ACROSS: A generic framework for attribute-based access control with distributed policies for virtual organizations

https://doi.org/10.1016/j.future.2017.07.049

Highlights

  • A generic, extensible, and flexible framework of authentication and authorization for virtual organizations is proposed.

  • The solution makes it quicker to join or create a virtual organization.

  • Support for identity federation, access control mechanisms, additional attributes and credential translation.

  • Creates a new and modern solution for identity and access management in distributed-resource environments.

Abstract

Research interest in access control mechanisms for distributed resources has recently increased. In this scenario, users from different institutions access distributed resources, maintained by different organizations, in order to participate in a common research project, network, or testbed. Several challenges arise in these virtual organizations when granting different types of access privileges to distinct types of resources, depending on the user profile and considering the local and global access policies of the partners. This work presents a generic and extensible authentication and authorization framework, named ACROSS, based on policies and attributes for virtual organizations. Our proposal creates granular and scalable access control, which supports different authentication technologies and is independent of the kind of resource federation. In addition, ACROSS introduces a new concept of attribute generalization for access control, providing transparent management based on an access level computed from user attribute values and weights. Other works with similar goals have limitations that restrict their integration with arbitrary identity and resource federations. These works also present restrictions concerning environment and resource types; hence, they are specific to grid computing, testbed experimentation, or some other distributed-resource environment. Unlike other proposals, ACROSS is a framework for supporting the development of new virtual organizations using any kind of resource sharing. ACROSS provides all A&A functionalities, so that creating the virtual organization is no longer a challenge for new applications. We validate ACROSS by using it in two scenarios: a real testbed and a testing environment composed of resources simulating a distributed open lab. The results show the feasibility of applying the proposal to different scenarios.

Introduction

In resource-distributed environments, such as grid computing, cloud computing, and Future Internet (FI) testbeds, access control is a very important feature, since it is responsible for providing user access to distributed resources.

There are scenarios where different partners from different institutions access a shared distributed-resource environment, and resources are maintained by different administrators following distinct access policies. At the same time, in those scenarios, partners should have common policies for sharing their resource infrastructure, making access control a huge challenge. We call such a scenario a Virtual Organization (VO) [1].

In the literature, we can find several proposals that provide access control functionalities for distributed-resource environments, especially in grid computing [1], cloud computing [2], [3], and FI testbeds [4]. However, those are solutions specific to each scenario, which are usually difficult to adapt to a different context. For example, a framework for grid computing is rarely used in a cloud computing scenario. Other proposals only extend or adapt one kind of authentication to a specific scenario or technology, as can be seen in [3].

This work presents a new proposal to obtain the benefits of identity and access management in VOs through a complete, flexible, and integrated authentication and authorization solution. We introduce a generic framework called ACROSS (Attribute-based access ContROl and diStributed policieS), which deals with identity federation and access control policies in order to facilitate identity management in VOs. ACROSS is a framework for access control based on policies and attributes for VOs, which follows the “X.812 / ISO/IEC 10181-3:1996” [5] standard framework for access control.

ACROSS is a complete authentication and authorization solution for VOs, supporting many concepts of identity management and resource management. Among all the benefits of using ACROSS, we highlight some characteristics it provides:

  • a generic authentication and authorization framework with attribute-based access control and distributed policies for virtual organizations;

  • support for different authentication technologies;

  • independence from the kind of resource federation;

  • an attribute aggregation solution supporting multiple specific attribute providers for virtual organization scenarios and respecting user privacy through a unique opaque identity attribute;

  • a new model of user level classification based on the user's attributes and on attribute-based access control concepts; and

  • support for identity federation authentication and credential translation, making it easier to create credentials for a specific environment.

To satisfy these requirements and deliver these benefits, ACROSS was modelled and modularized, allowing each module to be deployed independently of the others. As a consequence, ACROSS allows any module to be updated whenever necessary.

The rest of this article is organized as follows. Section 2 presents the essential background on technologies, standards, and concepts necessary to understand this proposal. Section 3 details our proposal and presents a comparison between our proposal and related work. Section 4 presents the validation results, and Section 5 describes conclusions and future work.

Section snippets

Related technologies

Since Kerberos was introduced in 1987 [6], addressing authentication, authorization, and accounting, many studies and solutions have been proposed for Identity and Access Management (IAM) [7]. In IAM, Identity Management (IdM) is responsible for ensuring the quality of identity information such as identifiers, credentials, and attributes, and for using it in authentication, authorization, and accounting processes.

An identity federation enables transparent access to its users to the services offered

ACROSS framework proposal

The ACROSS (Attribute-based access ContROl and diStributed policieS) framework is designed to help institutions create or join a VO environment with distributed resources. To achieve this goal, ACROSS provides solutions ranging from installation and configuration to operation of identity and access management in VOs. ACROSS offers wizards to help and facilitate an institution's joining a VO, from the configuration of a service provider in a Shibboleth-based identity federation, to using a

ACROSS framework validation

The framework validation, besides attesting that ACROSS works, provided experience in how IAM concepts can be integrated with VO scenarios. To show this, ACROSS was applied in two different scenarios: a hypothetical VO, representing a testing environment composed of resources simulating a distributed open lab, and a real VO composed of a testbed for Future Internet experimentation, called FIBRE. This validation made clear the benefits of using a modularized framework with concepts of

Conclusion and future work

This work proposed a generic, extensible, and flexible A&A framework for VOs. ACROSS presents modules for complete authentication and access control processes for virtual organizations. These modules can be easily extended to support new A&A technologies and can be easily adapted for use in different VO applications. As it presents the functionalities and proper interfaces for managing a VO, ACROSS can be considered a simple and efficient VO manager for developing and operating new

Acknowledgements

We thank RNP and GIdLab, CAPES, CNPq, FAPERJ, and FIBRE project for supporting this research.

Edelberto Franco Silva was born in Brazil in 1984. He received the M.Sc. in 2011 and D.Sc. in 2016, both in computer science at Universidade Federal Fluminense (UFF), Niterói, Rio de Janeiro. He is an adjunct professor in the Computer Science Department at Universidade Federal de Juiz de Fora (UFJF) in Juiz de Fora, Minas Gerais. His main areas of interest are computer networks and identity and access management.

References (25)

  • Gaedke, M. et al. A modeling approach to federated identity and access management.

  • OASIS. Organization for the Advancement of Structured Information Standards: Security Assertion Markup Language (SAML) V2.0 (2005).

Débora Christina Muchaluat-Saade received a computer engineering degree, M.Sc. and D.Sc. degrees in computer science from PUC-Rio, Brazil, in 1992, 1996 and 2003, respectively. Since 2002, she has been an associate professor at Universidade Federal Fluminense. From 2002 to 2009, she was a professor in the Telecommunications Engineering Department, and since then, she has been a professor in the Computer Science Department. Her major research interests are computer networks, multimedia communications, identity management and telemedicine applications.

Natalia Castro Fernandes is an associate professor in the Telecommunications Engineering Department at Universidade Federal Fluminense (UFF) in Niterói, Rio de Janeiro. She received the electronics and computer engineering degree, M.Sc. degree, and D.Sc. degree in electrical engineering from Universidade Federal do Rio de Janeiro (UFRJ), Rio de Janeiro, Brazil, in 2006, 2008, and 2011, respectively. Her major research interests are in network security, future Internet, and wireless networks.
