Search results

1 – 10 of 31
Article
Publication date: 10 June 2014

Tran Khanh Dang, Tuyen Thi Kim Le, Anh Tuan Dang and Ha Duc Son Van

Abstract

Purpose

The paper aims to propose a flexible framework to support X-STROWL model. Extensible access control markup language (XACML) is an international standard used for access control in distributed systems. However, XACML and its existing extensions are not sufficient to fulfill sophisticated security requirements (e.g. access control based on user’s roles, context-aware authorizations and the ability of reasoning). Remarkably, X-STROWL, a generalized extension of XACML for spatiotemporal role-based access control (RBAC) model with reasoning ability, is a comprehensive model that overcomes these shortcomings. It mainly focuses on the architecture design as well as the implementation and evaluation of the proposed framework and the comparison with others.

Design/methodology/approach

Based on the concept of X-STROWL model, the paper reviewed a large amount of open sources implementing XACML with defined criteria and chose the most suitable framework to be extended for the implementation. The paper also presented a case study used to evaluate the research result.

Findings

Holistic enterprise-ready application security framework – architecture framework (HERAS-AF) is chosen as the most suitable framework to be extended to implement X-STROWL model. Extending HERAS-AF to support spatiotemporal aspect and other contextual conditions as well as the way to integrate security in the access request, together with the ability of reasoning for hierarchical roles, are striking features that make the proposed framework able to meet more sophisticated security requirements in comparison with others.

Research limitations/implications

Due to the research content, the performance of the proposed framework is not the focus of this work.

Originality/value

The proposed framework is a crucial contribution of our research to provide a holistic, extensible and intelligent authorization decision engine.

Details

International Journal of Web Information Systems, vol. 10 no. 2
Type: Research Article
ISSN: 1744-0084

Article
Publication date: 3 April 2009

U.M. Mbanaso, G.S. Cooper, David Chadwick and Anne Anderson

Abstract

Purpose

This paper aims to describe a bilateral symmetric approach to authorization, privacy protection and obligation enforcement in distributed transactions. The authors introduce the concept of the obligation of trust (OoT) protocol as a privacy assurance and authorization mechanism that is built upon the XACML standard. The OoT allows two communicating parties to dynamically exchange their privacy and authorization requirements and capabilities, which the authors term a notification of obligation (NoB), as well as their commitments to fulfilling each other's requirements, which the authors term signed acceptance of obligations (SAO). The authors seek to describe some applicability of these concepts and to show how they can be integrated into distributed authorization systems for stricter privacy and confidentiality control.

Design/methodology/approach

Existing access control and privacy protection systems are typically unilateral and provider‐centric, in that the enterprise service provider assigns the access rights, makes the access control decisions, and determines the privacy policy. There is no negotiation between the client and the service provider about which access control or privacy policy to use. The authors adopt a symmetric, more user‐centric approach to privacy protection and authorization, which treats the client and service provider as peers, in which both can stipulate their requirements and capabilities, and hence negotiate terms which are equally acceptable to both parties.

Findings

The authors demonstrate how the obligation of trust protocol can be used in a number of different scenarios to improve upon the mechanisms that are currently available today.

Practical implications

This approach will serve to increase trust in distributed transactions since each communicating party receives a difficult to repudiate digitally signed acceptance of obligations, in a standard language (XACML), which can be automatically enforced by their respective computing machinery.

Originality/value

The paper adds to current research in trust negotiation, privacy protection and authorization by combining all three together into one set of standardized protocols. Furthermore, by providing hard to repudiate signed acceptance of obligations messages, this strengthens the legal case of the injured party should a dispute arise.

Details

Internet Research, vol. 19 no. 2
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 1 February 2005

Mariemma I. Yagüe, Antonio Maña and Javier Lopez

Abstract

Purpose

Provide a secure solution for web services (WS). A new interoperable and distributed access control for WS is presented.

Design/methodology/approach

Based on the separation of the access control (AC) and authorization function.

Findings

Mechanisms presented allow seamless integration of external authorization entities in the AC system. The Semantic Policy Language (SPL) developed facilitates specification of policies and semantic policy validation. SPL specifications are modular and can be composed without ambiguity. Also addressed was the problem of the association of policies to resources (WS or their operations) in a dynamic, flexible and automated way.

Research limitations/implications

The ACProxy component is currently under development. Ongoing work is focused on achieving a richer “use control” for some types of WS.

Practical implications

Administrators of WS can specify AC policies and validate them to find syntactic and semantic errors. Components for automated validation of policies at different levels are included. This ensures that the AC policies produce the desired effects, facilitating the creation and maintenance of policies. It also provides mechanisms for the use of interoperable authorizations.

