WSACT : a model for Web Services access control incorporating trust

Coetzee, Marijke

10 July 2008

Today, organisations that seek a competitive advantage are adopting virtual infrastructures that share and manage computing resources. The trend is towards implementing collaborating applications that are supported by web services technology. Even though web services technology is rapidly becoming a fundamental development paradigm, adequate security constitutes the main concern and obstacle to its adoption as an industry solution. An important issue to address is the development of suitable access control models that are able to not only restrict access to unauthorised users, but also to discriminate between users that originate from different collaborating parties. In web services environments, access control is required to cross the borders of security domains, in order to be implemented between heterogeneous systems. Traditional access control systems that are identity-based do not provide a solution, as web services providers have to deal with unknown users, manage a large user population, collaborate with others and at the same time be autonomous of nature. Previous research has pointed towards the adoption of attribute-based access control as a means to address some of these problems. This approach is still not adequate, as the trustworthiness of web services requestors cannot be determined. Trust in web services requestors is thus an important requirement to address. For this reason, the thesis investigated trust, as to promote the inclusion of trust in the web services access control model. A cognitive approach to trust computation was followed that addressed uncertain and imprecise information by means of fuzzy logic techniques. A web services trust formation framework was defined that aims to populate trust concepts by means of automated, machine-based trust assessments. The structure between trust concepts was made explicit by means of a trust taxonomy. This thesis presents the WSACT – or the Web Services Access Control incorporating Trust –model. The model incorporates traditional role-based access control, the trust levels of web services requestors and the attributes of users into one model. This allows web services providers to grant advanced access to the users of trusted web services requestors, in contrast to the limited access that is given to users who make requests through web services requestors with whom a minimal level of trust has been established. Such flexibility gives a web services provider the ability to foster meaningful business relationships with others, which portrays humanistic forms of trust. The WSACT architecture describes the interacting roles of an authorisation interface, authorisation manager and trust manager. A prototype finally illustrates that the incorporation of trust is a viable solution to the problem of web services access control when decisions of an autonomous nature are to be made. / Thesis (PhD (Computer Science))--University of Pretoria, 2008. / Computer Science / unrestricted

Virtual infrastructures

Security domains

Computing resources

UCTD

Enabling future internet research : the FEDERICA case

Szegedi, Peter, Riera, Jordi Ferrer, Garcia-Espin, Joan Antoni, Hidell, Markus, Sjödin, Peter, Söderman, Pehr, Ruffini, Marco, O’Mahony, Donal, Bianco, Andrea, Giraudo, Luca, Ponce de Leon, Miguel, Power, Gemma, Cervelló-Pastor, Cristina, López, Víctor, Naegele-Jackson, Susanne

January 2011

The Internet, undoubtedly, is the most influential technical invention of the 20th century that affects and constantly changes all aspects of our day-to-day lives nowadays. Although it is hard to predict its long-term consequences, the potential future of the Internet definitely relies on future Internet research. Prior to every development and deployment project, an extensive and comprehensive research study must be performed in order to design, model, analyze, and evaluate all impacts of the new initiative on the existing environment. Taking the ever-growing size of the Internet and the increasing complexity of novel Internet-based applications and services into account, the evaluation and validation of new ideas cannot be effectively carried out over local test beds and small experimental networks. The gap which exists between the small-scale pilots in academic and research test beds and the realize validations and actual deployments in production networks can be bridged by using virtual infrastructures. FEDERICA is one of the facilities, based on virtualization capabilities in both network and computing resources, which creates custom-made virtual environments and makes them available for Future Internet Researchers. This article provides a comprehensive overview of the state-of-the-art research projects that have been using the virtual infrastructure slices of FEDERICA in order to validate their research concepts, even when they are disruptive to the test bed’s infrastructure, to obtain results in realistic network environments. / © 2011 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. QC20120119 / FEDERICA

Infrastructures virtuelles dynamiquement approvisionnées : spécification, allocation et exécution / Dynamically provisioned virtual infrastructures : specification, allocation and execution

Koslovski, Guilherme Piêgas

08 July 2011

Les Infrastructures Virtuelles (VIs) ont émergé de la combinaison de l’approvisionnement des ressources informatiques et des réseaux virtuels dynamiques. Grâce à la virtualisation combinée des ressource de calcul et de réseau, le concept de VI transforme l’Internet en un réservoir mondial de ressources interconnectées. Avec l’innovation des VIs viennent aussi des nouveaux défis nécessitant le développement de modèles et technologies, pour assister la migration d’applications existantes d’infrastructures traditionnelles vers des VIs. L’abstraction complète des ressources physiques et l’indéterminisme dans les besoins des applications, en termes de ressources de calcul et de communication ont fait de la composition de VI un problème difficile. En outre, l’allocation d’un ensemble des VIs sur un substrat distribué est un problème NP-difficile. En plus des objectifs traditionnels (par exemple un coût minimal, un revenu croissant), un algorithme d’allocation doit également satisfaire les attentes des utilisateurs (par exemple la qualité de l’allocation). Ce manuscrit contribue aux initiatives de recherche en cours avec les propositions suivantes : i) le Virtual Infrastructure Description Language (VXDL), qui permet aux utilisateurs et aux systèmes de décrire les composants pertinents d’une VI ; ii) un mécanisme qui traduit un flux de travail en une spécification de VI pour faciliter l’exécution d’applications distribuées; iii) une solution pour réduire l’espace de recherche d’une façon automatique qui accélère le processus d’allocation ; et iv) un service offert par des fournisseurs d'infrastructure avec lequel un utilisateur peut déléguer les besoins en fiabilité. / Virtual Infrastructures (VIs) have emerged as result of the combined on-demand provisioning of IT resources and dynamic virtual networks. By combining IT and network virtualization, the VI concept is turning the Internet into a worldwide reservoir of interconnected resources, where computational, storage, and communication services are available on-demand for different users and applications. The innovation introduced by VIs posed a set of challenges requiring the development of new models, technologies, and procedures to assist the migration of existing applications from traditional infrastructures to VIs. The complete abstraction of physical resources, coupled with the indeterminism of required computing and communication resources to execute applications, turned the specification and composition of a VI into a challenging task. In addition, mapping a set of VIs onto a distributed substrate is an NP-hard problem. Besides considering common objectives of infrastructure providers (e.g., efficient usage of the physical substrate, cost minimization, increasing revenue), an allocation algorithm should consider the users' expectations (e.g., allocation quality, data location and mobility). This thesis contributes to related research initiatives by proposing the following: i) Virtual Infrastructure Description Language (VXDL), a descriptive and declarative language that allows users and systems to model the components of a VI; ii) a mechanism for composing VI specifications to execute distributed applications; iii) an approach to reduce the search space in an automatic way, accelerating the process of VI allocation; and iv) mechanism for provisioning reliable VIs.

Infrastructures virtuelles

Spécification

VXDL

Nuage

Allocation

Exécution

Reliability

Virtual infrastructures

Cloud

Virtualization

Specification

Allocation

Execution

VXDL