ACROSS: A generic framework for attribute-based access control with distributed policies for virtual organizations
Introduction
In resource-distributed environments, such as grid computing, cloud computing, and Future Internet (FI) testbeds, access control is a very important feature, since it is responsible for mediating user access to distributed resources.
There are scenarios where partners from different institutions access a shared distributed-resource environment in which resources are maintained by different administrators following distinct access policies. At the same time, those partners must agree on common policies for sharing their resource infrastructure, which makes access control a major challenge. We call such a scenario a Virtual Organization (VO) [1].
In the literature we find several proposals providing access control for distributed-resource environments, especially in grid computing [1], cloud computing [2], [3], and FI testbeds [4]. However, these are solutions specific to each scenario, and they are usually difficult to adapt to a different context: a framework built for grid computing is rarely usable in a cloud computing scenario. Other proposals only extend or adapt one kind of authentication for a specific scenario or technology, as in [3].
This work presents a new proposal to obtain the benefits of identity and access management in VOs through a complete, flexible, and integrated authentication and authorization solution. We introduce a generic framework called ACROSS (Attribute-based access ContROl and diStributed policieS), which combines identity federation with access control policies to facilitate identity management in VOs. ACROSS is a policy- and attribute-based access control framework for VOs that follows the ISO/IEC 10181-3 security framework for access control [5].
ACROSS is a complete authentication and authorization solution for VOs, supporting many concepts of identity management and resource management. Among the benefits of using ACROSS, we highlight the following:
- a generic authentication and authorization framework with attribute-based access control and distributed policies for virtual organizations;
- support for different authentication technologies;
- independence from the kind of resource federation;
- an attribute-aggregation solution that supports multiple specialized attribute providers in VO scenarios while preserving user privacy through a single opaque identity attribute;
- a new model for classifying user levels from the user's attributes and attribute-based access control concepts; and
- support for identity federation authentication and credential translation, making it easier to issue credentials for a specific environment.
To deliver these benefits, ACROSS was modelled and modularized so that each module can be deployed independently of the others; as a consequence, any module can be updated whenever necessary.
The rest of this article is organized as follows. Section 2 gives the essential background on the technologies, standards, and concepts needed to understand this proposal. Section 3 details our proposal and compares it with related work. Section 4 presents the validation results, and Section 5 presents conclusions and future work.
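To make the highlighted mechanisms concrete, here is an added example written for this page (it is not ACROSS code and does not reproduce the framework's policy language). It sketches the three pieces the list names: a per-VO opaque identifier, attribute aggregation from several providers keyed only by that identifier, and an attribute-derived user level fed into a decision that combines a VO-wide policy with each resource administrator's own policy. The HMAC-derived pseudonym, the level ladder, the "both policies must permit" combination, and all sample users, attributes and lab policies are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Callable, Dict, List

Attrs = Dict[str, object]
Policy = Callable[[Attrs, int, str], bool]

# Assumption: the VO derives a per-VO pseudonym by HMAC-ing the home identifier
# under a VO-held secret, so resource administrators never see the home identity.
VO_SECRET = b"constructed-vo-secret-not-for-production"


def opaque_id(home_idp: str, home_uid: str, secret: bytes = VO_SECRET) -> str:
    """Stable per-user pseudonym that does not reveal the home identifier."""
    msg = f"{home_idp}!{home_uid}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


class AttributeAggregator:
    """Merges attributes from several providers, all looked up by the opaque id."""

    def __init__(self) -> None:
        self.providers: List[Callable[[str], Attrs]] = []

    def register(self, provider: Callable[[str], Attrs]) -> None:
        self.providers.append(provider)

    def aggregate(self, oid: str) -> Attrs:
        merged: Attrs = {}
        for provider in self.providers:
            for key, value in provider(oid).items():
                # Two providers disagreeing on one attribute is a trust problem, not a tie to break.
                if key in merged and merged[key] != value:
                    raise ValueError(f"conflicting values for attribute {key!r}")
                merged[key] = value
        return merged


# Constructed sample users (not real identities).
ALICE = opaque_id("idp.example-university.edu", "alice")
BOB = opaque_id("idp.example-university.edu", "bob")
CAROL = opaque_id("idp.partner.example", "carol")

# Constructed provider 1: attributes the home institution releases at login
# (in a deployment these arrive with the authentication assertion).
HOME_ATTRS: Dict[str, Attrs] = {
    ALICE: {"affiliation": "faculty"},
    BOB: {"affiliation": "student"},
    CAROL: {"affiliation": "student"},
}
# Constructed provider 2: the VO's own attribute authority (membership, role, project).
VO_ATTRS: Dict[str, Attrs] = {
    ALICE: {"vo_member": True, "vo_role": "experimenter", "project": "wireless"},
    BOB: {"vo_member": True, "project": "wireless"},
    # carol has authenticated at her home IdP but is not a VO member
}


def build_aggregator(extra: List[Callable[[str], Attrs]] = ()) -> AttributeAggregator:
    agg = AttributeAggregator()
    agg.register(lambda oid: HOME_ATTRS.get(oid, {}))
    agg.register(lambda oid: VO_ATTRS.get(oid, {}))
    for provider in extra:
        agg.register(provider)
    return agg


def classify_level(attrs: Attrs) -> int:
    """Illustrative user ladder (an assumption, not the paper's model):
    0 unknown, 1 authenticated, 2 VO member, 3 experimenter, 4 VO admin."""
    role = attrs.get("vo_role")
    if role == "admin":
        return 4
    if role == "experimenter":
        return 3
    if attrs.get("vo_member") is True:
        return 2
    if "affiliation" in attrs:
        return 1
    return 0


# Distributed policies: a VO-wide floor plus one policy per resource administrator.
def vo_policy(attrs: Attrs, level: int, action: str) -> bool:
    if level < 2:  # non-members get nothing, whatever an individual lab says
        return False
    if action == "reserve":
        return level >= 3
    return action in ("list", "read")


def lab_a_policy(attrs: Attrs, level: int, action: str) -> bool:
    # Lab A's administrator only lets faculty or staff reserve its nodes.
    if action == "reserve":
        return attrs.get("affiliation") in ("faculty", "staff")
    return True


def lab_b_policy(attrs: Attrs, level: int, action: str) -> bool:
    # Lab B's administrator scopes every action to one project.
    return attrs.get("project") == "sdn"


RESOURCES: Dict[str, Policy] = {"lab-a": lab_a_policy, "lab-b": lab_b_policy}


def decide(agg: AttributeAggregator, resource: str, oid: str, action: str) -> str:
    """Deny by default; permit only when the VO policy and the resource's own policy agree."""
    policy = RESOURCES.get(resource)
    if policy is None:
        return "deny"
    try:
        attrs = agg.aggregate(oid)
    except ValueError:
        return "deny"  # an attribute conflict is a reason to refuse, not to guess
    level = classify_level(attrs)
    if vo_policy(attrs, level, action) and policy(attrs, level, action):
        return "permit"
    return "deny"


if __name__ == "__main__":
    agg = build_aggregator()
    for who, oid in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        for res in RESOURCES:
            for act in ("read", "reserve"):
                print(who, res, act, decide(agg, res, oid, act))
```

Two design choices matter for a practitioner. The resource side only ever receives the opaque identifier and the aggregated attributes, so a lab administrator can write a policy without learning who the user is at their home institution. And the decision is deny-by-default in every failure path: an unknown resource, a missing attribute, or two providers disagreeing about an attribute all yield "deny" rather than a best guess.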
Section snippets
Related technologies
Since Kerberos was introduced in 1987 [6], addressing authentication, authorization, and accounting, many studies and solutions have been proposed for Identity and Access Management (IAM) [7]. Within IAM, Identity Management (IdM) is responsible for ensuring the quality of identity information, such as identifiers, credentials, and attributes, and for using it in the authentication, authorization, and accounting processes.
An identity federation gives its users transparent access to the services offered
ACROSS framework proposal
The ACROSS (Attribute-based access ContROl and diStributed policieS) framework is designed to help institutions create or join a VO environment with distributed resources. To achieve this goal, ACROSS provides solutions spanning installation and configuration through to the operation of identity and access management in VOs. ACROSS offers wizards that help an institution join a VO, from configuring a service provider in a Shibboleth-based identity federation to using a
ACROSS framework validation
The framework validation, besides attesting that ACROSS works, provided experience in how IAM concepts can be integrated into VO scenarios. To show this, ACROSS was applied in two different scenarios: a hypothetical VO, a testing environment composed of resources simulating a distributed open lab, and a real VO composed of a testbed for Future Internet experimentation, called FIBRE. This validation made clear the benefits of using a modularized framework with concepts of
Conclusion and future work
This work proposed a generic, extensible, and flexible A&A framework for VOs. ACROSS provides modules covering the complete authentication and access control processes for virtual organizations. These modules can be easily extended to support new A&A technologies and easily adapted for use in different VO applications. As it presents the functionalities and proper interfaces for managing a VO, ACROSS can be considered a simple and efficient VO manager for developing and operating new
Acknowledgements
We thank RNP and GIdLab, CAPES, CNPq, FAPERJ, and FIBRE project for supporting this research.
References (25)
- et al., Resource discovery and allocation for federated virtualized infrastructures, Future Gener. Comput. Syst. (2015)
- et al., Cost model based service placement in federated hybrid clouds, Future Gener. Comput. Syst. (2014)
- et al., Major requirements for building smart homes in smart cities based on internet of things technologies, Future Gener. Comput. Syst. (2017)
- et al., A conceptual model for attribute aggregation, Future Gener. Comput. Syst. (2010)
- et al., The anatomy of the grid - enabling scalable virtual organizations
- P. Hunt, et al., System for Cross-domain Identity Management: Core Schema, RFC 7643 (Proposed Standard), Sep. 2015. URL...
- et al., Providing efficient SSO to cloud service access in AAA-based identity federations, Future Gener. Comput. Syst. (2016)
- Fibre project: Brazil and Europe unite forces and testbeds for the Internet of the future
- ISO, ISO/IEC 10181-3:1996 - Information technology - Open Systems Interconnection - Security frameworks for open systems:...
- Miller, Steven P., et al., Kerberos Authentication and Authorization System, in: Project Athena Technical Plan,...
- A modeling approach to federated identity and access management
- Organization for the Advancement of Structured Information Standards: Security Assertion Markup Language (SAML) V2.0
Edelberto Franco Silva was born in Brazil in 1984. He received the M.Sc. in 2011 and D.Sc. in 2016, both in computer science, at Universidade Federal Fluminense (UFF), Niterói, Rio de Janeiro. He is an adjunct professor in the Computer Science Department at Universidade Federal de Juiz de Fora (UFJF) in Juiz de Fora, Minas Gerais. His main areas of interest are computer networks and identity and access management.
Débora Christina Muchaluat-Saade received a computer engineering degree, M.Sc. and D.Sc. degrees in computer science from PUC-Rio, Brazil, in 1992, 1996 and 2003, respectively. Since 2002, she has been an associate professor at Universidade Federal Fluminense. From 2002 to 2009, she was a professor at the Telecommunications Engineering Department, and since then, she has been a professor at the Computer Science Department. Her major research interests are computer networks, multimedia communications, identity management and telemedicine applications.
Natalia Castro Fernandes is an associate professor in the Telecommunications Engineering Department at Universidade Federal Fluminense (UFF) in Niterói, Rio de Janeiro. She received the electronics and computer engineering degree, M.Sc. degree, and D.Sc. degree in electrical engineering from Universidade Federal do Rio de Janeiro (UFRJ), Rio de Janeiro, Brazil, in 2006, 2008, and 2011, respectively. Her major research interests are network security, future Internet, and wireless networks.