Data e-Infrastructure Policy-oriented Security Facilities

From Gcube Wiki
Jump to: navigation, search

Overview

The goal of Data e-Infrastructure Policy-oriented Security Facilities is to protect gCube infrastructure resources from unauthorized accesses. The facilities, composing a complete security module, are built on SOA3.

Service Oriented Authorization, Authentication and Accounting (SOA3) is a security framework providing security services as web services, according to Security as a Service (SecaaS) research topic [1]. It is based on standard protocols and technologies, providing:

  • an open and extensible architecture
  • interoperability with external infrastructures and domains, obtaining, if required, also so-called Identity Federation
  • total isolation from gCore: zero dependencies in both the directions

Key Features

Security as a Service
Authentication and Authorization provided by web services called by resource management modules
Flexible authentication model
the user is not requested to have personal digital certificates
Attribute-based Access Control
a generic way to manage access: access control decisions are based on one or more attributes
Support to different categories of attributes
user related attributes (e.g. roles, groups) and environment related attributes (e.g. time, date)
Modularity
SOA3 is composed by different modules: each module has a well-defined scope and provides well-defined services
Support to standards
all the operations delivered by the facilities are built atop of recognized standards
High performance
the design and architectural choices have been made paying great attention to performances
Resource Usage Tracking
administrators and users can monitor applications resources usage

Subsystems

GCube Policy Oriented Security Facility is composed by the following subsystems:

Notes

  1. https://cloudsecurityalliance.org/research/secaas/