Abstract
Modern computing systems are built on Service Oriented Architectures (SOA) and are made up of multiple distributed components. They often span separate and autonomous domains of administration and involve dynamic collaboration. Resources and services are exposed as Web Services, which are a natural choice for achieving interoperability in a heterogeneous computing environment.
Access control systems ensure that services are protected against unauthorised access. Architecting such systems in multi-domain computing environments poses numerous challenges that must be considered. Such systems must be modular, extensible and should have reusable components. Authorisation needs to span separate and autonomous domains of administration, scale to large user and resource bases and should be efficient enough to handle even fine-grained interactions between highly distributed components.
In this paper we present a requirements analysis for architecting dependable access control systems for multi-domain computing environments. In particular, we address those environments that are built on SOA and use Web Services as the underlying connection technology. We refer to relevant standards and technologies that are of significant importance when architecting access control for such environments.
Supported by the UK Technology Strategy Board, grant no. P0007E ('Trust Economics').
© 2009 Springer-Verlag Berlin Heidelberg
Cite this chapter
Machulak, M.P., Parkin, S.E., van Moorsel, A. (2009). Architecting Dependable Access Control Systems for Multi-domain Computing Environments. In: de Lemos, R., Fabre, JC., Gacek, C., Gadducci, F., ter Beek, M. (eds) Architecting Dependable Systems VI. Lecture Notes in Computer Science, vol 5835. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10248-6_3
DOI: https://doi.org/10.1007/978-3-642-10248-6_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-10247-9
Online ISBN: 978-3-642-10248-6
eBook Packages: Computer Science, Computer Science (R0)