Difference between revisions of "Data e-Infrastructure Policy-oriented Security Facilities"

From Gcube Wiki
Jump to: navigation, search
m
Line 1: Line 1:
 
== Overview ==
 
== Overview ==
Policy Based Access Control is a very flexible approach focused on the evaluation of ''policies'' based on different kinds of ''attributes'' in order to grant or deny the ''access'' to a ''resource''.
+
Data e-Infrastructure Policy-oriented Security Facilities protect gCube infrastructure resources from unauthorized accesses. The facilities compose a complete security module built on SOA3 framework.
 +
SOA3 (''Service Oriented Authorization, Authentication and Accounting) is a security framework based on the ''Security as a Service'' (SaaS) model. SaaS model, together with the use of standard protocols and technologies provides:
  
The whole Process consists in three atomic operations:
+
*an open and extensible architecture
*to establish who can do what
+
*possibility to interoperate with external infrastructures and domain, obtaining, if required, also ''Identity Federation''
*to grant or deny the permissions
+
*total separation from gCore: zero dependencies in both the directions
*to guarantee that rules are followed
+
  
As a consequence a Policy Oriented Security Module provides the following functionalities:
+
== Key Features ==
*policies definition
+
*decision
+
*enforcement
+
  
GCube Policy Oriented Security Facilities allows to easily and intuitively perform these operations.
+
;Security as a Service
 +
:Authentication and Authorization are services called by resource management modules in order to secure the resources
  
== Key Features ==
+
;Username/password authentication model
 +
:The user is not requested to maintain personal digital certificates
  
;Policy Definition Portlet
+
;Attribute Based Access Control
:A portlet providing the possibility to create, read, update and delete policies
+
:The most general way to manage accesses: the access control is performed basing the decision on one or more attributes
  
;XACML based Authorization System
+
;Support to different categories of attributes
:Composed by Policy Administration Point, Policy Decision Point and Policy Enforcement Point
+
:User related attributes (e.g. roles, groups...) and environment related attributes (e.g. time, date...)
  
;Dynamic user attributes
+
;Modularity
:The policies are based on roles and on dynamic attributes, e.g. maximum number of accesses made by the user
+
:SOA3 is composed by different modules: each module has a well defined functionality and provides well defined services
  
;Context attributes
+
;Support to standards
:An advanced Policy Information Point provides the possibility to use policies based also on context attributes, such as ''date'' and ''time''
+
:All the operation performed by the facilities are standard based
 +
 
 +
;High performance
 +
:The design and architectural choices have been made with great attention to the performance 
  
  
Line 34: Line 36:
 
[[GCube Security Handler]]
 
[[GCube Security Handler]]
  
[[GCube Authorization Module]]
+
[[SOA3 Authentication Module]]
 +
 
 +
[[SOA3 Authorization Module]]
  
 
[[GCube Policy Definition Module]]
 
[[GCube Policy Definition Module]]

Revision as of 17:06, 19 March 2012

Overview

Data e-Infrastructure Policy-oriented Security Facilities protect gCube infrastructure resources from unauthorized accesses. The facilities compose a complete security module built on SOA3 framework. SOA3 (Service Oriented Authorization, Authentication and Accounting) is a security framework based on the Security as a Service (SaaS) model. SaaS model, together with the use of standard protocols and technologies provides:

  • an open and extensible architecture
  • possibility to interoperate with external infrastructures and domain, obtaining, if required, also Identity Federation
  • total separation from gCore: zero dependencies in both the directions

Key Features

Security as a Service
Authentication and Authorization are services called by resource management modules in order to secure the resources
Username/password authentication model
The user is not requested to maintain personal digital certificates
Attribute Based Access Control
The most general way to manage accesses: the access control is performed basing the decision on one or more attributes
Support to different categories of attributes
User related attributes (e.g. roles, groups...) and environment related attributes (e.g. time, date...)
Modularity
SOA3 is composed by different modules: each module has a well defined functionality and provides well defined services
Support to standards
All the operation performed by the facilities are standard based
High performance
The design and architectural choices have been made with great attention to the performance


Subsystems

GCube Policy Oriented Security Facility is composed by the following subsystems:

GCube Security Handler

SOA3 Authentication Module

SOA3 Authorization Module

GCube Policy Definition Module