  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
11

Single sign-on in heterogeneous computer environments

Louwrens, Cecil Petrus 05 September 2012
M.Sc. / The aim of this dissertation (referred to as thesis in the rest of the document) is to investigate the concept of Single Sign-on (SSO) in heterogeneous computing environments and to provide guidelines and reference frameworks for the selection and successful implementation of SSO solutions. In doing so, it also provides an overview of the basic types of SSO, Secure Single Sign-on (SSSO) solutions, enabling technologies, as well as products currently available. Chapter 1 introduces the sign-on problem, the purpose and organization of the thesis and terminology and abbreviations used. The crux of the sign-on problem is that users are required to sign on to multiple systems, developed at different times and based on different technologies, each with its own set of sign-on procedures and passwords. This inevitably leads to frustration, loss of productivity and weakened security. Users frequently resort to writing down passwords or using trivial passwords that can easily be guessed. In Chapter 2 the concepts of Single Sign-on and a special subset of SSO, Secure Single Sign-on are defined. Five types of SSO solutions are identified, namely: Synchronization, Scripting, Proxies and Trusted Hosts, Trusted Authentication Server and Hybrid solutions. Of the available types of solutions, only Trusted Authentication Server and Hybrid solutions can provide Secure Single Sign-on if properly implemented. The security services for SSSO are identified as authentication, authorization, integrity, confidentiality, non-repudiation, security management and cryptographic services. Additional SSSO concepts, as well as the vulnerabilities, obstacles and pitfalls to introducing SSO solutions are discussed. Chapter 3 provides an overview of the most important SSO enabling technologies. The following technologies are discussed: OSF DCE, SESAME, Kerberos, DSSA/SPX, TESS, NetSp, Secure Tokens, GSS-API and Public key Cryptography.
Chapter 4 discusses the Open Software Foundation's (OSF) Distributed Computing Environment (DCE). OSF DCE is one of the two open standards for distributed processing which are having a major influence on the development of single sign-on solutions and forms the basis of many existing SSO products. DCE is not a SSO product, but consists of specifications and software. The goal of DCE is to turn a computer network into a single, coherent computing engine. It is considered to be one of the fundamental building blocks for SSO solutions in the future. In Chapter 5 SESAME is discussed in some detail as another major enabling technology for SSO. Secure European System for Applications in a Multi-vendor Environment (SESAME) is an architecture that implements a model for the provision of security services within open systems developed by the European Computer Manufacturers Association (ECMA). The architecture was developed and implemented on a trial basis, by Bull, ICL and Siemens-Nixdorf in an initiative supported by the European Commission. Chapter 6 presents a list of 49 commercial SSO products currently available, classified according to the type of SSO solution. A few representative products are discussed in more detail to give an indication what functionality a prospective buyer could expect. The 'Ideal Single Sign-on' solution is presented in Chapter 7. Detailed requirements are listed. These requirements are uniquely identified by a code and classified as essential or recommended functionality required. Chapter 8 assimilates the information in the previous chapters into a structured evaluation, selection and implementation plan for SSO solutions, consisting of nine separate phases. It also proposes a reference framework for the evaluation and selection process. Chapter 9 concludes the thesis. Findings and conclusions are summarized as to the importance and impact of Single Sign-on as well as the expected future directions to be expected.
In addition, recommendations for the future implementation of SSO and SSSO solutions in heterogeneous computing environments are made.
12

A Top-Down Policy Engineering Framework for Attribute-Based Access Control

Narouei, Masoud 05 1900
The purpose of this study is to propose a top-down policy engineering framework for attribute-based access control (ABAC) that aims to automatically extract ACPs from requirement specifications documents, and then, using the extracted policies, build or update an ABAC model. We specify a procedure that consists of three main components: 1) ACP sentence identification, 2) policy element extraction, and 3) ABAC model creation and update. ACP sentence identification processes unrestricted natural language documents and identifies the sentences that carry ACP content. We propose and compare three different methodologies from different disciplines, namely deep recurrent neural networks (RNN-based), biological immune system (BIS-based), and a combination of multiple natural language processing techniques (PMI-based) in order to identify the proper methodology for extracting ACP sentences from irrelevant text. Our evaluation results improve the state-of-the-art by a margin of 5% F1-Measure. To aid future research, we also introduce a new dataset that includes 5000 sentences from real-world policy documents. ABAC policy extraction extracts ACP elements such as subject, object, and action from the identified ACPs. We use semantic roles and correctly identify ACP elements with an average F1 score of 75%, which bests the previous work by 15%. Furthermore, as SRL tools are often trained on publicly available corpora such as Wall Street Journal, we investigate the idea of improving SRL performance using domain-related knowledge. We utilize domain adaptation and semi-supervised learning techniques and improve the SRL performance by 2% using only a small amount of access control data. The third component, ABAC model creation and update, builds a new ABAC model or updates an existing one using the extracted ACP elements. For this purpose, we present an efficient methodology based on a particle swarm optimization algorithm for solving ABAC policy mining with minimal perturbation.
Experimental results demonstrate that the proposed methodology generates much less complex policies than previous works using the same realistic case studies. Furthermore, we perform experiments on how to find an ABAC state as similar as possible to both the existing state and the optimal state. Part of the data utilized in this study was collected from the University of North Texas Policy Office, as well as policy documents from the University of North Texas Health Science Center, for the school years 2015-2016 through 2016-2017.
13

