Approaching Fine-grain Access Control for Distributed Biomedical Databases within Virtual...
-
Upload
debra-charles -
Category
Documents
-
view
213 -
download
0
Transcript of Approaching Fine-grain Access Control for Distributed Biomedical Databases within Virtual...
Approaching Fine-grain Access Control for Distributed Biomedical
Databases within Virtual Environments
Onur Kalyoncu,Yi Pan,
Matthias Assel
High Performance Computing Center – HLRSUniversity Stuttgart
Outline
The ViroLab ProjectMotivationData Resource ProtectionTowards Fine-grain Access ControlConclusions
CGW 2008 Matthias Assel
The ViroLab Project
CGW 2008 Matthias Assel
• Funded by EC within the 6th Framework Programme in the area of integrated biomedical information for better health
• 11 partners from 8 different European countries
• 3 years project (2006-2009)• Experts from multiple disciplines
(Physicians, virologists, epidemiologists,computer scientists)
• Develop a “Virtual Laboratory” for medical experts that allows clinical studies, medical knowledge discovery, and decision support for HIV drug resistance
Motivation
What we had… • Distributed teams/groups/researcher• Distributed resources providing heterogeneous
data/information and capabilities• local applications and workflows
CGW 2008 Matthias Assel
What we wanted and basically achieved… • Integration of users, data, workflows, applications, resources into
one sophisticated, virtual environment• Interdisciplinary collaboration and research• Dynamic, on-demand and secure accessibility of resources and
knowledge
CGW 2008 Matthias Assel
Motivation
ViroLab Virtual Laboratory
CGW 2008 Matthias Assel
Data Resource Protection - Approach Two-step authentication and authorisation procedure Authentication based on Shibboleth
-> Home organisations are responsible for users' identity management
• Final authorisation decision up to the data resources’ owner• Access control handled with the aid of so-called access control
policies being stored and evaluated by a dedicated component: Policy Decision Point (PDP)
• Policies implemented using established policy description language: XACML
• Attribute-based access control approach:The policies contain a set of rules specifying the required attributes (conditions) to become authorised for certain resources
• User-friendly graphical interface for dynamically adding, updating or removing policies
CGW 2008 Matthias Assel
Data Resource Protection - Realisation
CGW 2008 Matthias Assel
Institution
Resource-URL
Resource-ID
Policy Structure Resource Identification
<Policy>
<Target>
<Subject> <Resource> <Action>
<Rule>
<Target>
<Subject> <Resource> <Action>
<Condition>
<PolicySet>
Data Resource Protection - Scenario
CGW 2008 Matthias Assel
Data Resource Protection - Implementation
CGW 2008 Matthias Assel
Towards Fine-grain Access Control
Enhancement of actual policy descriptions Introduction of hierarchies
CGW 2008 Matthias Assel
Towards Fine-grain Access Control Mapping access rules onto database views Why views?
- supported by most of today’s relational DBMS- can be created and dropped dynamically and on-demand- useful to restrict someone’s access to a set of tables, columns, or rows
Two scenarios to implement the generation of views- during policy creation the view is generated
under control of administratordoes not reduce administrative tasks; the human factor
- during policy evaluation the view is dynamically created according to specified rules
more flexibility during creation and deletion scalability and performance issues
View creation achieved either via the DAS or directly on the local DBMS
CGW 2008 Matthias Assel
Conclusions
• Approach to realise fine-grain access control for relational databases does not support XML and object-oriented databases
• Usage of existing standards and technologies• Creation of simple and highly detailed access control policies• One standard access control policy language (XACML)• Flexibility and dynamicity through VO approach and attribute-based
access control• Fast and easy generation, change, and upload of policies through
nice and user-friendly graphical interface• Future work
- Implementation and testing of presented approach (XACML 2.0/3.0)- Encrypted policy management- Trust management
CGW 2008 Matthias Assel
CGW 2008 Matthias Assel
Where to find more information?
http://www.virolab.org
http://virolab.hlrs.de http://virolab.cyfronet.pl
Thank you for your attention.
Any questions?
CGW 2008 Matthias Assel