Access Control Architecture Research Articles

Access control in the Internet of Things: a survey of existing approaches and open research questions

The Internet of Things operates in a personal-data-rich sector, which makes security and privacy an increasing concern for consumers. Access control is thus a vital issue to ensure trust in the IoT. Several access control models are today available, each of them coming with various features, making them more or less suitable for the IoT. This article provides a comprehensive survey of these different models, focused both on access control models (e.g., DAC, MAC, RBAC, ABAC) and on access control architectures and protocols (e.g., SAML and XACML, OAuth 2.0, ACE, UMA, LMW2M, AllJoyn). The suitability of each model or framework for IoT is discussed. In conclusion, we provide future directions for research on access control for the IoT: scalability, heterogeneity, openness and flexibility, identity of objects, personal data handling, dynamic access control policies, and usable security.

Cloud-Based Access Control to Preserve Privacy in Academic Web Application

Emerging cloud computing has introduced new platforms for developing enterprise academic web applications, where software, platforms and infrastructures are published to the globe as services. Software developers can build their systems by multiple invocations of these services. This research is devoted to investigating the management and data flow control over enterprise academic web applications where web services and developed academic web application are constructing infrastructure-networking scheme at the application level. Academic web services are invoked over http port and using REST based protocol; thus traditional access control method is not enough to control the follow of data using host and port information. The new cloud based access control rules proposed here are to be designed and implemented to work at this level. The new proposed access control architecture will be a web service gateway, and it published itself as a service (SaaS). We used three case studies to test our moodle and then we apply JSON parsers to perceive web service description file (WSDL file) and supply policies according to data are to be allowed or denied based on user roll through our parsing.

Implementation and Operational Analysis of an Interactive Intensive Care Unit within a Smart Health Context.

In the context of hospital management and operation, Intensive Care Units (ICU) are one of the most challenging in terms of time responsiveness and criticality, in which adequate resource management and signal processing play a key role in overall system performance. In this work, a context aware Intensive Care Unit is implemented and analyzed to provide scalable signal acquisition capabilities, as well as to provide tracking and access control. Wireless channel analysis is performed by means of hybrid optimized 3D Ray Launching deterministic simulation to assess potential interference impact as well as to provide required coverage/capacity thresholds for employed transceivers. Wireless system operation within the ICU scenario, considering conventional transceiver operation, is feasible in terms of quality of service for the complete scenario. Extensive measurements of overall interference levels have also been carried out, enabling subsequent adequate coverage/capacity estimations, for a set of Zigbee based nodes. Real system operation has been tested, with ad-hoc designed Zigbee wireless motes, employing lightweight communication protocols to minimize energy and bandwidth usage. An ICU information gathering application and software architecture for Visitor Access Control has been implemented, providing monitoring of the Boxes external doors and the identification of visitors via a RFID system. The results enable a solution to provide ICU access control and tracking capabilities previously not exploited, providing a step forward in the implementation of a Smart Health framework.

RBACA: role-based access control architecture for multi-domain cloud environment

Cloud computing is an emerging area as a new arrangement of wide-area distributed computing. Sharing of resources and services over the network are heterogeneous, dynamic, and multi-domain. Security issue is also a serious problem in a cloud computing environment. Similarly, access control and authorisation are an important aspect of the security. The paper proposes a scalable access control architecture and authorisation, for cloud computing environment. A new access control architecture is proposed which is based on traditional access control, role-based access control (RBAC) model. The paper provides a flexible framework for policy announcement management approach for a multi-domain cloud environment. A policy language (XACML) is used for the demonstration of access control policies. This provides a general and standard provision of different resources and services.

RBACA: role-based access control architecture for multi-domain cloud environment

RBACA: role-based access control architecture for multi-domain cloud environment

Achieving fine-grained access control and mitigating role explosion by utilising ABE with RBAC

Cloud systems can store a vast amount of sensitive data whose access must be well regulated. A good access control policy ensures the security of this data while providing high flexibility in terms of access management. In this paper, we introduce access control architecture to mitigate the issue of role-explosion in RBAC and achieve a high degree of fine-grained access control by following an attribute-based encryption scheme with RBAC. In our model, we propose a user-tree with a hierarchical structure composed of groups and sub-groups to which a user will be assigned. These sub-groups will have their own sets of attributes as well as common inherited attributes. A user assigned to a specific sub-group will receive a key with the specific attributes of the sub-group as well as the inherited attributes.

Achieving fine-grained access control and mitigating role explosion by utilising ABE with RBAC

Cloud systems can store a vast amount of sensitive data whose access must be well regulated. A good access control policy ensures the security of this data while providing high flexibility in terms of access management. In this paper, we introduce access control architecture to mitigate the issue of role-explosion in RBAC and achieve a high degree of fine-grained access control by following an attribute-based encryption scheme with RBAC. In our model, we propose a user-tree with a hierarchical structure composed of groups and sub-groups to which a user will be assigned. These sub-groups will have their own sets of attributes as well as common inherited attributes. A user assigned to a specific sub-group will receive a key with the specific attributes of the sub-group as well as the inherited attributes.

