The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations. Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.

1

A Certificate Based, Context Aware Access Control Model For Multi Domain Environments

Yortanli, Ahmet 01 February 2011
A certificate based approach is proposed for access control operations of context aware systems for multi domain environments. The new model deals with the removal of the inter-domain communication requirement in the access request evaluation process. The study is applied on a prototype implementation with configuration for two different cases to show the applicability of the proposed certificate based, context aware access control model for multi domain environments. The outputs for the cases show that the proposed access control model can satisfy the requirements of a context aware access control model while removing inter-domain communication needs, which may cause some latency in the access request evaluation phase.
2

Assurance Management Framework for Access Control Systems

January 2012
abstract: Access control is one of the most fundamental security mechanisms used in the design and management of modern information systems. However, there still exists an open question on how formal access control models can be automatically analyzed and fully realized in secure system development. Furthermore, specifying and managing access control policies are often error-prone due to the lack of effective analysis mechanisms and tools. In this dissertation, I present an Assurance Management Framework (AMF) that is designed to cope with various assurance management requirements from both access control system development and policy-based computing. On one hand, the AMF framework facilitates comprehensive analysis and thorough realization of formal access control models in secure system development. I demonstrate how this method can be applied to build role-based access control systems by adopting the NIST/ANSI RBAC standard as an underlying security model. On the other hand, the AMF framework ensures the correctness of access control policies in policy-based computing through automated reasoning techniques and anomaly management mechanisms. A systematic method is presented to formulate XACML in Answer Set Programming (ASP) that allows users to leverage off-the-shelf ASP solvers for a variety of analysis services. In addition, I introduce a novel anomaly management mechanism, along with a grid-based visualization approach, which enables systematic and effective detection and resolution of policy anomalies. I further evaluate the AMF framework through modeling and analyzing multiparty access control in Online Social Networks (OSNs). A MultiParty Access Control (MPAC) model is formulated to capture the essence of multiparty authorization requirements in OSNs. In particular, I show how AMF can be applied to OSNs for identifying and resolving privacy conflicts, and representing and reasoning about MPAC model and policy. 
To demonstrate the feasibility of the proposed methodology, a suite of proof-of-concept prototype systems is implemented as well. / Dissertation/Thesis / Ph.D. Computer Science 2012
3

User Behavior Trust Based Cloud Computing Access Control Model

Jiangcheng, Qin January 2016
Context. With the development of computer software, hardware, and communication technologies, a new type of human-centered computing model, called Cloud Computing (CC), has been established as a commercial computer network service. However, the openness of CC brings a huge security challenge to the identity-based access control system, as it is not able to effectively prevent malicious users from accessing; information security problems, system stability problems, and also the trust issues between cloud service users (CSUs) and cloud service providers (CSPs) are arising therefrom. User behavior trust (UBT) evaluation is a valid method to solve the security dilemmas of the identity-based access control system, but current studies of UBT based access control models are still not mature enough, with problems such as UBT evaluation complexity, trust dynamic update efficiency, evaluation accuracy, etc. Objective. The aim of the study is to design and develop an improved UBT based CC access control model compared to the current state-of-art. This includes an improved UBT evaluation method, able to reflect the user’s credibility according to the user’s interaction behavior, which provides the access control model with valid evidence for making access control decisions; and a dynamic authorization control and re-allocation strategy, able to respond in a timely manner to a user’s malicious behavior during the entire interaction process through real-time behavior trust evaluation, timely updating CSUs’ trust values and re-allocating authority degree. Methods. This study presented a systematic literature review (SLR) to identify the working structure of the UBT based access control model; summarize the CSUs’ behaviors that can be collected as UBT evaluation evidence; identify the attributes of trust that will affect the accuracy of UBT evaluation; and evaluate the current state-of-art of UBT based access control models and their potential advantages, opportunities, and weaknesses.
Using the acquired knowledge, a UBT based access control model was designed, and a prototype method was adopted to simulate the performance of the model, in order to verify its validation, improvements, and limitations. Results. Through the SLR, two types of UBT based access control model working structures are identified and illustrated, essential elements are summarized, and a dynamic trust and access update module is described; 23 CSU behavior evidence items are identified and classified into three classes; four important trust attributes, influences, and corresponding countermeasures are identified and summarized; and eight current state-of-art UBT based access control models are identified and evaluated. A Triple Dynamic Window based Access Control model (TDW) was designed and established as a prototype; the simulation result indicates the TDW model performs well on the trust fraud problem and the trust expiration problem. Conclusions. From the research results that we obtained from this study, we have identified several basic elements of the UBT evaluation method and evaluated the current state-of-art UBT based access control models. To address the weaknesses of trust fraud prevention and the trust expiration problem, this paper designed a TDW based access control model. In comparison to the current state-of-art UBT models, the TDW model has the following advantages: it effectively prevents the trust fraud problem with the “slow rise” principle; it is able to respond in a timely manner to malicious behavior through a constantly aggravated punishment strategy (the “rapid decrease” principle), effectively preventing malicious behavior and malicious users; it is able to reflect the recent credibility of the accessing user through an expired trust update strategy and most recent trust calculation; and finally, it has a simple and customizable data structure and a simple trust evaluation method, which has good scalability.
4

