Privacy in Database Designs: A Role Based Approach

Poe, Gary A

30 November 2007

Privacy concerns have always been present in every society. The introduction of information technology information has enabled a reduction in the cost of gathering information, management of that information and the permitted that same information to become increasingly portable. Coupled with these reductions of cost has been an increase in the demand for information as well as the concern that privacy expectations be respected and enforced through security systems that safeguard access to private-type data. Security systems enforce privacy expectations. Unfortunately there is no consensus on a definition of privacy making the specification of security often over broad and resulting in the loss of critical functionality in the systems produced. This research expands the understanding of privacy by proposing a replicable type-based taxonomy of privacy that is grounded in philosophy and law. This type-based system is applied to a Role Based Access Control System to specify and control access to data in a in a hospital setting as a proof of concept.

Privacy

Security

Taxonomy

Access Control Systems

Philosophy

Law

RBAC

Role Based Access Control

American Studies

Arts and Humanities

Refined Access Control in a Distributed Environment / Finkornig åtkomstkontroll i en distribuerad miljö

Boström, Erik

January 2002

<p>In the area of computer network security, standardization work has been conducted for several years. However, the sub area of access control and authorization has so far been left out of major standardizing. </p><p>This thesis explores the ongoing standardization for access control and authorization. In addition, areas and techniques supporting access control are investigated. Access control in its basic forms is described to point out the building blocks that always have to be considered when an access policy is formulated. For readers previously unfamiliar with network security a number of basic concepts are presented. An overview of access control in public networks introduces new conditions and points out standards related to access control. None of the found standards fulfills all of our requirements at current date. The overview includes a comparison between competing products, which meet most of the stated conditions. </p><p>In parallel with this report a prototype was developed. The purpose of the prototype was to depict how access control could be administered and to show the critical steps in formulating an access policy.</p>

Informationsteknik

access control

PKI

VPN

X.509

RBAC

role-based access control

computer security

cryptography

Informationsteknik

Information technology

Informationsteknik

Μηχανισμός πρόσβασης για υπηρεσίες ιστού (web services) για βιομηχανικές εφαρμογές

Κατσαρού, Κατερίνα

22 January 2009

Η διπλωματική εργασία ασχολείται με την ανάγκη για έναν προηγμένο μηχανισμό ασφάλειας που θα παρέχει προστασία πληροφοριών από τους μη εξουσιοδοτημένους χρήστες. Τα περισσότερα συστήματα σε εταιρικό και βιομηχανικό επίπεδο χρησιμοποιούν την απλή εξουσιοδότηση (simple authorization) ή all-or-nothing όπου έχουμε παραχώρηση πρόσβασης στους πόρους του συστήματος εάν ο χρήστης είναι εξουσιοδοτημένος ή εάν δεν είναι άρνηση πρόβλεψης χωρίς να έχει προβλεφθεί κάποια ενδιάμεση λύση. Στην περίπτωση του ελέγχου πρόσβασης για υπηρεσίες Ιστού (web services) –που είναι εφαρμογές που παρέχονται μέσω Διαδικτύου όπως φαίνεται και από το όνομά τους- δεν είναι ικανοποιητική η παραχώρηση πρόσβασης σε ολόκληρη την υπηρεσία Ιστού δηλαδή η πρόσβαση στο υψηλότερο επίπεδο (coarse-grained access control) αλλά απαιτείται και η πρόσβαση σε κάποια ή κάποιες από τις μεθόδους την υπηρεσίας Ιστού δηλαδή η διαβαθμισμένη πρόσβαση (fine-grained access control). Η πολιτική ελέγχου πρόσβασης που χρησιμοποιήσαμε είναι ο έλεγχος πρόσβασης βασισμένος σε ρόλους (Role-based Access Control) όπου οι χρήστες αποκτούν πρόσβαση στους προστατευόμενους πόρους (μια ολόκληρη υπηρεσία Ιστού ή μέθοδο) συνδεόμενοι με ρόλους με τις κατάλληλες άδειες πρόσβασης δηλαδή μόνο εξουσιοδοτημένοι χρήστες έχουν πρόσβαση στους προστατευόμενους πόρους. Τέλος υποθέσαμε μία βιομηχανική υποδομή που παρέχει σε πελάτες πρόσβαση μέσω ενός OPC XML-DA server όπου το OPC είναι ένα σύνολο από ανοικτά πρότυπα που παρέχουν δια-λειτουργικότητα (interoperability) και συνδεσιμότητα (connectivity) μεταξύ βιομηχανικού αυτοματισμού και επιχειρησιακών συστημάτων. / -

