Policy Enforcement Point Research Articles

Endpoint security reinforcement via integrated zero-trust systems: A collaborative approach

In the rapidly evolving field of information technology, network security, especially enterprise endpoint security, has emerged as a major challenge. This paper presents a comprehensive and interactive method for network access and user authentication utilizing a zero-trust framework. This method integrates key elements, including the Network Access (NA) Agent, Identity and Access Management (IAM) Agent, Policy Enforcement Point (PEP) Agent, and Situational Awareness (SA) Agent, to mitigate security risks associated with critical business information exposure and unauthorized network access. Leveraging a zero-trust approach, the method dynamically controls user permissions, thereby enhancing endpoint security. It also introduces an efficient solution that coexists with legacy infrastructures, balancing security necessities with user accessibility, and offering a unified solution for both internal corporate networks and the Internet. We present a thorough analysis of potential risks associated with this method and propose preventative measures to minimize these threats. We conclude that our method provides a more secure and efficient approach to enterprise network security compared to traditional static rule-based systems, offering a promising direction for future research and implementation.

Authorization Recycling in Attribute-Based Access Control

In most access control scenarios, the communication between the PDP (policy decision point) and the PEP (policy enforcement point) can cause high authorization overhead. Authorization recycling enables PEP to use the previous access control decisions fetched from the PDP to handle some upcoming access control requests, reduce authorization costs, and increase the efficiency of access control decision-making. Inspired by the RBAC (role-based access control) authorization recycling mechanism, this article first presents an ABAC (attribute-based access control) model based on Boolean expressions of subject and object attributes. It then proposes an authorization recycling approach for this model. In this approach, we provide construction and update methods for authorization data caches and access control decision-making rules for SDP (secondary decision point) by using the caches. The proposed approach can deduce precise and approximate access control decisions from the cache of authorization data, reducing communication between the PEP and the PDP. Finally, the feasibility of the proposed method is verified by conducting a small-scale test. ABAC, SDP, authorization recycling, and authorization caching.

XACML for Mobility (XACML4M)-An Access Control Framework for Connected Vehicles.

The automotive industry is experiencing a transformation with the rapid integration of software-based systems inside vehicles, which are complex systems with multiple sensors. The use of vehicle sensor data has enabled vehicles to communicate with other entities in the connected vehicle ecosystem, such as the cloud, road infrastructure, other vehicles, pedestrians, and smart grids, using either cellular or wireless networks. This vehicle data are distributed, private, and vulnerable, which can compromise the safety and security of vehicles and their passengers. It is therefore necessary to design an access control mechanism around the vehicle data's unique attributes and distributed nature. Since connected vehicles operate in a highly dynamic environment, it is important to consider context information such as location, time, and frequency when designing a fine-grained access control mechanism. This leads to our research question: How can Attribute-Based Access Control (ABAC) fulfill connected vehicle requirements of Signal Access Control (SAC), Time-Based Access Control (TBAC), Location-Based Access Control (LBAC), and Frequency-Based Access Control (FBAC)? To address the issue, we propose a data flow model based on Attribute-Based Access Control (ABAC) called eXtensible Access Control Markup Language for Mobility (XACML4M). XACML4M adds additional components to the standard eXtensible Access Control Markup Language (XACML) to satisfy the identified requirements of SAC, TBAC, LBAC, and FBAC in connected vehicles. Specifically, these are: Vehicle Data Environment (VDE) integrated with Policy Enforcement Point (PEP), Time Extensions, GeoLocation Provider, Polling Frequency Provider, and Access Log Service. We implement a prototype based on these four requirements on a Raspberry Pi 4 and present a proof-of-concept for a real-world use case. We then perform a functional evaluation based on the authorization policies to validate the XACML4M data flow model. Finally, we conclude that our proposed XACML4M data flow model can fulfill all four of our identified requirements for connected vehicles.

