Distributed Access Control for Web and Business Processes

Middleware influenced the research community in developing a number of systems for controlling access to distributed resources. Nowadays a new paradigm for the lightweight integration of business resources from different partners is starting to take hold – Web Services and Business Processes for Web Services. Security and access control policies for Web Services protocols and distributed systems are well studied and almost standardized, but there is not yet a comprehensive proposal for an access control architecture for business processes. So, it is worth looking at the available approaches to distributed authorization as a starting point for a better understanding of what they already have and what they still need to address the security challenges for business processes

A Reference Architecture Proposal for Secure Data Management in Mobile Health

Mobile health (mHealth) is becoming a prominent component of healthcare. As the border between wearable consumer devices and medical devices begins to thin, we extend the mHealth definition including sports, lifestyle, and wellbeing apps that may connect to smart bracelets and watches as well as medical device apps running on consumer platforms and dedicated connected medical devices. This trend raises security and privacy concerns, since these technologies collect data ubiquitously and continuously, both on the individual user and on the surroundings. Security issues include lack of authentication and authorization mechanisms, as well as insecure data transmission and storage. Privacy issues include users' lack of control on data flow, poor quality consent management, and limitations on the possibility to remain anonymous. In response to these threats, we propose an advanced reference platform, securing the use of wearables and mobile apps in the mHealth domains through citizens' active protection and information

ELECTRON: An Architectural Framework for Securing the Smart Electrical Grid with Federated Detection, Dynamic Risk Assessment and Self-Healing

The electrical grid has significantly evolved over the years, thus creating a smart paradigm, which is well known as the smart electrical grid. However, this evolution creates critical cybersecurity risks due to the vulnerable nature of the industrial systems and the involvement of new technologies. Therefore, in this paper, the ELECTRON architecture is presented as an integrated platform to detect, mitigate and prevent potential cyberthreats timely. ELECTRON combines both cybersecurity and energy defence mechanisms in a collaborative way. The key aspects of ELECTRON are (a) dynamic risk assessment, (b) asset certification, (c) federated intrusion detection and correlation, (d) Software Defined Networking (SDN) mitigation, (e) proactive islanding and (f) cybersecurity training and certification

Interactive Access Control in Autonomic Communication

Autonomic Communication is a new paradigm for dynamic network integration. An Autonomic Network crosses organizational and management boundaries and is provided by entities that see each other just as business partners. Policy-based network access and management already requires a paradigm shift in the access control mechanism: from identity-based access control to trust management and negotiation, but this is not enough for cross organizational autonomic communication. For many services no autonomic communication partner may guess a priori what will be sent by clients and clients may not know a priori what credentials are demanded for completing a service requiring the orchestration of many different autonomic nodes. To solve this problem we propose to use interactive access control for autonomic communication: servers should be able to get back to clients asking for missing credentials, whereas the latter may decide to supply or decline requested credentials and so on until a final decision is made. This proposal is grounded in a formal model on policy-based access control using abduction. We identify the key algorithm for interactive access and show its correctness. The Web Services-based implementation that we have developed is also sketched

An Access Control System for Business Processes for Web Services

Web Services and Business Processes for Web Services are the new paradigms for the lightweight integration of business from different enterprises. Whereas the security and access control policies for basic web services and distributed systems are well studied and almost standardized, there is not yet a comprehensive proposal for an access control architecture for business processes. The major difference is that business process describe complex services that cross organizational boundaries and are provided by entities that sees each other as just partners and nothing else. This calls for a number of differences with traditional aspects of access control architectures such as: - credential vs classical user-based access control, - interactive and partner-based vs one-server-gathers-all requests of credentials from clients, - controlled disclosure of information vs all-or-nothing access control decisions, - abducing missing credentials for fulfilling requests vs deducing entailment of valid requests from credentials in formal models, - "source-code" authorization processes vs data describing policies for communicating policies or for orchestrating the work of authorization servers. Looking at the access control field we find good approximation of most components but not their synthesis into one access control architecture for business processes for web services, which is the contribution of this paper

Abduction and Deduction in Logic Programming for Access Control for Autonomic Systems

Autonomic communication and computing is the new paradigm for dynamic service integration over a network. An autonomic network crosses organizational and management boundaries and is provided by entities that see each other just as partners that need to collaborate with little known or even unknown parties. Policy-based network access and management already requires a paradigm shift in the access control mechanism: from identity-based access control to trust management and negotiation, but even this is not enough for cross-organizational autonomic communication. For many services no autonomic partner may guess a priori what will be sent by clients and clients may not know a priori what credentials are demanded for completing a service, which may require the orchestration of many different autonomic nodes. To solve this problem we propose to use interactive access control: servers should be able to get back to clients asking for missing or excessing credentials, whereas the latter may decide to supply or decline requested credentials and so on until a final decision is taken. This proposal is grounded in a formal model on policy-based access control. It identifies the formal reasoning services of deduction, abduction and consistency checking that characterize the problem. It proposes two access control algorithms for stateless and stateful autonomic services and shows their completeness and correctness

Interactive Access Control in Autonomic Communication

Autonomic Communication is a new paradigm for dynamic network integration. An Autonomic Network crosses organizational and management boundaries and is provided by entities that see each other just as business partners. Policy-based network access and management already requires a paradigm shift in the access control mechanism: from identity-based access control to trust management and negotiation, but this is not enough for cross organizational autonomic communication. For many services no autonomic communication partner may guess a priori what will be sent by clients and clients may not know a priori what credentials are demanded for completing a service requiring the orchestration of many different autonomic nodes. To solve this problem we propose to use interactive access control for autonomic communication: servers should be able to get back to clients asking for missing credentials, whereas the latter may decide to supply or decline requested credentials and so on until a final decision is made. This proposal is grounded in a formal model on policy-based access control using abduction. We identify the key algorithm for interactive access and show its correctness. The Web Services-based implementation tha