Access Control Model Research Articles

Trust Management Systems in Cloud Services Environment: Taxonomy of Reputation Attacks and Defense Mechanisms

Using cloud data storage, large amounts of data can be stored by data owners in a flexible way and at low cost. Hence, there has been a major increase in online cloud service providers and their users. The privacy and security of data in the cloud computing environment is a major issue. Data privacy can be ensured by using a cryptographic access control method, so that data can only be accessed by authorized customers while keeping it inaccessible to unauthorized users. However, this type of cryptographic approach does not address the issue of trust. An integration between several trust models and cryptographic access control models has been presented in many research papers, the aim of which is to make data stored in cloud storage systems more secure. The objective of this study is to determine a solution that can suitably handle trust issues in access control models to decrease the risk as greater security to cloud storage systems, and the quality of decisions being made by data owners and cloud operators is improved. In this paper, we have presented a taxonomy for trust criteria and reputation attacks in cloud computing. Also, some of the fundamental concepts regarding trust management of services within cloud environments have been presented in this paper, along with the latest technologies. There are three layers in the model, and a series of dimensions are further determined for every layer (which are the assessment criteria), which serve as the benchmark to evaluate many research prototypes of trust models in a cloud computing environment by comparing these criteria when evaluating several trust models in a cloud computing environment. In this paper, a comparison of fifteen representative trust management research samples in cloud computing and the appropriate research domains were also carried out by employing this analytical model.

Secure Data Sharing with Efficient Key Update for Industrial Cloud-based Access Control

Sharing data in industrial cloud requires both secure and flexibility management of data shared among users in the industry. Users should have ability to access authorized portion of data from smart edge devices with integrated secure protocol for interacting with cloud storage. Among cryptographic-based access control solutions, ciphertext-policy attribute-based encryption (CP-ABE) is recognized as a suitable solution for supporting secure and fine-grained data access control for outsourced data. However, the attribute revocation is a major drawback of CP-ABE since it introduces subsequent costs such as ciphertext re-encryption, user key re-generation, and key re-distribution. Existing revocable CP-ABE based access control models have focused on minimizing the cost of communication and computation cost for ciphertext re-encryption. Unfortunately, the key update issue is subject to re-key generation as traditional CP-ABE does. In essence, key update becomes crucial when there are a high number of users accessing shared data in the cloud. In this paper, we propose a lightweight access control model featured with the efficient key updating scheme. Finally, the performance evaluation is conducted to demonstrate the efficiency of our proposed scheme.

Improving Performance of ABAC Security Policies Validation using a Novel Clustering Approach

Cloud computing offers several services, such as storage, software, networking, and other computing services. Cloud storage is a boon for big data and big data owners. Although big data owners can easily avail cloud storage without spending much on infrastructure and software to manage their data, security is a big issue, and protecting the outsourced big data is challenging and ongoing research. Cloud service providers use the attribute-based access control model to detect malicious intruders and address the security requirements of today’s new computing technologies. Anomalies in security policies are removed to improve the efficiency of the access control model. This paper implements a novel clustering approach to cluster security policies. Our proposed approach uses a rule-specific cluster merging technique that compares the rule with the clusters where the probability of similarity is high. Hence this technique reduces the cost, time, and complexity of clustering. Rather than verifying all rules, detecting and removing anomalies in every cluster of rules improve the performance of the intrusion detection system. Our novel clustering approach is useful for the researchers and practitioners in the ABAC policy validation.

An access control model based on matrix domain security label

The large complex organization that needs to strictly implement the ‘Need to Know’ secure principle should establish a multi-level security information identification and access control mechanism. In this paper, it proposes that a large-scale complex organization is a matrix structure; hence, a matrix security label that conforms to the characteristics of the matrix domain shall be established. On the basis of RBAC and MLS Model, this paper supplements the definitions of security label and necessary constraints, and thus forms an improved access control model.