SysFlow: Toward a Programmable Zero Trust Framework for System Security

Zero Trust, as an emerging trend of cybersecurity paradigms in modern infrastructure (e.g., enterprise, cloud, edge, IoT, and 5G), is moving security defenses from static and perimeter-based control systems to focus on users and resources with no assumption of implicit trust. However, the current Zero Trust Architecture (ZTA) mainly focuses on the network security and lacks in-depth considerations on system-level security policies and abstractions, which leaves the realization of the principle incomplete. To bridge the gap, we propose an innovative <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">programmable</i> system security framework called SYSFLOW to enable unified, dynamic, and fine-grained Zero Trust security control for system resources. SYSFLOW introduces a novel <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">system flow</i> abstraction to model <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">system activities</i> across the entire infrastructure, and provides a system-level data plane and control plane separation and abstraction. The new logically centralized controller accommodates a unified <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">programmable</i> Policy Decision Point (PDP) that acquires a holistic view of system behaviors for controlling system resource accesses by translated programmable security policies into system flow rules. The SYSFLOW data plane, acting as Policy Enforcement Point (PEP), enforces translated system flow rules, which can be updated dynamically and facilitate fine-grained responsive actions. Our extensive evaluations demonstrate the effectiveness and scalability of SYSFLOW, which addresses the security issues in various scenarios with a minor performance overhead.

Research on Distributed Dynamic Trusted Access Control Based on Security Subsystem

The flow of data across nodes has become the dominant feature of data sharing in distributed environments with increasingly blurred boundaries, where it is crucial to maintain data access dynamic, trusted, and efficient. However, traditional centralized access control models are not only difficult to apply in distributed environments but also ignore trusted verification of authorized entities. What’s worse, existing access control models rarely consider themselves security, lack independence, at a high risk of being bypassed or tampered with. Thus, we propose in this paper a distributed, dynamic, and trusted access control model, DDTAC-BSS, where the standard Attribute-Based Access Control (ABAC) architecture is modified and extended. To reduce the attack surface, we separate policy enforcement point (PEP) from other core components, they are located in the node system and access control system, respectively. Then, the access control entry point (ACEP) is added as the only interface for the node system to interact with the access control system. Subsequently, the model introduces the entity trusted assessment mechanism to improve the trustworthiness of access control services. Driven by the dynamic attributes, our model can achieve dynamic trusted authorization and fine-grained access control. Moreover, we implement a lightweight, independent, and distributed security subsystem to achieve unified management of policies and decision-making autonomy by message-driven. By considering the independence of the security subsystem, a trusted operating environment is built based on Trusted Execution Environment (TEE) to ensure the security of the access control mechanism itself. The security of our model is proved rigorously based on the non-interference theory. Comprehensive experiments and comparisons have demonstrated the superior functionality, comparable performance, and strong security of our model.

Attribute-Based Access Control Using Smart Contracts for the Internet of Things

Abstract Access control is one of the most important security concerns, which is critical in resource and information protection over IoT devices. This paper proposes a new scheme that combines attribute-based access control (ABAC) model with blockchain technology and uses smart contracts for access control judgment. This scheme can realize dynamic, distributed and reliable access control in the open IoT environment. The IoT access control system based on this scheme consists of five functional modules. The information registration point registers information for each device that joins the system. Policy enforcement point (PEP) is responsible for managing agent-devices in the system and processing original access requests from access subjects. Policy decision point (PDP) makes access control right decision through smart contracts. Policy administration point (PAP) is used to manage smart contract information. Policy information point (PIP) is used to manage key attribute information of devices used for access control judgment. The scheme also includes three types of smart contracts, one management contract (MC) is used to manage other contracts in the system, one policy decision contract (PDC) is responsible for obtaining attribute information from PIP and making final access control right decision, and a large number of policy contracts (PCs) which composed of a public policy contract (PPC) and a large number of exclusive policy contracts (EPCs). These PCs are used to implement specific attribute-based access control policies. To demonstrate the application of the scheme, we simulated a scenario of access control in a home IoT environment and verified the feasibility of access control decisions using our proposed scheme through three experiments.

Cloud-Based Access Control Framework for Effective Role Provisioning in Business Application

In the evolution of social networks and big data, secure information sharing is a crucial task. When information is shared between the user and the organization admin, security plays a key role in any business organization in terms of privacy. Though many fruitful solutions prevail to protect the data integrity and privacy, there is a huge space for novel data protection schemes where a large set of data are involved. In this article, the Cloud-Based Access Control (C-BAC) framework is proposed which can fit in any business organization application. In this C-BAC, Policy Enforcement Point (PEP) is used to avoid unwanted information sharing with the neighboring employee. C-BAC framework with RSA provides security, based on the number of employees with the data handled by the particular employee, better than the existing access control framework with asymmetric encryption standard (AES) and Rivest–Shamir–Adleman (RSA) in terms of individual information handling.

