Abstract
For large distributed applications, security and performance are two requirements often difficult to satisfy together. Addressing them separately leads more often to fast systems with security holes, rather than secure systems with poor performance. For instance, caching data needed for security decisions can lead to security violations when the data changes faster than the cache can refresh it. Retrieving such fresh data without caching it impacts performance. In this paper, we analyze a subproblem: how to dynamically configure a distributed authorization system when both security and performance requirements change. We examine data caching, retrieval and correlation, and propose a runtime management tool that, with external input, finds and enacts the customizations that satisfy both security and performance needs. Preliminary results show it takes around two seconds to find customization solutions in a setting with over one thousand authorization components.
Chapter PDF
Similar content being viewed by others
References
Globus Alliance: Globus Toolkit 4 API (November 2010), http://www.globus.org/toolkit/docs/4.2/4.2.1/security/
Atluri, V., Gal, A.: An authorization model for temporal and derived data: securing information portals. ACM Trans. Inf. Syst. Secur. 5, 62–94 (2002)
Axiomatics: Axiomatics Policy Server 4.0 (November 2010), http://www.axiomatics.com/products/axiomatics-policy-server.html
Chadwick, D., Zhao, G., Otenko, S., Laborde, R., Su, L., Nguyen, T.A.: PERMIS: a modular authorization infrastructure. Concurr. Comput.: Pract. Exper. 20, 1341–1357 (2008)
Chadwick, D.W., Su, L., Laborde, R.: Coordinating access control in grid services. Concurrency and Computation: Practice and Experience 20(9), 1071–1094 (2008)
Colombo, M., Lazouski, A., Martinelli, F., Mori, P.: A Proposal on Enhancing XACML with Continuous Usage Control Features. In: Grids, P2P and Services Computing, pp. 133–146. Springer, US (2010)
Djordjevic, I., Dimitrakos, T.: A note on the anatomy of federation. BT Technology Journal 23, 89–106 (2005)
Dulay, N., Lupu, E., Sloman, M., Damianou, N.: A policy deployment model for the ponder language. In: 2001 IEEE/IFIP International Symposium on Integrated Network Management Proceedings, pp. 529–543 (2001)
Frisch, A.M., Peugniez, T.J., Doggett, A.J., Nightingale, P.W.: Solving non-boolean satisfiability problems with stochastic local search: A comparison of encodings. J. Autom. Reason. 35, 143–179 (2005)
Gebel, G., Peterson, G.: Authentication and TOCTOU (2011), http://analyzingidentity.com/2011/03/18/
Gheorghe, G., Neuhaus, S., Crispo, B.: xESB: An Enterprise Service Bus for Access and Usage Control Policy Enforcement. In: Nishigaki, M., Jøsang, A., Murayama, Y., Marsh, S. (eds.) IFIPTM 2010. IFIP AICT, vol. 321, pp. 63–78. Springer, Heidelberg (2010)
Goovaerts, T., Desmet, L., Joosen, W.: Scalable Authorization Middleware for Service Oriented Architectures. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 221–233. Springer, Heidelberg (2011)
IBM: IBM Tivoli Access Manager (November 2010), http://www-01.ibm.com/software/tivoli/products/access-mgr-e-bus/
Internet2MiddlewareInitiative/MACE: Shibboleth 2 (2011), https://wiki.shibboleth.net/confluence/display/SHIB2/Home
Ioannidis, S., Bellovin, S.M., Ioannidis, J., Keromytis, A.D., Anagnostakis, K.G., Smith, J.M.: Virtual private services: Coordinated policy enforcement for distributed applications. I. J. Network Security 4(1), 69–80 (2007)
Kassaei, F.: eBay Identity Assertion Framework (May 2010), http://www.slideshare.net/farhangkassaei/ebay-identity-assertion-framework-iaf
Kerner, S.M.: Inside Facebook’s Open Source Infrastructure (July 2010), http://www.developer.com/open/article.php/3894566/
Knuth, D.E.: The art of computer programming, vol. 2. Addison-Wesley Longman Publishing Co., Inc., Boston (1997)
Layer 7 Technologies: Policy Manager for XML Gateways (November 2010), http://www.layer7tech.com/products/policy-manager-for-xml-gatewaysl
Miller, R.: The Facebook Data Center FAQ (September 2010), http://www.datacenterknowledge.com/the-facebook-data-center-faq/
Mitre: Common Vulnerabilities and Exposures (2011), http://cve.mitre.org/
Shoup, R.: Scalability best practices - Lessons from eBay. InfoQ (May 2008), http://www.infoq.com/articles/ebay-scalability-best-practices
Shoup, R.: More Best Practices from Large Scale Websites - Lessons from eBay. Talk at QCon San Francisco (November 2010), http://qconsf.com/sf2010
Wei, D., Jiang, C.: Frontend Performance Engineering in Facebook. In: O’Reilly Velocity, Web Performance and Operations Conference (June 2009)
Wei, Q.: Towards Improving the Availability and Performance of Enterprise Authorization Systems. Ph.D. thesis, University of British Columbia (2009)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Gheorghe, G., Crispo, B., Carbone, R., Desmet, L., Joosen, W. (2011). Deploy, Adjust and Readjust: Supporting Dynamic Reconfiguration of Policy Enforcement. In: Kon, F., Kermarrec, AM. (eds) Middleware 2011. Middleware 2011. Lecture Notes in Computer Science, vol 7049. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25821-3_18
Download citation
DOI: https://doi.org/10.1007/978-3-642-25821-3_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25820-6
Online ISBN: 978-3-642-25821-3
eBook Packages: Computer ScienceComputer Science (R0)