Survey on Delegated and Self-Contained Authorization Techniques in CPS and IoT

Authentication, authorization, and digital identity management are core features required by secure digital systems. In this, authorization is a key component for regulating the detailed access credentials with respect to required service resources. Authorization, therefore, plays a significant role in the trust management of autonomous devices and services. Due to the heterogeneous nature of cyber-physical systems and the Internet of Things, several authorization techniques using different access control models, accounts, groups, tokens, and delegations have both strengths and weaknesses. Many studies exist in the literature that focus on other main security requirements, such as authentication, identity management, and confidentiality. However, there is a need for a comprehensive review of different authorization techniques in cyber-physical systems and the Internet of Things. A specific target of this paper is authorization in the cyber-physical system and Internet of Things networks with non-constrained devices in an industrial context with mobility, subcontractors, and autonomous machines that are able to carry out advanced tasks on behalf of others. We study the different authorization techniques using our three-dimensional classification, including access control models, subgranting models, and authorization governance. We focus on the state of the art of authorization subgranting, including delegation techniques by access control/authorization server and self-contained authorization using a new concept of power of attorney. Comparisons are performed with respect to several parameters, such as type of communication, method of authorization, control of expiration, and use of techniques such as public key certificate, encryption techniques, and tokens. The results show the differences and similarities of server-based and power of attorney-based authorization subgranting. The most common standards are also analyzed in light of those classifications.

Приёмы описания модели управления доступом ОССН Astra Linux Special Edition на формализованном языке метода Event-B для обеспечения её верификации инструментами Rodin и ProB

The paper presents techniques to specification access control model of OS Astra Linux Special Edition (the MROSL DP-model) in the formalized notation (formalized using the Event-B formal method), that are based on the use of several global types, separation of general total functions into specific total functions, reduction in the number of invariants and guard of events, which iterate over subsets of a certain set. The result of using these techniques was the simplification of automated deductive verification of formalized notation using the Rodin tool and adaptation of the model to verification by model checking formalized notation using the ProB tool. These techniques can be useful in development of the MROSL DP-model, and also in development of other access control models and verification using appropriate tools.

Activity Control Design Principles: Next Generation Access Control for Smart and Collaborative Systems

Traditionally, access control solutions have focused on how to utilize a specific type of decision parameter for access control decisions. While these “decision parameter”-focused approaches have been well accepted, they typically consider access control with centralized administration. Smart and collaborative computing systems (SCSs) such as online social networks, the Internet of Things (IoT) and connected cyber-physical systems (CPSs) require a disparate approach to meet their unique and complex access control requirements primarily because there are multiple participants who create, share, manage and protect resources (e.g., files, smart devices) individually, collaboratively or even competitively. A distinct feature of SCSs is the diffuse nature of control activities and their complex influence on other activities. Activity control (ACON) extends the scope of traditional access control models and considers how multiple administrative authorities (including users) can manage complex and interacting usage, service and control activities. In this paper, we articulate key characteristics and limitations of various existing access control models and highlight the significance and necessity of activity control in smart collaborative ecosystems. We then propose an extended ACON framework for catering to the needs of dynamic SCSs. Furthermore, we compare existing access control design principles and propose a set of activity control design principles for smart and collaborative computing systems. The proposed ACON framework and design principles will provide a solid foundation for secure SCS design and development.

T‐RBAC Model Based on Two‐Dimensional Dynamic Trust Evaluation under Medical Big Data

The professionalism and complexity of medical big data and the expensiveness of acquiring medical knowledge make it difficult for policymakers to judge whether the information accessed by doctors is necessary from a professional perspective and to formulate accurate access control strategies. To solve the above problems, this paper proposes a T‐RBAC (trust‐role based access control) model based on two‐dimensional dynamic trust assessment, Using AHP and Grey theory to quantify the role attribute trust in the dimension of the doctor’s own attributes, Using Euler’s measurement method and probability statistics to quantify doctors’ behavioral trust in the dimension of historical behavior, then, the trust rule base performs hierarchical authorization based on the comprehensive trust value obtained by the weighted average. Multiattribute trust comprehensive evaluation makes the access control model have finer access granularity and higher security. At the same time, the introduction of time decay function and penalty function enhances the model’s sensitivity, dynamics, and resistance to bleaching attacks.

