
A Role and Activity Based Access Control Model - Research Paper Example

Summary
The paper “A Role and Activity Based Access Control Model” looks at the increasing needs for updated information and collaborations around the world. The integration of access management system developed the concept of federated access management systems…

Extract of sample "A Role and Activity Based Access Control Model"

Abstract

The increasing need for updated information and collaboration around the world creates the need to integrate access management systems with each other. The integration of access management systems led to the concept of federated access management systems. However, even this development did not eliminate the need to keep multiple accounts; it only reduced it. Therefore, a new access management system has been proposed that will integrate all the federated access management systems on a single platform so that a single identity can provide access to all accounts. This ubiquitous access management system will also cater to the individual needs of the user in terms of language specifications, accessibility level, display settings and usability.

1. Introduction

The advent of the internet has made personal data vulnerable to malicious use. Web criminals have devised new techniques and methods to steal individuals' personal information, which is then used for inappropriate purposes. Alan described privacy as the right of individuals, groups or institutions to keep their information safe and the right to decide how, when and at what level they want to disclose their information to others [1]. Digital identity refers to the digital depiction of an individual's personal information, which might involve login details or other personal details [4]. The vulnerability of the information arises from the exchange of information from one source to another. Criminal activities of online information theft and intrusion started with the idea of having fun but later evolved into motives of financial gain [2]. The advent of e-commerce and numerous other services on the internet tempted intruders to more malicious actions [6], [7]. Many technologies have been developed to overcome this issue, which has prevailed since the inception of the internet.
Identity management systems have witnessed remarkable changes that have improved the process of identification to a great extent. Access management systems provided authentication of users in one organization. With the increasing need for updated information and resources [42], federated access management systems were introduced that were capable of managing identities across several organizations.

2. Past: Access Management Systems

With the passage of time, the need for effective security measures became evident and access management systems developed [16], [17]. Access management systems authorized access for registered members on the basis of their identity attributes [4]. The management of credentials and information was given high priority, and information was exchanged only with sources that were considered reliable and authentic. This definition gave a broad concept of the respective systems, whereas another definition by CafeSoft [5] stated that they were a unified source to manage the authentication process for individuals and apply business rules to safeguard the information of customers. Business organizations and e-commerce websites are usually attractive to attackers [3], [14]. Because the CafeSoft definition includes the aspect of business rules, it seems more comprehensive.

2.1 Different Terms for Access Management Systems

| Different Terms for AMS | Description | Area of Usage |
|---|---|---|
| Traditional Identity Management Model [8] | A system that has an IP+SP authentication mechanism, i.e. Identity Provider from a specific Service Provider. Each SP authenticates its own IPs. Each SP maintains its own list of authorized accounts, therefore users have to maintain numerous accounts [9-13]. | E-commerce websites; online services like e-mail accounts and social networking websites. |
| Identity Management systems [10] | It is considered to provide broad administrative functions involving access rights, resource utilization limitations, etc. of users within an organization. | Dissemination of information and access control in an organization. |
| Broadband Access Management Systems [36] | This system consists of four types of architectures, namely functional, network, system and software. | Management and access control purposes of an organization. |
| Role and Activity Based Access Control Model [37] | This model facilitates the administration of users on the basis of roles. This model integrates the aspect of participation and activities into the system. | Used as a university access control management system. |
| Site Access Management Systems [38] | Manages the access of the users on a certain website. The access of the users is differentiated with respect to their status, e.g. some data will be meant for registered users whereas some of it will be available for free to general users. | Management of visitors on a website. |

Table 1: Different terms for access management systems

2.2 Existing Systems of AMS

Figure 1: Conventional access management systems [8]

| Existing Systems | Advantages | Disadvantages |
|---|---|---|
| Cafésoft Access Management System [5] | Eliminates the need to develop security measures on each application. The centralized approach saves developmental and administration costs. | Provides access management at an organizational level, therefore no interoperability is possible with other organizations. User will have to maintain accounts on different sources. |
| American Systems Identity and Access Management (IDM) [15] | Links employees to the resources of the organization to help them become more productive. Customers control sensitive data. Offers fast and efficient access to the resources that are managed by the system. | The system is not scalable. Limited access to one organization. |

Table 2: Existing access management systems

Many limitations were experienced with access management systems, for instance organizational access rather than a broader perspective. This compelled users to create different accounts for every organization.
The maintenance of numerous accounts becomes very tedious for users, and they end up using the accounts less frequently. The lower usage of accounts leads to losses for the organizations. All these reasons together created the need for a new system that would provide access to numerous organizations with a single set of sign-in details.

