1 / 15

Outline

Approaching Fine-grain Access Control for Distributed Biomedical Databases within Virtual Environments Onur Kalyoncu, Yi Pan, Matthias Assel High Performance Computing Center – HLRS University Stuttgart assel@hlrs.de. Outline. The ViroLab Project Motivation Data Resource Protection

chinara
Download Presentation

Outline

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Approaching Fine-grain Access Control for Distributed Biomedical Databases within Virtual Environments Onur Kalyoncu, Yi Pan, Matthias Assel High Performance Computing Center – HLRS University Stuttgart assel@hlrs.de

  2. Outline The ViroLab Project Motivation Data Resource Protection Towards Fine-grain Access Control Conclusions CGW 2008 Matthias Assel

  3. The ViroLab Project • Funded by EC within the 6th Framework Programme in the • area of integrated biomedical information for better health • 11 partners from 8 different European • countries • 3 years project (2006-2009) • Experts from multiple disciplines • (Physicians, virologists, epidemiologists, • computer scientists) • Develop a “Virtual Laboratory” for • medical experts that allows clinical • studies, medical knowledge discovery, • and decision support for HIV drug • resistance CGW 2008 Matthias Assel

  4. Motivation What we had… • Distributed teams/groups/researcher • Distributed resources providing heterogeneous data/information and capabilities • local applications and workflows CGW 2008 Matthias Assel

  5. Motivation What we wanted and basically achieved… • Integration of users, data, workflows, applications, resources into one sophisticated, virtual environment • Interdisciplinary collaboration and research • Dynamic, on-demand and secure accessibility of resources and knowledge CGW 2008 Matthias Assel

  6. ViroLab Virtual Laboratory CGW 2008 Matthias Assel

  7. Data Resource Protection - Approach • Two-step authentication and authorisation procedure • Authentication based on Shibboleth -> Home organisations are responsible for users' identity management • Final authorisation decision up to the data resources’ owner • Access control handled with the aid of so-called access control policies being stored and evaluated by a dedicated component: Policy Decision Point (PDP) • Policies implemented using established policy description language: XACML • Attribute-based access control approach: The policies contain a set of rules specifying the required attributes (conditions) to become authorised for certain resources • User-friendly graphical interface for dynamically adding, updating or removing policies CGW 2008 Matthias Assel

  8. <PolicySet> <Policy> <Target> <Subject> <Resource> <Action> <Rule> <Target> <Subject> <Resource> <Action> <Condition> Institution Resource-ID Resource-URL Data Resource Protection - Realisation Policy Structure Resource Identification CGW 2008 Matthias Assel

  9. Data Resource Protection - Scenario CGW 2008 Matthias Assel

  10. Data Resource Protection - Implementation CGW 2008 Matthias Assel

  11. Towards Fine-grain Access Control • Enhancement of actual policy descriptions • Introduction of hierarchies CGW 2008 Matthias Assel

  12. Towards Fine-grain Access Control • Mapping access rules onto database views • Why views? - supported by most of today’s relational DBMS - can be created and dropped dynamically and on-demand - useful to restrict someone’s access to a set of tables, columns, or rows • Two scenarios to implement the generation of views - during policy creation the view is generated under control of administrator does not reduce administrative tasks; the human factor - during policy evaluation the view is dynamically created according to specified rules more flexibility during creation and deletion scalability and performance issues • View creation achieved either via the DAS or directly on the local DBMS CGW 2008 Matthias Assel

  13. Conclusions • Approach to realise fine-grain access control for relational databases does not support XML and object-oriented databases • Usage of existing standards and technologies • Creation of simple and highly detailed access control policies • One standard access control policy language (XACML) • Flexibility and dynamicity through VO approach and attribute-based access control • Fast and easy generation, change, and upload of policies through nice and user-friendly graphical interface • Future work - Implementation and testing of presented approach (XACML 2.0/3.0) - Encrypted policy management - Trust management CGW 2008 Matthias Assel

  14. Where to find more information? http://www.virolab.org http://virolab.hlrs.de http://virolab.cyfronet.pl CGW 2008 Matthias Assel

  15. Thank you for your attention. Any questions? CGW 2008 Matthias Assel

More Related