Security in Widely Distributed Environments


Widely distributed systems and collaborative environments, such as

  • multi-user instruments at national facilities
  • widely distributed supercomputers and large-scale storage systems
  • data sharing in restricted collaborations
  • network-based multimedia collaboration channels

give rise to a range of requirements for distributed access control.

    In all of these scenarios, the resource (data, instrument, computational and storage capacity, communication channel) has multiple stakeholders (typically the intellectual principals and policy makers), and each stakeholder will impose use-conditions on the resource. All of the use-conditions must be met simultaneously in order to satisfy the requirements for access.

    Further, it is the norm that scientific collaboration tends to be diffuse, with the principals and stakeholders being geographically distributed, and multi-organizational. Therefore the security / access control mechanism must accommodate these circumstances.

    Goals

    The goal for security in such distributed environments is to reflect, in a computing and communication based working environment, the general principles that have been established in society for policy-based resource access control.

    Each involved entity -- principals and stakeholders -- should be able to make their assertions (as they do now by signing, e.g., a policy statement) without reference to a mediator, and especially without reference to a centralized mediator (e.g. a system administrator) who must act on their behalf. Only in this way will computer-based security systems achieve the decentralization needed for scalability in large distributed environments.

    The resource access control mechanisms should be able to collect all of the relevant assertions and make an unambiguous access decision without requiring entity-specific or resource-specific local, static configuration information that must be centrally administered. (This does not imply that such specific configuration is precluded, only that it should not be required.)

    Expected Benefits

    For security to be a successful part of the distributed environment -- providing both protection and policy enforcement -- each principal entity should have no more nor less involvement than they do in the currently established procedure that operates in the absence of computer security. That is, those who have the authority to set access conditions or use-conditions by, e.g., holographically signing statements in a paper environment, will digitally sign functionally equivalent statements in a distributed computer based environment. The functions of checking credentials, auditing, etc. are performed by appropriate entities in either circumstance.

    The expected advantage of computer-based systems is in maintaining access control policy, but with greatly increased independence from temporal and spatial factors (e.g. time zone differences and geographic separation), together with automation of redundant tasks such as credential checking and auditing.

    The intended outcome is that the scientific community will much more easily share expensive resources, unique systems, sensitive data, etc.

    A further expected benefit is that this sort of security infrastructure should provide the basis for automated brokering of resources, which precedes the construction of dynamically and just-in-time configured systems to support, e.g., scientific experiments with transient computing, communication, or storage requirements.

    An Authorization Based Distributed Security Architecture

    A security architecture that addresses the general goals noted above can be based on authorization and attribute certificates. These digitally signed documents can be checked for validity without the physical presence of the signer or physical possession of holographically signed originals. The result is that digitally signed documents provide assertions of the principals, stakeholders, attribute authorities, etc., that may be represented, used, and verified independent of time or location.

    The other parts of the model are implemented through the use of "authorities" that provide delegation mechanisms and assured information as digitally signed documents: identity authorities connect human entities to digital signatures, stakeholder authorities represent use-conditions, attribute authorities attest to subject (e.g., user) characteristics, etc. Additional components include reliable mechanisms for distributing and verifying the digitally signed documents, mechanisms that match requirements and attributes, and resource access control mechanisms that use the credentials to enforce policy for the specific resource.

    Security Architecture for Distributed Management of Fine-grained Web Object Access Control

    A prototype implementation (see /1/) addressing the problem of distributed management of access control to limited, valuable, or large-scale resources / data / objects -- e.g. large scientific instruments, distributed supercomputers, and sensitive but unclassified databases (e.g. Internet vulnerability and incident databases) -- is providing some experience with decentralized security environments. The prototype elements include:

    1) Fully distributed resource management and access: In our target environment, the resource users, resource owners, and other stakeholders are remote from the protected resource -- the norm in, among others, large-scale scientific instrument environments.

    2) Multiple stakeholders: All significant resources have many stakeholders, all of whom will provide their own use-conditions. These use-conditions are specified in the environment of the stakeholder and then provided to the resource access control mechanism.

    3) Attribute-based access policy: Users are permitted access based on their attributes that satisfy the owner and stakeholder use-conditions. These attributes are attested to by trusted third parties.

    The prototype provides for object / data / resource owners and other stakeholders to remotely exercise control over access to the resource; for legitimate users (those that satisfy the use-conditions of the resource stakeholders) to obtain easy access; and for unqualified / unauthorized users to be strongly denied access.
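The decision logic described in the Goals section and in the three prototype elements above, as an added example (not code from the prototype or from /1/): each stakeholder signs its own use-condition and an attribute authority signs attribute certificates, each in their own environment, and the resource access control grants only when every use-condition from a recognized stakeholder is matched by a valid certificate from a recognized attribute authority for that subject. It assumes Ed25519 signatures and a plain-text "attr=value" encoding of conditions and attributes; the stakeholder names, subject "alice" and attribute values are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Assertion is a digitally signed statement; Body is the exact text that was signed.
type Assertion struct {
	Body   string
	Signer ed25519.PublicKey
	Sig    []byte
}

// sign runs in the signer's own environment: no central mediator acts for them.
func sign(priv ed25519.PrivateKey, body string) Assertion {
	return Assertion{body, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, []byte(body))}
}

// valid: good signature from a key the resource recognizes for this role.
func valid(recognized map[string]bool, a Assertion) bool {
	return recognized[string(a.Signer)] && ed25519.Verify(a.Signer, []byte(a.Body), a.Sig)
}
// decide is the resource access control. It needs only the recognized stakeholder and
// attribute-authority keys, never per-user configuration, and grants only when every
// use-condition ("attr=value") is met by a valid attribute certificate ("subject attr=value").
func decide(stakeholders, attrAuths map[string]bool, subject string, conds, attrs []Assertion) bool {
	have := map[string]bool{}
	for _, a := range attrs {
		if valid(attrAuths, a) {
			have[a.Body] = true
		}
	}
	for _, c := range conds { // unverifiable or unmet condition: deny
		if !valid(stakeholders, c) || !have[subject+" "+c.Body] {
			return false
		}
	}
	return len(conds) > 0 // no conditions at all means misconfiguration: fail closed
}

func main() {
	_, instrument, _ := ed25519.GenerateKey(rand.Reader) // stakeholder: instrument owner (constructed)
	_, dataOwner, _ := ed25519.GenerateKey(rand.Reader)  // stakeholder: data owner (constructed)
	_, univ, _ := ed25519.GenerateKey(rand.Reader)       // attribute authority (constructed)
	conds := []Assertion{sign(instrument, "role=operator"), sign(dataOwner, "project=beamline-7")}
	attrs := []Assertion{sign(univ, "alice role=operator"), sign(univ, "alice project=beamline-7")}
	key := func(p ed25519.PrivateKey) string { return string(p.Public().(ed25519.PublicKey)) }
	fmt.Println(decide(map[string]bool{key(instrument): true, key(dataOwner): true}, map[string]bool{key(univ): true}, "alice", conds, attrs))
}
```

Note that a certificate signed by a key the resource does not recognize is simply ignored, so an attribute authority that has not been admitted as trusted cannot grant anyone access, while a missing or tampered certificate for any one stakeholder's condition denies the whole request.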

    In addition to the security and distributed enterprise functionality, the issue of security is as much (or more) a deployment and user-ergonomics issue as a technology issue. That is, the problem is as much one of working out how to integrate good security into the scientific environment so that it will be used, trusted to provide the protection that it claims, easily administered, and genuinely useful in the sense of "providing distributed enterprise capabilities" (that is, providing new functionality that supports distributed organizations and operation), as it is one of addressing the more traditional security issues.

    /1/ William Johnston and Case Larsen, "A Use-Condition Centered Approach to Authenticated Global Capabilities: Security Architectures for Large-Scale Distributed Collaboratory Environments", January 1997. Available at: http://www-itg.lbl.gov/security/publications.html

    /2/ "A Public Key Infrastructure for DOE Security Research", findings from the U.S. Department of Energy Joint Energy Research / Defense Programs Computing-related Security Research Requirements Workshop-II, Dec 11-13, 1996, Albuquerque, New Mexico. Available at: http://www-itg.lbl.gov/security