Airport Security: Examining The Current State Of Acceptance Of Biometrics And The Propensity Of Adopting Biometric Technology Fo

Sumner, Kristine 01 January 2007
The terrorist attacks of September 11, 2001 propelled the issue of aviation security to the forefront of the U.S. domestic agenda. Although hundreds of individual airports exist in the U.S., the travel activities at each of these airports combine to holistically comprise an aviation system that represents a significant portion of the U.S. social and economic infrastructure. Disruption at one airport resulting from a criminal act, such as terrorism, could exert detrimental effects upon the aviation system and U.S. national security (9/11 Commission, 2004). Each U.S. airport is individually responsible for various aspects of security including the control of physical access to sensitive and secure areas and facilities (9/11 Commission, 2004). Biometric technology has been examined as one method of enhancing airport access control to mitigate the possibility of criminal acts against airports. However, successful implementation of biometric technology depends largely on how individual security directors at each airport perceive, understand, and accept that technology. Backgrounds, attitudes, and personal characteristics influence individual decisions about technology implementation (Rogers, 1995; Tornatzky and Fleischer, 1990). This study examines the problem of airport access control, as well as the current trends in biometric technology. Utilizing a survey of airport security directors and security managers, this study draws upon innovation diffusion theory and organizational theories to determine what personal, organizational, and technical variables contribute to the propensity of airport security directors and managers to adopt biometric technology for airport access control.
14

Self defence in open systems : protecting and sharing resources in a distributed open environment

Low, Marie Rose January 1994
No description available.
15

Query Evaluation in the Presence of Fine-grained Access Control

Zhang, Huaxin January 2008
Access controls are mechanisms to enhance security by protecting data from unauthorized accesses. In contrast to traditional access controls that grant access rights at the granularity of the whole tables or views, fine-grained access controls specify access controls at finer granularity, e.g., individual nodes in XML databases and individual tuples in relational databases. While there is a voluminous literature on specifying and modeling fine-grained access controls, less work has been done to address the performance issues of database systems with fine-grained access controls. This thesis addresses the performance issues of fine-grained access controls and proposes corresponding solutions. In particular, the following issues are addressed: effective storage of massive access controls, efficient query planning for secure query evaluation, and accurate cardinality estimation for access controlled data. Because fine-grained access controls specify access rights from each user to each piece of data in the system, they are effectively a massive matrix of the size as the product of the number of users and the size of data. Therefore, fine-grained access controls require a very compact encoding to be feasible. The proposed storage system in this thesis achieves an unprecedented level of compactness by leveraging the high correlation of access controls found in real system data. This correlation comes from two sides: the structural similarity of access rights between data, and the similarity of access patterns from different users. This encoding can be embedded into a linearized representation of XML data such that a query evaluation framework is able to compute the answer to the access controlled query with minimal disk I/O to the access controls. Query optimization is a crucial component for database systems. This thesis proposes an intelligent query plan caching mechanism that has lower amortized cost for query planning in the presence of fine-grained access controls. 
The rationale behind this query plan caching mechanism is that the queries, customized by different access controls from different users, may share common upper-level join trees in their optimal query plans. Since join plan generation is an expensive step in query optimization, reusing the upper-level join trees will reduce query optimization significantly. The proposed caching mechanism is able to match efficient query plans to access controlled query plans with minimal runtime cost. In case of a query plan cache miss, the optimizer needs to optimize an access controlled query from scratch. This depends on accurate cardinality estimation on the size of the intermediate query results. This thesis proposes a novel sampling scheme that has better accuracy than traditional cardinality estimation techniques.
17

