An investigation of interoperability issues between authorisation systems within web services

The existing authorisation systems within the context of Web Services mainly apply two access control approaches – Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). The RBAC approach links an authenticated Web Service Requester to its specific access control permission through roles, but RBAC is not flexible enough to cater for some cases where extra attribute information is needed in addition to the identity. By contrast, the ABAC approach has more flexibility, as it allows a Web Service Requester to submit necessary credentials containing extra attribute information that can fulfil the policies declared by a Web Service Provider, which aims to protect the sensitive resources/services.RBAC and ABAC can only help to establish a unilateral trust relationship between two Web Services to enable a Web Service Provider to make an access control decision. Unfortunately, the nature of Web Services presents a high probability that two Web Services may not know each other. Therefore, successful authorisation may fail, if the Web Service Requester does not trust the Web Service Provider.Trust Negotiation (TN) is also an access control approach, which can provide a bilateral trust relationship between two unknown entities, so it sometimes can enable authorisation success in situations where success is not possible through RBAC or ABAC approaches. However, interoperability issues will arise between authorisation systems within Web Services, where a bilateral trust-based authorisation solution is applied. In addition, a lack of a unified approach that can address the interoperability issues remains as a research problem. This research aims to explore possible factors causing the lack of interoperability first, and then to explore an approach that can address the interoperability issues. The main contributions of this research are an improved interoperability model illustrating interoperability issues at different layers of abstraction, and a novel interoperability-solution design along with an improved TN protocol as an example of utilising this design to provide interoperability between authorisation systems within Web Services

Extended role-based access control model for enterprise systems and web services

This thesis intends to develop application-level access control models to address several major security issues in enterprise environments. The first goal is to provide simple and efficient authorization specifications to reduce the complexity of security management. The second goal is to provide dynamic access control for Web service applications. The third goal is to provide an access control framework for Semantic Web services. In this thesis, an Authorization-Function-Based Role-based Access Control (FB-RBAC) model is proposed for controlling enterprise systems at the application level. The unique features of the proposed model are authorization-function-based access control and constraint-based finegrained access control. This model significantly simplifies the management of an access control system by adopting roles and authorization-functions in authorization specifications. An extension of FB-RBAC, Extended FB-RBAC (ERBAC), is applied to Web service applications. New features such as credential-based access control and dynamic role assignment are added to FB-RBAC in order to address user heterogeneity and dynamicity in the Web environment. The proposed ERBAC model is then extended to support Semantic Web services. Each component of the ERBAC model is described by security ontologies. These correlated security ontologies are integrated with Semantic Web services to form a complete ontology network. Ontology-based role assignment is facilitated so that security information can be queries and discovered through a network of ontologies

WSACT : a model for Web Services access control incorporating trust

Today, organisations that seek a competitive advantage are adopting virtual infrastructures that share and manage computing resources. The trend is towards implementing collaborating applications that are supported by web services technology. Even though web services technology is rapidly becoming a fundamental development paradigm, adequate security constitutes the main concern and obstacle to its adoption as an industry solution. An important issue to address is the development of suitable access control models that are able to not only restrict access to unauthorised users, but also to discriminate between users that originate from different collaborating parties. In web services environments, access control is required to cross the borders of security domains, in order to be implemented between heterogeneous systems. Traditional access control systems that are identity-based do not provide a solution, as web services providers have to deal with unknown users, manage a large user population, collaborate with others and at the same time be autonomous of nature. Previous research has pointed towards the adoption of attribute-based access control as a means to address some of these problems. This approach is still not adequate, as the trustworthiness of web services requestors cannot be determined. Trust in web services requestors is thus an important requirement to address. For this reason, the thesis investigated trust, as to promote the inclusion of trust in the web services access control model. A cognitive approach to trust computation was followed that addressed uncertain and imprecise information by means of fuzzy logic techniques. A web services trust formation framework was defined that aims to populate trust concepts by means of automated, machine-based trust assessments. The structure between trust concepts was made explicit by means of a trust taxonomy. This thesis presents the WSACT – or the Web Services Access Control incorporating Trust –model. The model incorporates traditional role-based access control, the trust levels of web services requestors and the attributes of users into one model. This allows web services providers to grant advanced access to the users of trusted web services requestors, in contrast to the limited access that is given to users who make requests through web services requestors with whom a minimal level of trust has been established. Such flexibility gives a web services provider the ability to foster meaningful business relationships with others, which portrays humanistic forms of trust. The WSACT architecture describes the interacting roles of an authorisation interface, authorisation manager and trust manager. A prototype finally illustrates that the incorporation of trust is a viable solution to the problem of web services access control when decisions of an autonomous nature are to be made.Thesis (PhD (Computer Science))--University of Pretoria, 2008.Computer Scienceunrestricte

