Which type of access control model uses predefined rules that makes it flexible?

Concepts and Security Model

In SAP Security Configuration and Deployment, 2009

Authentication Approaches

There are two types of authentication approaches that applications running on the SAP J2EE Engine can use.

Declarative authentication is also referred to as container-based authentication. As the name suggests, the authentication and all access control decisions occur within the Web container (that is, the J2EE Engine). The application deployment descriptor (for example, web.xml) defines how the application should be deployed, with specific configuration requirements such as which login module stack to use and how application roles map to the security roles defined on the target J2EE Engine. The authentication process is triggered when a protected resource is accessed. Declarative authentication has the benefit of requiring minimal programming, and changes can be made without any recoding effort.

Programmatic authentication is also known as UME authentication. Applications running on the J2EE Engine authenticate directly against the User Management Engine (UME) using the UME API. The application explicitly triggers authentication, and the whole process is controlled by the authentication framework. Applications that use programmatic authentication are associated with an authentication scheme file (authschemes.xml) that contains settings for the login module stack (the standard setting is default) and for the user interfaces.

J2EE Web applications can use either declarative or programmatic authentication, depending on the developer's choice. Web applications in the Enterprise Portal, for example Web Dynpro applications and Portal iViews, use programmatic authentication.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492843000028

RIoT Control

Tyson Macaulay, in RIoT Control, 2017

Benefits of ABAC

Attribute-based access control (ABAC) can provide fine-grained and contextual access control, which allows for a higher number of discrete inputs into an access control decision, providing a bigger set of possible combinations of those variables to reflect a larger and more definitive set of possible rules, policies, or restrictions on access.

ABAC enables administrators to apply access control policy without complete prior knowledge of the specific subject, using other data points that might be strong indicators of identity. When combined with other attributes, such indicators can form the basis for sufficient trust in the device’s identity and ownership to authorize access to services and transactions. The access control policies that can be implemented in ABAC are limited only by the computational language and the richness of the available attributes.

ABAC can also provide more dynamic access control capability and limit long-term maintenance requirements of object protections because access decisions can change between requests when attribute values change.


URL: https://www.sciencedirect.com/science/article/pii/B9780124199712000133

Policies, Access Control, and Formal Methods

Elisa Bertino, in Handbook on Securing Cyber-Physical Critical Infrastructure, 2012

Risk-Based Access Control

As ABAC relies on attributes about subjects and protected objects, it is critical that the access control mechanism be able to deal with the case in which these attributes are not available when access control decisions are being made, or cannot be verified. An approach by which access is always denied when the required attributes are not available is not always viable, for example in emergency situations in which access to data is crucial. Also, even if the attributes are available, they may be incorrect. It is thus crucial that the access control system be able to estimate the risks resulting from accesses granted to the data when some attributes are missing or their correctness is uncertain. The notion of risk-based access control has been proposed to address such requirements.

Risk-based access control is quite complex, as it requires an approach to encode the subjective knowledge that experts and security administrators have. One such approach, based on fuzzy inference, has been proposed by Ni et al. [23]. As discussed by Ni et al., a fuzzy system is a mathematically sound approach for inferring an unambiguous consequence from vague evidence and subjective if-then rules. Its use has several advantages. It directly supports the representation of subjective knowledge in its rule base. Also, since subjective knowledge is often expressed in vague terms (for example, "the possibility of a cyber attack is very low"), these terms can be described by carefully designed membership functions. Other advantages are that fuzzy inference systems have well-studied semantics and are able to represent both subjective knowledge and objective knowledge. The application of fuzzy inference systems to risk-based access control poses, however, several challenges, including scalability and the choice of operators for aggregating decisions from multiple access control rules and policies. We refer the readers to [23] for a detailed analysis of these issues and approaches.
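As an added illustration of the two points made above (the ABAC decision changing as attribute values change, and risk-based access when attributes are missing or unverified), here is a toy risk estimator in the fuzzy-inference spirit of the Ni et al. approach. It is not code from either chapter: the attribute names (trust, confidence, sensitivity), the membership functions, the rule base, the consequent constants and the thresholds are all constructed assumptions.

```python
"""Risk-based ABAC decision with missing or uncertain attributes.

Toy fuzzy inference system (constructed example, not from the chapter):
  - each attribute carries a value in [0, 1] and a confidence in [0, 1];
  - value=None models an attribute that is unavailable at decision time;
  - subjective if-then rules map fuzzy antecedents to a risk level;
  - the emergency context raises the acceptable risk instead of denying.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Attr:
    """An attribute value plus how confident we are that it is correct."""
    value: Optional[float]      # None = attribute not available
    confidence: float = 1.0     # 1.0 = fully verified, 0.0 = unverified


# Triangular membership functions over [0, 1] (constructed).
def low(x: float) -> float:
    return max(0.0, 1.0 - 2.0 * x)


def high(x: float) -> float:
    return max(0.0, 2.0 * x - 1.0)


def medium(x: float) -> float:
    return max(0.0, 1.0 - 2.0 * abs(x - 0.5))


# Crisp value of each risk consequent, used for weighted-average defuzzification.
RISK_LEVEL = {"low": 0.1, "medium": 0.5, "high": 0.9}

# Acceptable risk under ordinary and emergency conditions (constructed thresholds).
THRESHOLD = {"ordinary": 0.4, "emergency": 0.75}


def risk_score(trust: Attr, sensitivity: Attr) -> float:
    """Estimate the risk of granting access, in [0, 1]."""
    # Missing subject attribute: assume the worst value and zero confidence,
    # so the rules below treat the request as unverified.
    t = 0.0 if trust.value is None else trust.value
    c = 0.0 if trust.value is None else trust.confidence
    # Missing object attribute: assume the object is maximally sensitive.
    s = 1.0 if sensitivity.value is None else sensitivity.value

    # Subjective if-then rules: (firing strength, consequent). AND = min.
    rules = [
        (min(high(s), low(c)), "high"),             # sensitive data, unverified subject
        (min(high(s), high(t), high(c)), "low"),    # sensitive data, verified trusted subject
        (low(s), "low"),                            # low-sensitivity data is low risk anyway
        (min(low(t), high(c)), "high"),             # subject verified to be untrusted
        (medium(c), "medium"),                      # partially verified attributes
        (medium(t), "medium"),                      # middling trust
        (min(medium(s), high(t), high(c)), "low"),  # moderate data, verified trusted subject
    ]
    num = sum(w * RISK_LEVEL[r] for w, r in rules)
    den = sum(w for w, _ in rules)
    # If no rule fires at all, fall back to "uncertain" rather than to 0 risk.
    return 0.5 if den == 0.0 else num / den


def decide(trust: Attr, sensitivity: Attr, emergency: bool = False) -> Tuple[str, float]:
    """Permit when the estimated risk is within the acceptable level for the context."""
    risk = risk_score(trust, sensitivity)
    limit = THRESHOLD["emergency" if emergency else "ordinary"]
    return ("permit" if risk <= limit else "deny", risk)


if __name__ == "__main__":
    sensitive = Attr(0.9)
    print(decide(Attr(0.9, 1.0), sensitive))              # verified clinician: permit
    print(decide(Attr(None), sensitive))                  # unknown subject: deny
    print(decide(Attr(0.7, 0.5), sensitive))              # half-verified: deny ...
    print(decide(Attr(0.7, 0.5), sensitive, True))        # ... but permit in an emergency
    print(decide(Attr(None), Attr(0.1)))                  # unknown subject, public data: permit
```

Re-running `decide` with a higher confidence for the same subject changes the outcome, which is the between-request dynamism the ABAC passage describes.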


URL: https://www.sciencedirect.com/science/article/pii/B9780124158153000236

Access Control Panels and Networks

Thomas L. Norman CPP/PSP, in Electronic Access Control (Second Edition), 2017

Chapter Summary

1. The constant themes of security system development have been and continue to be
   a. More functions
   b. Easier to use
   c. Lower cost
2. Fourth generation access control systems were the first to “farm out” the access control decisions and operation of remote field devices (locks, etc.) to access control panels instead of connecting all those devices centrally to a single computer that made all decisions centrally.
3. Access control panel is a generic phrase that can include:
   a. An electronics panel that can both interface with and control access control system field devices (credential reader, electrified lock, door position switch, and request-to-exit devices)
   b. An electronics panel that can interface with alarm devices (alarm input board)
   c. An electronics panel that can control electrical devices (output control panel)
4. Basic access control panel components include:
   a. A communications board
   b. A power supply and battery
   c. A central processing unit (CPU)
   d. An EPROM
   e. Random access memory (RAM)
   f. Input/output interfaces
5. Access control panel form factors include:
   a. 2, 4, 8, or 16 door connections
   b. Additional inputs and outputs on the main access control panel
   c. Input and output boards moved off the main access control panel board as separate boards attaching to the access control panel or directly on the communications path
6. Access control panel functions include:
   a. Receiving downloaded data from the server(s)
   b. Making access control decisions
   c. Receiving alarm status information from the alarm inputs
   d. Directing the output control to activate a relay
   e. Communicating all event data to the on-board memory (first in-first out)
   f. Communicating all event data to the server(s)
7. Many access control panels also do the following:
   a. Communicate with other access control panels
   b. Communicate with outboard alarm input boards
   c. Communicate with outboard output relay boards
   d. Interlink with other access control panels to create a global antipassback function
8. Fifth generation access control panels can also:
   a. Allow access to all system functions and attributes through SQL or similar language
9. Access control panel location selection has a very big effect on cabling costs.
10. Common local and network connection communication protocols for access control systems include:
   a. RS-232
   b. RS-485 (2- or 4-Wire)
   c. RS-422
   d. TCP/IP
11. Multicast protocol should not be used on a switch port serving TCP/IP devices as it will cause communications problems.
12. A typical VLAN configuration is as follows:
   a. VLAN 0—Not used
   b. VLAN 1—Administrative VLAN for digital switches
   c. VLAN 2—Digital video VLAN
   d. VLAN 3—Alarm/access control system VLAN
   e. VLAN 4—Digital intercom VLAN
13. The key to reliability is good design, good installation, good wiring, good power, and a good data infrastructure.
14. Good wiring practices do more than look good; they help ensure reliable system operation.
15. A good design is one that ensures that the system will be reliable, expandable, and flexible.
16. Reliable design includes enclosing all exposed system cables in conduit and ensuring that power is reliable.
17. After poor wiring, power quality and reliability are probably the biggest problems with unreliable alarm/access control systems.
18. Reliable digital communications requires quality digital switches.
19. Everything fails. Redundancy helps ensure reliability when things fail.

Q&A

1. The purpose of wiring all access control devices centrally was to:
   a. Achieve both centralized control and reporting
   b. Achieve both centralized command and control
   c. Achieve both centralized management and distribution
   d. Achieve both centralized delivery and maintenance
2. The constant theme of security system development has been and continues to be:
   a. More functions
   b. Easier to use
   c. Lower cost
   d. All of the above
3. An alarm/access control system comprises:
   a. Field elements and system panels
   b. Servers and workstations
   c. Communications infrastructure and software
   d. All of the above
4. An Access Control Panel must communicate with the:
   a. Digital video system
   b. Access control system
   c. Security intercom system
   d. Building automation system
5. The access control panel must make:
   a. Access control decisions
   b. Alarm decisions
   c. Employee plan decisions
   d. Visitor plan decisions
6. Access control panels include:
   a. A communications board and EPROM
   b. A power supply and random access memory (RAM)
   c. A central processing unit and input/output interfaces
   d. All of the above
7. Access control panel functions must:
   a. Receive downloaded data from servers
   b. Make access control decisions
   c. Receive alarm status information from alarm inputs
   d. All of the above
8. Access control panel functions must:
   a. Direct the output control to activate a relay
   b. Communicate all event data to the on-board memory
   c. Communicate all event data to the server(s)
   d. All of the above
9. Access control panel functions must:
   a. Direct the output control to turn on the workstation
   b. Communicate all event data to the building automation system
   c. Both a and b
   d. Neither a nor b
10. Access control panel functions may:
   a. Communicate with other access control panels
   b. Communicate with outboard alarm input panels
   c. Both a and b
   d. Neither a nor b
11. Access control panel functions may:
   a. Interlink with other access control panels to create a global antipassback function
   b. Communicate with outboard output relay panels
   c. Both a and b
   d. Neither a nor b
12. Access control panel functions may:
   a. Interlink with the CCTV system to monitor intercoms
   b. Interlink with the Intercom system to monitor fire alarms
   c. Both a and b
   d. Neither a nor b
13. Fifth generation access control panels can also:
   a. Allow access to all system functions and attributes through SQL or similar language
   b. Allow access to all system functions and attributes through Pascal, Fortran, or similar language
   c. Allow access to all CCTV system functions and attributes through dry contact interfaces
   d. None of the above
14. Fully developed fifth generation systems:
   a. Blur the line between physical and logical worlds
   b. Blur the line between Alarm and CCTV Systems
   c. Blur the line between operators and guards
   d. None of the above
15. TCP/IP Ethernet communication:
   a. Has made alarm/access control systems more costly
   b. Has opened up new opportunities for cost savings
   c. Has allowed PC computers to operate card readers through USB connections
   d. None of the above
16. The most common communications protocols for access control systems included:
   a. RS-232, RS-485, RS-422, and TCP/IP
   b. RS-232 and RS-485
   c. RS-422 and TCP/IP
   d. None of the above
17. Because of ___________ it is important to establish a VLAN on the digital switch network to isolate devices’ access control panels from digital video or intercom systems.
   a. Unicast Protocol
   b. Multicast Protocol
   c. UUNet Protocol
   d. International Protocol
18. Redundancy helps assure reliability when:
   a. Earthquakes strike
   b. Tsunamis strike
   c. Employees strike
   d. Things fail

Answers: (1) a; (2) d; (3) d; (4) b; (5) a; (6) d; (7) d; (8) d; (9) d; (10) c; (11) c; (12) d; (13) a; (14) a; (15) b; (16) a; (17) b; (18) d.


URL: https://www.sciencedirect.com/science/article/pii/B9780128054659000178

Securing Web Applications, Services, and Servers

Gerald Beuchelt, in Computer and Information Security Handbook (Third Edition), 2017

Background

Since web services are intended to implement a distributed architecture, it becomes very important to manage the identities of the participating actors: the different systems implementing the services or the clients need to fully understand who they are interacting with in order to make access control decisions that are consistent with the security policies for the systems. While this has always been the case for complex systems, the loosely coupled design of web services exacerbates this problem and requires a number of new patterns to address it in a reliable way. The identity management community created a number of patterns that allow not only simple authentication but also advanced patterns, including:

Single Sign On (SSO) using mutually trusted identity servers. This idea is based on the SSO mechanisms used for web applications: a user (or machine entity) authenticates once to a trusted identity server, which issues security tokens that can be used to sign into relying parties (sometimes also called service providers). This pattern decouples the process of identification and authentication itself from the use of the authentication and authorization.

Federations of identity providers. In order to allow cross-organizational access to web services, the concept of an identity federation was introduced. In this pattern the operators of two separate identity servers (such as in Company A and Company B) decide to trust each other's authentication process. This is realized by allowing a client to exchange a security token from the identity server of Company A with a security token from Company B. This allows the client to access services that trust Company B's identity server.

Complex, distributed authorization. By fully decoupling the authentication process from the authorization to access a resource, web services can allow very flexible authorization mechanisms such as Attribute-Based Access Control (ABAC).

Other patterns, such as privacy-preserving authentication and authorization, have also been demonstrated and implemented using web services-based identity management technologies. While many of these patterns were pioneered for the SOAP stack, recent developments have brought most of them to REST-styled HTTP services. Due to its expressiveness and top-down design, SOAP-based identity management is quite achievable. In real-world implementations, some of the performance issues of XML processing have limited the broad adoption of SOAP-based identity management technologies. The initially less feature-rich REST designs have always leveraged the efficiency of the underlying transport protocols, resulting in a much slower availability of useful patterns but providing a much better price/performance ratio.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000107

Role of Blockchain Technology in IoT Applications

Aafaf Ouaddah, in Advances in Computers, 2019

The integration of physical objects into the internet infrastructure requires lightweight security mechanisms that can be used even in constrained environments. However, current security standards and access control solutions were not designed with such aspects in mind. They are not sufficient to meet the needs of these nascent ecosystems regarding scalability, interoperability, lightness and end-to-end security [27]. These challenges have attracted more and more attention from the research community, and recently several efforts have started to emerge in this direction. Those solutions can be categorized within three approaches, as follows (see Fig. 3):


Fig. 3. Existing access control architectures in IoT.

The Centralized architecture

This approach consists in outsourcing the IoT device's access control related operations to a trusted third entity. This entity, also known as a Policy Decision Point (PDP), could be instantiated by a back-end server or a gateway directly connected to the device that it manages. It is responsible for analyzing access requests based on the stored access control policies. Therefore, requesters wishing to get access to the data provided by end devices are asked to pass through those trusted third parties. The bright side of this architecture consists in relieving constrained devices (i.e., sensors, actuators) from the burden of processing heavy access control functionalities, which enables the use of standard access control technologies such as SAML and HTTPS (to transport authentication information in a secure way) and XACML (to define complex access control policies), among many others. However, in the context of IoT this architecture presents major disadvantages, listed as follows. First, end-to-end security is dropped by the introduction of a trusted third party. Second, within this architecture the role of IoT devices in the decision-making process is strictly limited. As a result, the elaboration of smart authorization policies, where access control decisions are based on contextual information instantaneously collected from the environment of IoT end devices, is highly challenging. Third, the Resource Owner (RO) access control policies as well as the users' authorization requests are revealed to the trusted party. As a result, the privacy of both the resource owner and the requester is compromised. Fourth, the PDP remains a bottleneck and a single point of failure that can disrupt the entire network. This is particularly important when it is directly tied to critical IoT services.

The Decentralized architecture with trustful entity

In this approach, the device participates partially in the elaboration of the access control decision. Its main role consists in gathering contextual information from its surrounding environment (location, temperature, humidity, power level, etc.) and sending it to a trusted third party. This trusted third party receives the access control requests and makes the decision based on pre-defined policies and the contextual information received from the smart object. Like the centralized approach, this architecture enables the use of already existing authorization technologies, with the need to establish a connection between the trusted third party and the connected device to transfer the contextual information. However, in this scenario, additional security measures have to be taken to secure the communication channel between the trusted third party and the end device so as to protect the transferred information. In addition, the end device has to be configured to decide whether or not to provide its collected data. Moreover, the transfer of contextual information to the trusted party cannot be achieved instantaneously, meaning that this architecture is not recommended in use cases where real-time access decisions are required, such as health-care scenarios or SCADA systems. Finally, the privacy of the resource owner and the requester is not considered.

The Distributed architecture

The distributed approach consists in locating and embedding the intelligence for processing an access control decision on the device side. This approach matches perfectly the real essence of IoT, where intelligence is located at the edge of the network. It presents many impressive and promising advantages regarding the privacy of the resource owner and the requester, as no trusted third party is involved. With the edge-intelligence principle, end users are more empowered to control access to their own devices by defining their own policies. Furthermore, it becomes possible to make a smart access control decision in real time. Moreover, the cost of managing the data generated by IoT devices is lower than in the two preceding approaches, where a cloud back end has to be provided for each connected smart object. In the distributed approach, devices are authorized to send information only when it is necessary. Finally, end-to-end security can be achieved.

However, the most challenging hurdle in this approach arises from the inherent features of existing access control technologies such as RBAC [28], ABAC [29] and OAuth [30], which make their implementation unfeasible in resource-constrained devices [31].

Consequently, much effort has to be conducted to deeply analyze the viability of adapting existing access control models or defining new proposals that meet the requirements of a distributed access control approach.


URL: https://www.sciencedirect.com/science/article/pii/S0065245818300676

Leveraging Semantic Web Technologies for Access Control

Eugenia I. Papagiannakopoulou, ... Iakovos S. Venieris, in Emerging Trends in ICT Security, 2014

Introduction

Any security violation or breach includes illicit access to some resources, be they systems, data, or operations. In this context, the evolution of security policies has brought access control to the core of security, and also of privacy protection. Therefore, beyond legacy access control models, such as Discretionary Access Control (DAC), Mandatory Access Control (MAC) [1], and the well-adopted Role-Based Access Control (RBAC) [2], a variety of systems have been proposed, introducing a manifold of additional features. Most of the prominent approaches typically propose enhancements to RBAC models in order to incorporate different criteria in access control decisions, rather than just which user holding which role is performing which action on which object. In that respect, access control models have adopted concepts such as organization [3], context [4], attributes [5], and Separation and Binding of Duty (SoD/BoD) [6], among others, whereas Privacy-Aware Access Control [7] has emerged as a research field fostering personal data protection by leveraging access control. The advent of the Semantic Web and the technologies it brings, such as semantic ontologies and reasoning mechanisms, has provided access control with new potential. Therefore, several approaches have leveraged Semantic Web technologies in various ways, seeking expressiveness, formal semantics, and reasoning capabilities; as a starting point, the Web Ontology Language (OWL) [8] was used to develop policy languages for the Web, such as Rei and KAoS [9], as well as to provide interoperability while accessing heterogeneous databases, as in [10–12].

This chapter provides an overview of the most characteristic access control approaches that make use of Semantic Web technologies. The motivation, application domain, and usage patterns followed by the studied approaches vary significantly. Therefore, the following sections adopt a categorization that is by no means unique, but that highlights important differentiations among the approaches. Since currently RBAC constitutes the baseline for access control, “Implementing RBAC with Ontologies” investigates approaches targeting its ontological implementation, whereas the next three sections outline systems with more specific focus. In particular, “Semantically Extending the XACML Attribute Model” overviews approaches providing semantic extensions to the XACML attribute model, “Ontology-Based Context Awareness” investigates the use of Semantic Web technologies fostering context-awareness in access control, and “Ontological Specification of User Preferences” describes mechanisms for ontologically specifying access and usage control user preferences. The advent of online social networks fed access control with new challenges, so “Semantic Access Control in Online Social Networks” deals with the corresponding semantic approaches. In “DEMONS Ontological Access Control Model,” the DEMONS model, developed by the authors, is outlined; it is a fully ontological approach, combining various features and providing several advantages. Finally, “Discussion” concludes the chapter with a comparative discussion on the basis of important trends and features of the studied access control approaches.


URL: https://www.sciencedirect.com/science/article/pii/B978012411474600030X

Kernel Evolution

Enrico Perla, Massimiliano Oldani, in A Guide to Kernel Exploitation, 2011

Kernel Defense Mechanisms

Now that we know what kind of information we want to protect in the kernel and who our opponents are, we must devise methods that will allow us to achieve some level of protection. The first step in this regard is to add a mechanism to the kernel to identify actors in the system whose various accesses we will control. Since the primary users of computers are (still) humans, we most often find some form of user account management in the kernel. Such accounts describe identity information associated with the given user, as well as the user's credentials, which the kernel will use to make access control decisions (UNIX UIDs, Linux capabilities, Solaris privileges, Windows SIDs, etc.).

Although these mechanisms are well known and have served us for decades, they also show their age when you consider contemporary computer usage and threats. On the one hand, the world has become networked, which means the data that users care about should be part of the network, so the traditional model of one user account per machine is no longer flexible enough. On the other hand, a given user uses her computer for many different tasks simultaneously, while expecting to both share and isolate data between these tasks. Therefore, the current way of assigning credentials to a user (instead of to applications, etc.) is often too coarse-grained for practical use.

How have we handled these issues so far, and what are the future trends?

For storing data in the network, we have all kinds of service providers (think of all the social networking sites, Gmail, etc.), where the access methods are usually far removed from the low level of the kernel, so there is not much one can do beyond what we have today (e.g., process isolation, filesystem access controls, etc.). Instead, the actual defense must be established in the various user-land pieces.

The situation becomes more interesting for the other case, however. Since the current way to partition “code that does something useful for the user” is to run processes in isolated address spaces (and with other resources, of course), and this isolation is under the kernel's control, it makes sense to extend this mechanism to provide further control over these processes, either to add further isolation or to allow more sharing.

Existing approaches are based on some kind of formal model for access control (Common Criteria Protection Profiles), or simple “common sense” methods (hardened chroot, FreeBSD jail, Solaris Zones, Linux namespaces, etc.). Although these methods solve some problems, especially in multiuser environments, there is a lot of room for improvement in terms of usability and management for single-user environments, where these methods have seen little penetration so far (e.g., Internet Explorer 8/Chrome processes, Windows 7 integrity levels, SE Linux sandboxes, etc.).

Let's not forget as well that all these access control mechanisms rely on the integrity of the kernel. Therefore, we will need a high level of assurance of kernel correctness, which is challenging to achieve, as we will see in the next section.


URL: https://www.sciencedirect.com/science/article/pii/B9781597494861000097

An analysis of security access control on healthcare records in the cloud

P. Chinnasamy, ... K. Shankar, in Intelligent Data Security Solutions for e-Health Applications, 2020

3.5 Access-control constraints for EHRs

The members of the EHR system need to fulfill the following requirements. The access-control criteria of attendants include the things the medical caretakers need to determine: who is allowed to access their Electronic Health Records, who determines what sensitive information is in their EHRs, and who is allowed to access it. This case does not require any sort of constraint [30]; access-control decision-making is possible in the ordinary way. A single independent user dynamically acquires some or all of the permissions from a sensitive combination of permissions. These requirements are met by using DAC, MAC, and RBAC interfaces in the following steps:

RBAC tries to reduce the gap by combining the forced organizational constraints with the flexibility of explicit authorization.

In RBAC, the roles for users are assigned statically and cannot be used in a dynamic environment. It is more difficult to change the access rights of the user without changing the specified roles of the user.

The role is nothing but the simplified version of the user behavior and their assigned duties. These are used to assign system resources to the departments and their respective members.

Roles define the specification, whereas enforcement is required for protection while the real-world policies may need to be defined.

Constraint specification in ABAC is not as predictable as in RBAC, since there are many different attributes. Constraints may exist among the values of a set-valued attribute and also across the values of different attributes.

Patients nominate the names of particular professionals they trust, and this is achieved via the DAC interface after which the Access Control List (ACL) is created.

With the help of security labels, data can be classified into sensitive/protected information. This can be achieved by MAC interfaces to update EHR data.

Practically, we do not recommend utilizing the “no-read-up” and “no-record” rules that are implemented in MAC. This is because, for most patients, keeping track of the transitive connections enforced by a full hierarchy of security levels would be too convoluted a task. Alternatively, simple access/no-access settings must be given to patients.

3.5.1 Overall performance of access controls

Dynamicity: DAC, RBAC, MAC, and ABAC do not possess this feature, as they only permit the expression of security policies that are restricted to static authorizations, although ABAC is strong in the dynamic condition in which the users’ attributes are allotted at the time of the request and used to settle the access decision.

Distributed Systems: Classical models are tricky for distributed systems. ABAC supports a distributed environment where the number of users is very high. Furthermore, there is an assurance that the user attributes are brought together in the database in an open and distributed environment.

Simplicity: All the access controls are administratively straightforward, and the access-control model is simple to utilize in that the permissions are assigned statically as per the static set-up policies. Although the ABAC model is complex because it is very flexible and shareable, it also supports global agreement even though the user attributes are heterogeneous.

Trust: Trust is one of the most significant issues in an access-control mechanism. Trust is primarily acquired in the local domain. It has been established that, in ABAC, establishing trust is more complex because of the global understanding of the attributes required in the sharable environment. All the models are most appropriate for structures that operate in an open domain, such as cloud computing, where various organizations can guarantee both access to data and security for their resources.

As users of EHR systems, medical professionals have certain significant criteria for access control. In healthcare, a specialist could hold the role of a doctor and/or intern. This implies that individuals, based on their expertise, are associated with the activities related to their jobs—either doctor or intern—without the administrator listing the doctor and intern activities. Health professionals must:

Access all information needed to meet the medical function under ordinary situations (e.g., standard GP consultation) except when the patient has prevented the physician from accessing the data field.

Access all the data needed during emergencies regardless of patient access-control environments.

Link health professionals across the globe through virtual communities of practice so that they can inform one another about effective policies and promote successful practices while at the same time hiding patients’ critical medical information.
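The first two rules above, as an added example that is not part of the original chapter: a small attribute-based policy decision point in Python. The role-to-field mapping, the patient's nominated professionals and blocked fields (the DAC list from the earlier excerpt), the emergency environment attribute and all names are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed example (not the chapter's code): a minimal attribute-based
# policy decision point (PDP) for the health-professional rules above.

# Assumed: the data fields each role needs to meet its medical function.
ROLE_FIELDS = {
    "doctor": {"diagnosis", "medication", "history", "psychiatric_notes"},
    "intern": {"diagnosis", "medication"},
}

@dataclass
class Subject:
    name: str
    role: str                      # subject attribute, e.g. "doctor" or "intern"

@dataclass
class Record:
    patient: str
    trusted: set[str]              # DAC list: professionals the patient nominated
    blocked: dict[str, set[str]] = field(default_factory=dict)  # field -> barred professionals

@dataclass
class Env:
    emergency: bool = False        # environment attribute

EMERGENCY_LOG: list[tuple[str, str, str]] = []   # (subject, patient, field) kept for audit

def decide(subject: Subject, record: Record, data_field: str, env: Env) -> tuple[str, str]:
    """Return ("permit" | "deny", reason) for reading one field of a record."""
    needed = ROLE_FIELDS.get(subject.role)
    if needed is None:
        return "deny", "not a recognised health-professional role"
    if env.emergency:
        # Rule 2: emergencies override the patient's own access-control settings,
        # so the break-glass access is recorded for later review rather than blocked.
        EMERGENCY_LOG.append((subject.name, record.patient, data_field))
        return "permit", "emergency override"
    # Rule 1: ordinary situations, least privilege per role ...
    if data_field not in needed:
        return "deny", "field not needed for this role's medical function"
    # ... narrowed further by what the patient decided through the DAC interface.
    if subject.name not in record.trusted:
        return "deny", "professional not nominated by the patient"
    if subject.name in record.blocked.get(data_field, set()):
        return "deny", "patient blocked this professional from the field"
    return "permit", "ordinary consultation"
```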

The ratio is often skewed, resulting in fewer health providers in rural areas, which results in inefficient secondary services in smaller towns, whereas a high concentration of tertiary healthcare services is available in urban areas.


URL: https://www.sciencedirect.com/science/article/pii/B9780128195116000066

Identity and Access Management in NFV

Zonghua Zhang, Ahmed Meddahi, in Security in Network Functions Virtualization, 2017

4.2.2 Public clouds

Because cloud service providers may serve many different users, access control and user identity privacy protection are extremely complicated in a multi-tenant environment. Therefore, in [XIO 13], the authors proposed an approach called privacy preserving access management (PRAM) to address identity privacy and access control concerns in cloud services by: (1) using blind signatures and hash chains to protect identity privacy and secure authentication; (2) integrating on-demand access control with a service level agreement (SLA) to provide flexible fine-grained access management. As shown in Figure 4.2, PRAM consists of five components: users, cloud service provider, registration servers, authentication and policy decision point (PDP).


Figure 4.2. The PRAM architecture [XIO 13]

Users: on first use, a user U must register at a registration server RS, which issues an authorized credential SID to U. This SID is used for subsequent authentication with the PDP when the user attempts to access a cloud service.

Cloud service provider (CSP): which is in charge of providing the cloud service data to authorized users.

Registration server (RS): which is responsible for the registration of all the users and all the kinds of cloud services.

Authentication: which refers to the process of determining whether U is who they claim to be. In order to evaluate the access control decision, PRAM adopts the attribute-based access control mechanism [JIN 12] and the access control policies stored in the policy repository of PDP. If the authentication is successful, PDP allows U to access the requested service and relays this decision message back to PEP.

Policy decision point (PDP): which is connected with the access control policy repository and the policy enforcement point (PEP). In particular, the PEP is responsible for receiving request messages from U, forwarding them to the PDP for a decision, and finally returning the decision result to U. When the PDP receives the request message from U, it first authenticates U for access to the requested cloud service. The evaluation is based on the description of the user’s attributes and the SLA. The PDP finally issues the decision result to the PEP, which uses it to inform U (access or reject).

Although a lot of IAM schemes for public clouds [IRW 09, XIO 13, GHA 13] have been designed, there are no standards available. Basically, the designs need to meet the following requirements, as suggested by the authors of [YAN 14]:

Strong and flexible authentication: one-time password (OTP) and multi-factor authentication should be available as alternative options.

Data loss prevention: it should be able to monitor, protect and verify the security of data during processing as well as while stored in the cloud.

To meet the requirements, the authors proposed an IAM architecture, as shown in Figure 4.3, which consists of four components: cloud resource provider, identity management (IdM), policy management (PM) and resource engine and policy decision-making (REPD). Their specific roles are explained as follows:


Figure 4.3. Identity and access management architecture [YAN 14]

Cloud resource provider is responsible for providing access to resources based on a user’s asserted identity and privilege.

Identity management (IdM) is used to manage users and their identities, issue credentials, and authenticate and assert the user’s identity.

Policy management (PM) enforces access rules that associate users with resources. In particular, it ensures that provisioning requests conform to the policies, which are defined through four functions: attribute management, user authorization, resource management and access policy management.

Resource engine and policy decision-making (REPD), which has two functions: (i) determining whether to allow users to access the requested resources and (ii) finding resources that meet the user’s request. After the REPD receives a user request, it submits an authentication request to the IdM. If the user is authenticated, the REPD then submits a query to the PM. Once authorized, the user can gain access to the requested resources; otherwise access is denied.


URL: https://www.sciencedirect.com/science/article/pii/B9781785482571500042

What type of the access control system uses predefined rules and does not have the concept of a resource owner?

Role-based access control In these systems, predefined roles are associated with specific permissions. They allow the administrator to assign an individual only the amount of access required for them to do their job.

Which access control model has a policy that is a function of the subject's characteristics?

Attribute-based access control (ABAC), also known as policy-based access control for IAM, defines an access control paradigm whereby a subject's authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment ...

What access control model is least restrictive?

The Discretionary Access Control, or DAC, model is the least restrictive model compared to the most restrictive MAC model. DAC allows an individual complete control over any objects they own along with the programs associated with those objects.

Which of the access control schemes listed is the most restrictive quizlet?

A data custodian/steward is an individual to whom day-to-day actions have been assigned by the owner. Which access control scheme is the most restrictive? d. The opposite of DAC is the most restrictive access control scheme, Mandatory Access Control (MAC).