Attribute-based data access control in mobile cloud computing: Taxonomy and open issues

With the thriving growth of the cloud computing, the security and privacy concerns of outsourcing data have been increasing dramatically. However, because of delegating the management of data to an untrusted cloud server in data outsourcing process, the data access control has been recognized as a challenging issue in cloud storage systems. One of the preeminent technologies to control data access in cloud computing is Attribute-based Encryption (ABE) as a cryptographic primitive, which establishes the decryption ability on the basis of a user’s attributes. This paper provides a comprehensive survey on attribute-based access control schemes and compares each scheme’s functionality and characteristic. We also present a thematic taxonomy of attribute-based approaches based on significant parameters, such as access control mode, architecture, revocation mode, revocation method, revocation issue, and revocation controller. The paper reviews the state-of-the-art ABE methods and categorizes them into three main classes, such as centralized, decentralized, and hierarchal, based on their architectures. We also analyzed the different ABE techniques to ascertain the advantages and disadvantages, the significance and requirements, and identifies the research gaps. Finally, the paper presents open issues and challenges for further investigations.

Unified Medium Access Control Architecture for Resource-Constrained Machine-to-Machine Devices

In capillary machine-to-machine (M2M) communications, which is being considered as a feasible network solution for M2M applications, because of physical resource constraints and deployment conditions, an energy-efficient and scalable medium access control (MAC) protocol is crucial for numerous M2M devices to concurrently access wireless channels. Therefore, this paper presents a unified MAC layer architecture for resource-constrained M2M devices in capillary M2M networks [named as resource-constrained MAC architecture (RCMA)], which has a unified (monolithic) framework consisting of essential functional components to support MAC-related operations of M2M devices: multi-channel hybrid MAC (McHM), logical link control (LLC), time synchronizer (TS), and device on--off scheduler (DO2S). McHM provides a baseline MAC protocol for an entire capillary M2M system that combines the benefit of both contention-based carrier sense multiple access and schedule-based time division multiple access schemes, whereas the other three components help in the McHM operations. To demonstrate the effectiveness of the RCMA, we implement the whole stack using the QualNet simulator. Experimental results show that the RCMA outperforms the conventional ZigBee stack in terms of energy efficiency and scalability, even under heavy traffic conditions.

Some new research trends in wirelessly powered communications

The vision of seamlessly integrating information transfer (IT) and microwave based power transfer (PT) in the same system has led to the emergence of a new research area, called wirelessly power communications (WPC). Extensive research has been conducted on developing WPC theory and techniques, building on the extremely rich wireless communications litera- ture covering diversified topics such as transmissions, resource allocations, medium access control and network protocols and architectures. Despite these research efforts, transforming WPC from theory to practice still faces many unsolved prob- lems concerning issues such as mobile complexity, power transfer efficiency, and safety. Furthermore, the fundamental limits of WPC remain largely unknown. Recent attempts to address these open issues has resulted in the emergence of numerous new research trends in the WPC area. A few promising trends are introduced in this article. From the practical perspective, the use of backscatter antennas can support WPC for low-complexity passive devices, the design of spiky waveforms can improve the PT efficiency, and analog spatial decoupling is proposed for solving the PT-IT near-far problem in WPC. From the theoretic perspective, the fundamental limits of WPC can be quantified by leveraging recent results on super-directivity and the limit can be improved by the deployment of large-scale distributed antenna arrays. Specific research problems along these trends are discussed, whose solutions can lead to significant advancements in WPC.

The RBAC model and implementation architecture in multi-domain environment

Nowadays in the IT convergence environment, the Service Oriented Architecture has its unique significance. The RBAC model has a variety of advantages in protecting the security of services. When the network is extended to a certain scale, it must be divided into multi domains for convenient management. However, the study to the RBAC model can be applied in multi-domain environment is still lacked. Corresponding feasible implementation architectures for the individual and composite services are also in weak. In this paper, we proposed a domain model and a domain based RBAC model can better adapt to the multi-domain security requirements. Then based on the model we designed feasible and efficient access control architectures respectively focusing on the individual services and different type of composite services. The evaluation cases showed the proposed model and implementation architectures achieved desired effects and the performances are in promising.

CloudAC: a cloud‐oriented multilayer access control system for logic virtual domain

The security issue has been a challenging concern for cloud computing because of the multitenant usage model. In cloud, each application normally runs on a dynamic coalition that is composed by multiple virtual machines (VMs) running on different virtualised service nodes, which the authors called logic virtual domain (LVD). Moreover, the owners of cloud applications, who are also the tenants of cloud, would specify some security policies to control the access to those resources that they have paid for. Therefore the owners of cloud infrastructures have to provide the tenants with the mechanism to correctly configure and enforce the access control policies on resources that are from multiple service nodes, to meet the security requirements from cloud applications. To address the above challenge, this study presents the design and implementation about a multilayer access control architecture for LVD, named CloudAC, aiming to provide isolation control, information flow control and resource-sharing control among multiple VMs on Xen virtualisation platforms in cloud computing environment. The theory and technology this research formed will provide reliable security guarantee for resource configuration and application deployment on LVDs.

