Situational Awareness based Risk-Adapatable Access Control in Enterprise Networks

As the computing landscape evolves towards distributed architectures such as Internet of Things (IoT),enterprises are moving away from traditional perimeter based security models toward so called zero trust networking (ZTN) models that treat both the intranet and Internet as equally untrustworthy. Such security models incorporate risk arising from dynamic and situational factors, such as device location and security risk level risk, into the access control decision. Researchers have developed a number of risk models such as RAdAC (Risk Adaptable Access Control) to handle dynamic contexts and these have been applied to medical and other scenarios. In this position paper we describe our ongoing work to apply RAdAC to ZTN. We develop a policy management framework, FURZE, to facilitate fuzzy risk evaluation that also defines how to adapt to dynamically changing contexts. We also consider how enterprise security situational awareness (SSA) - which describes the potential impact to an organisations mission based on the current threats and the relative importance of the information asset under threat - can be incorporated into a RAdAC schemeComment: 6 page

IaaS-cloud security enhancement: an intelligent attribute-based access control model and implementation

The cloud computing paradigm introduces an efficient utilisation of huge computing resources by multiple users with minimal expense and deployment effort compared to traditional computing facilities. Although cloud computing has incredible benefits, some governments and enterprises remain hesitant to transfer their computing technology to the cloud as a consequence of the associated security challenges. Security is, therefore, a significant factor in cloud computing adoption. Cloud services consist of three layers: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Cloud computing services are accessed through network connections and utilised by multi-users who can share the resources through virtualisation technology. Accordingly, an efficient access control system is crucial to prevent unauthorised access. This thesis mainly investigates the IaaS security enhancement from an access control point of view. [Continues.

An access control and authorization model with Open stack cloud for Smart Grid

In compare to Authentication for identification and relationship of an identity of a user with its task and process within the system, authorization in access control is much anxious about confirming that user and its task in the form of system process, access to the assets of any particular domain is only approved when proven obedient to the identified policies. Access control and authorization is always an area of interest for researchers for enhancing security of critical assets from many decades. Our prime focus and interest is in the field of access control model based on Attribute base access control (ABAC) and with this paper we tried to integrate ABAC with openstack cloud for achieving finer level of granularity in access policies for domain like smart grid. Technical advancement of current era demands that critical infrastructure like traditional electrical grid open ups to the modern information and communication technology to get the benefit in terms of efficiency, scalability, accessibility and transparency for better adaptability in real world. Incorporation of ICT with electric grid makes it possible to do greater level of bi-directional interaction among stake holders like customer, generation units, distribution units and administrations and these leads international organization to contribute for standardization of smart grid concepts and technology so that the realization of smart grid becomes reality. Smart grid is a distributed system of very large scale by its nature and needs to integrate available legacy systems with its own security requirements. Cloud computing proven to be most efficient approach for said requirements and we have identified openstack as our cloud platform. We have integrated ABAC approach with default RBAC approach of openstack and provide a frame work that supports and integrate multiple access control polices in making authorization decisions. Smart grid domain in considered as case study which requires support of multiple access policies (RBAC, ABAC or DAC etc) with our model for access control and authorization

Data trust framework using blockchain and smart contracts

Lack of trust is the main barrier preventing more widespread data sharing. The lack of transparent and reliable infrastructure for data sharing prevents many data owners from sharing their data. Data trust is a paradigm that facilitates data sharing by forcing data controllers to be transparent about the process of sharing and reusing data. Blockchain technology has the potential to present the essential properties for creating a practical and secure data trust framework by transforming current auditing practices and automatic enforcement of smart contracts logic without relying on intermediaries to establish trust. Blockchain holds an enormous potential to remove the barriers of traditional centralized applications and propose a distributed and transparent administration by employing the involved parties to maintain consensus on the ledger. Furthermore, smart contracts are a programmable component that provides blockchain with more flexible and powerful capabilities. Recent advances in blockchain platforms toward smart contracts' development have revealed the possibility of implementing blockchain-based applications in various domains, such as health care, supply chain and digital identity. This dissertation investigates the blockchain's potential to present a framework for data trust. It starts with a comprehensive study of smart contracts as the main component of blockchain for developing decentralized data trust. Interrelated, three decentralized applications that address data sharing and access control problems in various fields, including healthcare data sharing, business process, and physical access control system, have been developed and examined. In addition, a general-purpose application based on an attribute-based access control model is proposed that can provide trusted auditability required for data sharing and access control systems and, ultimately, a data trust framework. Besides auditing, the system presents a transparency level that both access requesters (data users) and resource owners (data controllers) can benefit from. The proposed solutions have been validated through a use case of independent digital libraries. It also provides a detailed performance analysis of the system implementation. The performance results have been compared based on different consensus mechanisms and databases, indicating the system's high throughput and low latency. Finally, this dissertation presents an end-to-end data trust framework based on blockchain technology. The proposed framework promotes data trustworthiness by assessing input datasets, effectively managing access control, and presenting data provenance and activity monitoring. A trust assessment model that examines the trustworthiness of input data sets and calculates the trust value is presented. The number of transaction validators is defined adaptively with the trust value. This research provides solutions for both data owners and data users’ by ensuring the trustworthiness and quality of the data at origin and transparent and secure usage of the data at the end. A comprehensive experimental study indicates the presented system effectively handles a large number of transactions with low latency

