Author

Anthony Nadalin

Bio: Anthony Nadalin is an academic researcher from IBM. The author has contributed to research in topics: Access control & Computer security model. The author has an h-index of 29, co-authored 78 publications receiving 2952 citations.


Papers
Patent
21 Nov 2003
TL;DR: In this article, techniques for federating identity management within a distributed portal server leveraging Web services techniques and a number of industry standards are described, where identities are managed across autonomous security domains which may be comprised of independent trust models, authentication services, and user enrollment services.
Abstract: Techniques are disclosed for federating identity management within a distributed portal server, leveraging Web services techniques and a number of industry standards. Identities are managed across autonomous security domains which may be comprised of independent trust models, authentication services, and user enrollment services. The disclosed techniques enable integrating third-party Web services-based portlets, which rely on various potentially-different security mechanisms, within a common portal page.

186 citations

Patent
31 Dec 2002
TL;DR: In this paper, a system is presented for facilitating management of user attribute information at one or more attribute information providers (AIPs), which can manage the user's attribute information in accordance with user-selected or administratively-determined options, including options that are stored in attribute release policies and/or dynamically determined during a transaction.
Abstract: A system is presented for facilitating management of user attribute information at one or more attribute information providers (AIPs), which can manage the user's attribute information in accordance with user-selected or administratively-determined options, including options that are stored in attribute release policies and/or dynamically determined during a transaction. E-commerce service providers (ECSPs), such as online banks or merchants, may maintain a trust relationship with an AIP such that the ECSP can trust the user attribute information that is provided by the AIP on behalf of the user. The user can complete transactions that require user attribute information at any ECSP without having to have previously established a relationship with that particular ECSP. If the ECSP does not have a trust relationship with one of the user's AIPs, then the ECSP can rely upon a trust proxy to interpret and validate an attribute assertion that is received from an AIP.

184 citations

01 Jan 2002
TL;DR: This document proposes a strategy for addressing security within the Open Grid Services Architecture (OGSA), and presents a set of use patterns that show how these components can be used together in a secure Grid environment.
Abstract: This document proposes a strategy for addressing security within the Open Grid Services Architecture (OGSA). It defines a comprehensive Grid security architecture that supports, integrates and unifies popular security models, mechanisms, protocols, platforms and technologies in a way that enables a variety of systems to interoperate securely. This security architecture is intended to be consistent with the security model that is currently being defined for the Web services framework used to realize OGSA’s service-oriented architecture. The document presents a security model, describes a set of security components that need to be realized in the OGSA security architecture, and presents a set of use patterns that show how these components can be used together in a secure Grid environment.

170 citations

Patent
03 Jan 1996
TL;DR: In this paper, an object may be part of multiple object groups, and, based upon an environment's policy, access to the object may be granted based on a single default object group or on the access granted by the union of all of its object groups.
Abstract: A system, method and article of manufacture, for improving object security in an object oriented system, includes one or more processors, a memory system, one or more I/O controllers, each controlling one or more I/O devices, a bus connecting the processors, the memory system and the I/O controllers, an operating system controlling operation of the processors, the memory system and the I/O controllers, and an object oriented control means which includes means for grouping objects which share common access control policies, where an access control list becomes associated with each object group and the policy applicable to the members of the group. An object may be part of multiple groups, and based upon an environment's policy, granting access to the object may be based on a single default object group or on the access granted by the union of all of its object groups.

159 citations

Patent
30 Aug 2001
TL;DR: In this article, methods, systems, and computer program products are disclosed for protecting the security of resources in distributed computing environments, and the disclosed techniques improve administration and enforcement of security policies.
Abstract: Methods, systems, and computer program products are disclosed for protecting the security of resources in distributed computing environments. The disclosed techniques improve administration and enforcement of security policies. Allowed actions on resources, also called permissions, (such as invocations of particular methods, read or write access of a particular row or perhaps a particular column in a database table, and so forth) are grouped, and each group of permissions is associated with a role name. A particular action on a particular resource may be specified in more than one group, and therefore may be associated with more than one role. Each role is administered as a security object. Users and/or user groups may be associated with one or more roles. At run-time, access to a resource is protected by determining whether the invoking user has been associated with (granted) at least one of the roles required for this type of access on this resource.

