Publication


Featured research published by Pietro Mazzoleni.


ACM Transactions on Information and System Security | 2008

XACML Policy Integration Algorithms

Pietro Mazzoleni; Bruno Crispo; Swaminathan Sivasubramanian; Elisa Bertino

XACML is the OASIS standard language specifically aimed at the specification of authorization policies. While XACML fits well with the security requirements of a single enterprise (even if large and composed of multiple departments), it does not address the requirements of virtual enterprises in which several autonomous subjects collaborate by sharing their resources to provide better services to customers. In this article we highlight such limitations, and we propose an XACML extension, the policy integration algorithms, to address them. In the article we also present the implementation of a system that makes use of the policy integration algorithms to securely replicate information in a P2P-like environment. In our solution, the data replication process considers the policies specified by both the owners of the data shared and the peers sharing data storage.


computer and communications security | 2001

A Chinese wall security model for decentralized workflow systems

Vijayalakshmi Atluri; Soon Ae Chun; Pietro Mazzoleni

Workflow systems are gaining importance as an infrastructure for automating inter-organizational interactions, such as those in Electronic Commerce. Execution of inter-organizational workflows may raise a number of security issues including those related to conflict-of-interest among competing organizations. Moreover, in such an environment, a centralized Workflow Management System is not desirable because: (i) it can be a performance bottleneck, and (ii) the systems are inherently distributed, heterogeneous and autonomous in nature. In this paper, we propose an approach to realize decentralized workflow execution, in which the workflow is divided into partitions called self-describing workflows, and handled by a light weight workflow management component, called workflow stub, located at each organizational agent. We argue that placing the task execution agents that belong to the same conflict-of-interest class in one self-describing workflow may lead to unfair, and in some cases, undesirable results, akin to being on the wrong side of the Chinese wall. We propose a Chinese wall security model for the decentralized workflow environment to resolve such problems, and a restrictive partitioning solution to enforce the proposed model.


symposium on access control models and technologies | 2006

XACML policy integration algorithms: not to be confused with XACML policy combination algorithms!

Pietro Mazzoleni; Elisa Bertino; Bruno Crispo; Swaminathan Sivasubramanian

XACML is the OASIS standard language for the specification of authorization and entitlement policies. However, while XACML addresses well the security requirements of a single enterprise (even if large and composed of multiple departments), it does not address the requirements of virtual enterprises built through collaboration of several autonomous subjects sharing their resources. In this paper we highlight such limitations and we propose an XACML extension, the policy integration algorithm, to address them. In the paper we also discuss in which respect the process of comparing two XACML policies differs from the process used to compare other business rules.


international conference on parallel and distributed systems | 2005

P-Hera: scalable fine-grained access control for P2P infrastructures

Bruno Crispo; Swaminathan Sivasubramanian; Pietro Mazzoleni; Elisa Bertino

In this paper, we present P-Hera, a peer-to-peer (P2P) infrastructure for scalable and secure content hosting. P-Hera allows the users and content owners to dynamically establish trust using fine-grained access control. In P-Hera, resource owners can specify fine-grained restrictions on who can access their resources and which user can access which part of data. We differentiate our work from traditional work on fine-grained access control for Web services, as our system, in addition to handling access constraints of the service provider (which is the case in Web services), also handles security constraints regarding actions performed on data: replication and modification. We believe this is of immense significance for a wide range of applications such as data grids, information grids and Web content delivery networks. In addition to presenting the overall system architecture, we also study the problem of evaluating these fine-grained access policies in depth and propose a novel means of organizing these policies that can result in faster evaluation. We demonstrate the effectiveness of our approach using a prototype implementation.


computer and communications security | 2004

Chinese wall security for decentralized workflow management systems

Vijayalakshmi Atluri; Soon Ae Chun; Pietro Mazzoleni

Workflow systems are gaining importance as an infrastructure for automating inter-organizational interactions, such as those in Electronic Commerce. In such an environment, a centralized Workflow Management System is not desirable because: (i) it can be a performance bottleneck, and (ii) the systems are inherently distributed, heterogeneous, and autonomous in nature. Decentralized execution of interorganizational workflows may raise a number of security issues including those related to conflict-of-interest among competing organizations. In this paper, we first provide an approach to realize decentralized workflow execution, in which the workflow is divided into partitions, called self-describing workflows, and handled by a light weight workflow management component, called workflow stub, located at each organizational agent. Second, we identify the limitations of the traditional workflow model with respect to expressing the various types of join dependencies and extend the traditional workflow model suitably. Distinguishing the different types of dependencies among tasks is essential in the efficient execution of self-describing workflows. Finally, we recognize that placing the task execution agents that belong to the same conflict-of-interest class in one self-describing workflow may lead to unfair, and in some cases, undesirable results, akin to being on the wrong side of the Chinese wall. Therefore, to address the conflict-of-interest issues that arise in competitive business environments, we propose a decentralized workflow Chinese wall security model. We propose a restrictive partitioning solution to enforce the proposed model.


