TY - GEN
T1 - Toward an on-demand restricted delegation mechanism for Grids
AU - Ahsant, Mehran
AU - Basney, Jim
AU - Mulmo, Olle
AU - Lee, Adam J.
AU - Johnsson, Lennart
PY - 2006
Y1 - 2006
AB - Grids are intended to enable cross-organizational interactions, which makes Grid security a challenging and non-trivial issue. In Grids, delegation is a key facility that can be used to authenticate and authorize requests on behalf of disconnected users. In current Grid systems there is a trade-off between flexibility and security in the context of delegation. Applications must choose between limited and full delegation: on one hand, delegating a restricted set of rights reduces exposure to attack but also limits the flexibility and dynamism of the application; on the other hand, delegating all rights provides maximum flexibility but increases exposure. In this paper, we propose an on-demand restricted delegation mechanism, aimed at addressing the shortcomings of current delegation mechanisms by providing restricted delegation in a flexible fashion as needed by Grid applications. This mechanism provides an ontology-based solution for tackling one of the most challenging issues in security systems, the principle of least privilege. It utilizes a callback mechanism, which allows on-demand provisioning of delegated credentials in addition to observing, screening, and auditing delegated rights at runtime. This mechanism supports generating delegation credentials with a very limited and well-defined range of capabilities or policies, where a delegator is able to grant a delegatee a set of restricted and limited rights, implicitly or explicitly.
UR - http://www.scopus.com/inward/record.url?scp=46149103695&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=46149103695&partnerID=8YFLogxK
U2 - 10.1109/ICGRID.2006.311010
DO - 10.1109/ICGRID.2006.311010
M3 - Conference contribution
AN - SCOPUS:46149103695
SN - 1424403448
SN - 9781424403448
T3 - Proceedings - IEEE/ACM International Workshop on Grid Computing
SP - 152
EP - 159
BT - Proceedings of the 7th IEEE/ACM International Conference on Grid Computing, GRID 2006
T2 - 7th IEEE/ACM International Conference on Grid Computing, GRID 2006
Y2 - 28 September 2006 through 29 September 2006
ER -
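The callback-based on-demand delegation described in the abstract, modelled as an added Python example; this is not the paper's code or the authors' implementation. Assumptions: the Grid proxy certificate is replaced by an HMAC-signed JSON credential over a key shared by the delegator and the resource, the ontology-based policy is reduced to a per-delegatee allowlist of rights, and the names Delegator, Delegatee, Resource and run_scenario are hypothetical. The delegatee starts with the minimum right it needs and calls back to the delegator only when a request exceeds its credential; every callback is screened against policy and written to an audit log, and a credential whose rights were edited after issuance is rejected by the resource.

```python
"""Toy model of on-demand restricted delegation with a callback (added example).

Not the paper's implementation. Proxy certificates are replaced by HMAC-signed
JSON credentials (assumption); the policy ontology is a per-delegatee allowlist.
"""
import hashlib
import hmac
import json
from typing import Optional


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so delegator and resource MAC the same bytes.
    return json.dumps(body, sort_keys=True).encode()


class Delegator:
    """Holds the user's full rights; decides on each callback what to delegate."""

    def __init__(self, key: bytes, policy: dict, ttl: float = 300.0):
        self._key = key
        self._policy = policy        # delegatee -> set of rights it may ever hold
        self._ttl = ttl
        self.audit: list = []        # every grant/deny decision, for later review

    def _sign(self, body: dict) -> dict:
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}

    def issue(self, delegatee: str, rights: set, now: float) -> dict:
        # Initial credential: only the rights explicitly asked for, short lifetime.
        return self._sign({"delegatee": delegatee, "rights": sorted(rights),
                           "exp": now + self._ttl})

    def callback(self, delegatee: str, cred: dict, right: str, now: float) -> Optional[dict]:
        """Delegatee asks for one extra right: screen against policy, audit, reissue."""
        granted = right in self._policy.get(delegatee, set())
        self.audit.append({"t": now, "delegatee": delegatee, "right": right,
                           "granted": granted})
        if not granted:
            return None
        return self.issue(delegatee, set(cred["body"]["rights"]) | {right}, now)


class Resource:
    """Verifies a presented credential before honouring a request."""

    def __init__(self, key: bytes):
        self._key = key

    def check(self, cred: dict, right: str, now: float) -> bool:
        body = cred["body"]
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cred["mac"]):
            return False             # tampered or forged credential
        return now < body["exp"] and right in body["rights"]


class Delegatee:
    """A job acting for a disconnected user; calls back only when its rights fall short."""

    def __init__(self, name: str, delegator: Delegator, resource: Resource, cred: dict):
        self.name, self.delegator, self.resource, self.cred = name, delegator, resource, cred

    def act(self, right: str, now: float) -> bool:
        if self.resource.check(self.cred, right, now):
            return True              # current credential already suffices
        new_cred = self.delegator.callback(self.name, self.cred, right, now)
        if new_cred is None:
            return False             # policy denied the escalation
        self.cred = new_cred
        return self.resource.check(self.cred, right, now)


def run_scenario():
    """Constructed scenario: a job reads, then needs write, then tries delete."""
    key = b"constructed-shared-key"  # sample key, constructed for this example
    policy = {"job-42": {"read:/data/input", "write:/data/output"}}
    delegator, resource = Delegator(key, policy), Resource(key)
    now = 1_000_000.0
    job = Delegatee("job-42", delegator, resource,
                    delegator.issue("job-42", {"read:/data/input"}, now))
    results = {"read": job.act("read:/data/input", now),
               "write": job.act("write:/data/output", now + 1),
               "delete": job.act("delete:/data/input", now + 2)}
    # A credential whose rights list was edited after signing must be rejected.
    forged = {"body": dict(job.cred["body"], rights=job.cred["body"]["rights"] + ["delete:/data/input"]),
              "mac": job.cred["mac"]}
    forged_ok = resource.check(forged, "delete:/data/input", now + 3)
    expired_ok = resource.check(job.cred, "read:/data/input", now + 10_000)
    return results, delegator.audit, sorted(job.cred["body"]["rights"]), forged_ok, expired_ok


if __name__ == "__main__":
    print(run_scenario())
```

The write request succeeds only after one audited callback, the delete request is denied and logged, and both the tampered and the expired credentials fail verification at the resource. Replacing the shared HMAC key with proxy-certificate signing is the change needed to map this onto a real Grid deployment.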