XSACd—Cross-domain resource sharing & access control for smart environments
Computing devices permeate working and living environments, affecting all aspects of modern everyday life; a trend which is expected to intensify in the coming years. In the residential setting, the enhanced features and services provided by said computing devices constitute what is typically referred to as a “smart home”. However, the direct interaction smart devices often have with the physical world, along with the processing, storage and communication of data pertaining to users’ lives, i.e. data private and sensitive in nature, bring security concerns into the limelight. The resource constraints of the platforms being integrated into a smart home environment, and their heterogeneity in hardware, network and overlaying technologies, only exacerbate the above issues. This paper presents XSACd, a cross-domain resource sharing & access control framework for smart environments, combining the well-studied fine-grained access control provided by the eXtensible Access Control Markup Language (XACML) with the benefits of Service Oriented Architectures, through the use of the Devices Profile for Web Services (DPWS). Based on standardized technologies, it enables seamless interactions and fine-grained policy-based management of heterogeneous smart devices, including support for communication between distributed networks, via the associated MQ Telemetry Transport protocol (MQTT)–based proxies. The framework is implemented in full, and its performance is evaluated on a test bed featuring relatively resource-constrained smart platforms and embedded devices, verifying the feasibility of the proposed approach.
Tutorial: Identity Management Systems and Secured Access Control
Identity Management has been a serious problem since the establishment of the Internet. Yet little progress has been made toward an acceptable solution. Early Identity Management Systems (IdMS) were designed to control access to resources and match capabilities with people in well-defined situations. Today’s computing environment involves a variety of user- and machine-centric forms of digital identities and fuzzy organizational boundaries. With the advent of inter-organizational systems, social networks, e-commerce, m-commerce, service-oriented computing, and automated agents, the characteristics of IdMS face a large number of technical and social challenges. The first part of the tutorial describes the history and conceptualization of IdMS, current trends and proposed paradigms, the identity lifecycle, implementation challenges and social issues. The second part addresses standards, industry initiatives, and vendor solutions. We conclude that there is a disconnect between the need for a universal, seamless, transparent IdMS and the currently proposed standards and vendor solutions.
Decision-cache based XACML authorisation and anonymisation for XML documents
Author's version of an article in the journal Computer Standards and Interfaces. Also available from the publisher at: http://dx.doi.org/10.1016/j.csi.2011.10.007
This paper describes a decision cache for the eXtensible Access Control Markup Language (XACML) that supports fine-grained authorisation and anonymisation of XML-based messages and documents down to XML attribute and element level. The decision cache is implemented as an XACML obligation service, where a specification of the XML elements to be authorised and anonymised is sent to the Policy Enforcement Point (PEP) during initial authorisation. Further authorisation of individual XML elements according to the authorisation specification is then performed on all matching XML resources, and decisions are stored in the decision cache. This makes it possible to cache fine-grained XACML authorisation and anonymisation decisions, which reduces the authorisation load on the Policy Decision Point (PDP). The theoretical solution is related to a practical case study consisting of a privacy-enhanced intrusion detection system that needs to perform anonymisation of Intrusion Detection Message Exchange Format (IDMEF) XML messages before they are sent to a security operations centre that operates in privacy-preserving mode. The solution increases the scalability of XACML-based authorisation significantly, and may be instrumental in implementing federated authorisation and anonymisation based on XACML in several areas, including intrusion detection systems, web services, content management systems and GRID-based authentication and authorisation.
Dynamic deployment of web services on the internet or grid
PhD Thesis
This thesis focuses on the area of dynamic Web Service deployment for grid and Internet applications. It presents a new Dynamic Service Oriented Architecture (DynaSOAr) that enables the deployment of Web Services at run-time in response to consumer requests.
The service-oriented approach to grid and Internet computing is centred on two parties: the service provider and the service consumer. This thesis investigates the introduction of mobility into this service-oriented approach, allowing for better use of resources and improved quality of service. To this end, it examines the role of the service provider and makes the case for a clear separation of its concerns into two distinct roles: that of a Web Service Provider, whose responsibility is to receive and direct consumer requests and supply service implementations, and a Host Provider, whose role is to deploy services and process consumers' requests on available resources. This separation of concerns breaks the implicit bond between a published Web Service endpoint (network address) and the resource upon which the service is deployed. It also allows the architecture to respond dynamically to changes in service demand and quality of service requirements. Clearly defined interfaces for each role are presented, which form the infrastructure of DynaSOAr. The approach taken is wholly based on Web Services.
