Figure 3. Privacy management architecture for the user's Grid home site
home site. Although each technical component is only shown once, high availability requirements can be fulfilled, e.g., based on hardware redundancy and clustering. Compared to previously used architectures as depicted in Figure 1, a logically separated management user interface is provided as part of the self services, which allows users to configure project- and Grid-job-specific privacy policies. Furthermore, not only Grid-wide applicable policies must be exchanged between the involved organizations, but also the policies of those research projects whose users are spread among multiple organizations. The same policy distribution mechanisms are used for both use cases. However, it must be ensured that they provide metadata support to restrict a) to which organizations the policies are transferred and b) which other users may access and modify them.
The components used in the architecture usually have multi-tenancy capabilities, i.e., they can be used for an arbitrary number of other services, Grid projects, VO memberships, and users, without requiring additional instances. They also often provide code hooks for site-specific extensions, so additional workflows can be triggered, e.g., in the policy evaluation process. At each home site, the Grid-specific components also can be combined with other security and privacy measures that are deployed locally.
The expressiveness of the policy language used is, in general, sufficient to handle the additional Grid job policies and groups thereof, so no in-depth modifications of PDPs and PEPs or other Grid-specific technology adaptations are required. However, the syntactical basis for identifying and naming objects, often referred to as the policy namespace, must be extended as follows:
Instead of targeting a policy to a single SP, it must be possible to specify policies for arbitrary groups of organizations, up to a Grid environment such as a VO as a whole.
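The two requirements described above, policy targets that name groups of organizations up to a whole VO and distribution metadata that restricts recipient organizations and the users who may access or modify a policy, are sketched below as an added Python example; it is not code from the original text. The `sp:`/`org:`/`vo:` identifier syntax, the VO membership table, the intersection rule in `recipients`, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: which organizations belong to which VO.
VO_MEMBERS = {"vo:climate": {"org:uni-a", "org:uni-b", "org:lab-c"}}

@dataclass(frozen=True)
class Policy:
    policy_id: str
    targets: frozenset        # namespace identifiers the policy is written for
    distribute_to: frozenset  # metadata a): organizations allowed to receive it
    editors: frozenset        # metadata b): users allowed to read and modify it
    readers: frozenset = frozenset()  # metadata b): users allowed to read only

def org_of(sp):
    """Owning organization of an 'sp:<org>/<service>' identifier."""
    if not sp.startswith("sp:"):
        raise ValueError(f"not a service provider identifier: {sp!r}")
    return "org:" + sp[3:].split("/", 1)[0]

def expand(target, vo_members=VO_MEMBERS):
    """Resolve one target to the organizations it covers; unknown kinds fail closed."""
    if target.startswith("vo:"):
        return set(vo_members.get(target, ()))
    if target.startswith("org:"):
        return {target}
    if target.startswith("sp:"):
        return {org_of(target)}
    raise ValueError(f"unknown namespace prefix: {target!r}")

def applies_to(policy, sp):
    """True if the policy covers this SP directly or via an org/VO-wide target."""
    return any(t == sp if t.startswith("sp:") else org_of(sp) in expand(t)
               for t in policy.targets)

def recipients(policy):
    """Assumed rule: send only to orgs that are targeted AND permitted by metadata."""
    covered = set().union(*(expand(t) for t in policy.targets))
    return covered & policy.distribute_to

def may_access(policy, user, write=False):
    """Editors may read and modify; readers may only read; everyone else is denied."""
    return user in policy.editors or (not write and user in policy.readers)

# Constructed sample: a project policy targeted at a whole VO.
SAMPLE = Policy("project-policy-1", frozenset({"vo:climate"}),
                frozenset({"org:uni-a", "org:uni-b", "org:other"}),
                editors=frozenset({"alice@uni-a"}), readers=frozenset({"bob@uni-b"}))
```
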