DocumentCode
1879597
Title
Access control infrastructure for on-demand provisioned virtualised infrastructure services
Author
Demchenko, Yuri ; Ngo, Canh ; De Laat, Cees
Author_Institution
Univ. of Amsterdam, Amsterdam, Netherlands
fYear
2011
fDate
23-27 May 2011
Firstpage
466
Lastpage
475
Abstract
Cloud technologies are emerging as a new way of provisioning virtualised computing and infrastructure services on-demand for collaborative projects and groups. Security in provisioning virtual infrastructure services should address two general aspects: supporting secure operation of the provisioning infrastructure, and provisioning a dynamic access control infrastructure as part of the provisioned on-demand virtual infrastructure. The paper refers to the architectural framework for on-demand infrastructure services provisioning and defines the general security requirements for the security infrastructure. Dynamically provisioned access control infrastructure (DACI) reveals a wide spectrum of problems related to the distributed access control, policy and related security context management. Consistent security services design, deployment and operation require continuous security context management during the whole security services lifecycle, which is aligned to the main provisioned services lifecycle. The paper discusses conceptual issues, basic requirements and practical suggestions for provisioning dynamically configured access control services. The paper discusses security mechanisms that are required for consistent DACI operation, in particular use of authorisation tokens for access control and authorisation session context exchange between infrastructure services and providers. The proposed security infrastructure implementation is based on the GAAA-Toolkit that provides rich security session context management functionality with authorisation tickets and tokens. The defined Common Security Services Interface (CSSI) allows uniform calls to security services both in the provisioning and virtual infrastructures.
Keywords
authorisation; cloud computing; authorisation token; cloud technology; common security services interface; distributed access control; dynamically provisioned access control infrastructure; infrastructure service; on-demand virtual infrastructure; security context management; virtualised computing; Authorization; Computational modeling; Computer architecture; Context; Synchronization; Dynamic Access Control Infrastructure; On-Demand Infrastructure Services Provisioning; Security Context Management; Security Service Life-cycle Management;
fLanguage
English
Publisher
ieee
Conference_Titel
Collaboration Technologies and Systems (CTS), 2011 International Conference on
Conference_Location
Philadelphia, PA
Print_ISBN
978-1-61284-638-5
Type
conf
DOI
10.1109/CTS.2011.5928725
Filename
5928725