150 likes | 220 Views
Approaching Fine-grain Access Control for Distributed Biomedical Databases within Virtual Environments Onur Kalyoncu, Yi Pan, Matthias Assel High Performance Computing Center – HLRS University Stuttgart assel@hlrs.de. Outline. The ViroLab Project Motivation Data Resource Protection
E N D
Approaching Fine-grain Access Control for Distributed Biomedical Databases within Virtual Environments Onur Kalyoncu, Yi Pan, Matthias Assel High Performance Computing Center – HLRS University Stuttgart assel@hlrs.de
Outline The ViroLab Project Motivation Data Resource Protection Towards Fine-grain Access Control Conclusions CGW 2008 Matthias Assel
The ViroLab Project • Funded by EC within the 6th Framework Programme in the • area of integrated biomedical information for better health • 11 partners from 8 different European • countries • 3 years project (2006-2009) • Experts from multiple disciplines • (Physicians, virologists, epidemiologists, • computer scientists) • Develop a “Virtual Laboratory” for • medical experts that allows clinical • studies, medical knowledge discovery, • and decision support for HIV drug • resistance CGW 2008 Matthias Assel
Motivation What we had… • Distributed teams/groups/researcher • Distributed resources providing heterogeneous data/information and capabilities • local applications and workflows CGW 2008 Matthias Assel
Motivation What we wanted and basically achieved… • Integration of users, data, workflows, applications, resources into one sophisticated, virtual environment • Interdisciplinary collaboration and research • Dynamic, on-demand and secure accessibility of resources and knowledge CGW 2008 Matthias Assel
ViroLab Virtual Laboratory CGW 2008 Matthias Assel
Data Resource Protection - Approach • Two-step authentication and authorisation procedure • Authentication based on Shibboleth -> Home organisations are responsible for users' identity management • Final authorisation decision up to the data resources’ owner • Access control handled with the aid of so-called access control policies being stored and evaluated by a dedicated component: Policy Decision Point (PDP) • Policies implemented using established policy description language: XACML • Attribute-based access control approach: The policies contain a set of rules specifying the required attributes (conditions) to become authorised for certain resources • User-friendly graphical interface for dynamically adding, updating or removing policies CGW 2008 Matthias Assel
<PolicySet> <Policy> <Target> <Subject> <Resource> <Action> <Rule> <Target> <Subject> <Resource> <Action> <Condition> Institution Resource-ID Resource-URL Data Resource Protection - Realisation Policy Structure Resource Identification CGW 2008 Matthias Assel
Data Resource Protection - Scenario CGW 2008 Matthias Assel
Data Resource Protection - Implementation CGW 2008 Matthias Assel
Towards Fine-grain Access Control • Enhancement of actual policy descriptions • Introduction of hierarchies CGW 2008 Matthias Assel
Towards Fine-grain Access Control • Mapping access rules onto database views • Why views? - supported by most of today’s relational DBMS - can be created and dropped dynamically and on-demand - useful to restrict someone’s access to a set of tables, columns, or rows • Two scenarios to implement the generation of views - during policy creation the view is generated under control of administrator does not reduce administrative tasks; the human factor - during policy evaluation the view is dynamically created according to specified rules more flexibility during creation and deletion scalability and performance issues • View creation achieved either via the DAS or directly on the local DBMS CGW 2008 Matthias Assel
Conclusions • Approach to realise fine-grain access control for relational databases does not support XML and object-oriented databases • Usage of existing standards and technologies • Creation of simple and highly detailed access control policies • One standard access control policy language (XACML) • Flexibility and dynamicity through VO approach and attribute-based access control • Fast and easy generation, change, and upload of policies through nice and user-friendly graphical interface • Future work - Implementation and testing of presented approach (XACML 2.0/3.0) - Encrypted policy management - Trust management CGW 2008 Matthias Assel
Where to find more information? http://www.virolab.org http://virolab.hlrs.de http://virolab.cyfronet.pl CGW 2008 Matthias Assel
Thank you for your attention. Any questions? CGW 2008 Matthias Assel