Distributed and Parallel Databases | 2007

A decentralized execution model for inter-organizational workflows

Vijayalakshmi Atluri; Soon Ae Chun; Ravi Mukkamala; Pietro Mazzoleni

Workflow Management Systems (WFMS) are often used to support the automated execution of business processes. In today’s networked environment, it is not uncommon for organizations representing different business partners to collaborate for providing value-added services and products. As such, workflows representing the business processes in this loosely-coupled, dynamic and ad hoc coalition environment tend to span across the organizational boundaries. As a result, it is not viable to employ a single centralized WFMS to control the execution of the inter-organizational workflow due to limited scalability, availability and performance. To this end, in this paper, we present a decentralized workflow model, where inter-task dependencies are enforced without requiring to have a centralized WFMS. In our model, a workflow is divided into partitions called self-describing workflows, and handled by a light weight workflow management component, called the workflow stub, located at each organization. We present a performance study by considering different types of workflows with varying degrees of parallelism. Our performance results indicate that decentralized workflow management indeed enjoys significant gain in performance over its centralized counterpart in cases where there is less parallelism.


conference on multimedia modeling | 2005

Dissemination of Cultural Heritage Content through Virtual Reality and Multimedia Techniques: A Case Study

Stefano Valtolina; Stefano Franzoni; Pietro Mazzoleni; Elisa Bertino

This paper presents the case study of an interactive digital narrative and real-time visualization of an Italian theatre during the 19th century. This case study illustrates how to integrate the traditional concepts of cultural heritage with Virtual Reality (VR) technologies. In this way virtual reconstructions of cultural sites are lifted up to an exciting new edutainment level. Novel multimedia interaction devices and digital narrative representations, combined with historically and architecturally certified environments, offer users real-time immersive visualization in which to live experiences of the past. Starting from the studies of several projects strengthening the great benefits connected to the use of VR technologies in the cultural fields, the paper illustrates the motivations that have triggered a collaboration between the department of Computer Science [1] and the department of Performing Arts of the University of Milano [2] in order to develop this educational and entertaining system.


ieee international conference on services computing | 2005

Efficient integration of fine-grained access control in large-scale grid services

Pietro Mazzoleni; Bruno Crispo; Swaminathan Sivasubramanian; Elisa Bertino

In this paper, we present a scalable authorization service, based on the concept of fine-grained access control (FGAC), for large-scale grid infrastructures that span multiple independent domains. FGAC enables participating resource owners to specify fine-grained policies concerning which user can access their resources under which mode. We argue that such an authorization service must be integrated with the resource broker service to avoid scheduling requests onto resources which do not authorize the user request. For this reason, we develop a novel resource broker service that integrates access control with resource scheduling. In our system, both resource owners and users define their resource access and usage policies. The resource broker schedules a user request only within the set of resources whose policies match the user credentials (and vice-versa). Since this process of evaluating authorization policies of resources and user, in addition to checking the resource requirement, can be a potential bottleneck for a large scale grid, we also analyze the problem of efficient evaluation of FGAC policies. In this context, we present a novel method for policy organization and compare its performance with other strategies. Preliminary results show that the proposed method can significantly enhance performance.


Proceedings of the 6th international workshop on Software engineering and middleware | 2006

Service communities: applications and middleware

Stefan Tai; Nirmit Desai; Pietro Mazzoleni

Businesses increasingly provide and use services, applying formal (Web) services technology for the description, composition, and management of software as services. At the same time, social communities are emerging on the Web, applying less formal practices and Web 2.0 technology for the dissemination and aggregation of diverse content. In this paper, we are interested in the combination of these two trends in the form of service communities: social and business communities exchanging services. We discuss applications of service communities and introduce the concept of Service Clubs as a structuring mechanism for communities. Clubs have been specifically designed to support community-based, per-project interaction and composition of services.


international workshop on variable structure systems | 2004

Towards supporting fine-grained access control for Grid resources

Elisa Bertino; Pietro Mazzoleni; Bruno Crispo; Swaminathan Sivasubramanian

The heterogeneous nature and independent administration of geographically dispersed resources in a Grid demand the need for access control using fine-grained policies. In this paper, we investigate the problem of fine-grained access control in the context of resource allocation in the Grid, as we believe it is the first and key step in developing access control methods specifically tailored for Grid systems. To perform this access control, we design a security component (to be part of a meta-scheduler service) that finds the list of nodes where a user is authorized to run his/her jobs. The security component is designed in an effort to reduce the number of rules that need to be evaluated for each user request. We believe such a fine-grained policy-based access control would help the adoption of the Grid to a higher extent into new avenues such as desktop Grids, as the resource owners are given higher flexibility in controlling access to their resources. Similarly, Grid users get a higher flexibility in choosing the resources in which their jobs must execute.