A symbolic attribute-based access control model for data security in the cloud

There have been several attempts made in literature to develop access control techniques to stem data security problems. Many of these techniques had been found to have one deficiency or other. Hence, this study developed a Symbolic Attribute-Based Access Control (SABAC) system for data security in the cloud service environment. SABAC system was implemented by developing Hash-tag Symbol Authentication (HSA) algorithm using the Message Digest-5 encryption. SABAC utilizes a 3-Tier continuous authentication method by combining the use of username and password, HSA code, and real-time image monitoring and verification. HSA code is generated by combining 5-tuple user attributes and the string generated from the user’s image using Obfuscation Technique. The concatenated string is converted to hexadecimal which serves as input to MD5 to produces a unique HSA code. SABAC was evaluated using three major security metrics of confidentiality, integrity, and avail-ability. The result of security metrics tests showed a confidence level of 99.993%, integrity threshold of 99.998%, and availability throughput of 150 users/second. This implies that SABAC is highly efficient for cloud data security. It shows that hackers would find it impossible to match any fake identity with valid HSA in the database. The study concluded that SABAC could be used for access control in a cloud environment for assuring data security. It was recommended that the SABAC system should be adopted by Cloud Solution Providers and Security Specialists.

ВЕРИФИКАЦИЯ СИСТЕМ УПРАВЛЕНИЯ ДОСТУПОМ НА ОСНОВЕ МОДЕЛИРОВАНИЯ РАСКРАШЕННЫМИ СЕТЯМИ ПЕТРИ

Introduction: the complexity of the information systems (IS) being developed increases the requirements for the error-free design of the access control system and increases the likelihood of the presence and impact of vulnerabilities on the state of information security. Formal verification of the IS project at the development stage allows minimizing the appearance of architectural vulnerabilities. Changes carried out by regulators in the field of certification of information security means actualizing issues related to the development and analysis of formal models. Purpose: development of an approach to the construction and formal verification of models that has an intuitively, completeness presentation and effective analysis. Methods: construction of models by the mathematical apparatus of colored Petri nets in the CPN Tools modeling environment with the subsequent study of the properties of the net. Results: an approach has been developed that has structural, logical and dynamic completeness. The clarity of the models developed using the presented approach reduces the time for detecting incorrect functioning and developing compensatory measures with the subsequent confirmation of their effectiveness. The analyze of the state space showed the need to supplement the modeling environment for the complete construction of the state space in the case of complex models and a large number of markers during the initial marking of the Petri net. Practical relevance: the developed approach is proposed to be used for formal verification of access control models and filtering information flows in the certification procedure for information security tools. The versatility and simplicity of the approach allows you to implement the formal verification procedure in the development stages of various kinds of systems. Development prospects: development of additional software that allows building a complete state space for com" plex models, as well as complementing the method with approaches using ASK-CTL logic.

An Activity Theory Approach to Leak Detection and Mitigation in Patient Health Information (PHI)

The migration to electronic health records (EHR) in the healthcare industry has raised issues with respect to security and privacy. One issue that has become a concern for healthcare providers, insurance companies, and pharmacies is patient health information (PHI) leaks because PHI leaks can lead to violation of privacy laws, which protect the privacy of individuals’ identifiable health information, potentially resulting in a healthcare crisis. This study explores the issue of PHI leaks from an access control viewpoint. We utilize access control policies and PHI leak scenarios derived from semi structured interviews with four healthcare practitioners and use the lens of activity theory to articulate the design of an access control model for detecting and mitigating PHI leaks. Subsequently, we follow up with a prototype as a proof of concept.

Research on Adaptive Relationship Between Trust and Privacy in Cloud Service

To prevent privacy leakage, cloud services need to take corresponding methods, so participants often face the dilemma of service utility and privacy protection. In this paper, we propose a dynamic adaptive access control model based on trust permission and privacy protection to solve the problem of privacy disclosure and utility in the cloud service. Firstly, we add the concept of obligation and purpose into access control and establish the privacy information tree and privacy policy tree. Secondly, we establish a new trust evaluation and give the corresponding weight algorithm. Thirdly, we quantify the privacy information with the normal space and correlation coefficient method. Further, we propose a tradeoff relationship model between trust permission and privacy protection, each participant can select the corresponding parameters according to the actual requirement and personal preference. Experimental analysis and comparison results verify the feasibility, effectiveness, and superiority of our method. Finally, we summarize the work of this paper and point out the future development direction.

