User-Centric Identity and Access Management In Cloud Computing

Dynamic Access Control Policy Management for Web Applications
Misbah Irum
NUST-MS-CCS-21
Supervisor: Dr. Abdul Ghafoor Abbasi
Agenda
• Overview
• Introduction
• Existing work
• Problem statement
• Abstract Architecture
• Workflow
• Roadmap
• References
Overview
• The rapidly developing web environment provides users with a wide set of rich services, as varied and complex as desktop applications.
• This allows users to create, manage and share their content online.
• It is the user who creates this data, who disseminates it and who shares it with other users and services.
• Storing and sharing resources on the Web poses new security challenges. Access control in particular is currently poorly addressed in such an environment.
Introduction
• Access control (authorization) protects resources against unauthorized disclosure and unauthorized or improper modification.
• It ensures that every access to resources or data conforms to the access control policies of the system.
Introduction
• As the web has evolved, users store and share more and more resources on it.
• The access control provided by a web application is tightly bound to the functionality of that application; it is not flexible and does not follow the security requirements of the user.
• Users control their resources only through the limited access control options these web applications provide, which can result in loss of privacy and may raise other security concerns such as theft and fraud.
Introduction
• As the Web has evolved it has become exceedingly user-centric and user-driven.
• It has recently adopted a user-centric identity model in which authentication is delegated to third-party Identity Providers (IdPs) using protocols such as OpenID or Shibboleth.
• However, the Web still lacks a comparable access control solution based on concepts analogous to OpenID. Such a mechanism would allow users to choose their preferred access control components and use their functionality across various Web applications.
Literature Survey
• For the proposed work, the literature survey is carried out in two parts:
  ▫ Research done on user-centric access control
  ▫ Access control in traditional web applications
xAccess: A Unified User-Centric Access Control Framework for Web Applications
• In this research Kapil Singh provides a user-centric access control framework. It allows users to set access control on the content they upload to web applications.
Analysis:
• Can only be used with applications that have installed the xAccess server component.
• Not generic and cannot meet all the access requirements of the user, e.g. section-level access control.
Singh, K., "xAccess: A unified user-centric access control framework for web applications". Network Operations and Management Symposium (NOMS), pp.530-533, 16-20 April 2012.
Architecture and Protocol for User-Controlled Access Management in Web 2.0 Applications
• Machulak and Moorsel presented this paper at the 2010 IEEE 30th International Conference on Distributed Computing Systems.
Analysis:
• No authentication; only deals with authorization.
• The working of the authorization manager is not explained.
• Too many steps are involved, which increases the complexity.
Machulak, M.P., van Moorsel, A., "Architecture and Protocol for User-Controlled Access Management in Web 2.0 Applications". 30th International Conference on Distributed Computing Systems Workshops (ICDCSW), pp.62-71, 21-25 June 2010.
Policy Management as a Service: An Approach to Manage Policy Heterogeneity in Cloud Computing Environment
• This paper was presented at the 2012 45th Hawaii International Conference on System Sciences. In this research Takabi and Joshi provide policy management as a service in a cloud computing environment.
Analysis:
• Only a policy specification service is provided.
• Exporting policies into the CSP is a complex task, and interoperability is a big issue.
• If the user removes content from one application and moves it to another, the removal and export of the policies have to be done as well.
Takabi, H., Joshi, J.B.D., "Policy Management as a Service: An Approach to Manage Policy Heterogeneity in Cloud Computing Environment". 45th Hawaii International Conference on System Science (HICSS), pp.5500-5508, 4-7 Jan 2012.
OAuth 2.0 protocol
• OAuth is an open standard for authorization. It is an authorization delegation protocol.
• Users delegate limited access to their content to other third-party applications.
• Abstract protocol flow (participants in the figure: Resource Owner, Client, Authorization Server, Resource Server):
  1. Authorization request: the Client asks the Resource Owner for authorization.
  2. Authorization grant: the Resource Owner returns an authorization grant to the Client.
  3. Authorization grant: the Client presents the grant to the Authorization Server.
  4. Access token: the Authorization Server issues an access token to the Client.
  5. Access token: the Client presents the token to the Resource Server.
  6. Protected resource: the Resource Server returns the protected resource to the Client.
• Only provides access delegation services.
• Users cannot write access policies and protect their resources according to their own access requirements.
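The six-step exchange above, and the limitation the slide draws from it, modelled as a small Python simulation. This is an added example, not code from the deck or from any OAuth implementation: the token format (an HMAC over "owner|client|scope|expiry"), the shared key between the two servers, the owner "alice", the client "print-shop" and the two resources are all constructed here. The resource server can only check the scope string the client originally asked for; nothing in the exchange lets the owner attach a policy of her own, which is exactly the gap the slide points at.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret shared by the authorization server and the resource
# server so the latter can check tokens offline (an assumption of this model).
SHARED_KEY = b"demo-shared-key-not-for-production"


def _mac(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class AuthorizationServer:
    """Steps 2-4: records the owner's grant and exchanges it for a token."""

    def __init__(self, key):
        self.key = key
        self.pending = {}  # authorization code -> (owner, client_id, scope)

    def authorization_grant(self, owner, client_id, scope):
        # Step 2: the resource owner approves the client's request for `scope`
        code = secrets.token_urlsafe(16)
        self.pending[code] = (owner, client_id, scope)
        return code

    def access_token(self, code, client_id, ttl=300):
        # Steps 3-4: the client presents the grant and receives a signed token;
        # each code is single-use and bound to the client it was issued to
        owner, bound_client, scope = self.pending.pop(code)
        if bound_client != client_id:
            raise PermissionError("grant was issued to a different client")
        payload = f"{owner}|{client_id}|{scope}|{int(time.time()) + ttl}"
        return payload + "." + _mac(self.key, payload)


class ResourceServer:
    """Steps 5-6: validates the token and serves the protected resource."""

    def __init__(self, key, resources):
        self.key = key
        self.resources = resources  # (owner, name) -> (required scope, content)

    def protected_resource(self, token, owner, name):
        payload, _, mac = token.rpartition(".")
        if not hmac.compare_digest(mac, _mac(self.key, payload)):
            return "denied: bad token"
        token_owner, _client, scope, exp = payload.split("|")
        if int(exp) < time.time() or token_owner != owner:
            return "denied: expired token or wrong owner"
        required, content = self.resources[(owner, name)]
        # The only owner-influenced input is the scope string the client asked
        # for; there is no owner-written policy to consult at this point.
        if required not in scope.split():
            return f"denied: token scope '{scope}' lacks '{required}'"
        return content


def run_flow():
    """Drives the six-step exchange for a constructed owner, client and resources."""
    auth = AuthorizationServer(SHARED_KEY)
    rs = ResourceServer(SHARED_KEY, {
        ("alice", "holiday.jpg"): ("photos:read", "<constructed jpeg bytes>"),
        ("alice", "diary.txt"): ("notes:read", "<constructed private notes>"),
    })
    # 1. the client asks alice for read access to her photos; 2. she grants it
    code = auth.authorization_grant("alice", "print-shop", "photos:read")
    # 3.-4. the client exchanges the grant for an access token
    token = auth.access_token(code, "print-shop")
    # 5.-6. the client presents the token; the resource server enforces scope only
    return {
        "photo": rs.protected_resource(token, "alice", "holiday.jpg"),
        "diary": rs.protected_resource(token, "alice", "diary.txt"),
        "forged": rs.protected_resource(token[:-1] + "x", "alice", "holiday.jpg"),
    }


if __name__ == "__main__":
    for step, outcome in run_flow().items():
        print(f"{step}: {outcome}")
```

Running `run_flow()` serves the photo, refuses the diary because the token's scope does not cover it, and refuses a token whose MAC has been tampered with. Note what is absent: if alice wanted "only my family, only until Friday", the protocol gives her nowhere to say so; that has to come from a policy layer outside OAuth.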
Access Control in Traditional Web Applications
• The access control provided by a web application resides within the web application.
• The user is provided with certain access control options.
• The user sets access control on their own resources from these options.
Problems
• Some of the problems found in the access control provided by web services are as follows:
  ▫ Access control lacks sophistication, since it is a side issue for typical cloud-based Web 2.0 applications.
  ▫ Users need to use many diverse and possibly incompatible policy languages.
  ▫ Users need to use many diverse and bespoke policy management tools with diversified user experience.
  ▫ Users lack a consolidated view of the applied access control policies across multiple Web applications.
Problem Statement
Design a secure and generic User Control Access Management protocol which allows the user to dynamically define access control policies on their self-generated resources and to share them with authorized users through web services.
Abstract Architecture
[Architecture diagram; the components recoverable from the figure:]
• Authentication Server, with the IDMS
• Authorization Server, holding the Policy Database and the Policy Engine
• User, who defines the Access Control Policy
• Web Server, holding the Protected Resources
• Requestor
Work Flow
[Workflow diagram over the same components; the labelled messages as read from the figure, grouped by phase:]
• Phase 1, user authentication: 1.1 Identity info (User to Authentication Server / IDMS); 1.2 ticket (returned to the User)
• Phase 2, application access and policy creation: 2.1 ticket (User to Web Server); 2.2 Application access; 2.3 create policy (User defines the Access Control Policy held by the Authorization Server); 2.5 upload resource (to the Web Server's Protected Resources)
• Phase 3, requestor authentication: 3.1 ticket; 3.2 Identity info (between Requestor and Authentication Server)
• Phase 4, access request and decision: 4.3 Access request (Requestor to Web Server); 4.4 query for decision (Web Server to Policy Engine); 4.5 Access control decision (Policy Engine to Web Server); 4.6 Resource (returned to the Requestor)
Standards and Technologies
• Security Assertion Markup Language (SAML): web services security standard
• Extensible Access Control Markup Language (XACML 3.0): policy specification
• FIPS 196: authentication
• Google Docs: web service
Thesis Road Map
Milestones                                                    Duration
Preliminary Study and Research                                Done
Detailed Design                                               2 weeks
Implementation
  1.1 Implementing authentication protocol                    1 month
  1.2 Creating access control policy module                   1 month
  1.3 Implementing authorization server                       1 month
  1.4 Implementation of final framework incorporating
      user-centric authorization model                        1 month
Testing and evaluation                                        1 month
Thesis writing                                                1 month
References
• Fugkeaw, S., Manpanpanich, P., Juntapremjitt, S., "A development of multi-SSO authentication and RBAC model in the distributed systems". 2nd International Conference on Digital Information Management, pp.297-302, 28-31 Oct 2007.
• Sunan Shen, Shaohua Tang, "Cross-Domain Grid Authentication and Authorization Scheme Based on Trust Management and Delegation". International Conference on Computational Intelligence and Security, vol.1, pp.399-404, 13-17 Dec 2008.
• Osio, G., "A User Perspective on Cloud Computing". Third International Conference on Advances in Human-Oriented and Personalized Mechanisms, Technologies and Services, pp.1-4, 22-27 Aug 2010.
• Ting Zhang, WenAn Tan, "Role-based dynamic access control for Web services". International Conference on Computer Application and System Modeling (ICCASM), vol.4, pp.V4-507-V4-510, 22-24 Oct 2010.
• Laborde, R., Cheaito, M., Barrere, F., Benzekri, A., "An Extensible XACML Authorization Web Service: Application to Dynamic Web Sites Access Control". Fifth International Conference on Signal-Image Technology & Internet-Based Systems (SITIS), pp.499-505, Nov. 29 2009-Dec. 4 2009.
• Jing Gao, Bin Zhang, Zhiyu Ren, "A dynamic authorization model based on security label and role". IEEE International Conference on Information Theory and Information Security (ICITIS), pp.650-653, 17-19 Dec 2010.
• Fei Xu, Jingsha He, Xu Wu, Jing Xu, "A User-Centric Privacy Access Control Model". 2nd International Symposium on Information Engineering and Electronic Commerce (IEEC), pp.1-4, 23-25 July 2010.
• Gail-Joon Ahn, Moonam Ko, Shehab, M., "Privacy-Enhanced User-Centric Identity Management". IEEE International Conference on Communications, pp.1-5, 14-18 June 2009.
• Becker, M.Y., "Specification and Analysis of Dynamic Authorization Policies". 22nd IEEE Computer Security Foundations Symposium, pp.203-217, 8-10 July 2009.
• Xiangrong Zu, Lianzhong Liu, Yan Bai, "A Role and Task-Based Workflow Dynamic Authorization Modeling and Enforcement Mechanism". 1st International Conference on Information Science and Engineering (ICISE), pp.1593-1596, 26-28 Dec 2009.
• Procházka, M., Kouril, D., Matyska, L., "User centric authentication for web applications". International Symposium on Collaborative Technologies and Systems (CTS), pp.67-74, 17-21 May 2010.
• http://www.oauth.net
• http://www.wikipedia.org/wiki/OAuth
• http://www.tools.ietf.org/html/draft-ietf-oauth-v2-31
• http://www.security.setecs.com/Documents/4_SETECS_Cloud_Portal_Security_System.pdf
• http://www.security.setecs.com/Documents/5_SETECS_Cloud_Security_Architecture.pdf
Questions & Suggestions