Υπηρεσίες ιστού

005.8

Web services

Fine-grained access control

Role-based access control

Algorithmic Problems in Access Control

Mousavi, Nima

29 July 2014

Access control is used to provide regulated access to resources by principals. It is an important and foundational aspect of information security. Role-Based Access Control (RBAC) is a popular and widely-used access control model, that, as prior work argues, is ideally suited for enterprise settings. In this dissertation, we address two problems in the context of RBAC. One is the User Authorization Query (UAQ) problem, which relates to sessions that a user creates to exercise permissions. UAQ's objective is the identification of a set of roles that a user needs to activate such that the session is authorized to all permissions that the user wants to exercise in that session. The roles that are activated must respect a set of Separation of Duty constraints. Such constraints restrict the roles that can be activated together in a session. UAQ is known to be intractable (NP-hard). In this dissertation, we give a precise formulation of UAQ as a joint-optimization problem, and analyze it. We examine the manner in which each input parameter contributes to its intractability. We then propose an approach to mitigate its intractability based on our observation that a corresponding decision version of the problem is in NP. We efficiently reduce UAQ to Boolean satisfiability in conjunctive normal form (CNF-SAT), a well-known NP-complete problem for which solvers exist that are efficient for large classes of instances. We also present results for UAQ posed as an approximation problem; our results suggest that efficient approximation is not promising for UAQ. We discuss an open-source implementation of our approach and a corresponding empirical assessment that we have conducted. The other problem we consider in this dissertation regards an efficient data structure for distributed access enforcement. Access enforcement is the process of validating an access request to a resource. Distributed access enforcement has become important with the proliferation of data, which requires access control systems to scale to tens of thousands of resources and permissions. Prior work has shown the effectiveness of a data structure called the Cascade Bloom Filter (CBF) for this problem. In this dissertation, we study the construction of instances of the CBF. We formulate the problem of finding an optimal instance of a CBF, where optimality refers to the number of false positives incurred and the number of hash functions used. We prove that this problem is NP-hard, and a meaningful decision version is in NP. We then propose an approach to mitigate the intractability of the problem by reducing it to CNF-SAT, that allows us to use a SAT solver for instances that arise in practice. We discuss an open-source implementation of our approach and an empirical assessment based on it.

Análise de políticas de controle de acesso baseado em papéis com rede de Petri colorida. / Policies analysis of role based access control with colored Petri net.

Ueda, Eduardo Takeo

24 May 2012

Controle de acesso é um tópico de pesquisa importante tanto para a academia quanto para a indústria. Controle de Acesso Baseado em Papéis (CABP) foi desenvolvido no início dos anos 1990, tornando-se um padrão generalizado para controle de acesso em vários produtos e soluções computacionais. Embora modelos CABP sejam largamente aceitos e adotados, ainda existem questões para responder. Um dos principais desafios de pesquisa em segurança baseada em papéis é determinar se uma política de controle de acesso é consistente em um ambiente altamente dinâmico. Nossa pesquisa visa preencher essa lacuna fornecendo um método para analisar políticas CABP com respeito a dois aspectos significativos: segurança e dinamismo envolvendo papéis e objetos. Para este propósito, desenvolvemos um modelo de descrição e simulação de política usando rede de Petri colorida e CPN Tools. O modelo descreve e é capaz de simular vários estados CABP em um contexto de educação a distância típico. Usando este modelo, foi possível analisar o espaço de estados produzido pela rede de Petri colorida em um cenário dinâmico envolvendo a criação de novos papéis e objetos. O resultado da análise de alcançabilidade da rede de Petri da política demonstrou que é possível verificar a consistência de políticas de controle de acesso considerando a dinamicidade de papéis e objetos, e apontou vantagens de aplicabilidade da modelagem de políticas de segurança em ambientes distribuídos utilizando rede de Petri colorida. / Access control is an important research topic both for academia and industry. Role Based Access Control (RBAC) was developed in the early 1990s, becoming a generalized standard of access control for many products and computing solutions. Although RBAC models have been widely accepted and adopted, there are issues to answer. One of the key challenges for role-based security research is to characterize whether an access control policy is consistent in a highly dynamic environment. Our research aims filling this gap providing a method to analyze RBAC policies with respect to two significant aspects: security and dynamics involving roles and objects. For this purpose, we developed a policy description and simulation model using colored Petri net and the CPN Tools. The model describes and is capable to simulate many RBAC states in a typical distance education context. Using this model it was possible to analyze the state space provided by colored Petri net that simulates a dynamic environment and the creation of new roles and objects. The result of the reachability analysis of Petri net policy showed that it is possible to check the consistency of access control policies considering dynamic of roles and objects, and point out the advantages and applicability of modeling security policies in distributed environments using colored Petri net.

