Félix J. García Clemente

Semantic-aware multi-tenancy authorization system for cloud architectures

Cloud computing is an emerging paradigm to offer on-demand IT services to customers. The access control to resources located in the cloud is one of the critical aspects to enable business to shift into the cloud. Some recent works provide access control models suitable for the cloud; however there are important shortages that need to be addressed in this field. This work presents a step forward in the state-of-the-art of access control for cloud computing. We describe a high expressive authorization model that enables the management of advanced features such as role-based access control (RBAC), hierarchical RBAC (hRBAC), conditional RBAC (cRBAC) and hierarchical objects (HO). The access control model takes advantage of the logic formalism provided by the Semantic Web technologies to describe both the underlying infrastructure and the authorization model, as well as the rules employed to protect the access to resources in the cloud. The access control model has been specially designed taking into account the multi-tenancy nature of this kind of environment. Moreover, a trust model that allows a fine-grained definition of what information is available for each particular tenant has been described. This enables the establishment of business alliances among cloud tenants resulting in federation and coalition agreements. The proposed model has been validated by means of a proof of concept implementation of the access control system for OpenStack with promising performance results.

POSITIF: A Policy-Based Security Management System

The POSITIF project - funded by the EU in FP6 - has developed a framework and tools to configure in a policy- based way the security services of networked systems and applications.

Editorial: Detection of semantic conflicts in ontology and rule-based information systems

Nowadays, managers of information systems use ontologies and rules as a powerful tool to express the desired behaviour for the system. However, the use of rules may lead to conflicting situations where the antecedent of two or more rules is fulfilled, but their consequent is indicating contradictory facts or actions. These conflicts can be categorised in two different groups, modality and semantic conflicts, depending on whether the inconsistency is owing to the rule language expressiveness or due to the nature of the actions. While there exist certain proposals to detect and solve modality conflicts, the problem becomes more complex with semantic ones. Additionally, current techniques to detect semantic conflicts are usually not considering the use of standard information models. This paper provides a taxonomy of semantic conflicts, analyses the main features of each of them and provides an OWL/SWRL modelling for certain realistic scenarios related with information systems. It also describes different conflict detection techniques that can be applied to semantic conflicts and their pros and cons. Finally, this paper provides a comparison of these techniques based on performance measurements taken in a realistic scenario and suggests a better approach. This approach is then used in other scenarios related with information systems and where different types of semantic conflicts may appear.

Semantic-based authorization architecture for Grid

There are a few issues that still need to be covered regarding security in the Grid area. One of them is authorization where there exist good solutions to define, manage and enforce authorization policies in Grid scenarios. However, these solutions usually do not provide Grid administrators with semantic-aware components closer to the particular Grid domain and easing different administration tasks such as conflict detection or resolution. This paper defines a proposal based on Semantic Web to define, manage and enforce security policies in a Grid scenario. These policies are defined by means of semantic-aware rules which help the administrator to create higher-level definitions with more expressiveness. These rules also permit performing added-value tasks such as conflict detection and resolution, which can be of interest in medium and large scale scenarios where different administrators define the authorization rules that should be followed before accessing a resource in the Grid. The proposed solution has been also tested providing some reasonable response times in the authorization decision process.

Towards semantic web-based management of security services

Policy-based management of distributed system has become a commonly accepted approach for such systems. However, there are a number of open technical issues that might put large-scale deployment of policy-based management techniques at risk. They include automated policy translation (i.e., refinement from abstract business goals to final configurations); development of integrated policy architectures for network, service and application management, and dynamic service creation; and methods for policy conflict detection and resolution. Regarding this last issue, there exist some relevant efforts in the security area, but they are still in the design phase and it is not clear how flexible and powerful they will become when they deal with different kinds of security-related policies and scenarios. This article provides the main ideas behind the semantically enriched specification of security policies and describes an automated process for doing conflict detection on these policies.

An XML-seamless policy based management framework

The great variety of policy representation forms currently existing (e.g., LDAP schemas, PIBs, MIBs, plain text, etc.) is leading to interoperability and manageability problems, mainly in inter-domain management environments, but also between the elements (i.e., PMTs, PDPs, and PEPs) dealing with and exchanging policies inside one particular management domain. The use of XML technologies provides a solution to this important limitation. This paper describes the seamless integration of XML technologies in a policy-based management framework. It includes a proposal for an XML-based management architecture, the definition of an XML PIB (Policy Information Base) and a new Java COPS (Common Open Policy Service) implementation supporting both XML-encoding and BER-encoding of the policy data exchanged between PDP servers and PEP clients. It also analyses the main techniques used to ensure the provision of security services to the management of policies.

