Approaching Fine-grain Access Control for Distributed Biomedical

Databases within Virtual Environments

Onur Kalyoncu,Yi Pan,

Matthias Assel

High Performance Computing Center – HLRSUniversity Stuttgart

assel@hlrs.de

Outline

The ViroLab ProjectMotivationData Resource ProtectionTowards Fine-grain Access ControlConclusions

CGW 2008 Matthias Assel

The ViroLab Project

CGW 2008 Matthias Assel

• Funded by EC within the 6th Framework Programme in the area of integrated biomedical information for better health

• 11 partners from 8 different European countries

• 3 years project (2006-2009)• Experts from multiple disciplines

(Physicians, virologists, epidemiologists,computer scientists)

• Develop a “Virtual Laboratory” for medical experts that allows clinical studies, medical knowledge discovery, and decision support for HIV drug resistance

Motivation

What we had… • Distributed teams/groups/researcher• Distributed resources providing heterogeneous

data/information and capabilities• local applications and workflows

CGW 2008 Matthias Assel

What we wanted and basically achieved… • Integration of users, data, workflows, applications, resources into

one sophisticated, virtual environment• Interdisciplinary collaboration and research• Dynamic, on-demand and secure accessibility of resources and

knowledge

CGW 2008 Matthias Assel

Motivation

ViroLab Virtual Laboratory

CGW 2008 Matthias Assel

Data Resource Protection - Approach Two-step authentication and authorisation procedure Authentication based on Shibboleth

-> Home organisations are responsible for users' identity management

• Final authorisation decision up to the data resources’ owner• Access control handled with the aid of so-called access control

policies being stored and evaluated by a dedicated component: Policy Decision Point (PDP)

• Policies implemented using established policy description language: XACML

• Attribute-based access control approach:The policies contain a set of rules specifying the required attributes (conditions) to become authorised for certain resources

• User-friendly graphical interface for dynamically adding, updating or removing policies

CGW 2008 Matthias Assel

Data Resource Protection - Realisation

CGW 2008 Matthias Assel

Institution

Resource-URL

Resource-ID

Policy Structure Resource Identification

<Policy>

<Target>

<Subject> <Resource> <Action>

<Rule>

<Target>

<Subject> <Resource> <Action>

<Condition>

<PolicySet>

Data Resource Protection - Scenario

CGW 2008 Matthias Assel

Data Resource Protection - Implementation

CGW 2008 Matthias Assel

Towards Fine-grain Access Control

Enhancement of actual policy descriptions Introduction of hierarchies

CGW 2008 Matthias Assel

Towards Fine-grain Access Control Mapping access rules onto database views Why views?

- supported by most of today’s relational DBMS- can be created and dropped dynamically and on-demand- useful to restrict someone’s access to a set of tables, columns, or rows

Two scenarios to implement the generation of views- during policy creation the view is generated

under control of administratordoes not reduce administrative tasks; the human factor

- during policy evaluation the view is dynamically created according to specified rules

more flexibility during creation and deletion scalability and performance issues

View creation achieved either via the DAS or directly on the local DBMS

CGW 2008 Matthias Assel

Conclusions

• Approach to realise fine-grain access control for relational databases does not support XML and object-oriented databases

• Usage of existing standards and technologies• Creation of simple and highly detailed access control policies• One standard access control policy language (XACML)• Flexibility and dynamicity through VO approach and attribute-based

access control• Fast and easy generation, change, and upload of policies through

nice and user-friendly graphical interface• Future work

- Implementation and testing of presented approach (XACML 2.0/3.0)- Encrypted policy management- Trust management

CGW 2008 Matthias Assel

CGW 2008 Matthias Assel

Where to find more information?

http://www.virolab.org

http://virolab.hlrs.de http://virolab.cyfronet.pl

Thank you for your attention.

Any questions?

CGW 2008 Matthias Assel