cloudauthz-comment message


Subject: RE: [cloudauthz-comment] Related work on distributed (federated) authorization


Maarten,

 

Very interesting summary for the first link:

“From these results, we can conclude that federated authorization comes with a performance penalty compared to full provider-side authorization. However, depending on the relative amount of tenant attributes in the tenant policies, federated authorization can achieve better performance than provider-side authorization with federated authentication. To illustrate a realistic case, the example policy rules from the e-health case study presented in Section 3.1 require significantly more tenant attributes than provider attributes: the tenant hosts the subject roles, treating relationships, patient consent and patient diseases while the provider hosts ownership relations and the application data itself.”

 

The high end overhead is about ½ a second – for about 30 attributes per policy. 

 

Regards,

Radu Marian, MSCS, SCEA, CISSP

Bank of America - Charlotte, NC

VP, Architect 2, Security Architecture and Innovation

Business phone number: (704) 628-6874

an Enterprise without Ontology is like a country without a map.

 

From: cloudauthz-comment@lists.oasis-open.org [mailto:cloudauthz-comment@lists.oasis-open.org] On Behalf Of Maarten Decat
Sent: Thursday, October 24, 2013 3:38 AM
To: cloudauthz-comment@lists.oasis-open.org
Subject: [cloudauthz-comment] Related work on distributed (federated) authorization

 

Hi all,

I recently came across the Cloud Authorization TC and was happy to see how well this initiative aligns with the current focus of my research. As part of our focus on access control, we recently published some work on the topic of federated authorization (called 'distributed authorization' in your use cases):

1. https://lirias.kuleuven.be/bitstream/123456789/415411/1/81850342.pdf: discusses the topic of federated authorization in general

2. https://lirias.kuleuven.be/bitstream/123456789/363474/3/mw4ng12-maarten-decat.pdf: proposes a performance-enhancing tactic for federated authorization in which the tenant's access control policies are split and distributed over tenant and provider. This is an early version of the idea; we have been working on extending it.

I will definitely keep track of the advances of this TC and hope this related work is useful for you as well. If you have any questions, you can always contact me on this e-mail address.

Kind regards,

Maarten Decat
DistriNet research group - KU Leuven - Belgium
