Abstract
E-Infrastructures can be used to support e-science and e-research, allowing collaborators from disparate organisations, often from different disciplines and using heterogeneous software and hardware, to work together on common research problems. This is typically achieved through the formation of targeted Virtual Organisations (VOs). Inter-organisational collaborations also bring security challenges that must be overcome. There has been much work on e-Research-oriented security at the middleware level, but far less on ensuring that this middleware-oriented security is not undermined by weaknesses in the underlying hardware and software (the fabric) on which it depends, e.g. the operating systems, network configurations and core software required to support e-Research solutions. To tackle this, an integrated security framework is needed that is cognisant of VO requirements on e-Research middleware-oriented security and incorporates targeted fabric-level security. In this paper we present an integrated architecture (ACVAS) that encompasses VO-specific fabric security, including configuration-aware security monitoring (patch status monitoring), vulnerability scanning and subsequent updating. We show how tool support can be used to pre-emptively identify and assess potential vulnerabilities in a VO before they are potentially exploited. We also outline how these vulnerabilities can be dynamically overcome to support the needs of the VO and its associated e-Infrastructure, improving overall VO security.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Muhammad, J., Doherty, T., Hussain, S., Sinnott, R. (2012). Policy-Based Vulnerability Assessment for Virtual Organisations. In: Xiang, Y., Lopez, J., Kuo, CC.J., Zhou, W. (eds) Cyberspace Safety and Security. CSS 2012. Lecture Notes in Computer Science, vol 7672. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35362-8_29
DOI: https://doi.org/10.1007/978-3-642-35362-8_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35361-1
Online ISBN: 978-3-642-35362-8