Design of a recommender system based on users’ behavior and collaborative location and tracking

Abstract During the last years, mobile devices allow incorporating users’ location and movements into recommendations to potentially suggest most valuable information. In this context, this paper presents a hybrid recommender algorithm that combines users’ location and preferences and the content of the items located close to such users. This algorithm also includes a way of providing implicit ratings considering the users’ movements after receiving recommendations, aimed at measuring the users’ interest for the recommended items. Conducted experiments measure the effectiveness and the efficiency of our recommender algorithm, as well as the impact of implicit ratings.

Taxonomy of trust relationships in authorization domains for cloud computing

Cloud computing is revealing a new scenario where different cloud customers need to collaborate to meet client demands. The cloud stack must be able to support this situation by enabling collaborative agreements between cloud customers. However, these collaborations entail new security risks since participating entities should trust each other to share a set of resources. The management of trust relationships in the cloud is gaining importance as a key element to establish a secure environment where entities are given full control in the definition of which particular services or resources they are willing to share. Entities can cooperate at different levels of trust, according to their willingness of sharing information. This paper analyses these collaboration agreements defining a taxonomy of different levels of trust relationships among customers for the cloud. Privacy concerns, assumed risk, as well as easiness in the definition of the trust relationships have been taken into account. A set of different trust relationships have been identified and modeled, enabling entities to control the information they share with others in the cloud. The proposed model has been validated with a prototypical implementation. Likewise, some examples to illustrate the application of these trust models to common cloud collaboration scenarios are provided.Cloud computing is revealing a new scenario where different cloud customers need to collaborate to meet client demands. The cloud stack must be able to support this situation by enabling collaborative agreements between cloud customers. However, these collaborations entail new security risks since participating entities should trust each other to share a set of resources. The management of trust relationships in the cloud is gaining importance as a key element to establish a secure environment where entities are given full control in the definition of which particular services or resources they are willing to share. Entities can cooperate at different levels of trust, according to their willingness of sharing information. This paper analyses these collaboration agreements defining a taxonomy of different levels of trust relationships among customers for the cloud. Privacy concerns, assumed risk, as well as easiness in the definition of the trust relationships have been taken into account. A set of different trust relationships have been identified and modeled, enabling entities to control the information they share with others in the cloud. The proposed model has been validated with a prototypical implementation. Likewise, some examples to illustrate the application of these trust models to common cloud collaboration scenarios are provided.

Secure overlay networks for federated service provision and management

This paper presents the components and formal information model enabling the dynamic creation and management of secure overlay networks. Special attention will be paid to the solution provided to two important open issues: the definition of a certificate path building and validation algorithm (to ease the trust establishment and negotiation processes) and the definition and negotiation of SLAs in inter-domain secure overlay scenarios. Given a set of already existing domains with certain trust relationships, each overlay network allows the secure sharing of some (or all) of its services. For this, the administrator of each administrative domain will define using a formal information model which services he wants to share with any other domain, and which ones is he expecting from these other domains. Time and other networking conditions can also be indicated allowing secure overlay networks to be dynamically and automatically established and managed.

Deployment of a Policy-Based Management System for the Dynamic Provision of IPsec-Based VPNs in IPv6 Networks

Security is considered as a key service in IP networks. This is equally true for IPv4- and IPv6-based networks, and for them the IPsec protocol was defined to provide security at the network layer. IPsec can be used in different scenarios, being the VPN the most widely used. However, IPsec-based VPNs are experiencing important limitations mainly because they are usually based on information manually configured, and the integration with PKI-related services is still under definition and is far from being mature. This is especially true in IPv6 networks where IPsec is defined as a mandatory component to be implemented in all stacks and PKI services in these networks are just starting to be designed and deployed. This paper describes how IPsec-based VPNs can be dynamically deployed in an IPv6 network as the one designed in the Euro6IX EU IST project. Such dynamicity is provided using a new management paradigm based on security policies.