Flexible and Secure Logging of Grid Data Access

In grid collaborations, scientists use middleware to execute computational experiments, visualize results, and securely share data on resources ranging from desktop machines to supercomputers. While there has been significant effort in authentication and authorization for these distributed infrastructures, it is still difficult to determine, post-facto, exactly what information might have been accessed, what operations might have occurred, and for what reasons. To address this problem, we have designed and implemented a secure logging infrastructure for grid data access. We uniquely leverage and extend XACML with new capabilities so that data owners can specify logging policies and these policies can be used to engage logging mechanisms to record events of interest to the data owners. A case study based on GridFTP.NET is presented and analyzed, utilizing both local storage of log records and remote storage via SAWS, an independently developed secure audit Web service. We show that with relatively little performance overhead, data owners are provided with new flexibility for determining the post-facto conditions under which their grid data was accessed