A User Profile Based Access Control Model and Architecture

Personalization and adaptation to the user profile capability are the hottest issues to ensure ambient assisted living and context awareness in nowadays environments. With the growing healthcare and wellbeing context aware applications, modeling security policies becomes an important issue in the design of future access control models. This requires rich semantics using ontology modeling for the management of services provided to dependant people. However, current access control models remain unsuitable due to lack of personalization, adaptability and smartness to the handicap situation. In this paper, we propose a novel adaptable access control model and its related architecture in which the security policy is based on the handicap situation analyzed from the monitoring of userss behavior in order to grant a service using any assistive device within intelligent environment. the design of our model is an ontology-learning and evolving security policy for predicting the future actions of dependent people. This is reached by reasoning about historical data, contextual data and user behavior according to the access rules that are used in the inference engine to provide the right service according to the users needs.

A Multiple-Policy supported Attribute-Based Access Control Architecture within Large-scale Device Collaboration Systems

In order to collaborate large numbers of heterogeneous distributed devices over multiple domains within a modern large-scale device collaboration system, a fine-grained, flexible and secure approach is required for device authentication and authorization. This paper proposed a Multiple-Policy supported Attribute-Based Access Control model and its architecture to address these demands. With eXtensible Access Control Markup Language standard, this model exceeds the traditional Attribute-Based Access Control Model by providing cross-domain authentication and authorization, hierarchical policy combination and enforcement, unified device access control and fine-grained attributes-based privilege description. Experiments show the performance of this architecture is acceptable within production environment.

A Distributed Access Control Architecture for Cloud Computing

The large-scale, dynamic, and heterogeneous nature of cloud computing poses numerous security challenges. But the cloud's main challenge is to provide a robust authorization mechanism that incorporates multitenancy and virtualization aspects of resources. The authors present a distributed architecture that incorporates principles from security management and software engineering and propose key requirements and a design model for the architecture.

Secure Access Mechanism for Cloud Storage

Emerging storage cloud systems provide continuously available and highly scalable storage services to millions of geographically distributed clients. A secure access control mechanism is a crucial prerequisite for allowing clients to entrust their data to such cloud services. The seamlessly unlimited scale of the cloud and the new usage scenarios that accompany it pose new challenges in the design of such access control systems. In this paper we present a capability-based access control model and architecture appropriate for cloud storage systems that is secure, flexible, and scalable. We introduce new functionalities such as a flexible and dynamic description of resources; an advanced delegation mechanism and support for auditability, accountability and access confinement. The paper details the secure access model, shows how it fits in a scalable storage cloud architecture, and analyzes its security and performance.

An abstract dynamic access control architecture

This paper presents an abstract architecture capturing the most essential characteristics of security architectures for the kind of access control required in multi-agent systems. A security architecture is usually component based; it is dynamically extensible, reflective, and should be able to support a variety of policy strategies and enforcement mechanisms. Therefore, in designing and implementing such an architecture, it is important to accurately describe its structure, components, and their interactions; and we should also provide support for verifying properties that the architecture must satisfy. The abstract Dynamic Access Control Architecture, or DACA, we propose provides the flexibility to express several complex characteristics abstractly, ultimately resulting in a more structured foundation for implementing security architectures for access control.

Access Control in JavaScript

ZAC is a practical lightweight library for access control in JavaScript based on aspect orientation. Its access control architecture is stack based, similar to those of Java and C#. However, ZAC integrates other features for more expressive access control. First, access control policies can be enforced at the level of objects, which permits more fine-grained control over resource access. Second, policies in ZAC can base their decisions on scripts' execution history. This lets developers express policies that are impossible to define using other models, such as bounded-time execution.

Credential Based Mediator Architecture for Access Control and Data Integration in Multiple Data Sources Environment

In multiple data sources environment where open access is to be provided to the users not known to the system, the credential based access control has emerged as a suitable approach for achieving security on shared data [22,23,28,29,31]. Mediation techniques have been developed for data integration that provide a single unified view of the multiple data sources to the user[1,2,3,4,5,6,7,18]. For enforcing common access policy across the available data sources and enabling controlled access on data at local levels, appropriate multilevel access control policy is also required. In this paper, we propose a credential based mediator architecture to achieve multilevel access control and data integration in open access environment. To realize the multilevel access policy a credential transfer protocol has been proposed to accomplish the transfer of credentials and extracting attribute values associated with them.

Semantics-based Access Control Approach for Web Service

Due to the open and distributed characteristics of web service, its access control becomes a challenging problem which has not been addressed properly. In this paper, we show how semantic web technologies can be used to build a flexible access control system for web service. We follow the Role-based Access Control model and extend it with credential attributes. The access control model is represented by a semantic ontology, and specific semantic rules are constructed to implement such as dynamic roles assignment, separation of duty constraints and roles hierarchy reasoning, etc. These semantic rules can be verified and executed automatically by the reasoning engine, which can simplify the definition and enhance the interoperability of the access control policies. The basic access control architecture based on the semantic proposal for web service is presented. Finally, a prototype of the system is implemented to validate the proposal.