Camflow: Managed Data-Sharing for Cloud Services

A model of cloud services is emerging whereby a few trusted providers manage the underlying hardware and communications whereas many companies build on this infrastructure to offer higher level, cloud-hosted PaaS services and/or SaaS applications. From the start, strong isolation between cloud tenants was seen to be of paramount importance, provided first by virtual machines (VM) and later by containers, which share the operating system (OS) kernel. Increasingly it is the case that applications also require facilities to effect isolation and protection of data managed by those applications. They also require flexible data sharing with other applications, often across the traditional cloud-isolation boundaries; for example, when government provides many related services for its citizens on a common platform. Similar considerations apply to the end-users of applications. But in particular, the incorporation of cloud services within `Internet of Things' architectures is driving the requirements for both protection and cross-application data sharing. These concerns relate to the management of data. Traditional access control is application and principal/role specific, applied at policy enforcement points, after which there is no subsequent control over where data flows; a crucial issue once data has left its owner's control by cloud-hosted applications and within cloud-services. Information Flow Control (IFC), in addition, offers system-wide, end-to-end, flow control based on the properties of the data. We discuss the potential of cloud-deployed IFC for enforcing owners' dataflow policy with regard to protection and sharing, as well as safeguarding against malicious or buggy software. In addition, the audit log associated with IFC provides transparency, giving configurable system-wide visibility over data flows. [...]

An insider threat aware access control for cloud relational databases

The request-response paradigm that consists of policy decision points (PDPs) and policy enforcement points (PEPs) is used for access control in Cloud computing. The model uses PEP-side caching to increase the availability and reduce the processing overhead on PDP. This paper shows that using PEP-side caching can be exploited by insiders to bypass cloud access control mechanisms, which increases insider threat in cloud computing. To overcome this problem, the paper proposes a manageable model that detects and prevents insider threat at PEP side with minimum overhead on the performance of PEP and PDP. The model has been extensively tested and the results show its effectiveness in mitigating insider threat. Moreover, the experiments demonstrate that the overhead posed by the model on PEP and PDP is low. Lemmas, theorems and algorithm have been provided to show the correctness and the applicability of the proposed approach.

XACML Policy Evaluation with Dynamic Context Handling

Some fairly recent research has focused on providing XACML-based solutions for dynamic privacy policy management. In this regard, a number of works have provided enhancements to the performance of XACML policy enforcement point (PEP) component, but very few have focused on enhancing the accuracy of that component. This paper improves the accuracy of an XACML PEP by filling some gaps in the existing works. In particular, dynamically incorporating user access context into the privacy policy decision, and its enforcement. We provide an XACML-based implementation of a dynamic privacy policy management framework and an evaluation of the applicability of our system in comparison to some of the existing approaches.

Business process management enabled compliance-aware medical record sharing

Data sharing about electronic health records (EHRs) across healthcare organisations is still a challenging task due to compliance requirements with regulatory policies that can vary across states and countries, and organisations’ internal business requirements. Even when adopting the same regulatory policies, each organisation can interpret and implement these policies and requirements differently in its internal IT environments. This paper proposes a compliance-aware data management solution for EHR systems. It allows healthcare organisations to define their own security and regulatory compliance requirements for accessing and sharing healthcare data, and enables policy enforcement while sharing data with other organisations. The policy requirements are expressed in the form of business processes that govern the access and sharing of data between people and systems. The business process operations are mapped into low-level operations on internal and remote record stores and policy enforcement points. We have implemented a prototype system that supports the proposed approach and integrated it with OpenMRS, an open source electronic medical record system, using which we have defined and enforced some real-world regulations and organisations’ policies for data sharing.

Evaluation by Implementation of the Policy-based Network Management System Called DACS System

As the work for managing a whole LAN effectively withoutlimited purposes, there are works of Policy-based networkmanagement (PBNM). The existing PBNM is defined in someorganizations including the Internet Engineering Task Force(IETF). However, it has structural problems. For example,communications sent from many clients concentrate on acommunication control mechanism called PEP (PolicyEnforcement Point). To improve the problems, we have beenstudying next generation PBNM called Destination AddressingControl System (DACS) Scheme. The DACS Scheme controlsthe whole LAN through communication control by the clientsoftware as PEP which locates on a client computer. We havebeen studied on the aspect of principle until now. In thisresearch, we implement a DACS system to realize a concept ofthe DACS Scheme, and show implement method and results offunctional experiments.