Colored Petri net

Controle de acesso baseado em papéis

Modelagem

Modelling

Políticas de segurança

Rede de Petri colorida

Role based access control

Security policies

Simulação

Simulation

Análise de políticas de controle de acesso baseado em papéis com rede de Petri colorida. / Policies analysis of role based access control with colored Petri net.

Eduardo Takeo Ueda

24 May 2012

Controle de acesso é um tópico de pesquisa importante tanto para a academia quanto para a indústria. Controle de Acesso Baseado em Papéis (CABP) foi desenvolvido no início dos anos 1990, tornando-se um padrão generalizado para controle de acesso em vários produtos e soluções computacionais. Embora modelos CABP sejam largamente aceitos e adotados, ainda existem questões para responder. Um dos principais desafios de pesquisa em segurança baseada em papéis é determinar se uma política de controle de acesso é consistente em um ambiente altamente dinâmico. Nossa pesquisa visa preencher essa lacuna fornecendo um método para analisar políticas CABP com respeito a dois aspectos significativos: segurança e dinamismo envolvendo papéis e objetos. Para este propósito, desenvolvemos um modelo de descrição e simulação de política usando rede de Petri colorida e CPN Tools. O modelo descreve e é capaz de simular vários estados CABP em um contexto de educação a distância típico. Usando este modelo, foi possível analisar o espaço de estados produzido pela rede de Petri colorida em um cenário dinâmico envolvendo a criação de novos papéis e objetos. O resultado da análise de alcançabilidade da rede de Petri da política demonstrou que é possível verificar a consistência de políticas de controle de acesso considerando a dinamicidade de papéis e objetos, e apontou vantagens de aplicabilidade da modelagem de políticas de segurança em ambientes distribuídos utilizando rede de Petri colorida. / Access control is an important research topic both for academia and industry. Role Based Access Control (RBAC) was developed in the early 1990s, becoming a generalized standard of access control for many products and computing solutions. Although RBAC models have been widely accepted and adopted, there are issues to answer. One of the key challenges for role-based security research is to characterize whether an access control policy is consistent in a highly dynamic environment. Our research aims filling this gap providing a method to analyze RBAC policies with respect to two significant aspects: security and dynamics involving roles and objects. For this purpose, we developed a policy description and simulation model using colored Petri net and the CPN Tools. The model describes and is capable to simulate many RBAC states in a typical distance education context. Using this model it was possible to analyze the state space provided by colored Petri net that simulates a dynamic environment and the creation of new roles and objects. The result of the reachability analysis of Petri net policy showed that it is possible to check the consistency of access control policies considering dynamic of roles and objects, and point out the advantages and applicability of modeling security policies in distributed environments using colored Petri net.

Controle de acesso baseado em papéis

Modelagem

Políticas de segurança

Rede de Petri colorida

Simulação

Colored Petri net

Modelling

Role based access control

Security policies

Simulation

A Platform for Assessing the Efficiency of Distributed Access Enforcement in Role Based Access Control (RBAC) and its Validation

Komlenovic, Marko

14 January 2011

We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC's increasing adoption, and the proliferation of data that needs to be protected. We provide a platform for assessing candidates for access enforcement in a distributed architecture for enforcement. The platform provides the ability to encode data structures and algorithms for enforcement, and to measure time-, space- and administrative efficiency. To validate our platform, we use it to compare the state of the art in enforcement, CPOL [6], with two other approaches, the directed graph and the access matrix [9, 10]. We consider encodings of RBAC sessions in each, and propose and justify a benchmark for the assessment. We conclude with the somewhat surprising observation that CPOL is not necessarily the most efficient approach for access enforcement in distributed RBAC deployments.