The dynamic deployment of service code between separate roles, potentially running in different administrative domains, raises a number of security issues which are addressed. A DynaSOAr service invocation involves three parties: the requesting Consumer, a Web Service Provider and a Host Provider; this tripartite relationship requires a security model that allows the concerns of each party to be enforced for a given invocation. This thesis, therefore, presents a Tripartite Security Model and an architecture that allows the representation, propagation and enforcement of three separate sets of constraints.
A prototype implementation of DynaSOAr is used to evaluate the claims made, and the results show that a significant benefit in terms of round-trip execution time for data-intensive applications is achieved. Additional benefits in terms of parallel deployments to satisfy multiple concurrent requests are also shown.
Adding Privacy Protection to Policy Based Authorisation Systems
An authorisation system determines who is authorised to do what, i.e. it assigns privileges to users and provides a decision on whether someone is allowed to perform a requested action on a resource. A traditional authorisation decision system, which is simply called the authorisation system or the system in the rest of the thesis, provides the decision based on a policy which is usually written by the system administrator. Such a traditional authorisation system is not sufficient to protect the privacy of personal data, since users (the data subjects) are usually given a take-it-or-leave-it choice to accept the controlling organisation’s policy. Privacy is the ability of the owners or subjects of personal data to control the flow of data about themselves, according to their own preferences. This thesis describes the design of an authorisation system that will provide privacy for personal data by including sticky authorisation policies from the issuers and data subjects, to supplement the authorisation policy of the controlling organisation. As personal data moves from controlling system to controlling system, the sticky policies travel with the data.
A number of data protection laws and regulations have been formulated to protect the privacy of individuals. The rights and prohibitions provided by the law need to be enforced by the authorisation system. Hence, the designed authorisation system also includes the authorisation rules from the legislation. This thesis describes the conversion of rules from the EU Data Protection Directive into machine-executable rules. Due to the nature of the legislative rules, not all of them could be converted into deterministic machine-executable rules, as in several cases human intervention or human judgement is required. This is catered for by allowing the machine rules to be configurable.
Since the system includes independent policies from various authorities (law, issuer, data subject and controller), conflicts may arise among the decisions provided by them. Consequently, this thesis describes a dynamic, automated conflict resolution mechanism. Different conflict resolution algorithms are chosen based on the request contexts.
As the EU Data Protection Directive allows processing of personal data based on contracts, we designed and implemented a component, the Contract Validation Service (ConVS), that can validate an XML-based digital contract to allow processing of personal data based on a contract.
The authorisation system has been implemented as a web service and the performance of the system is measured, by first deploying it on a single computer and then on a cloud server. Finally, the validity of the design and implementation is tested against a number of use cases based on scenarios involving accessing medical data in a health service provider’s system and accessing personal data such as CVs and degree certificates in an employment service provider’s system. The machine-computed authorisation decisions are compared to the theoretical decisions to ensure that the system returns the correct decisions.
Assured information sharing for ad-hoc collaboration
Collaborative information sharing tends to be highly dynamic and often ad hoc among organizations. The dynamic nature and sharing patterns of ad-hoc collaboration impose a need for a comprehensive and flexible approach to reflecting and coping with the unique access control requirements associated with the environment.
This dissertation outlines a Role-based Access Management for Ad-hoc Resource Sharing framework (RAMARS) to enable secure and selective information sharing in the heterogeneous ad-hoc collaborative environment. Our framework incorporates a role-based approach to addressing originator control, delegation and dissemination control. A special trust-aware feature is incorporated to deal with dynamic user and trust management, and a novel resource modeling scheme is proposed to support fine-grained selective sharing of composite data. As a policy-driven approach, we formally specify the necessary policy components in our framework and develop access control policies using the standardized eXtensible Access Control Markup Language (XACML). The feasibility of our approach is evaluated in two emerging collaborative information sharing infrastructures: peer-to-peer networking (P2P) and Grid computing. As a potential application domain, the RAMARS framework is further extended and adopted in secure healthcare services, with a unified patient-centric access control scheme being proposed to enable selective and authorized sharing of Electronic Health Records (EHRs), accommodating various privacy protection requirements at different levels of granularity.