DF-RBAC: Dynamic and Fine-grained Role-Based Access Control Scheme with Smart Contract

Access control is a technology that can guarantee the security of information in network transmission, in which role-based access control is to separate the subject from the permission, and to assign the permission by distributing the corresponding role of the user. However, the traditional role-based access control scheme is generally centralized, the allocation of user’s role lacks fine granularity, and there is static in the allocation of the role and permission, which is not consistent with the distributed and dynamic network architecture nowadays. Hence, we propose a dynamic and fine-grained role-based access control model DF-RBAC, which can realize the flexible assignment of roles by resource owners and security verification of assigned roles. Further, we take advantage of blockchain technology and cryptography technology to combine with the DF-RBAC framework to achieve access to the activity log security audit function, which can ensure the security of the overall architecture. By safety and experimental analysis, our framework has proved to be feasible.

FairAccess 2.0: a smart contract-based authorization framework for enabling granular access control in IoT

In this paper, we explore access control area as one of the most crucial aspect of security and privacy in IoT. Actually, conventional security and privacy solutions tend to be less tailored for IoT. Then, designing a distributed access control with user-driven approach and privacy-preserving awareness in an IoT environment is of paramount importance. In this direction, we have investigated in our previous work a new way to build a distributed access control framework based on the blockchain technology through our proposed framework, FairAccess. The first version of FairAccess was based on the Bitcoin's UTXO model. However, this version presented limitations in expressing more granular access control policies. To tackle this issue, this paper upgrades the proposed framework to FairAccess2.0 that uses SmartContract concept instead of the locking/unlocking scripts. Thus, we show a possible working implementation based on ABAC policies, deployed on the ethereum blockchain. The obtained results show the efficiency of FairAccess2.0 and its compatibility with a wide range of existing access control models mainly the ABAC model. Finally, a performance and cost evaluation, discussion and future work are elaborated.

FairAccess2.0: a smart contract-based authorisation framework for enabling granular access control in IoT

In this paper, we explore access control area as one of the most crucial aspect of security and privacy in IoT. Actually, conventional security and privacy solutions tend to be less tailored for IoT. Then, designing a distributed access control with user-driven approach and privacy-preserving awareness in an IoT environment is of paramount importance. In this direction, we have investigated in our previous work a new way to build a distributed access control framework based on the blockchain technology through our proposed framework, FairAccess. The first version of FairAccess was based on the Bitcoin's UTXO model. However, this version presented limitations in expressing more granular access control policies. To tackle this issue, this paper upgrades the proposed framework to FairAccess2.0 that uses SmartContract concept instead of the locking/unlocking scripts. Thus, we show a possible working implementation based on ABAC policies, deployed on the ethereum blockchain. The obtained results show the efficiency of FairAccess2.0 and its compatibility with a wide range of existing access control models mainly the ABAC model. Finally, a performance and cost evaluation, discussion and future work are elaborated.

Leveraging Network Functions Virtualization Orchestrators to Achieve Software-Defined Access Control in the Clouds

Network Functions Virtualization (NFV) has been widely recognized as an effective way to implement and consolidate hardware-based network functions by using software-based approaches, with a potential to significantly reducing CAPEX and OPEX. In particular, NFV orchestrators (e.g., Tacker, Cloudify, and ONAP) play a vital role in managing and orchestrating various virtualized network resources (e.g., VMs, Virtualized Network Functions), and TOSCA is one of the standard data models to fulfil such a role. However, it remains unclear how the security mechanisms can be seamlessly integrated into the entire lifecycle of those virtualized network assets. Starting with a comparative analysis on the available NFV orchestrators, we extend the TOSCA model to incorporate security attributes of interest, and leverage the extended model to create access control policies at cloud scale. Specifically, a security orchestrator is developed, which contains a TOSCA-parser and a novel tenant-specific access control paradigm. One of the salient features of our security orchestrator is that it allows to dynamically generate access control models and policies for different tenant domains, resulting in a flexible and scalable protection coverage that is across different NFV layers and multiple data centers. To validate its feasibility and effectiveness, we develop a security orchestrator prototype and test its performance with respect to throughput, scalability, and adaptability. The experimental results demonstrate that all the desirable properties can be achieved, and the throughput of our security orchestrator can be maintained at a satisfactory level regardless of the varying number of tenants, users, or objects that are deployed in the cloud.

