using the Storage Resource Broker and Shibboleth,” Journal of Grid Computing, Vol. 7, No. 2, Springer, 2009, pp. 265–283.

5. A. L. Pereira, V. Muppavarapu, and S. M. Chung, “Managing Role-Based Access Control Policies for Grid Databases in OGSA-DAI Using CAS,” Journal of Grid Computing, Vol. 5, No. 1, Springer, 2007, pp. 65–81.

6. A. L. Pereira, V. Muppavarapu, and S. M. Chung, “Role-Based Access Control for Grid Database Services Using the Community Authorization Service,” IEEE Trans. on Dependable and Secure Computing, Vol. 3, No. 2, 2006, pp. 156–166.

Contact:

Prof. Soon M. Chung
son.chung [at] wright [dot] edu