Ivan Djordjevic

Policy-driven access control over a distributed firewall architecture

Motivated by a scientific application, where virtual organisations are dynamically created to achieve specific goals by sharing resources and information, we propose the synthesis of two lines of research: policy-based access control and distributed firewalls. Through this fusion we expect to deliver a scalable method of setting up security infrastructures for Grid computing infrastructures.

Contract performance assessment for secure and dynamic virtual collaborations

In this paper we sketch a framework supporting contract enactment within the context of virtual organisation units that are dynamically created in order to achieve a common objective by securely sharing resources, services and information. The framework is built on top of a joint extension of the policy deployment architecture for peer-to-peer communities (Dimitrakos et al., 2002) and the contract enactment capability (Milosevic et al., 2002) that enables monitoring, mediation, arbitration and enforcement of electronic contracts in multiple, simultaneous closed collaborations. A longer-term goal is to deliver a scalable method of setting up contract enforcement and contract performance management infrastructures for interorganisational information systems that allow the on-demand creation and dynamic evolution of secure virtual organizations based on the ad-hoc integration of systems across enterprise boundaries.

Towards Dynamic Security Perimeters for Virtual Collaborative Networks

Rapid technological advancements capitalising on the convergence of information (middleware) and communication (network) technologies now enable open application-to-application communication and bring about the prospect of ad hoc integration of systems across organisational boundaries to support collaborations that may last for a single transaction or evolve dynamically over a longer period. Architectures for managing networks of collaborating peers in such environments face new security and trust management challenges. In this paper we will introduce the basic elements of such an architecture emphasising trust establishment, secure collaboration, distributed monitoring and performance assessment issues.

Virtualised Trusted Computing Platform for Adaptive Security Enforcement of Web Services Interactions

Security enforcement framework is an important aspect of any distributed system. With new requirements imposed by SOA-based business models, adaptive security enforcement on the application level becomes even more important. Our work on the enforcement framework to date has resulted in a comprehensive middleware-based solution leveraging on Web services technologies. However, potential merits of hardware-based solutions to further secure application exposure have not been considered so far. This paper describes a method for combining software resource level security features offered by Web services technologies, with the hardware-based security mechanisms offered by trusted computing platform and system virtualisation approaches. In particular, we propose trust-based architecture for protecting the enforcement middleware deployed at the policy enforcement endpoints of Web and grid services. The main motivation is to additionally secure execution environment of the applications, by providing virtual machine level separation that maps from logical domains imposed by Web services level enforcement policies.

An architecture for dynamic security perimeters of virtual collaborative networks

The convergence of service and telecommunications technology is enabling new and more dynamic forms of virtual collaborations, where networked entities, be them (human) agents, applications, or service instances, share information and resources in order to achieve a common objective. Such collaborations are usually dynamic, often short in duration, and enacted by potentially large groups of collaborating peers which may join or leave the group as needed. They cut across organizational boundaries, therefore taking place on open networks (such as the Internet) and they may involve complex policies constraining possible interactions. This paper introduces a novel architecture that supports the dynamic formation and self-management of virtual collaboration networks understood as coordinated groups of peers which reside in different organisational domains. Our main goal is to allow the enforcement and management of dynamic security perimeters that contain and protect such virtual collaboration networks. This is achieved with the use of certificates to assist the policy distribution, and the multilayered mechanism for the distributed policy enforcement, residing at the each participating entity. The dynamic re-sizing of the security perimeters, and the communication within, is facilitated with the group management protocol that is both scalable and secure.

Secure web service federation management using tpm virtualisation

Web Services and SOA provide interoperability and architectural baseline for flexible and dynamic cross enterprise collaborations, where execution and use of the participating services contributes to the common objective. Relationships within these collaborations are complex, with services joining and leaving throughout the life cycle, or the same services being offered in several collaborations simultaneously. This provides strong requirements for federated security, where integrity and confidentiality of the collaboration must be maintained through membership control, security policy enforcement and separation of web service instance interactions in different collaborations. In this paper we propose a new Web Services (WS) framework for managing and controlling WS interactions in a federated environment, leveraging on platform virtualisation architecture and the functionalities provided by trusted secure hardware. The framework allows configuring policies that define collaboration membership, and enforce access to the collaboration per-WS instance. In addition, since the access to the configurations is restricted, it provides masterslave model where only authorised administrative entity can modify any of the above - either at the deployment or at the execution time. Some of the benefits of the proposed approach are: fine-grained external exposure of WSs, a flexible model for group membership control and revocation and hardware-enabled secure virtualised system providing functional process isolation and strong data security.

Architecture for secure work of dynamic distributed groups

The continuing exploitation of the Internet has witnessed the development of new working patterns including nomadic computing and the formation of extranets. These require the network infrastructure to provide not only secure transport, but also flexibility. Mobile IP version 6 goes some way to supporting this with IPSec support, auto-configuration and forwarding mechanisms. However, further functionality is required higher up the protocol stack to provide a practical secure group-working environment. The main objective of the presented architecture is to provide a new, distributed, secure working environment based on robust and efficient network mechanisms, allowing for dynamic collaboration groups without topological constraints. The security architecture is described and performance of the group management protocol analysed through simulation results.