Role Based Access Control

Distributed Access Enforcement in RBAC

RBAC

CPOL

Access Matrix

Directed Graph

Reference monitor

Access control policy

Electrical and Computer Engineering

A Platform for Assessing the Efficiency of Distributed Access Enforcement in Role Based Access Control (RBAC) and its Validation

Komlenovic, Marko

14 January 2011

We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC's increasing adoption, and the proliferation of data that needs to be protected. We provide a platform for assessing candidates for access enforcement in a distributed architecture for enforcement. The platform provides the ability to encode data structures and algorithms for enforcement, and to measure time-, space- and administrative efficiency. To validate our platform, we use it to compare the state of the art in enforcement, CPOL [6], with two other approaches, the directed graph and the access matrix [9, 10]. We consider encodings of RBAC sessions in each, and propose and justify a benchmark for the assessment. We conclude with the somewhat surprising observation that CPOL is not necessarily the most efficient approach for access enforcement in distributed RBAC deployments.

Role Based Access Control

Distributed Access Enforcement in RBAC

RBAC

CPOL

Access Matrix

Directed Graph

Reference monitor

Access control policy

Electrical and Computer Engineering

Automated Testing for RBAC Policies

January 2014

abstract: Access control is necessary for information assurance in many of today's applications such as banking and electronic health record. Access control breaches are critical security problems that can result from unintended and improper implementation of security policies. Security testing can help identify security vulnerabilities early and avoid unexpected expensive cost in handling breaches for security architects and security engineers. The process of security testing which involves creating tests that effectively examine vulnerabilities is a challenging task. Role-Based Access Control (RBAC) has been widely adopted to support fine-grained access control. However, in practice, due to its complexity including role management, role hierarchy with hundreds of roles, and their associated privileges and users, systematically testing RBAC systems is crucial to ensure the security in various domains ranging from cyber-infrastructure to mission-critical applications. In this thesis, we introduce i) a security testing technique for RBAC systems considering the principle of maximum privileges, the structure of the role hierarchy, and a new security test coverage criterion; ii) a MTBDD (Multi-Terminal Binary Decision Diagram) based representation of RBAC security policy including RHMTBDD (Role Hierarchy MTBDD) to efficiently generate effective positive and negative security test cases; and iii) a security testing framework which takes an XACML-based RBAC security policy as an input, parses it into a RHMTBDD representation and then generates positive and negative test cases. We also demonstrate the efficacy of our approach through case studies. / Dissertation/Thesis / M.S. Computer Science 2014

Engineering

Computer science

Computer engineering

Information Assurance

Multi-terminal Binary Decision Diagram

Role-Based Access Control

Security

Security Testing

Software Testing

Refined Access Control in a Distributed Environment / Finkornig åtkomstkontroll i en distribuerad miljö

Boström, Erik

January 2002

In the area of computer network security, standardization work has been conducted for several years. However, the sub area of access control and authorization has so far been left out of major standardizing. This thesis explores the ongoing standardization for access control and authorization. In addition, areas and techniques supporting access control are investigated. Access control in its basic forms is described to point out the building blocks that always have to be considered when an access policy is formulated. For readers previously unfamiliar with network security a number of basic concepts are presented. An overview of access control in public networks introduces new conditions and points out standards related to access control. None of the found standards fulfills all of our requirements at current date. The overview includes a comparison between competing products, which meet most of the stated conditions. In parallel with this report a prototype was developed. The purpose of the prototype was to depict how access control could be administered and to show the critical steps in formulating an access policy.

Informationsteknik

access control

PKI

VPN

X.509

RBAC

role-based access control

computer security

cryptography

Informationsteknik

Computer and Information Sciences

Data- och informationsvetenskap