137 citations


Cited by
Patent
03 Nov 2000
TL;DR: An execution architecture, a development architecture and an operations architecture for a netcentric computing system are described in this paper, where the purpose of the development environment is to support the tasks involved in the analysis, design, construction and maintenance of business systems, as well as the associated management processes.
Abstract: An execution architecture, a development architecture and an operations architecture for a netcentric computing system. The execution architecture contains common, run-time services required when an application executes in the netcentric computing system. The development architecture is the production environment for one or several systems development projects as well as for maintenance efforts. The purpose of the development environment is to support the tasks involved in the analysis, design, construction, and maintenance of business systems, as well as the associated management processes. It is important to note that the environment should adequately support all the development tasks, not just the code/compile/test/debug cycle. The operations architecture is a combination of tools and support services required to keep a production system up and running efficiently.

1,220 citations

Patent
22 Jan 2001
TL;DR: In this paper, a system and method for maintaining security in a distributed computing environment comprises a policy manager located on a server for managing and distributing a security policy, and an application guard located on a client for managing access to securable components as specified by the security policy.
Abstract: A system and method for maintaining security in a distributed computing environment comprises a policy manager located on a server for managing and distributing a security policy, and an application guard located on a client for managing access to securable components as specified by the security policy. In the preferred embodiment, a global policy specifies access privileges of the user to securable components. The policy manager may then preferably distribute a local client policy based on the global policy to the client. An application guard located on the client then manages access to the securable components as specified by the local policy.

680 citations

Patent
27 Jul 2007
TL;DR: In this article, the authors describe a system and methods for performing policy-managed, peer-to-peer service orchestration in a manner that supports the formation of self-organizing service networks that enable rich media experiences.
Abstract: Systems and methods are described for performing policy-managed, peer-to-peer service orchestration in a manner that supports the formation of self-organizing service networks that enable rich media experiences. In one embodiment, services are distributed across peer-to-peer communicating nodes, and each node provides message routing and orchestration using a message pump and workflow collator. Distributed policy management of service interfaces helps to provide trust and security, supporting commercial exchange of value. Peer-to-peer messaging and workflow collation allow services to be dynamically created from a heterogeneous set of primitive services. The shared resources are services of many different types, using different service interface bindings beyond those typically supported in web service deployments built on UDDI, SOAP, and WSDL. In a preferred embodiment, a media services framework is provided that enables nodes to find one another, interact, exchange value, and cooperate across tiers of networks from WANs to PANs.

667 citations

Patent
19 May 2010
TL;DR: In this paper, the authors present a framework for delivery of video, audio, data, etc. over a content delivery network, in which the content is packetized using an Internet Protocol (IP) and delivered by a service provider over both managed and unmanaged networks to subscribers of the provider, so as to provide delivery at any time, at any location, and via any designated user device.
Abstract: Methods and apparatus for delivery of packetized content (e.g., video, audio, data, etc.) over a content delivery network. In one embodiment, the content is packetized using an Internet Protocol (IP), and delivered by a service provider over both managed and unmanaged networks to subscribers of the provider, so as to provide delivery at any time, at any location, and via any designated user device. The delivered content may originate from the service provider, third-party content sources (e.g., networks or studios), the subscriber(s) themselves, or other sources including the Internet. Use of common control and service functions within the network affords the ability to integrate or blend services together, thereby affording the service provider and subscriber new service and economic opportunities. Content delivery sessions may also be migrated from one device to another. A network-based user interface infrastructure, and gateway-based client-side architecture, are also disclosed.

646 citations

Patent
04 Mar 1998
TL;DR: In this paper, a scalable access filter is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers.
Abstract: A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control database to determine whether an access request made by a user. Changes made by administrators in the local copies are propagated to all of the other local copies. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The rights of administrators are similarly determined by administrative policies. Access is further permitted only if the trust levels of a mode of identification of the user and of the path in the network by which the access is made are sufficient for the sensitivity level of the information resource. If necessary, the access filter automatically encrypts the request with an encryption method whose trust level is sufficient. The first access filter in the path performs the access check and encrypts and authenticates the request; the other access filters in the path do not repeat the access check.

529 citations