The DTN implementation has been simulated and tested in a networked environment. Results from the DTN simulation [11] were discussed in Section 9.6. The main point to observe from the simulation is that DTN performance drops exponentially as the number of overlapping COTs increases. In the simulation, no limit was placed on the number of nodes that could exist in a COT, since such a limit would not reflect reality: limiting the number of nodes in a COT would be similar to limiting the formation of trust relationships, and hence unrealistic. The effect of overlapping COTs is related to the effect of the number-of-hops. Based on the simulation, DTN was tested across four COTs in a networked environment. No limit was placed on the number of nodes in each of the COTs, but they were all ultimately constrained by the number of nodes (8 nodes) in the test environment.
The performance of the implementation was tested using several scenarios. Each scenario was tested over several runs on similar network (trust) topologies, each with a total of 8 nodes. Each scenario explores the effect of different amounts of trust relationships, i.e. the number of nodes in a COT and the number of TCs between nodes. Each run in a scenario involved varying the node that acts as the sender node and the node that acts as the target node. Each run also involved varying the attributes a sender node makes available for trust negotiation.
Each node was hosted on a 2.2 GHz Celeron with 512 Mbytes of RAM running Linux. All nodes had GT4 installed, which hosted both the discovery and negotiation services. Discovery scenarios involved choosing a node to act as a source node to request the discovery of a target node by sending route messages to nodes that exist in its COT. On average the discovery scenario executed in 43 seconds, ranging from 10 to 65 seconds, for all next-hop nodes to a target node to be discovered by a source node. Negotiation scenarios involved a source node negotiating security attributes with nodes that serve as intermediaries for a target resource. On average the negotiation scenario ran for about 15 seconds, ranging from 5 to 25 seconds, for all negotiation responses to be received by the source node. In network terms, the run time or duration was similar to Transmission Control Protocol (TCP) round-trip time (RTT) [206].
The reasons for the spread of duration values differ between the discovery and negotiation processes. The discovery process involves a partial multicast of messages on the network, whereas the negotiation process is tightly controlled. It is a partial multicast because not every node on the network will receive a discovery message. However, some nodes will receive a message more than once, as route requests for a target node are likely to be sent more than once through multiple nodes. Another reason for the variance in discovery duration is that the process is a service that runs at the application layer [207]. As such, it is susceptible to application errors and to network load, since nodes are connected over the internet and share the application layer with other running processes. The reasons for variation in negotiation duration include the network size, i.e. the number of nodes involved in trust negotiations between a sender and target node, the number of negotiation hops, and the number of trust contracts that exist between nodes. The combination of the number-of-hops and the number of trust contracts has the greatest effect on negotiation duration. Like the discovery service, the negotiation service is somewhat affected by the fact that it runs in the application layer.
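To make the partial multicast and the duplicate receipts concrete, the following is an added simulation, not the thesis's DTN implementation, of an AODV-style route request across four overlapping COTs of 8 nodes. The topology, node names and forwarding rule (each node forwards a request once, to every peer in its COTs except the sender, and the target does not forward) are assumptions made for the example.

```python
from collections import deque

# Constructed topology (not from the thesis): 8 nodes in four circles of
# trust (COTs).  n1, n3, n5 and n7 each sit in two COTs; that overlap is the
# factor the performance tests identify as dominating discovery cost.
COTS = {
    "cot1": {"n1", "n2", "n3"},
    "cot2": {"n3", "n4", "n5"},
    "cot3": {"n5", "n6", "n7"},
    "cot4": {"n7", "n8", "n1"},
}


def peers(node, cots):
    """Every node sharing at least one COT with `node`, excluding itself."""
    shared = set()
    for members in cots.values():
        if node in members:
            shared |= members
    shared.discard(node)
    return sorted(shared)  # sorted so the simulation is deterministic


def discover(source, target, cots):
    """Assumed AODV-style route request: each node forwards a request once,
    to all its peers except the node it arrived from; the target does not
    forward.  Returns (hops on the first path found, receipts per node)."""
    nodes = {m for members in cots.values() for m in members}
    receipts = {n: 0 for n in nodes}
    forwarded = {source}
    hops_to_target = None
    queue = deque((p, source, 1) for p in peers(source, cots))
    while queue:
        node, came_from, hops = queue.popleft()
        receipts[node] += 1          # partial multicast: only reached nodes count
        if node == target:
            if hops_to_target is None:
                hops_to_target = hops
            continue
        if node in forwarded:        # duplicate arrival: counted, not re-forwarded
            continue
        forwarded.add(node)
        for p in peers(node, cots):
            if p != came_from:
                queue.append((p, node, hops + 1))
    return hops_to_target, receipts


if __name__ == "__main__":
    hops, receipts = discover("n1", "n5", COTS)
    print("hops:", hops, "total messages:", sum(receipts.values()))
    print("receipts per node:", receipts)
```

With this topology the target n5 is two hops from n1 but receives the same route request four times, and the source itself never hears it, which is the partial, partly redundant multicast the text describes.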
A property of the discovery and negotiation protocol is its time-out value. The value determines what is called the negotiation window. The initial time-out value used in DTN is based on the performance tests and is computed as the sum of the maximum values of the discovery and negotiation run times. Periodically, nodes may re-adjust their time-out or negotiation window value based on the maximum discovery and negotiation run times observed over a period of time. More research needs to be done in this area to determine how best to calculate the value of the discovery time and hence the time-out or negotiation window.
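As an added illustration that is not part of the thesis, the following hypothetical NegotiationWindow class applies the stated rule: the initial time-out is 65 + 25 = 90 seconds from the measured maxima, and later values are the sum of the maximum discovery and negotiation durations seen within a sliding period, falling back to the initial value whenever one of the two series has no recent sample. The class name, the sliding period and the fallback are assumptions.

```python
from collections import deque

# Maxima measured in the performance tests: discovery 65 s, negotiation 25 s.
INITIAL_TIMEOUT = 65 + 25   # initial negotiation window, 90 s


class NegotiationWindow:
    """Hypothetical helper (not from the thesis) that recomputes a node's
    time-out as max(discovery) + max(negotiation) over recent runs."""

    def __init__(self, period, initial=INITIAL_TIMEOUT):
        self.period = period            # seconds of history to consider
        self.initial = initial
        self.discovery = deque()        # (timestamp, duration), appended in time order
        self.negotiation = deque()

    def record_discovery(self, at, duration):
        self.discovery.append((at, duration))

    def record_negotiation(self, at, duration):
        self.negotiation.append((at, duration))

    def _max_recent(self, log, now):
        # Samples arrive in time order, so expired ones sit at the front.
        while log and log[0][0] < now - self.period:
            log.popleft()
        return max((d for _, d in log), default=None)

    def timeout(self, now):
        d = self._max_recent(self.discovery, now)
        n = self._max_recent(self.negotiation, now)
        if d is None or n is None:      # no recent run of one kind: keep initial value
            return self.initial
        return d + n


if __name__ == "__main__":
    w = NegotiationWindow(period=3600)
    w.record_discovery(100, 40)
    w.record_negotiation(120, 12)
    print("window after two runs:", w.timeout(200))
```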
9.9 Summary
This chapter discussed the implementation and testing of DTN in a clinical trial setting. The two systems developed for VOTES were described, and the implementation of DTN in these systems was discussed.
The first system, referred to as the VOTES distributed data framework, provided access to multiple data repositories including clinical software systems such as SCI-Store. Using Grid middleware services such as OGSA-DAI, it was shown how repositories could be made available in a common web services-oriented format. The chapter described a key component of the system used for patient consent, i.e. how data could be accessed and used. It discussed how the access matrix model discussed in Section 2.2.3 was implemented as an authorisation mechanism and showed how access policies from various sites could be combined to form a single access policy. Another key component of the system described here was a federated data component. This component was designed using a multi-database approach, which supported the decomposition of queries and the aggregation of query results. The chapter also argued that the access matrix model offered only a single-policy approach and hence was not scalable. It discussed how the ideal approach would be one where local resource providers could control and enforce access to their resources in a dynamic manner. It was shown how DTN facilitates this by introducing a negotiation layer, where the local trust policies could be managed by resource managers that grant or deny access to resources based on negotiated attributes.
The chapter also presented the VOTES VANGUARD system. It described how this system provides a secure anonymised data access and linkage model that meets the needs of data providers. In particular it was shown how VANGUARD offers a pull and push model approach, where clinical data providers pull query requests and push query results to Grid-based services. It was described why this was necessary, as data providers are wary of allowing direct access to their resources, i.e. through their firewalls. The chapter described how VANGUARD presents an authorisation challenge, since data providers are not willing to yield access control to a centralised authority. It was also outlined how DTN offers a solution in that it provides an underlying trust layer that makes decentralised access control possible. Finally the chapter presented and discussed the experimental results showing the feasibility, performance, and application of DTN. The chapter concluded with a performance evaluation of the DTN implementation itself.
Areas of Further Work
A couple of things have been assumed in this work. First, it assumes that a means of authentication exists across e-Health domains, either by federated or centralised authentication. Key to these models, and the Grid in particular, is the notion of single sign-on. Secondly, the thesis assumes that a limited trust relationship exists between all the nodes, as federated authentication requires for single sign-on to exist. This implies that nodes are able to identify and communicate with one another from a service (application) layer perspective. The focus of this work is mainly in the area of security attributes and credentials, which act as a basis for trust realisation and are useful for authorisation decisions.
This chapter provides an overview of the work described in this dissertation. It presents the conclusions and discussion. Finally it describes potential areas of future work.
10.1 Summary
This chapter has drawn conclusions and identified the main results of the work as a whole. These primarily stem from the design and development of DTN and how it addresses cross-boundary decentralised authorisation issues. This includes how the DTN approach supports trust discovery and trust realisation in e-Health environments. The contributions of this thesis can be summarised as follows:
• Inter-domain authorisation – DTN offers a novel approach to address inter-domain authorisation challenges. By negotiating trust along linked trust contracts, authorisation across domains is made possible.
• Access to resources across organisational boundaries – DTN makes it possible for a non-trusted remote entity to request resources from remote and initially non-trusting resource providers, presenting credentials that are acceptable, usable and tenable for local authorisation decisions.
• DTN proposes an alternative to the single global attribute ontology approach. Instead of having one large security attribute ontology, many peer-to-peer security attributes can be linked together by means of trust contracts and circles-of-trust, offering the same benefit as large ontologies without the overhead of supporting and maintaining them.
• Multiple negotiation hops in trust negotiations – DTN introduces trusted intermediary parties (TIP), which are similar to locally trusted third parties (LTTP) [117] in automated trust negotiation (ATN). Unlike ATN, however, more than one TIP can exist in a trust negotiation between two peers. With TIPs, multiple negotiation paths can be explored. Apart from providing richer negotiation opportunities, they can also increase the chances of a successful trust negotiation.
• The discovery and establishment of trust pathways – Different routing algorithms were investigated in order to address trust pathway discovery and realisation requirements. The AODV algorithm was chosen since it provided a basis for the discovery protocol used in DTN. This protocol makes it possible to discover and establish trust in decentralised security-oriented environments such as e-Health.