Architecture design and access control of e-health portals

As an emerging form of enabling technology, Web-based e-Health portals provide patients easier accesses to their healthcare information and services. We design and implement such an e-Health portal which can integrate many backend medical services effectively. A major challenge in designing such a system is to meet critical security requirements, such as the confidentiality of patient data, the integrity of diagnosis results, and the availability of healthcare services. In this thesis I address the issue from the access control perspective. More specifically, I first propose a two-tier approach to access control for e-Health portals. The approach supplements existing Role Based Access Control (RBAC) capabilities with a rule-based access control module based on the classical Flexible Authorization Framework (FAF) model. I study conflict resolution and interaction between the two modules. I also address authentication for real-time services provided by remote service providers

ROLE BASED SECURED ACCESS OF DATA IN CLOUDS

In mobile wireless sensor network, coverage and energyCloud computing is a type of internet-based computing that provides shared computer processing resources and data to computers and other devices on demand. It is a model for enabling ubiquitous, on-demand access to a shared pool of configurable computing resources e.g., computer networks, servers, storage, applications and services, which can be rapidly provisioned and released with minimal management effort. Attribute-based access control defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes such as user attributes, resource attributes, object and environment attributes etc. This model supports Boolean logic, in which rules contain "if-then" statements about who is making the request, the resource and the action. The main problem in attribute–based access control is not having user-centric approach for authorization rules. In ABAC model role hierarchy and object hierarchy is not achieved and restriction in level of expressiveness in access control rules.Secured role-based access control allows managing authorization based on rule-based approach where rules are under the control of data owner and provides enriched role-based expressiveness including role and object hierarchies. Data user without the knowledge of data owner cannot use the cloud server where privilege is provided to data user by data owner. Access control computations are delegated to the cloud service provider, being this not only unable to access the data, but also unable to release it to unauthorized parties. A identity-based proxy re-encryption scheme has been used in order to provide a comprehensive and feasible solution for data centric-approach. Semantic web technologies have been exposed for the representation and evaluation of the authorization model

Security Analysis and Improvement Model for Web-based Applications

Today the web has become a major conduit for information. As the World Wide Web?s popularity continues to increase, information security on the web has become an increasing concern. Web information security is related to availability, confidentiality, and data integrity. According to the reports from http://www.securityfocus.com in May 2006, operating systems account for 9% vulnerability, web-based software systems account for 61% vulnerability, and other applications account for 30% vulnerability. In this dissertation, I present a security analysis model using the Markov Process Model. Risk analysis is conducted using fuzzy logic method and information entropy theory. In a web-based application system, security risk is most related to the current states in software systems and hardware systems, and independent of web application system states in the past. Therefore, the web-based applications can be approximately modeled by the Markov Process Model. The web-based applications can be conceptually expressed in the discrete states of (web_client_good; web_server_good, web_server_vulnerable, web_server_attacked, web_server_security_failed; database_server_good, database_server_vulnerable, database_server_attacked, database_server_security_failed) as state space in the Markov Chain. The vulnerable behavior and system response in the web-based applications are analyzed in this dissertation. The analyses focus on functional availability-related aspects: the probability of reaching a particular security failed state and the mean time to the security failure of a system. Vulnerability risk index is classified in three levels as an indicator of the level of security (low level, high level, and failed level). An illustrative application example is provided. As the second objective of this dissertation, I propose a security improvement model for the web-based applications using the GeoIP services in the formal methods. In the security improvement model, web access is authenticated in role-based access control using user logins, remote IP addresses, and physical locations as subject credentials to combine with the requested objects and privilege modes. Access control algorithms are developed for subjects, objects, and access privileges. A secure implementation architecture is presented. In summary, the dissertation has developed security analysis and improvement model for the web-based application. Future work will address Markov Process Model validation when security data collection becomes easy. Security improvement model will be evaluated in performance aspect

Enterprise Resource Bus and Views in Restful Web Services

Over the past few years RESTful Web Services (WSs) have gained immense popularity over the Web Service stack (WS*) to provide WS solutions. The WSs implemented using REST are lightweight and ideally suited for consumption for devices with limited processing capabilities like mobiles and tablets due to its dependence on HTTP. This enables the system architects to leverage the well-known capabilities of HTTP to develop their systems rapidly. However, this introduces the challenges of compromised security and unmanageable systems. This research presents a novel middleware architecture called Enterprise Resource Bus for Resource Oriented systems to tackle the issues of security, access control and resource management. The middleware architecture put forward in this research is focused on remedying these issues by abstracting the logic of access control and security to the concept of view resources to be managed in the middleware. This research draws inspiration from the middleware architecture implemented in SOA called Enterprise Service Bus. Since, the implementation of ERB is inspired from ESB we have emulated some functionalities of ESB and translated them to resource oriented architecture. In addition, this research also introduces the idea of views on resources inspired from the concept of virtual relations in relational databases to provide customized view resources based on user privilege/ role in the system to control access. The middleware architecture was tested for its overhead, scalability and security features as opposed to a REST Web Service without a middleware. It can be concluded from the evaluation results that with a small overhead a secure and highly manageable REST Web Services are achievable