3. Present: Federated Access Management Systems

As stated earlier, AMS had a major constraint of limiting access to the resources that were present within the vicinity of an organization. The demand for updated information in the fields of business, technology, medicine etc. raises the need to share information with other organizations [44, 45]. Due to these requirements, federated access management systems were developed that offer access across different organizations and provide convenience through a single sign-in service [29], [39]. Every system in the federated network behaves like a node in the wider access management system. Every system manages the data that resides in it; private data is handled such that no other user can access it, and semi-private data is managed such that authorized users can access it [18]. However, this definition does not specify the owner of the authority regarding the content in the dispersed systems.

3.1 Different Terms

| Different Terms | Description | Where to use it |
|---|---|---|
| Federated Authorization Service [19] | This service provides access to learning object repositories that might be maintained in different organizations. It provides uniform access to data that might be protected by different authorization protocols. | E-learning: collection of data that is termed learning objects; can be accessed by learners as well as teachers. Organizations: can be used in an organization for the exchange of information between colleagues. |
| Federated Rights Expression Model (FORM) [20] | FORM provides access to content that might be spread across different organizations. It also gives content providers and identity providers the right to issue licenses for the nature of usage of their provided content or objects. | Online music magazine where users can access their favourite music. |
| User Access Management System (UAMS) [37] | UAMS is defined as the system component that serves as an interface for end-users to applications that might reside locally or remotely. | Organization of various applications across different organizations. |
| Hybrid Trust Management System [41] | The roles and access to the system are defined on the basis of the history of the user. If the user has had a good history with the system, with no malicious usage on record, then he will be considered a more reliable user. Reliable users will have the privilege to access sensitive data. | Used by armed forces institutions to differentiate the level of access to their sensitive data. |

Table 3: Different terms for federated access management systems

3.2 Existing Systems

| Protocols | Description of Protocols | Example of current applications | Description of the applications using these protocols |
|---|---|---|---|
| Liberty Alliance | Users are authenticated on the basis of pseudonyms; this authentication attribute does not contain any user-identifying information, therefore it can be considered safer [25], [26]. | Liberty Alliance Project | Provides a platform for users to perform their online transactions in a secure manner. The identities of the users are federated, therefore greater access can be achieved [27]. |
| SAML | It is a platform-independent framework that is utilized to transfer access approval and authentication information [21]. It is limited to performing authorization commands [22], [40]. | Shibboleth | Shibboleth is an open source website that provides the facility of single sign-in service to customers [23], [43]. It offers access to the internal as well as external content of the organization [24]. |
| Sun Solutions | Sun Solutions provide compatibility and flexibility with multiple protocols, thereby reducing the need to use numerous protocols for federated identity [28]. | OpenSSO | It offers single sign-in service across different domains to save the user from the trouble of resetting forgotten passwords, which proves to be a tedious process for the organization if many users initiate it [28]. |
| OpenID | The OpenID protocol offers simplicity and convenience in the deployment of the federated identity service [28]. | OpenID, FingerID | OpenID is a single sign-in service for the maintenance of multiple accounts. It even provides the service of registering at any website with the credentials provided at OpenID, on the user’s request. FingerID also offers the maintenance of multiple accounts and a viewing facility on a single platform. However, FingerID offers greater accessibility and convenience due to fingerprint recognition and user-friendly displays, respectively. |