Originality/value

A practical system that provides a secure solution to AC for WS. To the best of one's knowledge, no other system provides mechanisms for semantic validation of policies based on external authorization entities. Likewise, the mechanisms for interoperability of external authorization entities are also novel. The system provides content‐based access control and a secure, decentralized and dynamic solution for authorization that facilitates the management of complex systems and enhances the overall security of the AC.

Details

Internet Research, vol. 15 no. 1
Type: Research Article
ISSN: 1066-2243

Open Access
Article
Publication date: 9 October 2023

Aya Khaled Youssef Sayed Mohamed, Dagmar Auer, Daniel Hofer and Josef Küng

Abstract

Purpose

Data protection requirements heavily increased due to the rising awareness of data security, legal requirements and technological developments. Today, NoSQL databases are increasingly used in security-critical domains. Current survey works on databases and data security only consider authorization and access control in a very general way and do not regard most of today’s sophisticated requirements. Accordingly, the purpose of this paper is to discuss authorization and access control for relational and NoSQL database models in detail with respect to requirements and current state of the art.

Design/methodology/approach

This paper follows a systematic literature review approach to study authorization and access control for different database models. Starting with a research on survey works on authorization and access control in databases, the study continues with the identification and definition of advanced authorization and access control requirements, which are generally applicable to any database model. This paper then discusses and compares current database models based on these requirements.

Findings

As no survey works consider requirements for authorization and access control in different database models so far, the authors define their requirements. Furthermore, the authors discuss the current state of the art for the relational, key-value, column-oriented, document-based and graph database models in comparison to the defined requirements.

Originality/value

This paper focuses on authorization and access control for various database models, not concrete products. This paper identifies today’s sophisticated – yet general – requirements from the literature and compares them with research results and access control features of current products for the relational and NoSQL database models.

Details

International Journal of Web Information Systems, vol. 20 no. 1
Type: Research Article
ISSN: 1744-0084

Article
Publication date: 1 October 2006

Michael Hafner, Ruth Breu, Berthold Agreiter and Andrea Nowak

Abstract

Purpose

This contribution aims to present the core components of a framework and illustrate the main concepts of a methodology for the systematic design and realization of security‐critical inter‐organizational workflows with a portion of a workflow‐scenario drawn from e‐government. It is additionally shown how the framework can be adapted to incorporate advanced security patterns like the Qualified Signature, which extends the concept of digital signature by requiring a natural person to sign.

Design/methodology/approach

The framework is based on a methodology that focuses on the correct implementation of security‐requirements and consists of a suite of tools that facilitates the cost‐efficient realization and management of decentralized, security‐critical workflows.

Findings

The framework has been prototypically validated through case studies from the healthcare and e‐government sector. Positive results in pilot applications with industrial partners encourage further steps: the set of supported security requirements is continuously extended (e.g. rights delegation, four eyes principle), a testing environment for industrial settings is being implemented, and the requirements for the efficient management of inter‐organizational workflows are being analysed systematically.

Practical implications

The framework caters to the needs of an industrial audience, in need of a cost‐efficient support for the systematic and correct realization of secure, inter‐organizational workflows.

Originality/value

The contribution provides a description of the Sectet framework. It is shown how it can be adapted to incorporate advanced security patterns like the Qualified Signature, which implement a legal requirement specific to e‐government.

Details

Internet Research, vol. 16 no. 5
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 1 November 2005

Apostolos Malatras, George Pavlou, Petros Belsis, Stefanos Gritzalis, Christos Skourlas and Ioannis Chalaris

Abstract

Pervasive environments are mostly based on the ad hoc networking paradigm and are characterized by ubiquity in both users and devices and artifacts. In these inherently unstable conditions and bearing in mind the resource limitations that are attributed to participating devices, the deployment of Knowledge Management techniques is considered complicated due to the particular requirements. Security considerations are also very important since the distribution of knowledge information to multiple locations over a network poses inherent problems and calls for advanced methods in order to mitigate node misbehaviour and in order to enforce authorized and authenticated access to this information. This paper addresses the issue of secure and distributed knowledge management applications in pervasive environments. We present a prototype implementation after having discussed detailed design principles as far as the communications and the application itself are concerned. Robustness and lightweight implementation are the cornerstones of the proposed solution. The approach we have undertaken makes use of overlay networks to achieve efficiency and performance optimization, exploiting ontologies. The work presented in this paper extends our initial work to tackle this problem, as this was described in (28).

Details

International Journal of Pervasive Computing and Communications, vol. 1 no. 4
Type: Research Article
ISSN: 1742-7371

Article
Publication date: 23 October 2007

Óscar Cánovas, Antonio F. Gómez‐Skarmeta, Gabriel López and Manuel Sánchez

Abstract

Purpose

This paper seeks to present an overview and some preliminary results of the DAMe project. The main goal of this project was to define a unified authentication and authorisation system for federated services hosted in the eduroam network.