Data Confidentiality in Mobile Ad hoc Networks

Mobile ad hoc networks (MANETs) are self-configuring infrastructure-less networks comprised of mobile nodes that communicate over wireless links without any central control on a peer-to-peer basis. These individual nodes act as routers to forward both their own data and also their neighbours' data by sending and receiving packets to and from other nodes in the network. The relatively easy configuration and the quick deployment make ad hoc networks suitable the emergency situations (such as human or natural disasters) and for military units in enemy territory. Securing data dissemination between these nodes in such networks, however, is a very challenging task. Exposing such information to anyone else other than the intended nodes could cause a privacy and confidentiality breach, particularly in military scenarios. In this paper we present a novel framework to enhance the privacy and data confidentiality in mobile ad hoc networks by attaching the originator policies to the messages as they are sent between nodes. We evaluate our framework using the Network Simulator (NS-2) to check whether the privacy and confidentiality of the originator are met. For this we implemented the Policy Enforcement Points (PEPs), as NS-2 agents that manage and enforce the policies attached to packets at every node in the MANET.

Decision-cache based XACML authorisation and anonymisation for XML documents

This paper describes a decision cache for the eXtensible Access Control Markup Language (XACML) that supports fine-grained authorisation and anonymisation of XML based messages and documents down to XML attribute and element level. The decision cache is implemented as an XACML obligation service, where a specification of the XML elements to be authorised and anonymised is sent to the Policy Enforcement Point (PEP) during initial authorisation. Further authorisation of individual XML elements according to the authorisation specification is then performed on all matching XML resources, and decisions are stored in the decision cache. This makes it possible to cache fine-grained XACML authorisation and anonymisation decisions, which reduces the authorisation load on the Policy Decision Point (PDP). The theoretical solution is related to a practical case study consisting of a privacy-enhanced intrusion detection system that needs to perform anonymisation of Intrusion Detection Message Exchange Format (IDMEF) XML messages before they are sent to a security operations centre that operates in privacy-preserving mode. The solution increases the scalability of XACML based authorisation significantly, and may be instrumental in implementing federated authorisation and anonymisation based on XACML in several areas, including intrusion detection systems, web services, content management systems and GRID based authentication and authorisation.

Architecture of a consent management suite and integration into IHE-based regional health information networks

BackgroundThe University Hospital Heidelberg is implementing a Regional Health Information Network (RHIN) in the Rhine-Neckar-Region in order to establish a shared-care environment, which is based on established Health IT standards and in particular Integrating the Healthcare Enterprise (IHE). Similar to all other Electronic Health Record (EHR) and Personal Health Record (PHR) approaches the chosen Personal Electronic Health Record (PEHR) architecture relies on the patient's consent in order to share documents and medical data with other care delivery organizations, with the additional requirement that the German legislation explicitly demands a patients' opt-in and does not allow opt-out solutions. This creates two issues: firstly the current IHE consent profile does not address this approach properly and secondly none of the employed intra- and inter-institutional information systems, like almost all systems on the market, offers consent management solutions at all. Hence, the objective of our work is to develop and introduce an extensible architecture for creating, managing and querying patient consents in an IHE-based environment.MethodsBased on the features offered by the IHE profile Basic Patient Privacy Consent (BPPC) and literature, the functionalities and components to meet the requirements of a centralized opt-in consent management solution compliant with German legislation have been analyzed. Two services have been developed and integrated into the Heidelberg PEHR.ResultsThe standard-based Consent Management Suite consists of two services. The Consent Management Service is able to receive and store consent documents. It can receive queries concerning a dedicated patient consent, process it and return an answer. It represents a centralized policy enforcement point. The Consent Creator Service allows patients to create their consents electronically. Interfaces to a Master Patient Index (MPI) and a provider index allow to dynamically generate XACML-based policies which are stored in a CDA document to be transferred to the first service. Three workflows have to be considered to integrate the suite into the PEHR: recording the consent, publishing documents and viewing documents.ConclusionsOur approach solves the consent issue when using IHE profiles for regional health information networks. It is highly interoperable due to the use of international standards and can hence be used in any other region to leverage consent issues and substantially promote the use of IHE for regional health information networks in general.