ABAC platform for IoT applications based on the OASIS XACML standard
Master's degree in Computer and Telematics Engineering
The IoT (Internet of Things) is an area with great potential, but although many of its problems already have satisfactory solutions, security remains somewhat forgotten and is still an open question. One of the security aspects not yet addressed is access control. Access control is a way of strengthening security that involves evaluating requests for access to resources and denying access when it is not authorised, thereby guaranteeing secure access to critical or vulnerable resources. Access control is a broad term, and several models or paradigms are possible, the most significant of which are: IBAC (Identity Based Access Control), RBAC (Role Based Access Control) and ABAC (Attribute Based Access Control). In this work ABAC will be used, since it offers greater flexibility than IBAC and RBAC. Moreover, due to its adaptive nature, ABAC has greater longevity and lower maintenance requirements. OASIS (Organization for the Advancement of Structured Information Standards) developed the XACML (eXtensible Access Control Markup Language) standard for writing/defining access policies and access requests, and for evaluating requests against sets of policies, with the purpose of enforcing access control over resources. XACML was defined with the intention that requests and policies be easily readable by humans, while guaranteeing a well-defined structure that allows precise evaluation. The XACML standard uses ABAC. This work aims to create a security platform that uses the ABAC and XACML standards and that can be used by other systems, enforcing access control over resources that need protection and granting access only to authorised subjects. It will also enable the fine or granular definition of rules and requests, allowing more precise evaluation and a higher degree of security. The main use cases are large IoT applications, such as Smart City applications, which include intelligent monitoring of traffic, consumption of energy and other public resources, personal health monitoring, etc. These applications handle large amounts of information (Big Data) that is confidential and/or personal. A significant number of NoSQL (Not Only SQL) solutions exist to solve the data volume problem, but security is still an open question. This work will use two NoSQL databases: a key-value database (Redis) for storing policies and a wide-column database (Cassandra) for storing sensor information and additional attribute information during the tests.
IoT (Internet of Things) is an area which offers great opportunities and although a lot of issues already have satisfactory solutions, security has remained somewhat unaddressed and remains a big issue. Among the security aspects, we emphasize access control. Access Control is a way of enforcing security that involves evaluating requests for accessing resources and denying access if it is unauthorised, therefore providing security for vulnerable resources. Access Control is a broad term that consists of several methodologies, of which the most significant are: IBAC (Identity Based Access Control), RBAC (Role Based Access Control) and ABAC (Attribute Based Access Control). In this work ABAC will be used as it offers the most flexibility compared to IBAC and RBAC. Also, because of ABAC's adaptive nature, it offers longevity and lower maintenance requirements. OASIS (Organization for the Advancement of Structured Information Standards) developed the XACML (eXtensible Access Control Markup Language) standard for writing/defining requests and policies and the evaluation of the requests over sets of policies for the purpose of enforcing access control over resources. It is defined so that the requests and policies are readable by humans but also have a well-defined structure allowing for precise evaluation. The standard uses ABAC. This work aims to create a security framework that utilizes ABAC and the XACML standard so that it can be used by other systems and enforce access control over resources that need to be protected, by allowing access only to authorised subjects. It will also allow for fine-grained definition of rules and requests for more precise evaluation and therefore a greater level of security. The primary use-case scenarios are large IoT applications such as Smart City applications, including: smart traffic monitoring, energy and utility consumption, personal healthcare monitoring, etc. These applications deal with large quantities (Big Data) of confidential and/or personal data. A number of NoSQL (Not Only SQL) solutions exist for solving the problem of volume, but security is still an issue. This work will use two NoSQL databases: a key-value database (Redis) for the storing of policies and a wide-column database (Cassandra) for storing sensor data and additional attribute data during testing.
Security Mechanisms for Workflows in Service-Oriented Architectures
This thesis investigates how support for security and identity management can be integrated into a workflow management system. Based on a requirements analysis using an example from professional continuing education and a comparison with the state of the art, an architecture for the secure execution of workflows and for integration with identity management systems is developed, which enables new applications with improved security and privacy.