Design/methodology/approach

This paper presents the main initiatives and technologies related to the DAMe project and some first designs that show how the main goals are already being achieved.

Findings

At present, there are several activities of DAMe in progress, such as the design and implementation of a multiplatform PEAP supplicant, the middleware for managing the SSO tokens and the design of new common services for eduGAIN.

Originality/value

This paper is based on results from the DAMe project and the knowledge of the authors and will be of interest to those in the same field.

Details

Internet Research, vol. 17 no. 5
Type: Research Article
ISSN: 1066-2243

Open Access
Article
Publication date: 15 August 2022

Aya Khaled Youssef Sayed Mohamed, Dagmar Auer, Daniel Hofer and Josef Küng

Abstract

Purpose

Authorization and access control have been a topic of research for several decades. However, existing definitions are inconsistent and even contradict each other. Furthermore, there are numerous access control models and even more have recently evolved to conform with the challenging requirements of resource protection. That makes it hard to classify the models and decide for an appropriate one satisfying security needs. Therefore, this study aims to guide through the plenty of access control models in the current state of the art besides this opaque accumulation of terms meaning and how they are related.

Design/methodology/approach

This study follows the systematic literature review approach to investigate current research regarding access control models and illustrate the findings of the conducted review. To provide a detailed understanding of the topic, this study identified the need for an additional study on the terms related to the domain of authorization and access control.

Findings

The authors’ research results in this paper are the distinction between authorization and access control with respect to definition, strategies, and models in addition to the classification schema. This study provides a comprehensive overview of existing models and an analysis according to the proposed five classes of access control models.

Originality/value

Based on the authors’ definitions of authorization and access control along with their related terms, i.e. authorization strategy, model and policy as well as access control model and mechanism, this study gives an overview of authorization strategies and proposes a classification of access control models providing examples for each category. In contrast to other comparative studies, this study discusses more access control models, including the conventional state-of-the-art models and novel ones. This study also summarizes each of the literature works after selecting the relevant ones focusing on the database system domain or providing a survey, a classification or evaluation criteria of access control models. Additionally, the introduced categories of models are analyzed with respect to various criteria that are partly selected from the standard access control system evaluation metrics by the National Institute of Standards and Technology.

Details

International Journal of Web Information Systems, vol. 18 no. 2/3
Type: Research Article
ISSN: 1744-0084

Article
Publication date: 8 October 2018

Simon N. Foley and Vivien Rooney

Abstract

Purpose

In this paper, the authors consider how qualitative research techniques that are used in applied psychology to understand a person’s feelings and needs provide a means to elicit their security needs.

Design/methodology/approach

Recognizing that the codes uncovered during a grounded theory analysis of semi-structured interview data can be interpreted as policy attributes, the paper develops a grounded theory-based methodology that can be extended to elicit attribute-based access control style policies. In this methodology, user-participants are interviewed and machine learning is used to build a Bayesian network-based policy from the subsequent (grounded theory) analysis of the interview data.

Findings

Using a running example – based on a social psychology research study centered around photograph sharing – the paper demonstrates that in principle, qualitative research techniques can be used in a systematic manner to elicit security policy requirements.

Originality/value

While in principle qualitative research techniques can be used to elicit user requirements, the originality of this paper is a systematic methodology and its mapping into what is actionable, that is, providing a means to generate a machine-interpretable security policy at the end of the elicitation process.

Details

Information & Computer Security, vol. 26 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 21 May 2019

Johannes Zrenner, Frederik Oliver Möller, Christian Jung, Andreas Eitel and Boris Otto

Abstract

Purpose

Current business challenges force companies to exchange critical and sensitive data. The data provider pays great attention to the usage of their data and wants to control it by policies. The purpose of this paper is to develop usage control architecture options to enable data sovereignty in business ecosystems.

Design/methodology/approach

The architecture options are developed following the design science research process. Based on requirements from an automotive use case, the authors develop architecture options. The different architecture options are demonstrated and evaluated based on the case study with practitioners from the automotive industry.

Findings

This paper introduces different architecture options for implementing usage control (UC). The proposed architecture options represent solutions for UC in business ecosystems. The comparison of the architecture options shows the respective advantages and disadvantages for data provider and data consumer.

Research limitations/implications

In this work, the authors address only one case stemming from the German automotive sector.

Practical implications

Technical enforcement of data providers' policies instead of relying on trust to support collaborative data exchange between companies.

Originality/value

This research is among the first to introduce architecture options that provide a technical concept for the implementation of data sovereignty in business ecosystems using UC. Consequently, it supports the decision process for the technical implementation of data sovereignty.

Details

Journal of Enterprise Information Management, vol. 32 no. 3
Type: Research Article
ISSN: 1741-0398