Implementation Of Database Security Features Using Bit Matrices

Gopal, K 04 1900
Information security is of utmost concern in a multiuser environment. The importance of security is felt much more with the widespread use of distributed databases. Information is by itself a critical resource of an enterprise and thus the successful operation of an enterprise demands that data be made accessible only by authorized users and that the data be made to reflect the state of the enterprise. Since many databases are online, accessed by multiple users concurrently, special mechanisms are needed to insure integrity and security of relevant information. This thesis describes a model for computer database security that supports a wide variety of security policies. The terms security policies and security mechanism are presented in Chapter 1. The interrelated topics of security and integrity are discussed in some detail. The importance and means of insuring security of information are also presented in this chapter. In Chapter 2, the work done in the field of Computer Security and related topics has been presented. In general, computer security models could be classified broadly under two categories: (1) Models based on Access Control Matrix and (2) Models based on Information Flow Control. The development of the models based on the above two schemes as also the policies supported by some of the schemes are presented in this chapter. A brief description of the work carried out in database security as also the definition of related terms are given in Chapter 3. The interrelationship between the operating system security and database security is also presented in this chapter. In general the database security mechanism depends on the existing operating system. The database security mechanisms are thus only as strong as the underlying operating system on which they are developed. The various schemes used for implementing database security such as access controller and capability lists are described in this chapter. 
In Chapter 4, a model for database security has been described. The model provides for: (a) Delegation of access rights by a user and (b) Revocation of access rights previously granted by a user. In addition, algorithms for enforcing context dependent and content dependent rules are provided in this chapter. The context-dependent rules are stored in the form of elements of a bit matrix. Context-dependent rules could then be enforced by suitably manipulating the bit matrix and interpreting the value of the elements of the matrix. The major advantage of representing the rules using bit matrices is that the matrix itself could be maintained in main memory. The time taken to examine if a user is authorized to access an object is drastically reduced because of the reduced time required to inspect main memory. The method presented in this chapter, in addition to reducing the time requirement for enforcing security, also presents a method for enforcing decentralized authorization control, a facility that is useful in a distributed database environment. Chapter 5 describes a simulation method that is useful for comparing the various security schemes. The tasks involved in the simulation are: 1. Creation of an arrival (job). 2. Placing the incoming job either in the wait queue or in the run state depending on the type of access needed for the object. 3. Checking that the user on whose behalf the job is being executed is authorized to access the object in the mode requested. 4. Checking for the successful completion of the job and termination of the job. 5. Collection of important parameters such as number of jobs processed, average connect time. 
Simulation was carried out for timing both the access controller scheme and the bit matrix scheme. The results of the simulation run bear out the fact that the bit matrix scheme provides a faster method. Six types of access were assumed to be permissible, three of the access types requiring shared locks and the rest requiring exclusive locks on the objects concerned. In addition, the only type of operation allowed was assumed to be for accessing the objects. It is to be noted that the time taken to check for security violation is but one of the factors for rating the security system. In general, various other factors such as cost of implementing the security system, the flexibility that offers enforcing security policies also have to be taken into account while comparing the security systems. Finally, in Chapter 6, a comparison of the security schemes is made. In conclusion the bit matrix approach is seen to provide the following features. (a) The time required to check if an access request should be honoured is very small. (b) The time required to find all users accessing an object, viz. accountability, is quite small. (c) The time required to find all objects accessible by a user is also quite small. (d) The scheme supports both decentralized and centralized authorization control. (e) Mechanisms for enforcing delegation of access rights and revocation of access rights could be built in easily. (f) The scheme supports content-dependent and context-dependent controls and also provides a means for enforcing history-dependent control. Finally, some recommendations for further study in the field of Computer Database Security are presented.
5

Increasing Efficiency and Scalability in AWS IAM by Leveraging an Entity-centric Attribute- & Role-based Access Control (EARBAC) Model

Karlsson, Rasmus, Jönrup, Pontus January 2023
Cloud computing is becoming increasingly popular among all types of companies due to its inherent benefits. However, because of its infrastructure, it might be difficult to manage access rights between users and resources. To address these difficulties, Amazon Web Services (AWS) provides Identity and Access Management (IAM) and features that support the use of different access control models, for example, Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC). Access control models are used for authorisation within systems to decide who gets access to what. Therefore, to determine what constitutes an efficient (the average time it takes to perform a task in AWS IAM) and secure access control model, a thorough study of background material and related work was conducted. Through this study, it was found that RBAC lacked scalability whilst ABAC lacked administrative capabilities. It was also found that flexibility and scalability were two important factors when designing access control models. Furthermore, by conducting a survey and designing an access control model for AWS through various iterations, a new access control model called Entity-centric Attribute- & Role-based Access Control (EARBAC) was developed. In an experiment comparing it with the RBAC model, the EARBAC model was found to be both efficient and secure, in addition to its flexibility and scalability. Furthermore, EARBAC was also found to be 27% faster than RBAC in AWS IAM. These results suggest that the model is useful when developing cloud infrastructures in AWS.