A Dynamic Access Control Model Using Authorising Workfow and Task Role-based Access Control

Access control is fundamental and prerequisite to govern and safeguard information assets within an organisation. Organisations generally use Web enabled remote access coupled with applications access distributed across various networks. These networks face various challenges including increase operational burden and monitoring issues due to the dynamic and complex nature of security policies for access control. The increasingly dynamic nature of collaborations means that in one context a user should have access to sensitive information, whilst not being allowed access in other contexts. The current access control models are static and lack Dynamic Segregation of Duties (SoD), Task instance level of Segregation, and decision making in real time. This thesis addresses these limitations describes tools to support access management in borderless network environments with dynamic SoD capability and real time access control decision making and policy enforcement. This thesis makes three contributions: i) Defining an Authorising Workflow Task Role Based Access Control (AW-TRBAC) using existing task and workflow concepts. This new workflow integrates dynamic SoD, whilst considering task instance restriction to ensure overall access governance and accountability. It enhances existing access control models such as Role Based Access Control (RBAC) by dynamically granting users access rights and providing access governance. ii) Extension of the OASIS standard of XACML policy language to support dynamic access control requirements and enforce access control rules for real time decision making. This mitigates risks relating to access control, such as escalation of privilege in broken access control, and insucient logging and monitoring. iii) The AW-TRBAC model is implemented by extending the open source XACML (Balana) policy engine to demonstrate its applicability to a real industrial use case from a financial institution. The results show that AW-TRBAC is scalable, can process relatively large numbers of complex requests, and meets the requirements of real time access control decision making, governance and mitigating broken access control risk

