Data e-Infrastructure Policy-oriented Security Facilities

From Gcube Wiki
Latest revision as of 15:33, 27 May 2016

Overview

The goal of the Data e-Infrastructure Policy-oriented Security Facilities is to protect gCube infrastructure resources from unauthorized access. Together the facilities form a complete security module, built on SOA3.

Service Oriented Authorization, Authentication and Accounting (SOA3) is a security framework that delivers security services as web services, in line with the Security as a Service (SecaaS) model [1]. It is based on standard protocols and technologies and provides:

  • an open and extensible architecture
  • interoperability with external infrastructures and domains, including, where required, so-called Identity Federation
  • total isolation from gCore: zero dependencies in either direction

Key Features

Security as a Service
  Authentication and authorization are provided by web services that the resource management modules call.
Flexible authentication model
  Users are not required to hold personal digital certificates.
Attribute-based Access Control
  A generic way to manage access: access control decisions are based on one or more attributes.
Support for different categories of attributes
  User-related attributes (e.g. roles, groups) and environment-related attributes (e.g. time, date).
Modularity
  SOA3 is composed of distinct modules; each module has a well-defined scope and provides well-defined services.
Support for standards
  All operations delivered by the facilities are built on recognized standards.
High performance
  Design and architectural choices were made with close attention to performance.
Resource Usage Tracking
  Administrators and users can monitor the resource usage of applications.
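The two attribute-related features above are easiest to see in a small worked decision. The following Python sketch is an added illustration, not gCube or SOA3 code: it shows a decision point combining user-related attributes (roles, groups) with environment-related attributes (date, time) under a deny-overrides rule, and an enforcement point that grants access only on an explicit Permit. The policy rules, attribute names (roles, groups, owner_group, time) and the sample subjects and dataset are all assumptions constructed for the example.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added illustration, not code from gCube or SOA3. It shows how an access
decision can combine user-related attributes (roles, groups) with
environment-related attributes (date, time). Policy shape, attribute
names and the sample data are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Any, Callable, Dict, List

Attributes = Dict[str, Any]
Condition = Callable[[Attributes, Attributes, Attributes], bool]

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"


@dataclass
class Rule:
    effect: str           # PERMIT or DENY
    condition: Condition  # condition(subject, resource, environment) -> bool
    description: str


@dataclass
class Policy:
    """Decision point: evaluates rules with a deny-overrides combining algorithm."""
    rules: List[Rule]

    def decide(self, subject: Attributes, resource: Attributes, environment: Attributes) -> str:
        decision = NOT_APPLICABLE
        for rule in self.rules:
            try:
                matched = rule.condition(subject, resource, environment)
            except (KeyError, TypeError, AttributeError):
                # A rule that cannot be evaluated (e.g. a missing attribute) must
                # never degrade into a Permit: report Indeterminate and stop.
                return INDETERMINATE
            if not matched:
                continue
            if rule.effect == DENY:
                return DENY  # deny-overrides: the first matching Deny ends evaluation
            decision = PERMIT
        return decision


def enforce(policy: Policy, subject: Attributes, resource: Attributes, environment: Attributes) -> bool:
    """Enforcement point: only an explicit Permit grants access (default deny)."""
    return policy.decide(subject, resource, environment) == PERMIT


def within_working_hours(environment: Attributes) -> bool:
    """Environment attribute check: Monday-Friday, 08:00-18:00 (assumed window)."""
    now: datetime = environment["time"]  # missing attribute -> KeyError -> Indeterminate
    return now.weekday() < 5 and time(8, 0) <= now.time() <= time(18, 0)


def owner_group_member(subject: Attributes, resource: Attributes) -> bool:
    """Subject attribute check: the resource's owner group is one of the subject's groups."""
    return resource["owner_group"] in subject["groups"]


# Sample policy (constructed): one Deny rule and two Permit rules.
SAMPLE_POLICY = Policy(rules=[
    Rule(DENY,
         lambda s, r, e: not within_working_hours(e) and "Infrastructure-Manager" not in s["roles"],
         "outside working hours only Infrastructure-Managers may touch datasets"),
    Rule(PERMIT,
         lambda s, r, e: "Data-Manager" in s["roles"] and owner_group_member(s, r),
         "Data-Managers may access datasets owned by one of their groups"),
    Rule(PERMIT,
         lambda s, r, e: "Infrastructure-Manager" in s["roles"],
         "Infrastructure-Managers may access any dataset"),
])

# Constructed sample data: one resource, four subjects, two points in time.
DATASET = {"id": "dataset:42", "owner_group": "vre-biodiv"}
ALICE = {"id": "alice", "roles": ["Data-Manager"], "groups": ["vre-biodiv"]}
BOB = {"id": "bob", "roles": ["Guest"], "groups": ["vre-biodiv"]}
CAROL = {"id": "carol", "roles": ["Infrastructure-Manager"], "groups": []}
BROKEN = {"id": "dave", "groups": ["vre-biodiv"]}  # "roles" attribute missing
FRIDAY_AFTERNOON = datetime(2016, 5, 27, 15, 33)
FRIDAY_NIGHT = datetime(2016, 5, 27, 23, 0)


def decide_at(subject: Attributes, when: datetime, resource: Attributes = DATASET) -> str:
    """Run the sample policy for a subject at a given time against a resource."""
    return SAMPLE_POLICY.decide(subject, resource, {"time": when})


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, BROKEN):
        for when in (FRIDAY_AFTERNOON, FRIDAY_NIGHT):
            granted = enforce(SAMPLE_POLICY, who, DATASET, {"time": when})
            print(f"{who['id']:6} {when:%a %H:%M}  {decide_at(who, when):14} "
                  f"-> {'granted' if granted else 'refused'}")
```

Two points the code makes that the feature list does not: the enforcement point treats NotApplicable and Indeterminate exactly like Deny, so a subject whose request matches no rule (bob) or whose attributes are incomplete (dave) is refused rather than waved through; and the environment attribute is evaluated from the request context, so the same subject (alice) is permitted at 15:33 and denied at 23:00 without any change to her roles.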

Subsystems

The GCube Policy Oriented Security Facility is composed of the following subsystems:

  • Accounting
  • Authorization Framework

Entries struck through on the page, i.e. no longer listed as current subsystems: GCube Security Handler, SOA3 Authentication Module, SOA3 Authorization Module, SOA3 User Management Module, Resource Accounting.

Notes

  1. https://cloudsecurityalliance.org/research/secaas/