14,743 research outputs found

    Identity and Access Management System: a Web-Based Approach for an Enterprise

    Managing digital identities and access control for enterprise users and applications remains one of the greatest challenges facing computing today. An attempt to address this issue led to the proposed security paradigm called Identity and Access Management (IAM) service based on IAM standards. Current approaches such as Lightweight Directory Access Protocol (LDAP), Central Authentication Service (CAS) and Security Assertion Markup Language (SAML) lack comprehensive analysis from conception to physical implementation to incorporate these solutions, thereby resulting in impractical and fractured solutions. In this paper, we have implemented an Identity and Access Management System (IAMSys) using the Lightweight Directory Access Protocol (LDAP) which focuses on authentication, authorization, administration of identities and audit reporting. Its primary concern is verification of the identity of the entity and granting the correct level of access for resources which are protected in either the cloud environment or on-premise systems. A phased approach methodology was used in the research, which requires that any enterprise or organization willing to adopt it carry out careful planning and demonstrate a good understanding of the technologies involved. The results of the experimental evaluation indicated that the average rating score is 72.0% for the participants involved in this study. This implies that the idea of IAMSys is a way of mitigating security challenges associated with authentication, authorization, data protection and accountability if properly deployed

    Issues in financial institution capital in emerging market economies

    This paper was presented at the conference "Financial services at the crossroads: capital regulation in the twenty-first century" as part of session 6, "The role of capital regulation in bank supervision." The conference, held at the Federal Reserve Bank of New York on February 26-27, 1998, was designed to encourage a consensus between the public and private sectors on an agenda for capital regulation in the new century.

    Financial institutions; Bank capital; Developing countries

    Validating a Web Service Security Abstraction by Typing

    An XML web service is, to a first approximation, an RPC service in which requests and responses are encoded in XML as SOAP envelopes, and transported over HTTP. We consider the problem of authenticating requests and responses at the SOAP-level, rather than relying on transport-level security. We propose a security abstraction, inspired by earlier work on secure RPC, in which the methods exported by a web service are annotated with one of three security levels: none, authenticated, or both authenticated and encrypted. We model our abstraction as an object calculus with primitives for defining and calling web services. We describe the semantics of our object calculus by translating to a lower-level language with primitives for message passing and cryptography. To validate our semantics, we embed correspondence assertions that specify the correct authentication of requests and responses. By appeal to the type theory for cryptographic protocols of Gordon and Jeffrey's Cryptyc, we verify the correspondence assertions simply by typing. Finally, we describe an implementation of our semantics via custom SOAP headers.

    Comment: 44 pages. A preliminary version appears in the Proceedings of the Workshop on XML Security 2002, pp. 18-29, November 200

    Operator-based approaches to harm minimisation in gambling: summary, review and future directions

    In this report we give critical consideration to the nature and effectiveness of harm minimisation in gambling. We identify gambling-related harm as both personal (e.g., health, wellbeing, relationships) and economic (e.g., financial) harm that occurs from exceeding one’s disposable income or disposable leisure time. We have elected to use the term ‘harm minimisation’ as the most appropriate term for reducing the impact of problem gambling, given its breadth in regard to the range of goals it seeks to achieve, and the range of means by which they may be achieved. The extent to which an employee can proactively identify a problem gambler in a gambling venue is uncertain. Research suggests that indicators do exist, such as sessional information (e.g., duration or frequency of play) and negative emotional responses to gambling losses. However, the practical implications of requiring employees to identify and interact with customers suspected of experiencing harm are questionable, particularly as the employees may not possess the clinical intervention skills which may be necessary. Based on emerging evidence, behavioural indicators identifiable in industry-held data could be used to identify customers experiencing harm. A programme of research is underway in Great Britain and in other jurisdiction

    Authorization Framework for the Internet-of-Things

    This paper describes a framework that allows fine-grained and flexible access control to connected devices with very limited processing power and memory. We propose a set of security and performance requirements for this setting and derive an authorization framework distributing processing costs between constrained devices and less constrained back-end servers while keeping message exchanges with the constrained devices at a minimum. As a proof of concept we present performance results from a prototype implementing the device part of the framework

    Reviewing the Drivers and Challenges in RFID Implementation in the Pharmaceutical Supply Chain

    Counterfeiting is a global phenomenon that poses a serious financial threat to the pharmaceutical industry and more importantly jeopardizes public safety and security. Different measures, including new laws and regulations, have been put in place to mitigate the threat and tighten control in the pharmaceuticals supply chain. However, it appears that the most promising countermeasure is track-and-trace technology such as electronic-pedigree (E-pedigree) with Radio Frequency Identification (RFID) technology. In this study we present a framework exploring the antecedents and consequences of RFID applications in the pharmaceutical supply chain. The framework proposes that counterfeiting and E-pedigree regulation will drive the implementation of RFID in the pharmaceutical supply chain, which in turn provides strategic and operational benefits that enable competitive advantage. Meanwhile, the implementation of RFID requires overcoming many operational, technical and financial challenges. The framework provides a springboard that future study can explore using empirical data

    Formal Verification of Security Protocol Implementations: A Survey

    Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approac

    Nonbanks and risk in retail payments

    This paper documents the importance of nonbanks in retail payments in the United States and in 15 European countries and analyzes the implications of the importance and multiple roles played by nonbanks on retail payment risks. This paper also reviews the main regulatory safeguards in place, and concludes that there may be a need to reconsider some of them in view of the growing role of nonbanks and of the global reach of risks in the electronic era.