Difference between revisions of "Data e-Infrastructure Policy-oriented Security Facilities"

Revision as of 17:29, 26 March 2012

Overview

The goal of Data e-Infrastructure Policy-oriented Security Facilities is to protect gCube infrastructure resources from unauthorized access. Together, the facilities form a complete security module and are built on SOA3.

Service Oriented Authorization, Authentication and Accounting (SOA3) is a security framework that delivers security services as web services, following the Security as a Service (SecaaS) research topic [1]. It is based on standard protocols and technologies and provides:

  • an open and extensible architecture
  • interoperability with external infrastructures and domains, including, where required, so-called Identity Federation
  • total isolation from gCore: zero dependencies in either direction

Key Features

Security as a Service: authentication and authorization are provided by web services called by the resource management modules.
Flexible authentication model: the user is not required to hold a personal digital certificate.
Attribute-based Access Control: a generic way to manage access, in which access control decisions are based on one or more attributes.
Support for different categories of attributes: user-related attributes (e.g. roles, groups) and environment-related attributes (e.g. time, date).
Modularity: SOA3 is composed of different modules; each module has a well-defined scope and provides well-defined services.
Support for standards: all the operations delivered by the facilities are built on recognized standards.
High performance: the design and architectural choices were made with great attention to performance.
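As an added illustration (not SOA3's own code or policy format), the following Python sketch shows how an attribute-based decision of the kind described under Attribute-based Access Control combines user-related attributes (roles, groups) with an environment-related attribute (request time). The resource name, the policy rules and the deny-overrides combining rule are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed ABAC illustration (not SOA3 code): the decision is taken from
# subject attributes (roles, groups) and an environment attribute (time).
@dataclass
class Request:
    subject: dict       # user-related attributes: {"roles": set, "groups": set}
    resource: str       # identifier of the resource being accessed
    action: str         # operation requested on the resource
    environment: dict   # environment-related attributes: {"time": datetime}

@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    required_roles: frozenset = frozenset()   # subject needs at least one
    required_groups: frozenset = frozenset()  # subject needs at least one
    hours: tuple = (0, 24)                    # allowed window [start, end)
    effect: str = "Permit"

    def matches(self, req: Request) -> bool:
        if (self.resource, self.action) != (req.resource, req.action):
            return False
        roles = req.subject.get("roles", set())
        groups = req.subject.get("groups", set())
        if self.required_roles and not (roles & self.required_roles):
            return False
        if self.required_groups and not (groups & self.required_groups):
            return False
        hour = req.environment["time"].hour
        return self.hours[0] <= hour < self.hours[1]

def decide(policy: list, req: Request) -> str:
    """Deny-overrides: any matching Deny wins, else a matching Permit, else Deny."""
    outcome = "Deny"  # default when no rule applies
    for rule in policy:
        if rule.matches(req):
            if rule.effect == "Deny":
                return "Deny"
            outcome = "Permit"
    return outcome

POLICY = [  # hypothetical policy for a constructed resource name
    Rule("dataset:genomics", "read", required_groups=frozenset({"biology-vo"})),
    Rule("dataset:genomics", "write", required_roles=frozenset({"curator"}), hours=(8, 18)),
    Rule("dataset:genomics", "write", required_roles=frozenset({"guest"}), effect="Deny"),
]

def check(roles, groups, action, iso_time: str) -> str:
    req = Request({"roles": set(roles), "groups": set(groups)}, "dataset:genomics",
                  action, {"time": datetime.fromisoformat(iso_time)})
    return decide(POLICY, req)
```

A curator writing at 10:00 is permitted, the same curator at 22:00 is denied by the time window, and a user who also carries the guest role is denied regardless of other attributes.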

Subsystems

GCube Policy Oriented Security Facility is composed of the following subsystems:

  • GCube Security Handler
  • SOA3 Authentication Module
  • SOA3 Authorization Module
  • SOA3 User Management Module

Notes

  1. https://cloudsecurityalliance.org/research/secaas/