Secured middleground for user and service integration in in federated network monitoring

Abstract

[ACCESS RESTRICTED TO THE UNIVERSITY OF MISSOURI AT REQUEST OF AUTHOR.] Multi-domain network performance monitoring (NPM) systems based on active measurements are being widely deployed in high-performance computing and other communities that support large-scale data transfers. Security mechanisms to federated NPM services across multiple domains need to be designed carefully to allow easy sharing of data between the federation domains, yet should protect measurement resources and private data as per any domain-specific policies. Today's practice of the default "otally open" access model compromises the NPM security, and the conservative alternative of "strictly closed" access hinders the fundamental motivation for deploying multi-domain federated NPM systems. In this thesis, we conduct analytical investigations to design a middleground between the default settings for policy-driven access to address the emerging problems in securing a multi-domain NPM federation. Our approach considers both the role-based legacy access control as well as the attribute-based fine-grained access control techniques adopted within enterprises to achieve a secured middleground. Through a set of novel metrics, we determine the tradeoffs in choosing a particular middleground that is customized for the desired security requirements related to access control of diverse measurement functions. In addition, we describe our "OnTimeSecure" framework that can implement a chosen middleground using secure middleware protocols for "user-to-service" and "service-to-service" authentication, as well as federated authorization of entitlement policies in a multi-domain NPM federation.