A Composite Privacy Leakage Indicator

This paper proposes a Subjective Logic based composite privacy leakage metric that both takes into account the amount of information leakage and also that information with high entropy in some cases may be considered encrypted. It is furthermore shown both analytically and experimentally that Min-entropy is considered better than Shannon, Renyi or Max entropy for identifying encrypted content for the composite metric. This is in particular useful for implementing privacy-enhanced Intrusion Detection Systems (IDS), where sampled encrypted traffic can be considered to have low risk of revealing sensitive information. The combined metric can be used in a Policy Enforcement Point that acts as a proxy/anonymiser in order to to reduce the leakage of private or sensitive information from the IDS sensors to an outsourced Managed Security Service provider. Although the composite privacy indicator is IDS specific, the authorisation architecture is general, and may also be useful for anonymising or pseusonymising sensitive information from or to other types of sensors that need to be exposed to the Internet. The solution is based on the eXtensible Access Control Markup Language policy language extended with support for Subjective Logic, in order to provide a method for expressing fine-grained access control policies that are based on uncertain evidences.

Bandwidth Broker

Research community has been showing an immense interest for more than a decade in issues related to providing better than best effort service guarantees on the Internet. A number of options have been explored in this regard. Differentiated Services architecture is one of the proposed solutions that treat traffic flows based on their pre-assigned classes to eliminate scalability issue, otherwise a difficult and non trivial problem to solve. Bandwidth Broker is a logical resource management entity in Differentiated Services domain that performs a number of important functions at inter and intra-domain level to optimize resource utilization. Optimal resource management is not only complex but is tricky in this scenario, as the networks service providing ability is greatly affected by the optimality of domain management. Hence, Bandwidth Broker has been a focus of a lot of research efforts. This paper: a) provides a brief but concise discussion on different functions and modules of Bandwidth Broker, b) points out some advance features proposed for BBs performance enhancements and, c) reviews recent patents directly and indirectly related to Bandwidth Broker. Keywords: Bandwidth broker, DiffServ, QoS, Resource management, Integrated Services (IntServ), Differentiated Services (DiffServ), DiffServ domain, Service Level Agreements (SLA)s, Policy Enforcement Points (PEP)s, Information Acquisition

Towards automating overlay network management

Overlay networks are becoming widely used for content delivery because they provide effective and reliable services that are not otherwise available. However, they can negatively affect each other as well as the underlying network. A management system that controls and adapts their behavior is therefore needed. This will meet not only the specific demands of the users but also those of the network and service providers. This paper presents a novel approach to the issue of automating overlay network management. In contrast to existing management approaches which require static a priori policy configurations, policies are created dynamically. A policy layer consists of a set of policy enforcement points and policy decision points. This is used to capture the goals of users, services, and networks into network-level objectives. The behavior of the overlay network is adapted to the changing conditions in its environment. The creation, adaptation, and termination of overlays are achieved through policies. Policies are generated and enforced on the fly from the context information of the user, the network and the service provider. The new approach provides users and applications with more flexibility to dynamically change their quality-of-service requirements while maintaining smooth quality-of-service delivery. We show the advantages of our architecture and provide simulation results to verify its effectiveness.

Generic policy decision function framework

This paper proposes an abstracted interface between the policy decision function (PDF) and the policy enforcement point (PEP), and a generic, scalable PDF framework with a generic PDF state machine. This PDF framework is compatible with all related standards and offers the potential for rapid prototyping and accelerated product development in next-generation networks. © 2007 Alcatel-Lucent.

Virtual Private Services: Coordinated Policy Enforcement for Distributed Applications

Large scale distributed applications combine network access with multiple storage and computational elements. The distributed responsibility for resource control creates new security issues, caused by the complexity of the operating environment. In particular, policies at multiple layers and locations force conventional mechanisms such as firewalls and compartmented file storage into roles where they are clumsy and failure-prone. Our approach relies on two functional divisions. First, we split policy specification and policy enforcement, providing local autonomy within the constraints of the global security policy. Second, we create virtual security domains each with its own security policy. Every domain has an associated set of privileges and permissions restricting it to the resources it needs to use and the services it must perform. Virtual private services ensure security and privacy policies are adhered to through coordinated policy enforcement points.