Access Control Within MQTT-based IoT environments

IoT applications, which allow devices, companies, and users to join the IoT ecosystems, are growing in popularity since they increase our lifestyle quality day by day. However, due to the personal nature of the managed data, numerous IoT applications represent a potential threat to user privacy and data confidentiality. Insufficient security protection mechanisms in IoT applications can cause unauthorized users to access data. To solve this security issue, the access control systems, which guarantee only authorized entities to access the resources, are proposed in academic and industrial environments. The main purpose of access control systems is to determine who can access specific resources under which circumstances via the access control policies. An access control model encapsulates the defined set of access control policies. Access control models have been proposed also for IoT environments to protect resources from unauthorized users. Among the existing solutions, the proposals which are based on Attribute-Based Access Control (ABAC) model, have been widely adopted in the last years. In the ABAC model, authorizations are determined by evaluating attributes associated with the subject, object, and environmental properties. ABAC model provides outstanding flexibility and supports fine-grained, context-based access control policies. These characteristics perfectly fit the IoT environments. In this thesis, we employ ABAC to regulate the reception and the publishing of messages exchanged within MQTT-based IoT environments. MQTT is a standard application layer protocol that enables the communication of IoT devices. Even though the current access control systems tailored for IoT environments in the literature handle data sharing among the IoT devices by employing various access control models and mechanisms to address the challenges that have been faced in IoT environments, surprisingly two research challenges have still not been sufficiently examined. The first challenge that we want to address in this thesis is to regulate data sharing among interconnected IoT environments. In interconnected IoT environments, data exchange is carried out by devices connected to different environments. The majority of proposed access control frameworks in the literature aimed at regulating the access to data generated and exchanged within a single IoT environment by adopting centralized enforcement mechanisms. However, currently, most of the IoT applications rely on IoT devices and services distributed in multiple IoT environments to satisfy users’ demands and improve their functionalities. The second challenge that we want to address in this thesis is to regulate data sharing within an IoT environment under ordinary and emergency situations. Recent emergencies, such as the COVID-19 pandemic, have shown that proper emergency management should provide data sharing during an emergency situation to monitor and possibly mitigate the effect of the emergency situation. IoT technologies provide valid support to the development of efficient data sharing and analysis services and appear well suited for building emergency management applications. Additionally, IoT has magnified the possibility of acquiring data from different sensors and employing these data to detect and manage emergencies. An emergency management application in an IoT environment should be complemented with a proper access control approach to control data sharing against unauthorized access. In this thesis, we do a step to address two open research challenges related to data protection in IoT environments which are briefly introduced above. To address these challenges, we propose two access control frameworks rely on ABAC model: the first one regulates data sharing among interconnected MQTT-based IoT environments, whereas the second one regulates data sharing within MQTT-based IoT environment during ordinary and emergency situations.IoT applications, which allow devices, companies, and users to join the IoT ecosystems, are growing in popularity since they increase our lifestyle quality day by day. However, due to the personal nature of the managed data, numerous IoT applications represent a potential threat to user privacy and data confidentiality. Insufficient security protection mechanisms in IoT applications can cause unauthorized users to access data. To solve this security issue, the access control systems, which guarantee only authorized entities to access the resources, are proposed in academic and industrial environments. The main purpose of access control systems is to determine who can access specific resources under which circumstances via the access control policies. An access control model encapsulates the defined set of access control policies. Access control models have been proposed also for IoT environments to protect resources from unauthorized users. Among the existing solutions, the proposals which are based on Attribute-Based Access Control (ABAC) model, have been widely adopted in the last years. In the ABAC model, authorizations are determined by evaluating attributes associated with the subject, object, and environmental properties. ABAC model provides outstanding flexibility and supports fine-grained, context-based access control policies. These characteristics perfectly fit the IoT environments. In this thesis, we employ ABAC to regulate the reception and the publishing of messages exchanged within MQTT-based IoT environments. MQTT is a standard application layer protocol that enables the communication of IoT devices. Even though the current access control systems tailored for IoT environments in the literature handle data sharing among the IoT devices by employing various access control models and mechanisms to address the challenges that have been faced in IoT environments, surprisingly two research challenges have still not been sufficiently examined. The first challenge that we want to address in this thesis is to regulate data sharing among interconnected IoT environments. In interconnected IoT environments, data exchange is carried out by devices connected to different environments. The majority of proposed access control frameworks in the literature aimed at regulating the access to data generated and exchanged within a single IoT environment by adopting centralized enforcement mechanisms. However, currently, most of the IoT applications rely on IoT devices and services distributed in multiple IoT environments to satisfy users’ demands and improve their functionalities. The second challenge that we want to address in this thesis is to regulate data sharing within an IoT environment under ordinary and emergency situations. Recent emergencies, such as the COVID-19 pandemic, have shown that proper emergency management should provide data sharing during an emergency situation to monitor and possibly mitigate the effect of the emergency situation. IoT technologies provide valid support to the development of efficient data sharing and analysis services and appear well suited for building emergency management applications. Additionally, IoT has magnified the possibility of acquiring data from different sensors and employing these data to detect and manage emergencies. An emergency management application in an IoT environment should be complemented with a proper access control approach to control data sharing against unauthorized access. In this thesis, we do a step to address two open research challenges related to data protection in IoT environments which are briefly introduced above. To address these challenges, we propose two access control frameworks rely on ABAC model: the first one regulates data sharing among interconnected MQTT-based IoT environments, whereas the second one regulates data sharing within MQTT-based IoT environment during ordinary and emergency situations

Ontology-based Access Control in Open Scenarios: Applications to Social Networks and the Cloud

