Difference between revisions of "Data e-Infrastructure Policy-oriented Security Facilities"

From Gcube Wiki
Jump to: navigation, search
(Created page with 'This is the template for Facilities Specifications. == Overview == Few lines with a promotional 'flavour', e.g. ''"gCube xxx facilities offer scalable, high-performance, reliab…')
 
(Subsystems)
 
(21 intermediate revisions by 5 users not shown)
Line 1: Line 1:
This is the template for Facilities Specifications.
+
<!-- CATEGORIES -->
 
+
[[Category: gCube Features]]
 +
<!-- CATEGORIES -->
 
== Overview ==
 
== Overview ==
Few lines with a promotional 'flavour', e.g. ''"gCube xxx facilities offer scalable, high-performance, reliable, open source instruments for ..."''
+
The goal of Data e-Infrastructure Policy-oriented Security Facilities is to protect gCube infrastructure resources from unauthorized accesses. The facilities, composing a complete security module, are built on SOA3.
 +
 
 +
''Service Oriented Authorization, Authentication and Accounting'' (SOA3) is a security framework providing ''security services'' as web services, according to ''Security as a Service'' ('''SecaaS''') research topic <ref>https://cloudsecurityalliance.org/research/secaas/</ref>. It is based on standard protocols and technologies, providing:
 +
 
 +
*an open and extensible architecture
 +
*interoperability with external infrastructures and domains, obtaining, if required, also so-called ''Identity Federation''
 +
*total isolation from gCore: zero dependencies in both the directions
  
 
== Key Features ==
 
== Key Features ==
A bullet list highlighting the main features offered by the facilities. The 'flavour' should be catchy and user-friendly. Some examples are (from MongoDB):
 
  
;Document-oriented storage
+
;Security as a Service
:JSON-style documents with dynamic schemas offer simplicity and power.
+
:Authentication and Authorization provided by web services called by resource management modules
  
;Full Index Support
+
;Flexible authentication model
:Index on any attribute, just like you're used to.
+
:the user is not requested to have personal digital certificates
  
;Replication & High Availability
+
;Attribute-based Access Control
:Mirror across LANs and WANs for scale and peace of mind.
+
:a generic way to manage access: access control decisions are based on one or more ''attributes''
  
;Auto-Sharding
+
;Support to different categories of attributes
:Scale horizontally without compromising functionality.
+
:user related attributes (e.g. roles, groups) and environment related attributes (e.g. time, date)
  
== Subsystems ==
+
;Modularity
 +
:SOA3 is composed by different modules: each module has a well-defined scope and provides well-defined services
  
Because
+
;Support to standards
# the identified facilities might be quite extent / "fat" from the functional point of view and
+
:all the operations delivered by the facilities are built atop of recognized standards
# the information introduced so far is very generic from a technical point of view
+
one or more 'subsystem' pages should be created.
+
  
Each subsystem page is expected to provide the reader with a description capturing '''design''' and '''deployment aspects''' as well as '''supported use cases'''. The following template is proposed:
+
;High performance
 +
:the design and architectural choices have been made paying great attention to performances
 +
 
 +
;Resource Usage Tracking
 +
:administrators and users can monitor applications resources usage
 +
 
 +
== Subsystems ==
 +
GCube Policy Oriented Security Facility is composed by the following subsystems:
  
[[Subsystem Specification Template]]
+
*<strike>[[GCube Security Handler]]</strike>
 +
*<strike>[[SOA3 Authentication Module]]</strike>
 +
*<strike>[[SOA3 Authorization Module]]</strike>
 +
*<strike>[[SOA3 User Management Module]]</strike>
 +
*<strike>[[Resource Accounting]]</strike>
 +
*[[Accounting]]
 +
*[[Authorization Framework]]
  
Next step will be the identification of the subsystems for each facility.
+
==Notes==
 +
<references/>

Latest revision as of 14:33, 27 May 2016

Overview

The goal of Data e-Infrastructure Policy-oriented Security Facilities is to protect gCube infrastructure resources from unauthorized accesses. The facilities, composing a complete security module, are built on SOA3.

Service Oriented Authorization, Authentication and Accounting (SOA3) is a security framework providing security services as web services, according to Security as a Service (SecaaS) research topic [1]. It is based on standard protocols and technologies, providing:

  • an open and extensible architecture
  • interoperability with external infrastructures and domains, obtaining, if required, also so-called Identity Federation
  • total isolation from gCore: zero dependencies in both the directions

Key Features

Security as a Service
Authentication and Authorization provided by web services called by resource management modules
Flexible authentication model
the user is not requested to have personal digital certificates
Attribute-based Access Control
a generic way to manage access: access control decisions are based on one or more attributes
Support to different categories of attributes
user related attributes (e.g. roles, groups) and environment related attributes (e.g. time, date)
Modularity
SOA3 is composed by different modules: each module has a well-defined scope and provides well-defined services
Support to standards
all the operations delivered by the facilities are built atop of recognized standards
High performance
the design and architectural choices have been made paying great attention to performances
Resource Usage Tracking
administrators and users can monitor applications resources usage

Subsystems

GCube Policy Oriented Security Facility is composed by the following subsystems:

Notes

  1. https://cloudsecurityalliance.org/research/secaas/
Retrieved from "https://wiki.gcube-system.org/index.php?title=Data_e-Infrastructure_Policy-oriented_Security_Facilities&oldid=24863"