Table 4: Existing systems for federated access management systems

4. Future of Access Management Systems

The federated access management systems claim to provide access over numerous sources and offer the facility of single sign-in. However, a limitation exists among these applications and systems: the user still has to maintain a different identity for every federated system, e.g. an OpenID account and identity will not work for FingerID services [30], [31]. Different applications offer different services, therefore the user might create accounts on multiple systems. This again raises the need to remember multiple passwords. It can be stated that there is no single sign-in service or federated access across all federated access management systems. The federated access management systems provide access to their respective specific sets of domains, therefore the user will create different accounts to gain access to the domains which are not accessible through a certain federated access management system.
Other aspects that constrain the usage of federated access management systems are the lack of usability and accessibility features in most of them. The systems should be federated not only with respect to access across different systems but also with respect to the different needs of people. Research is being conducted in this field to overcome the limitations and constraints of the current federated access management systems.

4.1 Ubiquitous Access Management System

The future of access management systems is to follow a ubiquitous approach that will perform on multi-core systems. The differentiating aspect of the ubiquitous systems will be that the decision-making power of the system should not be embedded in it; rather, it should be according to a standard policy to be followed by all access management systems. The standards will induce uniformity across the systems and produce effective changes whenever modifications are required [32]. These systems will be more efficient in terms of concurrency, energy saving and networking. The performance of a system may be disturbed if another system’s functions replace the previous one. To avoid such instances, resource isolation is implemented so that all the systems can be accessed in an ordered manner [33]. The required identity attributes are retrieved from the respective systems on a need basis and are not already present on the system in any form.

The literal meaning of the word ‘ubiquitous’ is to be present or seem to be present everywhere at the same time [34]. The concept of ubiquitous computing has attracted the attention of many researchers over the past few years. Ubiquitous computing tends to amalgamate several systems and devices at the same time for the convenience of the user and offers greater accessibility to systems and everyday objects [35]. The same approach can be used to combine all the federated systems on one platform to avoid the maintenance of several federated systems’ login credentials.

5. Conclusion

The development in the area of access management systems has been nothing less than remarkable. The limited access provided by the conventional access management systems was overcome by the federated access management systems. Federated access management systems provided the facility of single sign-in service across several systems, which reduced the need to remember multiple login credentials. One of the constraints experienced after the acceptance of federated access management systems is that a specific system provides access only to a certain set of systems; for example, a registered user at Shibboleth and a registered user at OpenAuth do not have any means to communicate with each other. Therefore users have to create separate accounts to gain access to another set of systems. A new ubiquitous access management system will address the above stated issues and provide a unified identity on all federated access management systems.

5.1 Future Work

Ubiquitous access management systems will provide the real meaning of the term ‘single sign-in’ and apply the single identity on all federated access management systems. Another innovative aspect of the revolutionary access management system will be to personalize the service according to the needs of the users. These needs might involve the language specification, display, level of security and privacy etc.; for example, a user who resides in Saudi Arabia can change the language specification to Arabic. The system shall also cater to the needs of users with disabilities and make the whole experience of accessing the web more pleasant and convenient.
This area of research will be studied in more depth and the best way will be sought to cater to the individual needs of the users in the midst of accessing unified federated access management systems.

