Sticky Policy Based Open Source Security APIs for the Cloud

基于粘性策略的云开源安全 API

• 批准号: EP/J020354/1
• 负责人: David Chadwick
• 金额: $ 16.17万
• 依托单位: University of Kent
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2012
• 资助国家: 英国
• 起止时间: 2012 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FJ020354%2F1
• 关键词: Sticky; Policy; Based; Open; Source

The Internet and telephone are successful because they use open protocols and open interfaces, allowing users to communicate, innovate and share at will. We propose to facilitate this process in cloud computing, by developing a set of open security services, protocols and interfaces (APIs) that will allow cloud resource owners to be able to specify their policies for fine grained access control to their cloud resources, and have these enforced everywhere at all times, regardless of the subsequent location or data processing that has ensued. The ability to securely share data with anyone, anywhere, at any time, will facilitate spontaneous collaborations and ensure confidence in collaborative working. This will be achieved by using "sticky policies", delegation of authority, federated access and attribute based access controls. Sticky policies are policies which are cryptographically linked or "stuck" to the data and meta-data they control, so that access to the data is only granted if the policy is honoured. In order to cater for Internet scale cloud usage, federated access and attribute based access controls are needed. Federated access allows users to identify themselves to a cloud service using their existing credentials, without having to first obtain new ones from the cloud service itself. Attribute based access controls allows access to be specified based on a user's identity attributes rather than simply an identifier, which is typically used today. In order to achieve Internet scale in identifying users and data resources, an ontology is needed that will classify both the data and the users who wish to access it. The authorities who issue identity attributes will also need to be classified. The characteristics of any particular set of data will be held in meta-data that describes or identifies the data, and conforms to the ontology. The meta-data itself will be stuck to the data in a similar way to the sticky policy.When data is merged or fused with other data, or is split, filtered or reduced, then its meta-data will need to change accordingly, in order to describe the new data. Similarly the sticky policy that controls access to the new data will need to be derived from the original sticky policy(ies). This project will develop a new algebra and algorithms for deriving the new sticky policy from the old, using the ontology and meta-data as a guide. (Note that this project will not be performing the actual data merging or splitting, but simply assumes that trustworthy services are available to do this.)The protocols and APIs specified in this project will be standardised through an organisation already well versed in cloud APIs, such as the Open Grid Forum or OASIS.In order to ensure the widest take up of the services and APIs specified in this project, pilot implementations will be developed in Python and distributed as part of the OpenStack suite of software. OpenStack is a community project involving over 135 organisations, ranging from multi-nationals such as HP, Cisco and Intel, to specialist SMEs such as Cloudscaling. This project proposes to harness the energies of the OpenStack community by acting in a leading role to facilitate others in contributing to the development effort.

互联网和电话之所以成功，是因为它们使用开放协议和开放接口，允许用户随意交流、创新和分享。我们建议通过开发一组开放的安全服务，协议和接口（API）来促进云计算中的这一过程，这些服务，协议和接口（API）将允许云资源所有者能够指定其策略，以便对其云资源进行细粒度的访问控制，并随时随地执行这些策略，而不管随后的位置或数据处理如何。与任何人、任何地方、任何时间安全共享数据的能力将促进自发协作，并确保协作工作的信心。这将通过使用“粘性政策”、授权、联合访问和基于属性的访问控制来实现。粘性策略是以加密方式链接或“粘”到它们所控制的数据和元数据的策略，因此只有在遵守策略的情况下才授予对数据的访问。为了满足互联网规模的云使用，需要联合访问和基于属性的访问控制。联合访问允许用户使用其现有凭证向云服务标识自己，而不必首先从云服务本身获取新凭证。基于属性的访问控制允许基于用户的身份属性而不是简单地基于标识符来指定访问，这通常是当今使用的。为了在互联网范围内识别用户和数据资源，需要一个本体，对数据和希望访问数据的用户进行分类，还需要对发布身份属性的机构进行分类。任何特定数据集的特征都将保存在描述或标识数据的元数据中，并符合本体。元数据本身将以类似于粘性策略的方式被粘在数据上。当数据与其他数据合并或融合时，或者被拆分，过滤或缩减时，其元数据将需要相应地改变，以便描述新数据。类似地，控制对新数据的访问的粘性策略将需要从原始粘性策略导出。这个项目将开发一个新的代数和算法，用于从旧的粘性策略中导出新的粘性策略，使用本体和元数据作为指导。(Note该项目不会执行实际的数据合并或拆分，而只是假设有值得信赖的服务可用于执行此操作。）该项目中指定的协议和API将通过一个已经精通云API的组织进行标准化，例如开放网格论坛或OASIS。为了确保该项目中指定的服务和API得到最广泛的采用，将使用Python开发试点实现，并作为OpenStack软件套件的一部分分发。OpenStack是一个社区项目，涉及超过135个组织，从惠普、思科和英特尔等跨国公司到Cloudscaling等专业中小企业。该项目旨在通过发挥领导作用来利用OpenStack社区的能量，以促进其他人为开发工作做出贡献。

项目成果

Adding Federated Identity Management to OpenStack

向 OpenStack 添加联合身份管理

• DOI: 10.1007/s10723-013-9283-2
• 发表时间: 2013
• 期刊: Journal of Grid Computing
• 影响因子: 5.5
• 作者: Chadwick D