An authorisation certificate-based access control model

An authorisation certificate-based access control model

A Review of Access Control Metamodels

Abstract The emergence of ubiquitous computing, especially with the Internet of Things (IoT), releases new prospects to traditional information systems by merging new technologies and services for seamless access to information sources at anytime and anywhere. Concurrently, this emergence opens new threats to information security and new challenges to control access to the resources. To ensure security, several techniques have been employed, and access control (AC) is one of the essential security requirements for IoT and non-IoT systems. Various authentication and AC methods are proposed to enforce AC policy and to prevent any unauthorized access to logical/physical assets. The continuous technology upgrades and the diversity of AC models force the need to find AC metamodels with higher level of abstraction that serve as a unifying framework for specifying any AC policy. AC metamodels are proposed to encompass AC features and are used to derive various instances of AC models and methods. In this paper we review the proposed AC metamodels and their implementation scenarios, we analyze them, their objectives, their limitations, and present open research questions and issues that still need to be addressed.

Secured Data Storage and Retrieval using Elliptic Curve Cryptography in Cloud

Security of data stored in the cloud databases is a challenging and complex issue to be addressed due to the presence of malicious attacks, data breaches and unsecured access points. In the past, many researchers proposed security mechanisms including access control, intrusion detection and prevention models, Encryption based storage methods and key management schemes. However, the role based access control policies that were developed to provide security for the data stored in cloud databases based on the sensitivity of the information are compromised by the attackers through the misuse of privileges gained by them from multiple roles. Therefore, it is necessary to propose more efficient mechanisms for securing the sensitive information through attribute based encryption by analyzing the association between the various attributes. For handling the security issue related to the large volume of cloud data effectively, the association rule mining algorithm has been extended with temporal constraints in this work in order to find the association among the attributes so that it is possible to form groups among the attributes as public attributes with insensitive data, group attributes with medium sensitive data and owner with highly sensitive attributes and data for enhancing the strength of attribute based encryption scheme. Based on the associations among the attributes and temporal constraints, it is possible to encrypt the sensitive data with stronger keys and algorithms. Hence, a new key generation and encryption algorithm is proposed in this paper by combining the Greatest common divisor and the Least common multiple between the primary key value and the first numeric non key attribute that is medium sensitive attributes and data present in the cloud database for providing secured storage through effective attribute based encryption. Moreover, a new intelligent algorithm called Elliptic Curve Cryptography with Base100 Table algorithm is also proposed in this paper for performing encryption and decryption operations over the most sensitive data for the data owners. From the experiments conducted in this work, it is observed that the proposed model enhances the data security by more than 5% when it is compared with other existing secured storage models available for cloud

A Fine-Grained and Lightweight Data Access Control Model for Mobile Cloud Computing

With rapidly increasing adoption of cloud computing and the advancement of today mobile computing, it is inevitable that mobile devices are used to receive and send the data through the mobile cloud platform. This increases the convenience and flexibility of data access over the cloud computing since data users are able to access the shared data anytime, anywhere via mobile devices. However, using mobile devices in accessing shared data in a cloud where the sensitive data is encrypted is not practical because mobile devices have limited computing resources in dealing with heavy cryptographic operations. In this article, we propose a lightweight collaborative ciphertext policy attribute role-based encryption (LW-C-CP-ARBE) scheme to support a fine-grained and lightweight access control for mobile cloud environment. We apply CP-ABE approach as a core cryptographic access control and introduce a new proxy re-encryption (PRE) protocol to reduce data re-encryption and decryption cost for the mobile users. To this end, the overhead in running the cryptographic operation at the end-user device is small. In addition, we develop secure access policy sharing and re-encryption protocol to enable users having write privilege to update the data and request the proxy to perform data re-encryption. Finally, we present the evaluation and experiments to demonstrate the efficiency and practicality of our system.