Interface Focus (2011) 1, 462–473
doi:10.1098/rsfs.2010.0026
Published online 30 March 2011
One contribution of 17 to a Theme Issue ‘The virtual physiological human’.
© 2011 The Royal Society

Audited credential delegation: a usable security solution for the virtual physiological human toolkit

Ali N. Haidar1, Stefan J. Zasada1, Peter V. Coveney1,*, Ali E. Abdallah2, Bruce Beckles3 and Mike A. S. Jones4

1 Centre for Computational Science, University College London, 20 Gordon Street, London WC1H 0AJ, UK
2 E-Security Group, London South Bank University, 103 Borough Road, London SE1 0AA, UK
3 University of Cambridge Computing Service, Pembroke Street, Cambridge CB2 3QH, UK
4 Research Computing Services, Devonshire House, Precinct Centre, The University of Manchester, Manchester M13 9PL, UK

*Author for correspondence ([email protected]).
Electronic supplementary material is available at http://dx.doi.org/10.1098/rsfs.2010.0026 or via http://rsfs.royalsocietypublishing.org.
Received 15 November 2010. Accepted 4 March 2011.

We present applications of audited credential delegation (ACD), a usable security solution for authentication, authorization and auditing in distributed virtual physiological human (VPH) project environments that removes the use of digital certificates from end-users’ experience. Current security solutions are based on public key infrastructure (PKI). While PKI offers strong security for VPH projects, it suffers from serious usability shortcomings in terms of end-user acquisition and management of credentials which deter scientists from exploiting distributed VPH environments. By contrast, ACD supports the use of local credentials. Currently, a local ACD username–password combination can be used to access grid-based resources while Shibboleth support is underway. Moreover, ACD provides seamless and secure access to shared patient data, tools and infrastructure, thus supporting the provision of personalized medicine for patients, scientists and clinicians participating in e-health projects from a local to the widest international scale.

Keywords: grid security; e-health security; information assurance; security wrappers

1. INTRODUCTION

Within the virtual physiological human (VPH) initiative (www.vph-noe.eu), grid infrastructure provides access to a wide range of computing resources distributed across multiple administrative domains. Scientists and clinicians need to use such resources to perform patient-specific modelling and simulation that draws on the medical characteristics of an individual patient. Decision-support systems based on patient-specific computer simulation hold the potential to revolutionize the way clinicians plan courses of treatment for patients [1]. This leads immediately to the question of how to address information security within the VPH initiative. As high profile security breaches and data loss are frequent headline news [2,3], a usable security solution is of critical importance for VPH projects. There are several pieces of legislation such as the UK Data Protection Act, the EU Data Protection Directive and the US Health Insurance Portability and Accountability Act (HIPAA) that make it a legal requirement for VPH partners to collect, hold and process patient data in a secure way [4]. Security is also needed to protect VPH projects from the consequences of unauthorized disclosure of medical information including negative publicity, legal liabilities and fines; and from unauthorized modification of patient data used in VPH project environments, which may lead to incorrect patient treatment and result in a loss of life or identity theft, itself currently creating considerable concern. Hence, authentication, authorization and auditing security mechanisms are key requirements for any VPH system using patient data to be compliant with information security standards and avoid legal liability.

Another major problem faced by end-users and administrators of grid-based VPH environments arises in connection with the usability of the security mechanisms deployed [5]. Many of the existing computational grid security infrastructures use public key infrastructure (PKI) and X.509 digital certificates as the means to provide authentication and authorization security goals. For instance, Globus (www.globus.org), UNICORE (www.unicore.eu), virtual organization membership service (VOMS) [6] and community authorization service [7] are all based on PKI [8]. However, it is well documented that such security solutions lack user friendliness [5,9] for both administrators and end-users, which is essential for the uptake of any VPH solution. The problems stem from the process of acquiring X.509 digital certificates, which can be a lengthy one including the generation of proxy certificates to get access to remote resources as part of the authentication process (see the electronic supplementary material, §1). As a result, many users engage in practices which substantially weaken the security of the environment, such as the sharing of the private key of a single personal certificate, to get on with their tasks.

End-users, such as scientists or clinicians who are not security experts, are concerned with the results of the analysis they perform on such grids rather than acquiring and using digital certificates [5]. Administrators are concerned with setting up virtual organizations (VOs) and administering security infrastructure in an efficient way. Resource providers are concerned with securing access to their shared resources, tracing users responsible for performing tasks on their resources, and avoiding the consequences of security breaches, including negative publicity and fines. Moreover, there is a need within the VPH initiative for a security solution that can be easily integrated with the tools provided by the VPH Toolkit [10]. These software tools have been developed by various partners and third parties using different programming languages to access and process patient medical data. Without such security, each set of VPH tools would need to have a ‘hard wired’ security extension in order to be compliant with data security standards. This also means that VPH users would have to maintain credentials for all these VPH tools, which would be difficult to manage and would probably deter clinical uptake of VPH approaches.

This paper describes the application of the audited credential delegation (ACD) [11,12] security solution to address authentication, authorization and auditing security goals within grid-related projects, including VPH and many other projects. We show how ACD satisfies security and usability. We demonstrate how ACD can be used to set up multiple VOs that have specific goals within the VPH initiative, to manage dynamic groups of users wishing to access various resources, and to provide VO administrators with tighter control of users’ actions as well as identity management. ACD is more than simply a security layer. Existing solutions such as MyProxy, Shibboleth and SARoNGS only provide credential repositories to store short-lived X.509 certificates (MyProxy), web-based single sign-on (Shibboleth), and web portals to access grid resources using a combination of Shibboleth and VOMS (SARoNGS) [9,13]. None of these solutions provides a holistic VO-controlled security solution in the way ACD does.

We have successfully integrated ACD with the functionality of the application hosting environment (AHE) [14], lightweight grid middleware that allows the user to run applications on the grid, to construct a VO with tight security controls on identities and actions while providing a set of services allowing users to interact with grid resources without requiring specific knowledge of the details of each resource they wish to use. In addition, we have integrated authentication, authorization and basic auditing of ACD with the Individualized MEdiciNe Simulation Environment (IMENSE) [15], developed within the ContraCancrum Project (www.contracancrum.eu), to provide secure access to clinical data and tools. The functionality used in the environment includes the performance of imaging data annotation and analysis, the running of simulations and composite tasks (workflows) of considerable complexity on remote grid resources using patient data. The integration of IMENSE with ACD provides assurance about the confidentiality and integrity of patient data because only authorized scientists and clinicians are able to view and modify patients’ clinical records as well as having easy and controlled access to remote grid resources using familiar authentication mechanisms.

The paper is organized as follows. Section 2 gives a brief overview of the current security challenges encountered within VPH, namely enabling scientists to access grid infrastructures and providing secure access to shared patient data. Section 3 provides a brief overview of common VPH projects’ security requirements. Section 4 presents a description of ACD. Sections 5 and 6 describe two case studies which demonstrate how ACD can be integrated with VPH environments to enable secure and usable access to patient data and grid infrastructures. Section 7 discusses related work, while §8 contains a discussion and conclusions.

2. OVERVIEW OF CURRENT SECURITY ISSUES WITHIN VIRTUAL PHYSIOLOGICAL HUMAN

This section describes two major security issues encountered in VPH environments. The first concerns the complexity of current mechanisms for accessing grid resources; the second addresses secure access to shared patient data for VPH collaborators.

2.1. Access to grid resources

To illustrate the complexity of current mechanisms for accessing grid resources, such as those provided by the UK National Grid Service (NGS) (www.ngs.ac.uk), US TeraGrid (www.teragrid.org) and EU DEISA (www.deisa.eu), we briefly describe the current steps needed by a scientist prior to running any application on a grid. For more details, the reader is referred to Haidar et al. [16] and the electronic supplementary material. The first step is to acquire a digital certificate. There are three processes involved in this step, each of which has a mean duration of one working day. The certificate authority (CA) informs the registration authority (RA) that a user has applied for a certificate (1 day). The RA contacts the user and arranges a face-to-face visit (1 day); the CA then issues the certificate (1 day). The average scenario takes about three days, which is too long. In the second step, the user is required to get authorization to access the resources offered by the resource provider. From our experience, this step takes between 3 working days and two weeks but only needs to be performed once. In the final step, end-users have to configure their chosen client applications themselves, including the Globus toolkit, the UNICORE Client and the AHE client which are used to access the grid with a certificate. The resource providers patently cannot do this because they have no control over or access to the end-users’ machines. An exception would be where the user invokes a web portal. All in all, the above steps amount to a lengthy and complicated process which certainly deters many potential VPH users from exploiting the enormous power locked up within grid resources.

2.2. Secure access to shared patient data

Currently, scientists working within VPH projects collect pseudonymized or anonymized patient data from hospitals (this may include patient records, histopathological and molecular data, magnetic resonance imaging, X-ray computed tomography and positron emission tomography imaging data) and upload them to their VPH environments. These data can be stored in a centralized data warehouse or distributed across several administrative domains. When the data reside within an environment managed by a VPH research group, it is by no means clear what security measures are taken to protect these data. Recent studies [5,17] have shown that many VPH and other e-Science projects do not have adequate security solutions in place to protect patient data. Although patient data are anonymized or pseudonymized by the providing hospital, they can still conceivably be identified in various cases. For example, genetic sequence data taken from a person at an interview, whose identity is therefore known, could be compared with anonymized data stored in a database; if a match were found that person’s medical status would then be revealed. An incident reported in 2008 [18], where a nurse’s medical status was revealed publicly in an unauthorized way by a colleague in the hospital where she worked, illustrates the impact of such breaches of confidentiality. The nurse’s medical history showed that she had been treated for HIV. The revelation resulted in her contract not being renewed by the hospital and her colleagues at work knowing about her disease. The hospital was ordered to pay the nurse €14,000 in damages and €20,000 in costs. Therefore, there is a very obvious need for a secure solution that enables VO-controlled access to patient data within VPH projects to ensure patient confidentiality and integrity, along with secure and seamless access to remote grid resources for processing such data.

3. COMMON SECURITY REQUIREMENTS IN A VIRTUAL PHYSIOLOGICAL HUMAN ENVIRONMENT

In order to design a usable solution to access grid resources and patient data within VPH projects, it is fundamental to understand all the stakeholders’ requirements. The stakeholders in VPH environments include patients, scientists, clinical researchers and clinical practitioners, system administrators, universities, and grid resources providers. Scientists and clinicians need to:

— run scientific tasks on grid resources and get the correct results of running these tasks as if they are accessing local resources;
— query patient data and access data analysis tools;
— invoke familiar and usable security mechanisms to perform their tasks; these must not be a barrier to their progress, and so must be seamlessly integrated with their desired ways of working.

System administrators require a mechanism for setting up VOs and administering the VPH security environment in a clear and easy fashion. This requires understanding of:

— how a scientist from a VPH project becomes a VPH user with access to grid resources;
— how to authenticate VPH users to resource providers; and whether VPH users can use their local credentials (preferably the same ones they use in their own organization) to access grid resources or need to acquire new ones;
— how to determine whether a person within a VPH project is authorized to perform a task on a grid resource;
— who decides what the access rights of a VPH scientist are;
— how to identify those people from VPH environments responsible for performing tasks on grid resources using patient data.

Resource providers, in particular the hospitals providing patient data together with grid resource owners, are concerned with securing access to their resources. This involves identifying who is requesting access to their resources (authentication), checking if a user is allowed to run tasks on their resources (authorization) and tracking users responsible for running named tasks on their resources (auditing) in case of misuse (e.g. security breaches, usage of CPU allocations for billing purposes). All these measures are needed to give resource providers assurance that their assets are adequately protected and to ensure that the resource providers avoid the consequences of the misuse of their valuable resources by unauthorized users.

4. AUDITED CREDENTIAL DELEGATION

4.1. Overview

The design of ACD is based on the concept of ‘wrappers’. A wrapper is a connector between a component and the outside world. It enables controlled access to the functionalities of a component. For instance, figure 1 shows the ACD security wrapper made of authentication, authorization and auditing components surrounding the functionalities of an environment represented by the tasks (Task1, ..., Taskn) that can be performed on the system. Any request by a user to perform a task is intercepted by each layer of the security wrapper to establish the identity of the requester, to check whether or not the user is allowed to perform the task, to record the results of these checks in the audit log, then to perform the task on the system and, finally, to return results to the user.

[Figure 1 diagram: the auditing service (audit log recording who accessed what, when, from where, and the outcome), the authentication service (checks username credentials against the authentication server; success or failure) and the authorization service (access monitor checks if the task is permitted for the username; grant or deny) surround the VPH system functionalities (Task 1 ... Task n: workflows, simulations, imaging tools, patient records) which in turn use grid resources (DEISA, NGS, TeraGrid); results are returned from the functional system.]
Figure 1. The ACD security wrapper comprises auditing, authentication and authorization wrappers. Any request to perform a task within a VPH environment has to pass successfully through all wrappers before it can be executed, otherwise the request fails.

This model fits well with many VPH environments that encapsulate tools from the VPH Toolkit [10] as we will show in §§5 and 6. These tools are usually specified as ‘black boxes’ so that scientists can use them to access patient data without knowing their internal details. The interface of the tool is the only information available to the designer about how it will be connected with its environment. These tools have to be customized in some way to match the global requirements of the VPH environment described in §3, such as the need for extra security features or blocking unneeded functionality provided by a tool. By placing VPH tools within a security wrapper such as ACD, all the requests coming to and/or replies from the wrapped tools are passed through the authentication, authorization and auditing wrappers. These security wrappers hide the details of the interface of the tool from external clients and act as an interface between its caller and the wrapped tool. The interface of the wrapped tool is different from the interface of the security wrapper. The wrapper’s interface will include the names of the tasks provided by the wrapped component in addition to the tasks provided by the security wrapper. The security wrappers will define how a call to perform a task offered by the wrapped component will be processed. In this way, ACD controls who can access the specific functionality provided by a VPH tool, determines whether the user is allowed to access the functionality and traces users who have invoked this functionality. Without such wrappers, the interface of a tool is accessed directly without any protection.

ACD provides much of the functionality required for secure cloud computing [19], a business model of grid computing that provides access to various resources such as CPU, memory and storage (known as infrastructure services) and applications. However, it is not designed to be a cloud computing security solution. Amazon’s Elastic Compute Cloud (EC2) and Google App Engine are examples of such clouds [20]. There are many security issues in cloud computing that are yet to be resolved concerned with data storage, compliance of the cloud system with legislation (DPA, HIPAA) and information assurance [19,20]. The main difference between clouds and VOs used in ACD is that the VO has full control of where data are stored and the processes that access these data, whereas in a cloud environment the service and data maintenance are provided by third party vendors, potentially leaving the client ignorant of where the processes are running or even where the data reside. The location of data storage is very important so that applicable laws and regulations governing the data are identified [4]. Only recently, Amazon and Microsoft started offering data storage guaranteed to be in Europe to address the legal aspect. Users of cloud services have to trust the provider as to where and how the data are protected and the adequacy of the security controls in place, both critical issues for VPH projects.

The design of ACD has been focused around several objectives. First and foremost is the requirement to provide secure yet facile access to grid resources and to ensure the confidentiality and integrity of patient data used in a research environment. There is a need for a solution that can be easily extended, because new tools are developed during the lifetime of VPH projects as well as acquired from third parties; these also need to be exposed to end-users in a secure way. Keeping this in mind, ACD has been designed around Web services, providing interfaces compliant with Web services standards such as web service description language, SOAP, WS-Policy and WS-Security [21]. This enables integration of new VPH tools written in programming languages that have Web services libraries with ACD. In addition, ACD has been developed by adopting best practice software engineering principles that enable it to evolve as new functionalities are needed or changes in security policies are required, without the need to rewrite the whole solution from scratch or perform major modifications. Besides secure access to patient data, ACD enables VPH scientists to seamlessly access grid resources using various authentication mechanisms such as a local ACD username–password, or Shibboleth credentials, both of which are considered easier than acquiring and managing digital certificates, in order to run pre-installed applications on AHE, such as complex workflows and simulations that support patient-specific treatments. By providing support for Shibboleth, a large class of end-users who belong to institutions subscribed to Shibboleth services (e.g. academic institutions) will be able to invoke their local institutional credentials rather than acquiring a VO specific username–password. Within VPH, the correct execution of ACD functionalities to ensure integrity and confidentiality of patient data is extremely important. Hence, at the outset of its design, ACD was subjected to a rigorous modelling activity based on formal methods to ensure that the security requirements were fully met [12].

Another critical aspect addressed during the design of ACD is usability. ACD eliminates the steps performed by end-users listed in §2.1 which are now done only once by an expert-user (the VO administrator). It is important to emphasize that the time consuming steps described in §2a cannot be completely eliminated because of the need to interoperate with grid resource providers’ systems. What we have improved is that if there are say 10 scientists in a group, only one person (the expert user) has to go through the steps whereas the others will enjoy genuinely seamless access thereafter. Hiding complexity from end-users whenever possible is a fundamental usability principle. We do not claim that there are no usability problems with passwords but the usability issues associated with digital certificates are substantially worse. A digital certificate used to access grid resources is supposed to be protected by a passphrase (i.e. a password), so with digital certificates we still have all the usability problems associated with passwords as well. We have recently completed a comprehensive usability study [22] that involved comparing several middleware products for accessing grid environments. These include the AHE middleware, introduced in §1 and described in detail in §5.1, which comes with graphical user and command line interfaces for accessing grid resources, a combination of AHE with ACD, as well as UNICORE and Globus. There were 40 participants drawn from different departments and faculties at UCL including Physics, Chemistry, Computer Science, the Medical School, the Business School, the Cancer Institute and the Law School. Each participant was asked to run a simulation on a grid (NGS) using the different middleware to configure the security of their client tools and use the credentials given to them (username/password, X.509 certificate). The results unambiguously show that the combination of AHE and ACD scored higher than all other tools regarding the time needed to run a task, the ease of configuring the security of the tools, and the ease of running the overall task.

4.2. Overview of ACD architecture

ACD has four components:

— A local authentication service (LAS): one of the main objectives of ACD is to remove digital certificates from the end-users’ experience. The current implementation supports a username–password database specifically for ACD. To be authenticated, a user has to provide a username–password pair that matches an entry in the database. To avoid known vulnerabilities in usernames and passwords we adopted OWASP best security practices [23] such as storing passwords in an encrypted form, rejecting weak passwords chosen by users, forcing the password length to a minimum of eight characters including special characters, and changing the password on a regular basis. This way, if the database is compromised, the attacker will not get hold of any password. There is currently work in progress to support Shibboleth in ACD to give users more options to choose from. Shibboleth is currently used by many universities in the UK and EU to allow students and researchers to access online publishers’ resources by invoking their local university username–password credentials. This way they will not need to use a specific ACD username–password for the VO. However, the support of Shibboleth will have an impact on ACD availability since it is dependent on the availability of the external authentication services provided. Without successful authentication, it is not possible to determine the role of the user in any given VPH project and, as a result, all requests to perform tasks will be denied.

— An authorization component: this component controls all actions performed in the VO. It uses the parameterized role-based access control (PRBAC) model in which permissions are assigned to roles [24] as shown in figure 2 (Role → [Task]). The VO policy designer associates each user in the VO with the role that best describes his/her job functions (UserID → [Role]). The policy is defined at the VO set-up because it depends on the VO functionalities. The tasks (permissions) assigned to roles are drawn from the VO functionality. Sections 5 and 6 show how this is done. There are administrative tasks common to all VOs, such as ‘create role’, ‘assign a VO user to one or more roles’, ‘assign tasks to roles’ and so on. This component is usually configured during the VO set-up by the VO administrator. In traditional role-based access control, two users that perform similar roles in the VO must have identical permissions. Sometimes this is not desirable. For instance, when two scientists submit two jobs to a grid resource, each scientist should be able to privately monitor, terminate or view the result of his/her own job submission. Thus the PRBAC model is flexible and permits fine-grained access control. It is important to emphasize that the decision to permit a user to perform a task on a grid resource is determined by the resource provider who has the final authority. The VO authorization component only manages the permissions (i.e. the allowed tasks) given by the resource owner to the VO which controls the use of these permissions within the VO (authorization delegation).

[Figure 2 diagram: the credential repository (create VO; add/remove VO user; assign VO certificate; credential translation; relations ProjectName → Certificate, ProjectName → UserID, Certificate → Key, Proxy → Key, Proxy → UserID), the authentication server (verify user identity against a local database, Kerberos or Shibboleth), the parametrized role based access control component (create role; assign user to role; assign permissions to role; relations userrole: UserID → [Role], rolepermission: Role → [Task]) and the audit log (search; fields Username | TaskName | Granted/Denied | Time | Source).]
Figure 2. The main components of ACD include a credential repository for creating VOs and translating users’ credentials to proxies to access grid resources (ProjectName refers to the VO name); an authorization component for defining VPH users’ roles within a VO and the permissions associated with those roles; an authentication service; and audit components for tracing users responsible for running a given task.

— A credential repository: this component is responsible for managing the delegation of identity from the user to ACD via a proxy certificate. It stores the certificates acquired by the VO administrator through the steps in §2.1 and their corresponding private keys in order to communicate with the grid (Certificate → Key). The relation ProjectName → UserID enables the creation and management of VO membership. In order to allow the members of a named VO access to grid resources, the VO is assigned a digital certificate (ProjectName → Certificate) which is used behind the scenes to authenticate requests issued by the VO at the resource provider site. The component also maintains a list of issued proxy certificates (delegated identities), their corresponding private keys (Proxy → Key) and the association between users and proxies (Proxy → UserID) in order to trace which proxy was used by which user. These proxies enable users’ requests to be authenticated at remote grid resources (known as identity federation) on behalf of the users. At the grid resource owner’s end, all requests to access grid resources appear as coming from the named VO, not individual users. Two users who submitted jobs on the same grid resource site will have different proxies issued by the same VO certificate. The resource provider will not be able to tell which individual used this proxy to run an application on its resources but ACD can provide this information. The grid resource owner provides the VO administrator with the proxy’s public key. From the relation (Proxy → UserID) the VO administrator can tell which person used this proxy and take any appropriate action.

— An auditing component: this component records all actions within the VO including authorized and unauthorized requests to perform tasks within the VO, the username that requested them, the number of login attempts and login times. This allows the VO management to identify those ACD users responsible for having performed any tasks in a VPH environment.

The main features of this architecture are the identity delegation and authorization delegation which are handled by a trusted entity, the VO, to make access to remote grid resources easier and to provide finer access control decisions within the VO. Since end-users sometimes share certificates to get access to shared resources, ACD is just an organized way of doing so, thereby mitigating and controlling the risks associated.

5. INTEGRATION WITH THE APPLICATION HOSTING ENVIRONMENT

This section describes how ACD is integrated with the AHE to enable construction of VOs that enable scientists to run pre-configured applications on remote grid resources using ACD username–password credentials.

5.1. Overview of application hosting environment

The AHE [14,25] is a lightweight mechanism for exposing scientific applications (i.e. workflows and complex simulations) as Web services, and allowing users to interact with those applications using simple client tools (AHE client). AHE enables the launching of pre-existing scientific applications installed by an expert user on a variety of different computational resources, from national and international grids of supercomputers, through institutional and departmental clusters, to single processor desktop machines [26]. The end user is presented with a choice of very lightweight clients, specifically designed to obviate the need to deal with Globus and UNICORE middleware for job management, allowing the user to submit, monitor and download application results, as well as to terminate applications as they run.

5.2. AHE with ACD: usable and secure access to grid resources

The current security model for AHE requires each individual VPH user to have a digital certificate, which carries with it the need to go through the steps described in §2.1. In order to remove the need for such a certificate, we have integrated ACD with AHE. The first step of the integration requires understanding the interface of AHE and ACD combined, in other words, the functional and administrative tasks that can be performed within the integrated system. The administrative tasks offered by ACD include create VO, assign certificate to VO, add user to VO, reset new user account which generates a username and a random password that are given to the user. The VO administrator assigns the user to the ‘scientist’ role described above and assigns the user to a VO that has access to NGS resources (figure 3). When a user logs in for the first time to the AHE + ACD client application, he is prompted to change his password. The communications between the AHE + ACD client and the wrapped AHE server, as well as between the latter and the grid resources, are protected by the SSL security protocol.

In order to submit a job to a grid resource, the user invokes a request to perform the ‘submit job’ task within the combined AHE + ACD client as shown in figure 3 (1). This request is intercepted by the ACD authentication component which checks whether the username and password match an entry in the database. The result of the authentication is recorded in the auditing component (2). The role of the user is picked up from the authorization component, UserID → [Role], in this case ‘scientist’. The authorization checks whether the task ‘submit job’ is permitted for the ‘scientist’ role held by the user, which is true (3). The result of the access control check is recorded in the audit log (4), and the operation ‘submit job’ is invoked from the AHE server (5).
Once the request is user password, create role, assign tasks to roles, and granted, ACD picks the certificate associated with the assign users to roles. The functional tasks offered by VO the user wants to use (i.e. NGS) and checks whether AHE include prepare job, submit job, monitor job, down- the user is assigned to this VO. If the check is success- load and terminate job. Note that AHE’s functional tasks ful, then ACD generates a proxy certificate from the are the same as the tasks permitted for any authorized VO-assigned certificate, ProjectName ! Certificate user on a grid resource site that uses Globus or UNICORE (6), uploads it to the MyProxy server (7) and records middleware such as in NGS, DEISA and TeraGrid. the issued proxies, Proxy ! UserID (credential del- Therefore, the permission assignment to the VO is done egation occurs here), in the credential repository. by the grid resource owner first, then the VO administra- ACD sends the randomly generated username/pass- tor re-assigns these permissions to the roles in the VO word pair needed to access MyProxy to the AHE according to the VO authorization requirements. server to download the session proxy (8) and (9). In the combined ACD þ AHE environment, the auth- Finally, the AHE server sends the request to the grid orization requirements determined by the VO resource site along with the proxy. At the NGS site, administrator are expressed through the introduction of the proxy is validated, since the proxy is issued from two roles: VO administrator and scientist. The former is a valid trusted certification authority. Certificate permitted to perform all the administrative operations authentication succeeds, and the distinguished name above in addition to terminate, monitor and download on the proxy (VOName) is checked against the grid- any job submitted to grid resources. 
The latter is per- map file within the NGS authorization system to mitted to perform all AHE operations in such a way determine the role of the VOName, which is Scientist. that a person who submitted a specified job can only per- Since this role is allowed to submit a job to NGS the form AHE functional operations on this application. As a task will be invoked. From NGS’s perspective, it is result, two VPH users running applications using differ- the VOName that submitted the task, not ‘John ent patient data will not be able to view the results of Smith’. In order to find out who invoked the ‘submit each other’s digital activities. In addition, the scientist job’ task on NGS using a specific proxy, the NGS role only permits a user to change his/her own password. administrator passes the public key of the proxy to The construction of a VO requires that an expert- the VO administrator who can identify the name of user goes through the lengthy process described in the user from (6), which records the issued proxy in §2.1. Once this is done, the VO administrator creates Proxy ! UserID. In this way, requests from within a VO (see supplementary document §2) and assigns the combined ACD þ AHE are audited. It is thus poss- the certificate to the named VO using the AHE þ ACD ible to identify legitimate users and to ensure that only client. Then, it becomes possible to add users instantly such users are allowed access to grid resources, in con- to the VO and give them genuinely seamless access to formance with the policies enforced by the grid grid resources. To illustrate how this system works infrastructure management. In addition, it is possible consider a user named ‘John Smith’ who is a member of to detect unauthorized attempts to access resources a research group in a UK university and would like to from within the VO and to identify persons responsible use NGS grid resources to run scientific applications for such attempts. This form of accountability is an using AHE. 
The user contacts the local VO administrator essential requirement for resource providers to be and requests an account. The VO administrator creates a prepared to accept the ACD security model. Interface Focus (2011) Audited Credential Delegation A. N. Haidar et al. 469 GRID NGS DEISA NGS myproxy server TeraGrid (7) upload proxy (9) download contructuion of VO proxy (10) proxy and run rask auditing service credential repository AHE server (6) generate proxy audit log Certificate Key records who (8) get proxy workflows accessed what, Proxy Key username/password when, from Proxy UserID where, and submit job outcome projcetName UserID application 1 projectName Certificate (2) record nanitor job success/fail application 2 (4) record granted/denied cancel job (1) task, u1,pw1, authentication service authorization service (5) task local database UserRole: UserID [Role] AHE client internet RolePermission: Role [Task] Kerberos download results (3) task, u1 application n (11) result Shibboleth end-user scientist note: all communications between AHE client, AHE server, NGS myproxy server and grid uses HTTPS. Figure 3. The steps involved when a user performs a task within the integrated AHE þ ACD environment are numbered sequen- tially according to their temporal order. The ACD security wrappers intercept the request, check the credentials against an authentication service, then verify whether the task is authorized for that user against an authorization service, and finally translate the credentials to a proxy so as to access grid resources. The results of these checks are audited. 
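The submit-job path of figure 3 and the handling of denied requests in section 5.2, modelled as an added example (this is not the paper's or the ACD/AHE project's code): the relations of figure 2 become plain dictionaries, X.509 proxies and MyProxy become an opaque proxy identifier recorded as Proxy → UserID, the e-mail notification is an assumed callback, and the job-ownership rule of the PRBAC model is included so that a second scientist cannot monitor another's job.

```python
"""Added example, not code from the paper or the ACD/AHE project: a minimal
model of the ACD security wrappers of figure 3 (authentication, parametrized
role-based authorization, auditing, credential delegation). X.509 proxies and
MyProxy are replaced by an opaque proxy identifier; class, function and task
names are this example's own, taken from the task lists in section 5.2."""
import hashlib
import secrets
from collections import namedtuple

ADMIN_TASKS = {"create VO", "assign certificate to VO", "add user to VO",
               "reset user password", "create role", "assign tasks to roles",
               "assign users to roles", "remove user from a VO"}
AHE_TASKS = {"prepare job", "submit job", "monitor job", "download",
             "terminate job"}                     # these reach the grid via a proxy
JOB_BOUND_TASKS = {"monitor job", "download", "terminate job"}  # act on one JobID

# One audit-log entry; outcome is 'auth success', 'auth fail', 'granted' or 'denied'.
AuditRecord = namedtuple("AuditRecord", "username task outcome")


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ACD:
    def __init__(self, role_permission, notify_admin):
        self.role_permission = role_permission  # RolePermission: Role -> {Task}
        self.notify_admin = notify_admin        # assumed e-mail hook: callable(str)
        self.credentials = {}     # UserID -> (salt, pbkdf2 hash)
        self.user_role = {}       # UserRole: UserID -> [Role]
        self.vo_members = {}      # ProjectName -> {UserID}
        self.vo_certificate = {}  # ProjectName -> Certificate
        self.proxy_user = {}      # Proxy -> UserID
        self.jobs = {}            # JobID -> submitting UserID
        self.audit_log = []       # AuditRecords in temporal order

    def create_vo(self, project, certificate):
        """Administrative task: create VO and assign the VO certificate to it."""
        self.vo_certificate[project] = certificate
        self.vo_members[project] = set()

    def add_user(self, project, user, role):
        """Administrative task: add user to VO; returns the random initial password."""
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.credentials[user] = (salt, _hash(password, salt))
        self.user_role.setdefault(user, []).append(role)
        self.vo_members[project].add(user)
        return password

    def authenticate(self, user, password):
        """Authentication wrapper, steps (1) and (2) of figure 3."""
        entry = self.credentials.get(user)
        ok = entry is not None and secrets.compare_digest(
            _hash(password, entry[0]), entry[1])
        self.audit_log.append(AuditRecord(user, "login", "auth success" if ok else "auth fail"))
        return ok

    def authorize(self, user, task, job=None):
        """Authorization wrapper, steps (3) and (4); parametrized by job ownership."""
        roles = self.user_role.get(user, [])
        allowed = any(task in self.role_permission.get(r, ()) for r in roles)
        if allowed and task in JOB_BOUND_TASKS and "VO administrator" not in roles:
            allowed = self.jobs.get(job) == user   # only the submitter may act on a job
        self.audit_log.append(AuditRecord(user, task, "granted" if allowed else "denied"))
        # The audit log itself drives the notification after three denied attempts.
        refused = sum(r.username == user and r.task == task and r.outcome == "denied"
                      for r in self.audit_log)
        if not allowed and refused == 3:
            self.notify_admin(f"user {user!r} has had three unauthorized "
                              f"attempts to perform the task {task!r}")
        return allowed

    def delegate(self, user, project):
        """Steps (6) and (7): proxy issued from the VO certificate, recorded as Proxy -> UserID."""
        if user not in self.vo_members.get(project, ()):
            return None
        proxy = "proxy:" + secrets.token_hex(8)   # stands in for the proxy's public key
        self.proxy_user[proxy] = user
        return proxy

    def perform(self, user, password, task, project, job=None):
        """Run one request through all wrappers; returns the outcome shown to the user."""
        if not self.authenticate(user, password):
            return "authentication failed"
        if not self.authorize(user, task, job):
            return "access denied"
        if task not in AHE_TASKS:
            return f"{task} performed within the VO"
        proxy = self.delegate(user, project)
        if proxy is None:
            return f"not a member of VO {project}"
        if task == "submit job":
            job = "job-" + secrets.token_hex(4)
            self.jobs[job] = user
        # The resource provider sees only the VO certificate's name on the proxy.
        return (f"{task}{' ' + job if job else ''} sent to {project} as "
                f"{self.vo_certificate[project]} via {proxy}")

    def identify_user(self, proxy):
        """The resource provider hands the proxy's public key to the VO administrator."""
        return self.proxy_user.get(proxy)
```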
To illustrate how unauthorized requests to access resources are detected, let us assume that the above user is attempting to invoke the ‘remove user from a VO’ task, which is only permitted to a user holding the role ‘administrator’. When the request reaches the authorization wrapper in (3), the current user’s role is determined, which is ‘scientist’, and the requested task will not be found among the permitted tasks for this role. As a result, the authorization wrapper will return ‘access denied’ and record this result in the audit log (4). After three unauthorized access attempts, the VO administrator is notified by email via ACD that the user named ‘John Smith’ has had three unauthorized attempts to perform the task ‘remove user from a VO’. The VO administrator can then take the appropriate action.

6. INTEGRATING AUDITED CREDENTIAL DELEGATION WITH THE INDIVIDUALIZED MEDICINE SIMULATION ENVIRONMENT

6.1. Overview of IMENSE environment

One of the main objectives of the VPH ContraCancrum (Clinically oriented translational cancer multilevel modelling) project (www.contracancrum.eu) is to provide an environment (it can also be thought of as a VO) that allows clinicians and researchers to use the tools developed as part of their clinical and research practice in order to run workflows and simulations on grid infrastructure, using a heterogeneous set of patient data provided by the University of Saarland Hospital within an integrated IT environment, known as Individualized MEdiciNe Simulation Environment (IMENSE) [15]. These data include heterogeneous image scans (i.e. MRI, PET, CT), patient records, histopathology data and DNA profiles. The main functionalities provided by this VO include the ability to bring together and query patient data, edit them, upload and download image data, and to invoke Web services that allow workflows including simulations to be run on grid infrastructure. For example, a workflow that checks whether a patient responds to a particular drug is a pre-configured application in AHE. For the end-user, the workflow is viewed as a ‘black box’ and users can only run the workflow using a specific patient dataset and download the results (see §3 in the electronic supplementary material). ACD only controls access to the interface of the workflow. We use DEISA and TeraGrid for large-scale computationally intensive patient-specific workflows that involve moving data from within the VO via an untrusted public network to remote grid resources. Thus, the following security requirements need to be addressed:

— restricting access to the environment to authorized users only;
— enabling members of the project to run applications on grid infrastructure using username and password only;
— allowing users responsible for running a given task on the environment to be traced;
— ensuring the integrity of patient data by controlling the tasks that process these data in order to offer medical treatment;
— protecting patient data when transferred onto public networks.

Prior to the integration, access to IMENSE functionalities did not meet the above requirements.

6.2. Integration of ACD with IMENSE environment

Having understood the functionalities of IMENSE introduced in the previous section, the integration with ACD can be done as follows. The administrative operations of ACD remain as described in the previous section. However, the functional activities performed within IMENSE now include uploading and downloading patient-specific images, running workflows on patient data, viewing images, searching patient data and image segmentation inter alia. The authorization requirements for this system are expressed again through the introduction of two roles: VO administrator and scientist. The first role is permitted to perform all the operations above. The ‘scientist’ role is permitted to perform all the functional operations, in addition to enabling the user holding this role to change his/her own password. The result of the integration is a controlled VO within which each request to perform a task goes through all three security wrappers previously described: authentication, authorization and auditing.

We illustrate this through an example (see figure 4). A user can join the IMENSE VO in the way described in the previous section. Consider the same user ‘John Smith’ who wishes to run image segmentation on appropriate grid resources. The request to perform this task is first intercepted by the authentication wrapper which checks the user credentials against the ACD authentication service. The outcome of the authentication is recorded in the audit log. After successful authentication, the role of the user is determined from the authorization component (userID → [Role]), which is ‘scientist’, permitted to perform the ‘image segmentation’ task. The result of the access control check is also recorded in the audit log. Once access is granted the task is performed in the VO; as a result, all the steps (1) to (11) described in the previous section that are needed to run ‘submit job’ are performed behind the scenes to run the image segmentation application pre-installed on AHE. Once segmentation finishes, the user is notified to download the result. The same level of auditing is also provided in this environment. This ensures that only authorized personnel can run tasks in the VO and that the user can only access the result of the segmentation request they submitted. The permissions in the VO are assigned to roles by the VO policy designer who understands what the users require in order to do their jobs.

[Figure 4 (diagram): a VPH scientist invokes IMENSE functionalities (registration, data upload, DICOM images, VPH XML metadata, modelling, monitoring, segmentation preview, results) over SSL/HTTPS through a firewall; the ACD authentication service checks the username and password against a database, the authorization service checks whether the task is permitted for the username, and the auditing service records who accessed what, when, from where, and the outcome, before the task reaches the grid (NGS, DEISA, TeraGrid).]

Figure 4. The sequence of steps to be performed when a VPH user invokes a task within the IMENSE environment. All communications are performed over SSL.

7. RELATED WORK

There are certainly precedents for the concept of VOs used in ACD whereby users invoke either their local credentials or a dedicated username and password, such as in the ‘community account’ system provided by TeraGrid [28] and SARoNGS [13] offered by NGS. For instance, the community account system allows scientists to access grid resources using a dedicated username and password via a Web portal. The SARoNGS project shares various similarities with our approach. It removes digital certificates from the end-users’ environment, enabling them to invoke their local credentials via a Shibboleth federated identity system, which is then translated into a grid identity credential to access UK NGS grid resources. It differs from ACD in that it passes individual identity and attributes of the user to the grid layer whereas ACD presents a single identity (that of the ACD VO name). The SARoNGS approach assumes the use of a web portal and requires an end-user (or portal on behalf of the end user) to specify VO membership and role parameters before being able to access the grid. Like ACD, the mechanism is based on providing easy access to grid resources. The main difference is that ACD controls the authorization decision for the VO, whereas SARoNGS merely propagates authentic information about users and their roles within their specified VOs to the resources where it is consumed and processed. Thus, a significant part of the authorization in SARoNGS takes place within the grid resource provider’s service whereas ACD assumes the role of a delegated authorization decision maker for those resources. The SARoNGS model is essentially the VOMS model [6] with Shibboleth presented to the user and the grid X.509 certificates hidden [13]. The advantages of ACD over SARoNGS are that the VO members’ activities can be more tightly controlled (helping VO-based security) and managed (delegating responsibility for usability to the VO and the AHE). A limitation is that resource providers can only make their authorization decisions on a VO level: they are not able to identify individuals without consulting the ACD VO administrator.

It is important to emphasize that what we present in this approach is a holistic VO-based authorization solution which has control of actions as well as identity. This is not the case in any other established grid environment. We have integrated our work with an environment which allows the user to actually run applications on the grid (namely the AHE); ACD is not simply a security layer, as in MyProxy, Kerberos, Active Directory, Shibboleth or Fermilab’s security mechanisms [9]. These security components only address authentication issues whereas ACD addresses authorization and accountability as well. Some of the comparisons between the examples cited above and ACD are discussed in Beckles et al. [9]. The Member Integrated X.509 PKI Credential Services (MICS) (http://www.tagpma.org/authn_profiles) is a profile used in technologies such as MyProxy CAs. These, however, focus on providing the user with certificate-based credentials for authentication, do not deal with VO/Community attributes and leave authorization to the resources alone; by contrast, ACD in combination with AHE manages VO-specific authentication and authorization. Any solution which involves each end-user having to obtain an individual certificate (even if they immediately deposit it in a credential repository and thereafter employ a username and password to access the certificate in the repository) is unsuitable because the end user will still have to go through the steps described in §2.1.

CROWN [29] and gLite [30] middleware adopt the Globus security model and use X.509 certificates for authentication, one of the main problems ACD solves. gLite also uses the VOMS model for authorization. Unlike CROWN and gLite, authorization in ACD has been extended to the end users’ technical environment to provide fine-grained access control. This fits naturally within the VO model because, from a remote resource provider’s perspective, all VO users appear as a single user since the VO certificate is used to generate the proxies on the users’ behalf. In all the above alternative security solutions, auditing is performed at resource providers’ sites. In case of a security breach, the VO management relies exclusively on the individual resource provider’s audit logs. ACD provides auditing for every VO set up based on the tasks that need to be monitored. These tasks are derived from the functionality of the VO and, moreover, allow VO management to corroborate resource providers’ claims in case of a security breach.

8. DISCUSSION AND CONCLUSION

The ACD security mechanism has required an evolution of grid security policies because it violates the standard one-user-one-certificate security model prevalent in current grid infrastructures. A key requirement from resource providers in order for them to consider the ACD security model is the ability for them to audit all actions related to accessing their resources. This is addressed by the fine-grained auditing features of ACD. The combined ACD + AHE is now listed among the gateways on the TeraGrid Science gateways (www.teragrid.org/web/science-gateways/gateway_list) that are allowed to provide a community of users access to TeraGrid resources using the ACD security model.

ACD integrated with AHE has been successfully deployed on TeraGrid, NGS and DEISA. A detailed usability study involving undergraduates, scientists and system administrators will be published in the near future [22]. A small-scale pilot usability trial of this security architecture, in which it is compared with the traditional PKI-based authentication mechanisms used in many existing computational grid environments, has already shown that users favour the familiar username and password paradigm supported by ACD. While that study only involved undergraduates at UCL with no prior experience of using computational grid environments, the findings are fully borne out by the extended study [22]. Usability issues associated with username–password combinations remain but they are easier to deal with than those of digital certificates.

ACD addresses many common security requirements such as the one described in §3. However, some projects that deal with data that can identify individual patients might require a higher level of assurance (LoA), meaning that the username–password dual on its own might not always be sufficient. ACD supports the National Institute of Standards and Technology (NIST) [31] LoA level 1 at best because there is little control of where a GSI-Proxy credential is kept, how it is protected, its cryptographic makeup, and its longevity. Certainly this could be improved but ACD’s main focus is user management and controlled access first and foremost and not about upgrading the entire infrastructure to cope with multiple (higher) LoAs. The LoA required will depend on the sensitivity of the shared data. This requires a vulnerability assessment of the various types of patient data (e.g. MRI and PET scans, genetic sequences) that describes the impact of loss of data confidentiality, integrity and availability so that appropriate security mechanisms can be deployed. Once these vulnerabilities are understood, it is possible to choose the appropriate security control to mitigate the risks. For instance, there might be a need for using two-level authentication that involves a PIN in addition to a username–password pair, as currently employed in online banking security systems.

ACD balances different risks. On one hand, the ACD delegated authentication model may lead to the situation wherein one misuse may result in the whole VO being blocked; it is therefore essential to the VO that it vets and controls activities because the scale of withdrawal of service is much more of an issue than for an individual user. On the other hand, an individual should be encouraged by the easy access to grid resources and therefore very likely make far greater use of these resources.

ACD fits well with the distributed computing requirements of the VPH initiative and translational, computationally based biomedical research more generally. A dedicated VO for clinicians and scientists who require access to grid resources can be created and secure access to shared medical data provided using fine-grained authorization. In addition, the accountability provided by ACD makes it possible to track local users responsible for performing tasks in distributed environments in case of misuse or violation of the security policy for the VO. Indeed, the fact that ACD is based on a formal model means that it is well documented and can be certified in the future. Finally, the design of ACD is flexible enough for it to be included within the VPH Toolkit for which successful integration with AHE leads the way; its integration with IMENSE will continue to be developed in a major new project called ‘p-medicine’ (EU-FP7-270089). Support for different types of credentials such as Kerberos and Shibboleth is planned in future work which will give end users more options to choose from. The ACD software will be available free of charge via the VPH Toolkit (toolkit.vph-noe.eu/) and will feature in future releases of the AHE that will also be distributed via the VPH Toolkit.

The authors would like to thank Prof. Dr Norbert Graf and Prof. Dr Rainer Bohle (University of Saarland) for helpful discussions on acquiring and transferring patient data to IMENSE. The authors also wish to thank Prof. Dr Nikolaus Forgó (Leibniz University, Hannover) for helpful discussions on patient data protection and data security law. We are also grateful to Nancy Wilkins-Diehr (TeraGrid), Gavin Pringle (DEISA) and David Wallom (UK NGS) for giving us permission to deploy ACD on their grid infrastructures. This work has been supported by EPSRC through the User-Friendly Authentication and Authorisation Security for Grid Environments [32] (EP/D051754/1) and RealityGrid Platform (EP/C536452/1) grants, as well as the EU FP7 ContraCancrum Project (EU-FP7-223979) [27] and Virtual Physiological Human Network of Excellence (FP7-2007-IST-223920) grants.

REFERENCES

1 Sadiq, S. K. et al. 2008 Patient-specific simulation as a basis for clinical decision-making. Phil. Trans. R. Soc. A 366, 3199–3219. (doi:10.1098/rsta.2008.0100). See http://rsta.royalsocietypublishing.org/content/366/1878/3199.
2 Credit Reporting Agency Limited. 2010 Identity theft and data loss. See http://www.annualcreditreport.co.uk/identity-theft/data-loss.htm.
3 Infosecurity-magazine. 2010 Data loss. See http://www.infosecurity-magazine.com/category/75/data-loss/.
4 Arning, M., Forgó, N. & Krügel, T. A. 2009 Data protection in grid-based multicentric clinical trials: killjoy or confidence-building measure? Phil. Trans. R. Soc. A 367, 2729–2739. (doi:10.1098/rsta.2009.0060)
5 Martin, A. & Spence, D. 2008 Trust and security in virtual communities, report on first workshop: the application-led security agenda for e-science. Workshop report, University of Oxford. See http://wiki.esi.ac.uk/w/files/7/7b/Theme8-workshop1-Final-report.pdf.
6 Alfieri, R., Cecchini, R., Ciaschini, V., dell’Agnello, L., Frohner, Á., Gianoli, A., Lőrentey, K. & Spataro, F. 2004 VOMS, an authorization system for virtual organizations. In Grid computing, vol. 2970 (eds F. Fernández-Rivera, G. T. Bubak Marian & D. R. Andrés), pp. 33–40. Lecture Notes in Computer Science, Berlin, Germany: Springer.
7 Pearlman, L., Welch, V., Foster, I., Kesselman, C. & Tuecke, S. 2002 A community authorization service for group collaboration. In Proc. of the IEEE 3rd Int. Workshop on Policies for Distributed Systems and Networks, pp. 50–59. Washington, DC: IEEE Computer Society.
8 Haidar, A. N. 2003 Critical evaluation of current approaches to grid security. Master’s thesis, Royal Holloway University of London.
9 Beckles, B., Welch, V. & Basney, J. 2005 Mechanisms for increasing the usability of grid security. Int. J. Human–Computer Stud. 63, 74–101. (doi:10.1016/j.ijhcs.2005.04.017)
10 Cooper, J. et al. 2010 The Virtual Physiological human toolkit. Phil. Trans. R. Soc. A 368, 3925–3936. (doi:10.1098/rsta.2010.0144)
11 Beckles, B., Haidar, A. N., Zasada, S. J. & Coveney, P. V. 2010 Audited credential delegation: a sensible approach to grid authentication. In 5th Int. Conf. e-Science, Washington, DC, December 2010, pp. 19–30. Silver Spring, MD: IEEE Computer Society.
12 Haidar, A. N., Coveney, P. V., Abdallah, A. E., Ryan, P. Y. A., Beckles, B., Brooke, J. M. & Jones, M. A. S. 2009 Formal modelling of a usable identity management solution for virtual organisations. Electron. Proc. Theoret. Comput. Sci. 16, 41–50. (doi:http://arxiv.org/abs/1001.5050)
13 Wang, X. D. et al. 2010 Shibboleth access for resources on the national grid service (SARoNGS). J. Inform. Assurance Security 5, 293–300. (doi:10.1109/IAS.2009.163)
14 Zasada, S. J. & Coveney, P. V. 2009 Virtualizing access to scientific applications with the application hosting environment. Comput. Phys. Commun. 180, 2513–2525. (doi:10.1016/j.cpc.2009.06.008)
15 Zasada, S. J., Wang, T., Haidar, A. N., Liu, E., Graf, N., Clapworthy, G., Manos, S. & Coveney, P. V. 2011 IMENSE: An e-infrastructure environment for patient specific multiscale modelling and treatment. Preprint.
16 Haidar, A. N., Zasada, S. J., Coveney, P. V., Abdallah, A. E. & Beckles, B. 2010 Audited credential delegation—a user-centric identity management solution for computational grid environments. In Sixth Int. Conf. on Information Assurance and Security, August 2010, pp. 222–227. Washington, DC: IEEE Computer Society.
17 Cox, B. M. & Hatzaras, K. S. 2010 Online project deliverables. See http://www.biomedtown.org/biomed_town/VPH/VPHnews/radical/.
18 EHealthInsider. 2008 European Court fines Finland for data breach. See http://www.e-health-insider.com/news/.
19 Jensen, M., Schwenk, J., Gruschka, N. & Iacono, L. L. 2009 On technical security issues in cloud computing. In IEEE Int. Conf. on Cloud Computing, September 2009, pp. 109–116. Washington, DC: IEEE Computer Society.
20 Tsai, C. L., Lin, U. C., Chang, A. Y. & Chen, C. J. 2010 Information security issue of enterprises adopting the application of cloud computing. In Sixth Int. Conf. on Networked Computing and Advanced Information Management, August 2010, pp. 645–649. Washington, DC: IEEE Computer Society.
21 Kuno, H., Mchiraju, V., Alonso, G. & Casati, F. 2004 Web services: concepts, architectures and applications. Berlin, Germany: Springer.
22 Zasada, S. J., Haidar, A. N. & Coveney, P. V. 2011 On the Usability of Grid Middleware and Security Mechanisms. UK e-Science AHM 2010 theme issue of the Philosophical Transactions of the Royal Society A, accepted for publication.
23 OWASP Top 10 Vulnerabilities. 2010 The open web application security Project Top 10 vulnerabilities. See http://www.owasp.org/index.php/Top_10_2010-Main.
24 Abdallah, A. E. & Khayat, E. J. 2006 Formal Z specifications of several flat role-based access control models. In 30th Annu. IEEE/NASA Software Engineering Workshop, pp. 282–292. Washington, DC: IEEE Computer Society.
25 Coveney, P. V., Saksena, R. S., Zasada, S. J., McKeown, M. & Pickles, S. 2007 The application hosting environment: lightweight middleware for grid-based computational science. Comput. Phys. Commun. 176, 406–418.
26 Zasada, S. J. & Coveney, P. V. 2009 From campus resources to federated international grids: bridging the gap with the application hosting environment. In Proc. of the 5th Grid Computing Environments Workshop, GCE ’09, pp. 10:1–10:10. New York, NY: ACM Press.
27 EU-FP7-ContraCancrum. 2010 ContraCancrum—clinically oriented translational cancer multilevel modelling. See http://www.contracancrum.eu.
28 TeraGrid. 2010 Science gateways home. See http://www.teragrid.org/web/science-gateways/home.
29 Huai, J., Hu, C., Wo, T. & Li, J. 2008 CROWN: a service-oriented grid middleware system: experience and applications. In th IEEE Int. Symp. on Object Oriented Real-Time Distributed Computing, May 2008, pp. 141–147. Washington, DC: IEEE Computer Society.
30 gLite. 2010 Lightweight Middleware for Grid Computing. See http://glite.web.cern.ch/glite/.
31 NIST. The National Institute of Standards and Technology (NIST). See http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf.
32 UFSSGE. 2010 User-friendly authentication and authorisation for grid environments project. See http://www.realitygrid.org/uf-security/.