
Architecting Dependable Access Control Systems for Multi-domain Computing Environments

  • Chapter
Architecting Dependable Systems VI

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 5835)

Abstract

Modern computing systems are built on Service Oriented Architectures and are made up of multiple distributed components. They often span separate and autonomous domains of administration and involve dynamic collaboration. Resources and services are exposed as Web Services, which are a natural choice for achieving interoperability in a heterogeneous computing environment.

Access control systems ensure that services are protected against unauthorised access. Architecting such systems in multi-domain computing environments poses numerous challenges that must be considered. Such systems must be modular and extensible and should have reusable components. Authorisation needs to span separate and autonomous domains of administration, scale to large user and resource bases, and be efficient enough to handle even fine-grained interactions between highly distributed components.

In this paper we present a requirements analysis for architecting dependable access control systems for multi-domain computing environments. In particular, we address those environments that are built based on SOA and use Web Services as the underlying connection technology. We refer to relevant standards and technologies that are of significant importance when architecting access control for such environments.

Supported by UK Technology Strategy Board, grant nr. P0007E ('Trust Economics').




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Machulak, M.P., Parkin, S.E., van Moorsel, A. (2009). Architecting Dependable Access Control Systems for Multi-domain Computing Environments. In: de Lemos, R., Fabre, JC., Gacek, C., Gadducci, F., ter Beek, M. (eds) Architecting Dependable Systems VI. Lecture Notes in Computer Science, vol 5835. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10248-6_3


  • DOI: https://doi.org/10.1007/978-3-642-10248-6_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-10247-9

  • Online ISBN: 978-3-642-10248-6

  • eBook Packages: Computer Science, Computer Science (R0)