References

[1] A. Westin, Privacy and Freedom. Atheneum, New York, 1967.
[2] Federation of Small Businesses, Inhibiting Enterprise: Fraud and Online Crime Against Small Businesses, 2009, ISBN: 978 0 906779 95 8.
[3] Identity and Access Management, “How do local identity, SSO and federated identity management models differ?”, [Online], Available: http://go4idm.blogspot.com/2010/10/how-do-local-identity-sso-and-federated.html, 2010, [October 28, 2010]
[4] A. Squicciarini, A. Bhargav, A. Czeskis, E. Bertino, “Traceable and Automatic Compliance of Privacy Policies in Federated Digital Identity Management”, 6th Workshop on Privacy Enhancing Technologies, 2006.
[5] CafeSoft, “Access Management”, [Online], Available: http://www.cafesoft.com/products/cams/access-management-white-paper.html#Introduction, 2010, [October 28, 2010]
[6] K. Chen, “Protecting Personal Information Online: A Survey of User Privacy Concerns and Control Techniques”, The Journal of Computer Information Systems, 2004.
[7] O. T. Seierstad, “Microsoft Windows CardSpace and the Identity Metasystem”, Telektronikk, vol. 103, pp. 9–10, 2007.
[8] S. Bhatt, S. R. Rajagopalan, P. Rao, “Federated Security Management for Dynamic Coalitions”, IEEE, 2003.
[9] A. J. Pope, “User Centric Identity Management”, AusCERT - Asia Pacific Information Technology Security Conference Refereed R&D Stream, Gold Coast, Australia, 2005.
[10] CA, “The business value of Identity Federation”, [Online], Available: http://www.comnews.com/WhitePaper_Library/Security/pdfs/CAfedbi z_drivers.pdf, 2007, [October 28, 2010]
[11] CA, “Identity Federation: Concepts, Use Cases and Industry Standards”, [Online], Available: http://images.vnunet.com/v7_static/itw/pdf/identity_federation_wp.pdf, 2007, [October 29, 2010]
[12] SpendOnLife.com, “2009 Identity Theft Statistics”, [Online], Available: http://www.spendonlife.com/guide/2009-identity-theftstatistics, 2009, [October 29, 2010]
[13] Microsoft Corporation, “Online Identity Theft: Changing the Game Protecting Personal Information on the Internet”, [Online], Available: http://download.microsoft.com/download/0/d/3/0d34ccfa-5498-4fabbb32- 16c881bafba7/Online%20ID%20Theft- %20Changing%20the%20Game.pdf, 2008, [October 29, 2010]
[14] CafeSoft, “Access Management”, [Online], Available: http://www.cafesoft.com/products/cams/access-management-white-paper.html#Cams, 2010, [October 29, 2010]
[15] American Systems, “Identity and Access Management systems”, [Online], Available: http://www.2asc.com/Services/ConsultingServices/IdentityAndAccessManagement/default.htm 2010, [October 29, 2010]
[16] H. C. Choi, Y. H. Yi, J. H. Seo, B. N. Noh, H. H. Lee, “A Privacy Protection Model in ID Management Using Access Control”, Lecture Notes in Computer Science, vol. 3481, pp. 82–91, 2005.
[17] L. F. Cranor, Web Privacy with P3P. AT&T, O’Reilly and Associates, 2002.
[18] M. Wiedijk, H. Afsarmanesh, L. O. Hertzberger, “Co-working and Management of Federated Information-Clusters”, Lecture Notes in Computer Science, vol. 1134, 1996.
[19] J. Noel Colin, T. D. Le, D. Massart, “A Federated Authorization Service for Bridging Learning Object Distribution Models”, Lecture Notes in Computer Science, vol. 5686, pp. 116–125, 2009.
[20] T. Sans, F. Cuppens, N. C. Boulahia, “FORM: A Federated Rights Expression Model for Open DRM Frameworks”, Lecture Notes in Computer Science, vol. 4435, pp. 45–59, 2007.
[21] OASIS, Security Services Technical Committee: OASIS. http://www.oasisopen. org/committees/security, IEEE, 2010
[22] Sun Microsystems, “Sun's XACML Implementation”, [Online], Available: http://sunxacml.sourceforge.net/, July 16, 2004, [October 30, 2010]
[23] Shibboleth, [Online], Available: http://shibboleth.internet2.edulabout.htm
[24] Z. A. Khattak, S. Sulaiman, L. A. Manan, “A Study on Threat Model for Federated Identities in Federated Identity Management System”, IEEE, 2010.