MIMO-aware Medium Access Control in IEEE 802.11 Networks

Ashtaiwi, ABDULADHIM 27 January 2009
Wireless Mesh Networks (WMNs) are dynamically self-organized and self-configured, where the nodes in the network automatically establish an ad hoc network and maintain mesh connectivity. These properties make WMNs a key technology for next generation wireless networking. However, supporting Quality of Service (QoS) to enable multimedia services is still one of the major issues in next-generation WMNs. In distributed systems like WMNs, the Medium Access Control (MAC) layer is considered very important in the IEEE 802.11-based wireless networks, as it supports many crucial operational functions. Hence, QoS support in WMNs can be enhanced through the efficient cross-layer design of MAC protocols that utilizes advanced physical layer technologies viz Multiple-Input Multiple-Output (MIMO) with its multiple spatial channels that are capable of simultaneous receive or transmit streams. MIMO has become a very attractive technology in providing support for different QoS requirements. In this thesis we propose a novel QoS MIMO-aware MAC Protocol (QMMP). QMMP is a MAC protocol framework that exploits the MIMO system gains to boost QoS support. The proposed MAC framework includes the following components. The first component enables concurrent sharing of the increased MIMO bandwidth, i.e., instead of allocating all the spatial channels to one connection, connections can concurrently share the increased bandwidth via splitting the spatial channels. The second component reduces the medium access collisions problem. In distributed systems like WMNs, medium access collisions have a noticeably negative impact on resource (bandwidth) utilization as they leave the bandwidth unutilized for a long time. To address this problem, we propose a spatial channels sharing scheme during medium contention period. The third component boosts the bandwidth utilization during data transmission.
We propose resource management schemes that adapt the physical data rate and the aggregation frame length according to the instantaneous channel quality. Then we propose a QoS-aware bandwidth provisioning mechanism that performs effective bandwidth distribution to further boost QoS support. / Thesis (Ph.D, Electrical & Computer Engineering) -- Queen's University, 2009-01-26 10:11:16.729
18

A Tag-Based, Logical Access-Control Framework for Personal File Sharing

Mazurek, Michelle L. 01 May 2014
People store and share ever-increasing numbers of digital documents, photos, and other files, both on personal devices and within online services. In this environment, proper access control is critical to help users obtain the benefits of sharing varied content with different groups of people while avoiding trouble at work, embarrassment, identity theft, and other problems related to unintended disclosure. Current approaches often fail, either because they insufficiently protect data or because they confuse users about policy specification. Historically, correctly managing access control has proven difficult, time-consuming, and error-prone, even for experts; to make matters worse, access control remains a secondary task most non-experts are unwilling to spend significant time on. To solve this problem, access control for file-sharing tools and services should provide verifiable security, make policy configuration and management simple and understandable for users, reduce the risk of user error, and minimize the required user effort. This thesis presents three user studies that provide insight into people’s access-control needs and preferences. Drawing on the results of these studies, I present Penumbra, a prototype distributed file system that combines semantic, tag-based policy specification with logic-based access control, flexibly supporting intuitive policies while providing high assurance of correctness. Penumbra is evaluated using a set of detailed, realistic case studies drawn from the presented user studies. Using microbenchmarks and traces generated from the case studies, Penumbra can enforce users’ policies with overhead less than 5% for most system calls. Finally, I present lessons learned, which can inform the further development of usable access-control mechanisms both for sharing files and in the broader context of personal data.
19

Consent based privacy for eHealth systems

Habibi, Ryan 31 August 2018
Access to Personal Health Information (PHI) is a valuable part of the modern health care model. Timely access to relevant PHI assists care providers in making clinical decisions and ensures that patients receive the highest quality of care. PHI is highly sensitive and unauthorized disclosure of PHI has potential to lead to social, economic, or even physical harm to the patient. Traditional electronic health (eHealth) tools are designed for the needs of care providers and are insufficient for the needs of patients. Our research goal is to investigate the requirements of electronic health care systems which place patient health and privacy above all other concerns. Control of secure resources is a well established area of research in which many techniques such as cryptography, access control, authentication, and organizational policy can be combined to maintain the confidentiality and integrity of data. Access control is the dominant data owner facing privacy control. To better understand this domain we conducted a scoping literature review to rapidly map the key concepts underpinning patient facing access controls in eHealth systems. We present the analysis of that corpus as well as a set of identified requirements. Based on the identified requirements we developed Circle of Health based Access Control (CoHBAC), a patient centered access control model. We then performed a second scoping review to extend our research beyond just access controls, which are insufficient to provide reasonable privacy alone. The second review yielded a larger, more comprehensive, set of sixty five requirements for patient centered privacy systems. We refined CoHBAC into Privacy Centered Access Control (PCAC) to meet the needs of our second set of requirements. Using the conceptual model of accountability that emerged from the reviewed literature we present the identified requirements organized into the Patient Centered Privacy Framework.
We applied our framework to the Canadian health care context to demonstrate its applicability. / Graduate
20

Rekenaarsekerheid in mikrorekenaarstelsels

Van Dyk, Pierre-Aldo 07 October 2014
M.Sc. (Computer Science) / Please refer to full text to view abstract