La integració d'Internet a la societat actual ha fet possible compartir fàcilment grans quantitats d'informació electrònica i recursos informàtics (que inclouen maquinari, serveis informàtics, etc.) en entorns distribuïts oberts. Aquests entorns serveixen de plataforma comuna per a usuaris heterogenis (per exemple, empreses, individus, etc.) on es proporciona allotjament d'aplicacions i sistemes d'usuari personalitzades; i on s'ofereix un accés als recursos compartits des de qualsevol lloc i amb menys esforços administratius. El resultat és un entorn que permet a individus i empreses augmentar significativament la seva productivitat. Com ja s'ha dit, l'intercanvi de recursos en entorns oberts proporciona importants avantatges per als diferents usuaris, però, també augmenta significativament les amenaces a la seva privacitat. Les dades electròniques compartides poden ser explotades per tercers (per exemple, entitats conegudes com "Data Brokers"). Més concretament, aquestes organitzacions poden agregar la informació compartida i inferir certes característiques personals sensibles dels usuaris, la qual cosa pot afectar la seva privacitat. Una manera de del.liar aquest problema consisteix a controlar l'accés dels usuaris als recursos potencialment sensibles. En concret, la gestió de control d'accés regula l'accés als recursos compartits d'acord amb les credencials dels usuaris, el tipus de recurs i les preferències de privacitat dels propietaris dels recursos/dades. La gestió eficient de control d'accés és crucial en entorns grans i dinàmics. D'altra banda, per tal de proposar una solució viable i escalable, cal eliminar la gestió manual de regles i restriccions (en la qual, la majoria de les solucions disponibles depenen), atès que aquesta constitueix una pesada càrrega per a usuaris i administradors . Finalment, la gestió del control d'accés ha de ser intuïtiu per als usuaris finals, que en general no tenen grans coneixements tècnics.La integración de Internet en la sociedad actual ha hecho posible compartir fácilmente grandes cantidades de información electrónica y recursos informáticos (que incluyen hardware, servicios informáticos, etc.) en entornos distribuidos abiertos. Estos entornos sirven de plataforma común para usuarios heterogéneos (por ejemplo, empresas, individuos, etc.) donde se proporciona alojamiento de aplicaciones y sistemas de usuario personalizadas; y donde se ofrece un acceso ubicuo y con menos esfuerzos administrativos a los recursos compartidos. El resultado es un entorno que permite a individuos y empresas aumentar significativamente su productividad. Como ya se ha dicho, el intercambio de recursos en entornos abiertos proporciona importantes ventajas para los distintos usuarios, no obstante, también aumenta significativamente las amenazas a su privacidad. Los datos electrónicos compartidos pueden ser explotados por terceros (por ejemplo, entidades conocidas como “Data Brokers”). Más concretamente, estas organizaciones pueden agregar la información compartida e inferir ciertas características personales sensibles de los usuarios, lo cual puede afectar a su privacidad. Una manera de paliar este problema consiste en controlar el acceso de los usuarios a los recursos potencialmente sensibles. En concreto, la gestión de control de acceso regula el acceso a los recursos compartidos de acuerdo con las credenciales de los usuarios, el tipo de recurso y las preferencias de privacidad de los propietarios de los recursos/datos. La gestión eficiente de control de acceso es crucial en entornos grandes y dinámicos. Por otra parte, con el fin de proponer una solución viable y escalable, es necesario eliminar la gestión manual de reglas y restricciones (en la cual, la mayoría de las soluciones disponibles dependen), dado que ésta constituye una pesada carga para usuarios y administradores. Por último, la gestión del control de acceso debe ser intuitivo para los usuarios finales, que por lo general carecen de grandes conocimientos técnicos.Thanks to the advent of the Internet, it is now possible to easily share vast amounts of electronic information and computer resources (which include hardware, computer services, etc.) in open distributed environments. These environments serve as a common platform for heterogeneous users (e.g., corporate, individuals etc.) by hosting customized user applications and systems, providing ubiquitous access to the shared resources and requiring less administrative efforts; as a result, they enable users and companies to increase their productivity. Unfortunately, sharing of resources in open environments has significantly increased the privacy threats to the users. Indeed, shared electronic data may be exploited by third parties, such as Data Brokers, which may aggregate, infer and redistribute (sensitive) personal features, thus potentially impairing the privacy of the individuals. A way to palliate this problem consists on controlling the access of users over the potentially sensitive resources. Specifically, access control management regulates the access to the shared resources according to the credentials of the users, the type of resource and the privacy preferences of the resource/data owners. The efficient management of access control is crucial in large and dynamic environments such as the ones described above. Moreover, in order to propose a feasible and scalable solution, we need to get rid of manual management of rules/constraints (in which most available solutions rely) that constitutes a serious burden for the users and the administrators. Finally, access control management should be intuitive for the end users, who usually lack technical expertise, and they may find access control mechanism more difficult to understand and rigid to apply due to its complex configuration settings