draft-ggf-ogsa-sec-roadmap-01.doc

4.12.1. Grid Service Reference and Service Data Security

GWD-I (draft-ggf-ogsa-sec-roadmap-01) Revised 6/14/2018

4.12.1. Grid Service Reference and Service Data Security Policy Decoration Specification

This specification will describe how a requestor determines the information that is required to communicate securely with a service. This specification would define an XML-based format for these policies as well as a scheme for decorating the GSR and Service Data. This decoration of the service’s Grid Service Reference (GSR) and Service Data would allow policy to be conveyed to the potential requestors. The WS-Policy module of the WS Security Architecture promises to address many of our policy expression language requirements. We will work to influence and to make our specification conform to the upcoming WS-Policy standard.

4.13. Secure Service Operation

An incoming request received by a service provider may be subjected to a variety of policy checks as it is passed down through various levels of the service provider implementation, which may include hand off to independent “application” processes. In order to allow different levels to make their own policy decisions, all asserted identities and attributes should be passed through. The different policy checks applied by the service should be described, and exit points defined, such that a service can interoperate with externally defined services for certificate validation, attribute assertion, authorization policy evaluation, and secure logging. As noted above, the ability to interface to such services can facilitate integration with existing site authentication and authorization infrastructures.

Note that because an OGSA service interface comprises both operations and service data, OGSA policy enforcement mechanisms should also control access to service data. One can envision the need for fine-grained access control policy at the service data element level.

4.13.1. Secure Service’s Policy and Processing Specification

This specification defines the various policy checks that a service is expected to perform, and defines interfaces to specified external security services.

4.13.2. Service Data Access Control Specification

This specification defines both coarse- and fine-grained access control policy that should be enforced on Service Data accesses.

4.14. Audit and Secure Logging

Any implementation of OGSA will have all the requirements for auditing that are common to any distributed system. All sorts of information concerning authentication and authorization will need to be logged in a managed manner. The complete specification of an Audit Framework is probably outside of the scope of the GGF, but standardizing an audit service and audit management interface will greatly facilitate the overall management of secure logging.

4.14.1. OGSA Audit Service Specification

This specification defines an OGSA Audit Service that allows requestors to submit information for inclusion in secure logs.
An associated management interface would control policy on the logging – e.g. filters on what logs are actually stored, possible notification if certain logs are received, etc.