[25] Liberty Alliance, “Liberty Alliance Architecture Glossary”, vol. 1.3, [Online], Available: http://www.Projectliberty.orglliberty/contentldownloadlI987113875lfilel liberty-200409 12.zip, 2010, [October 30, 2010]
[26] Liberty Alliance, “Liberty Alliance Protocols and Schema Specification”, vol. 1.2, [Online], Available: http://www. projectliberty .org/Iiberty/contentldownloadl2197/14625/filel draft-Ii berty-idff-protocols-schema-I.2-errata-v3 .0. pdf, 2002, [October 30, 2010]
[27] Kantara Initiative, “Liberty Alliance project”, [Online], Available: http://www.projectliberty.org/, 2010, [October 30, 2010]
[28] E. Maler, “Federated Identity through the Eyes of the Deployer”, Oracle Corporation, [Online], Available: http://developers.sun.com/identity/reference/techart/deployment.html, February 29, 2008, [October 30, 2010]
[29] S. S. García, A. G. Oliva, R. Meersman, P. Herrero, T. Dillon, “Solving Identity Management and Interoperability Problems at Pan-European Level”, Lecture Notes in Computer Science, vol. 5872, pp. 805–809, 2009.
[30] T. Lundquist, P. Stenstrom, “Timing Anomalies in Dynamically Scheduled Microprocessors”, 20th IEEE Real-Time Systems Symposium, 1999.
[31] K. Seth, A. Anantaraman, F. Mueller, E. Rotenberg, “Fast: Frequency-aware static timing analysis”, ACM Transaction Embedded Computing Systems 5(1), pp. 200–224, 2006.
[32] R. Wilhelm, M. Maffei, “Ubiquitous Verification of Ubiquitous Systems”, Lecture Notes in Computer Science, vol. 4239, pp. 73–81, 2006.
[33] A. John, “Future of identity management is…now!”, Identity and Access Management, [Online], Available: http://go4idm.blogspot.com/2010/10/future-of-identity-management-is-now.html, 2010, [October 31, 2010]
[34] Collins English Dictionary, “Ubiquitous”, [Online], Available: http://www.thefreedictionary.com/ubiquitous, 2003, [October 31, 2010]
[35] U. Hansmann, Pervasive Computing: The Mobile World, Springer, 2003, ISBN 3540002189.
[36] T. Kawagoe, H. Kawakami, K. Soga, K. Tanaka, H. Okazaki, S. Hasegawa, “On the Design and an Implementation of Broadband Access Management Systems”, IEEE, 1996.
[37] M. J. Muller, J. S. Kaminski, G. J. Stuk, J. C. Zolnowski, A. ShHferstein, J. G. Smith, J. E. Daniel, D. T. Bartel, J. A. Wotus, G. J. Schwerdtman, “Issues in a User Access Management System”, IEEE, 1988.
[38] S. Zheng, D. Jiang, Q. Liu, “A Role and Activity Based Access Control Model for University Identity and Access Management System”, 2009 Fifth International Conference on Information Assurance and Security, 2009.
[39] G. A. Douglas, “Technical Considerations in Site Access Management Systems”, IEEE, 2000.
[40] SAML OASIS Standard, “Security Assertion Markup Language (SAML) V2.0”, [Online], Available: http://saml.xml.org/saml-specifications, 2010, [October 31, 2010]
[41] R. Akbani, T. Korkmaz, G. V. S. Raju, “A Hybrid Trust Management System for automated Fine-Grained Access Control”, IEEE, 2009.
[42] M. Borza, M. Pritikin, “Secure Device Identity”, IEEE, 2007.
[43] K. Yamaji, T. Kataoka, M. Nakamura, T. Orawiwattanakul, N. Sonehara, “Attribute Aggregating System for Shibboleth based Access Management Federation”, 2010 10th Annual International Symposium on Applications and the Internet, 2010.
[44] W. Jinfei, L. Hai, “The Access Control Research of Management Information System”, IEEE, 2010.
[45] L. Zhang, X. Zhans, “User rights management implementation of management information system”, Journal of Shenyang Normal University (Natural Science Edition), pp. 267-270, 2005.
A Role and Activity Based Access Control Model Research Paper. Retrieved from https://studentshare.org/management/1743497-comparison-between-federated-access-management-systems-and-fingerid-system-according-to-special-criteria