Dynamic Access Control Policy Management for Web Applications - PowerPoint PPT Presentation
About This Presentation

Title: Dynamic Access Control Policy Management for Web Applications

Description: original file title "User-Centric Identity and Access Management In Cloud Computing Environment"; author: mishi; last modified by: AIS LAB PC14; created: 11/3/2012 10:16:41 AM (PowerPoint PPT presentation).

Transcript and Presenter's Notes

1
Dynamic Access Control Policy Management for Web
Applications
  • Misbah Irum
  • NUST-MS-CCS-21
  • Supervisor
  • Dr. Abdul Ghafoor Abbasi

2
Agenda
  • Overview
  • Introduction
  • Existing work
  • Problem statement
  • Abstract Architecture
  • Workflow
  • Roadmap
  • References

3
Overview
  • The rapidly developing web environment provides
    users with a wide set of rich services as varied
    and complex as desktop applications.
  • This allows users to create, manage and share
    their content online.
  • It is the user who creates this data, who
    disseminates it and who shares it with other
    users and services.
  • Storing and sharing resources on the Web poses
    new security challenges. Access control in
    particular is currently poorly addressed in such
    an environment.

4
Introduction
  • Access control (authorization) protects resources
    against unauthorized disclosure and unauthorized
    or improper modifications.
  • It ensures that any access to resources or data
    is according to access control policies of the
    system.

5
Introduction
  • As the web has evolved, users are storing and
    sharing more and more resources on the web.
  • Access control provided by a web application is
    tightly bound to the functionality of the
    application; it is not flexible and does not
    follow the security requirements of the user.
  • Users control their resources only through the
    limited access control options provided by these
    web applications, which can result in loss of
    privacy and may raise other security concerns
    such as theft, fraud etc.

6
Introduction
  • As the Web has evolved it has become exceedingly
    user-centric and user-driven.
  • It has recently adopted a user-centric identity
    model where authentication is delegated to
    third-party Identity Providers (IdPs) using
    protocols such as OpenID or Shibboleth.
  • However, the Web still lacks a comparable access
    control solution based on concepts analogous to
    OpenID. Such a mechanism would allow users to
    choose their preferred access control components
    and use their functionality across various Web
    applications.

7
Literature Survey
  • For the proposed work, the literature survey is
    carried out in two parts:
  • Research done on user-centric access control
  • Access control in traditional web applications

8
xAccess: A Unified User-Centric Access
Control Framework for Web Applications
  • In this research Kapil Singh provides a
    user-centric access control framework. It allows
    users to set access control on the content they
    upload to web applications.
  • Analysis
  • Can only be used with applications which have
    installed the xAccess server component.
  • Not generic and cannot meet all the access
    requirements of the user, e.g. section-level
    access control.
  • Singh, K., "xAccess: A unified user-centric access
    control framework for web applications", Network
    Operations and Management Symposium (NOMS),
    pp. 530-533, 16-20 April 2012.

9
Architecture and Protocol for User-Controlled Access
Management in Web 2.0 Applications
  • Machulak and van Moorsel presented this paper at
    the 2010 IEEE 30th International Conference on
    Distributed Computing Systems.
  • Analysis
  • No authentication; it only deals with
    authorization.
  • The working of the authorization manager is not
    explained.
  • Too many steps are involved, which increases the
    complexity.
  • Machulak, M.P., van Moorsel, A., "Architecture
    and Protocol for User-Controlled Access
    Management in Web 2.0 Applications", 30th
    International Conference on Distributed
    Computing Systems Workshops (ICDCSW), pp. 62-71,
    21-25 June 2010.

10
Policy Management as a Service: An Approach to
Manage Policy Heterogeneity in Cloud Computing
Environment
  • This paper was presented at the 2012 45th Hawaii
    International Conference on System Sciences. In
    this research Takabi and Joshi provide policy
    management as a service in a cloud computing
    environment.
  • Analysis
  • Only a policy specification service is provided.
  • Exporting policies into the CSP is a complex task
    and interoperability is a big issue.
  • If the user removes content from one application
    and moves it to another application, the removal
    and export of policies have to be carried out.

11
OAuth 2.0 protocol
  • OAuth is an open standard for authorization. It
    is an authorization delegation protocol.
  • Users delegate limited access to their content
    to third-party applications.
  • Only provides access delegation services.
  • Users cannot write access policies and protect
    their resources according to their access
    requirements.

  (Figure: OAuth 2.0 abstract protocol flow between the
  Client, the Resource Owner, the Authorization Server
  and the Resource Server. Steps in order:)
  • 1. Authorization request (Client to Resource Owner)
  • 2. Authorization grant (Resource Owner to Client)
  • 3. Authorization grant (Client to Authorization
    Server)
  • 4. Access token (Authorization Server to Client)
  • 5. Access token (Client to Resource Server)
  • 6. Protected resource (Resource Server to Client)

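The six-step exchange on this slide, driven end to end by an added example (not code from the thesis): three in-memory stubs stand in for the authorization server, the resource server and the client, and the names photo-app, alice and doc42 are constructed. The resource server's only "policy" is the scope string carried by the token, which is the limitation the slide points out.

```python
import secrets

class AuthorizationServer:
    """Constructed stub: issues one-time grants and scoped tokens."""
    def __init__(self):
        self.grants = {}   # code -> (client_id, owner, scope)
        self.tokens = {}   # token -> (owner, scope)

    def issue_grant(self, client_id, owner, scope):
        # Steps 1-2: the resource owner approves the client's request
        # and the client receives an authorization grant (a code).
        code = secrets.token_urlsafe(16)
        self.grants[code] = (client_id, owner, frozenset(scope))
        return code

    def exchange(self, client_id, code):
        # Steps 3-4: the client presents the grant and gets a scoped
        # access token. The code is single-use and bound to the client.
        grant = self.grants.pop(code, None)
        if grant is None or grant[0] != client_id:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (grant[1], grant[2])
        return token

class ResourceServer:
    """Constructed stub: serves a resource only for a valid, in-scope token."""
    def __init__(self, auth_server, resources):
        self.auth = auth_server
        self.resources = resources   # (owner, name) -> content

    def fetch(self, token, owner, name, action="read"):
        # Steps 5-6: validate the token and the delegated scope. The only
        # "policy" here is the scope set, so the owner cannot express
        # richer rules (the limitation noted on the slide).
        tok_owner, scope = self.auth.tokens.get(token, (None, frozenset()))
        if tok_owner != owner or action not in scope:
            return None
        return self.resources.get((owner, name))

def run_flow():
    """Drive the six steps once; returns (first read, code reuse, write)."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth, {("alice", "doc42"): "hello"})   # constructed
    code = auth.issue_grant("photo-app", "alice", {"read"})
    token = auth.exchange("photo-app", code)
    first = rs.fetch(token, "alice", "doc42")           # "hello"
    reuse = auth.exchange("photo-app", code)            # None: code spent
    write = rs.fetch(token, "alice", "doc42", "write")  # None: out of scope
    return first, reuse, write
```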
12
Access Control in Traditional Web Applications
  • Access control provided by a web application
    resides within the web application.
  • The user is provided with certain access control
    options.
  • The user sets access control on their own
    resources from these options.

13
Problems
  • Some of the problems found in the access control
    provided by web services are as follows:
  • Access control lacks sophistication since it is a
    side issue for typical cloud-based Web 2.0
    applications.
  • User needs to use many diverse and possibly
    incompatible policy languages.
  • User needs to use many diverse and bespoke policy
    management tools with diversified User
    Experience.
  • User lacks a consolidated view of the applied
    access control policies across multiple Web
    applications.

14
Problem Statement
  • Design a secure and generic User-Controlled Access
    Management protocol which enables the user to
    dynamically define access control policies on
    their self-generated resources and to share them
    with authorized users through web services.

15
Abstract Architecture
  (Figure: abstract architecture. Components shown:
  Authentication Server, IDMS, Authorization Server,
  Policy Database, Policy Engine, Web Server, User,
  Access Control Policy, Protected Resources,
  Requestor.)

16
Work Flow
  (Figure: workflow diagram. Components shown:
  Authentication Server, IDMS, Authorization Server,
  Policy Database, Policy Engine, Web Server, User,
  Access Control Policy, Protected Resources,
  Requestor. Message labels in numbered order:)
  • 1.1. Identity info
  • 1.2. Ticket
  • 2.1. Ticket
  • 2.2. Application access
  • 2.3. Create policy
  • 2.4. Upload policies
  • 2.5. Upload resource
  • 3.1. Ticket
  • 3.2. Identity info
  • 4.1. Ticket
  • 4.2. Application access
  • 4.3. Access request
  • 4.4. Query for decision
  • 4.5. Access control decision
  • 4.6. Resource

17
Standards and Technologies
  • Security Assertion Markup Language (SAML): web
    services security standard
  • Extensible Access Control Markup Language (XACML
    3.0): policy specification
  • FIPS 196: authentication
  • Google Docs: web service
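Steps 4.3 to 4.6 of the workflow on slide 16, with the user-authored policy from step 2.4 written in a simplified XACML 3.0 style as listed above, as an added example (not code from the thesis). The policy, the resource name doc42 and the subject identities are constructed, and the combining algorithms are reduced to deny-overrides and permit-overrides.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy uploaded by the user (step 2.4) for her own
# resource doc42, in simplified XACML 3.0 syntax: each Rule has a Target
# (subject, resource, action; "*" means any) and an Effect.
USER_POLICY = """
<Policy PolicyId="doc42-policy" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="share-read" Effect="Permit">
    <Target subject="*" resource="doc42" action="read"/>
  </Rule>
  <Rule RuleId="block-eve" Effect="Deny">
    <Target subject="eve@example.org" resource="doc42" action="read"/>
  </Rule>
  <Rule RuleId="owner-full" Effect="Permit">
    <Target subject="alice@example.org" resource="doc42" action="*"/>
  </Rule>
</Policy>
"""

def rule_matches(target, request):
    """A Rule applies when every Target attribute matches the request."""
    for attr in ("subject", "resource", "action"):
        wanted = target.get(attr)
        if wanted != "*" and wanted != request[attr]:
            return False
    return True

def evaluate(policy_xml, request):
    """Policy Engine (step 4.4 -> 4.5): combine the applicable rules
    and return Permit, Deny or NotApplicable."""
    policy = ET.fromstring(policy_xml.strip())
    alg = policy.get("RuleCombiningAlgId")
    effects = [rule.get("Effect") for rule in policy.findall("Rule")
               if rule_matches(rule.find("Target"), request)]
    if not effects:
        return "NotApplicable"
    if alg == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if alg == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError("unsupported combining algorithm: %s" % alg)

def pep_allows(policy_xml, subject, resource, action):
    """Web Server as enforcement point (steps 4.3 and 4.6): the subject
    is the identity from the requestor's verified ticket; fail closed
    on anything other than an explicit Permit."""
    req = {"subject": subject, "resource": resource, "action": action}
    return evaluate(policy_xml, req) == "Permit"
```

Note that eve's read request matches both the Permit and the Deny rule, and deny-overrides resolves it to Deny; a request that matches no rule is NotApplicable and the enforcement point refuses it.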

18
Thesis Road Map
  Milestones and duration:
  • Preliminary Study and Research: done
  • Detailed Design: 2 weeks
  • Implementation:
    1.1 Implementing authentication protocol: 1 month
    1.2 Creating Access Control Policy module: 1 month
    1.3 Implementing authorization server: 1 month
    1.4 Implementation of final framework incorporating
        user-centric authorization model: 1 month
  • Testing and evaluation: 1 month
  • Thesis writing: 1 month

19
References
  • Fugkeaw, S., Manpanpanich, P., Juntapremjitt, S.,
    "A development of multi-SSO authentication and
    RBAC model in the distributed systems", 2nd
    International Conference on Digital Information
    Management, pp. 297-302, 28-31 Oct 2007.
  • Sunan Shen, Shaohua Tang, "Cross-Domain Grid
    Authentication and Authorization Scheme Based on
    Trust Management and Delegation", International
    Conference on Computational Intelligence and
    Security, vol. 1, pp. 399-404, 13-17 Dec 2008.
  • Osio, G., "A User Perspective on Cloud
    Computing", Third International Conference on
    Advances in Human-Oriented and Personalized
    Mechanisms, Technologies and Services, pp. 1-4,
    22-27 Aug 2010.
  • Ting Zhang, WenAn Tan, "Role-based dynamic access
    control for Web services", International
    Conference on Computer Application and System
    Modeling (ICCASM), vol. 4, pp. V4-507-V4-510,
    22-24 Oct 2010.
  • Laborde, R., Cheaito, M., Barrere, F., Benzekri,
    A., "An Extensible XACML Authorization Web
    Service: Application to Dynamic Web Sites Access
    Control", Fifth International Conference on
    Signal-Image Technology & Internet-Based Systems
    (SITIS), pp. 499-505, Nov. 29-Dec. 4 2009.

20
References
  • Jing Gao, Bin Zhang, Zhiyu Ren, "A dynamic
    authorization model based on security label and
    role", IEEE International Conference on
    Information Theory and Information Security
    (ICITIS), pp. 650-653, 17-19 Dec 2010.
  • Fei Xu, Jingsha He, Xu Wu, Jing Xu, "A
    User-Centric Privacy Access Control Model", 2nd
    International Symposium on Information
    Engineering and Electronic Commerce (IEEC),
    pp. 1-4, 23-25 July 2010.
  • Gail-Joon Ahn, Moonam Ko, Shehab, M.,
    "Privacy-Enhanced User-Centric Identity
    Management", IEEE International Conference on
    Communications, pp. 1-5, 14-18 June 2009.
  • Becker, M.Y., "Specification and Analysis of
    Dynamic Authorization Policies", 22nd IEEE
    Computer Security Foundations Symposium,
    pp. 203-217, 8-10 July 2009.
  • Xiangrong Zu, Lianzhong Liu, Yan Bai, "A Role and
    Task-Based Workflow Dynamic Authorization
    Modeling and Enforcement Mechanism", 1st
    International Conference on Information Science
    and Engineering (ICISE), pp. 1593-1596, 26-28 Dec
    2009.
  • Prochazka, M., Kouril, D., Matyska, L., "User
    centric authentication for web applications",
    International Symposium on Collaborative
    Technologies and Systems (CTS), pp. 67-74, 17-21
    May 2010.

21
References
  • http://www.oauth.net
  • http://www.wikipedia.org/wiki/OAuth
  • http://www.tools.ietf.org/html/draft-ietf-oauth-v2-31
  • http://www.security.setecs.com/Documents/4_SETECS_Cloud_Portal_Security_System.pdf
  • http://www.security.setecs.com/Documents/5_SETECS_Cloud_Security_Architecture.pdf

22
  • Questions
  • Suggestions