Enforcing ASTD Access-Control Policies with WS-BPEL Processes in SOA Environments

2011 ◽  
Vol 2 (2) ◽  
pp. 37-59 ◽  
Author(s):  
Michel Embe Jiague ◽  
Marc Frappier ◽  
Frédéric Gervais ◽  
Régine Laleau ◽  
Richard St-Denis
Keyword(s):  
Policy Decision ◽  
Policy Enforcement ◽  
Decision Point ◽  
Public Agencies ◽  
Web Based ◽  
Access Control Policies ◽  
Policy Decision Point ◽  
Security Rule ◽  
Private Corporations ◽  
Bpel Processes

Controlling access to the Web services of public agencies and private corporations depends primarily on specifying and deploying functional security rules to satisfy strict regulations imposed by governments, particularly in the financial and health sectors. This paper focuses on one aspect of the SELKIS and EB3SEC projects related to the security of Web-based information systems, namely, the automatic transformation of security rules into WS-BPEL (or BPEL, for short) processes. The former are instantiated from security-rule patterns written in a graphical notation, called ASTD that is close to statecharts. The latter are executed by a BPEL engine integrated into a policy decision point, which is a component of a policy enforcement manager similar to that proposed in the XACML standard.

Enforcing ASTD Access-Control Policies with WS-BPEL Processes in SOA Environments

2013 ◽  
pp. 252-273
Author(s):  
Michel Embe Jiague ◽  
Marc Frappier ◽  
Frédéric Gervais ◽  
Régine Laleau ◽  
Richard St-Denis
Keyword(s):  
Policy Decision ◽  
Policy Enforcement ◽  
Public Agencies ◽  
Web Based ◽  
Access Control Policies ◽  
Policy Decision Point ◽  
Security Rule ◽  
Private Corporations ◽  
Bpel Processes ◽  
The Web

Controlling access to the Web services of public agencies and private corporations depends primarily on specifying and deploying functional security rules to satisfy strict regulations imposed by governments, particularly in the financial and health sectors. This paper focuses on one aspect of the SELKIS and EB3SEC projects related to the security of Web-based information systems, namely, the automatic transformation of security rules into WS-BPEL (or BPEL, for short) processes. The former are instantiated from security-rule patterns written in a graphical notation, called ASTD that is close to statecharts. The latter are executed by a BPEL engine integrated into a policy decision point, which is a component of a policy enforcement manager similar to that proposed in the XACML standard.

A Graph and Clustering-Based Framework for Efficient XACML Policy Evaluation

2020 ◽  
Vol 29 (01n02) ◽  
pp. 2040001
Author(s):  
Yanfei Li ◽  
Fan Deng
Keyword(s):  
Access Control ◽  
Policy Decision ◽  
Experimental Results ◽  
The Sun ◽  
Evaluation Performance ◽  
Évaluation Performance ◽  
Aggregate Function ◽  
Access Control Policies ◽  
Policy Decision Point ◽  
Rule Set

EXtensible Access Control Markup Language (XACML) is one of the standardized languages for specifying access control policies. Policies described by the XACML are used to express the security requirement in the network and information system when we study authorization access control. With the aim to improve the Policy Decision Point (PDP) evaluation performance, we put forward a Graph and Clustering-Based Framework, employing the aggregate function. First, we partition the rule set into subsets. For the single value, we select the best partition quantity based on the aggregate function. As for the interval value, we handle with the start point and the finish point, respectively, in the same way as single value. Second, the policy set is split according to the partition of rule set. In this way, not only single values, but also interval values are taken into consideration. After that, we explore the searching tree to obtain the possibly matched rules. Finally, we construct the combining tree and output the policy decision on the basis of it. The experimental results show that our approach is orders of magnitude better than the Sun PDP. A comparison in evaluation performance between the redundancy detecting and eliminating engine and the Sun PDP, as well as XEngine and SBA-XACML, is made. Experimental results show that the evaluation performance of the PDP can be prominently improved by eliminating redundancies.

scholarly journals Policy Decomposition for Evaluation Performance Improvement of PDP

2014 ◽  
Vol 2014 ◽  
pp. 1-14 ◽  
Author(s):  
Fan Deng ◽  
Ping Chen ◽  
Li-Yong Zhang ◽  
Xian-Qing Wang ◽  
Sun-De Li ◽  
...  
Keyword(s):  
Performance Improvement ◽  
Greedy Algorithm ◽  
Policy Decision ◽  
Decision Point ◽  
Evaluation Performance ◽  
Évaluation Performance ◽  
Policy Decision Point ◽  
Evaluation Time ◽  
The Cost ◽  
The Greedy Algorithm

In conventional centralized authorization models, the evaluation performance of policy decision point (PDP) decreases obviously with the growing numbers of rules embodied in a policy. Aiming to improve the evaluation performance of PDP, a distributed policy evaluation engine called XDPEE is presented. In this engine, the unicity of PDP in the centralized authorization model is changed by increasing the number of PDPs. A policy should be decomposed into multiple subpolicies each with fewer rules by using a decomposition method, which can have the advantage of balancing the cost of subpolicies deployed to each PDP. Policy decomposition is the key problem of the evaluation performance improvement of PDPs. A greedy algorithm withO(nlgn)time complexity for policy decomposition is constructed. In experiments, the policy of the LMS, VMS, and ASMS in real applications is decomposed separately into multiple subpolicies based on the greedy algorithm. Policy decomposition guarantees that the cost of subpolicies deployed to each PDP is equal or approximately equal. Experimental results show that (1) the method of policy decomposition improves the evaluation performance of PDPs effectively and that (2) the evaluation time of PDPs reduces with the growing numbers of PDPs.

scholarly journals Elimination of the Redundancy Related to Combining Algorithms to Improve the PDP Evaluation Performance

2016 ◽  
Vol 2016 ◽  
pp. 1-18
Author(s):  
Fan Deng ◽  
Li-Yong Zhang ◽  
Bo-Yu Zhou ◽  
Jia-Wei Zhang ◽  
Hong-Yang Cao
Keyword(s):  
Policy Decision ◽  
Brick Wall ◽  
Decision Point ◽  
Evaluation Performance ◽  
Policy Rule ◽  
Évaluation Performance ◽  
Policy Decision Point ◽  
Evaluation Time ◽  
And Storage ◽  
Target Attributes

If there are lots of redundancies in the policies loaded on the policy decision point (PDP) in the authorization access control model, the system will occupy more resources in operation and consumes plenty of evaluation time and storage space. In order to detect and eliminate policy redundancies and then improve evaluation performance of the PDP, aredundancy related to combining algorithmsdetecting and eliminating engine is proposed in this paper. This engine cannot only detect and eliminate theredundancy related to combining algorithms, but also evaluate access requests. AResource Brick Wallis constructed by the engine according to the resource attribute of a policy’s target attributes. By theResource Brick Walland the policy/rule combining algorithms, three theorems for detectingredundancies related to combining algorithmsare proposed. A comparison of the evaluation performance of theredundancy related to combining algorithmsdetecting and eliminating engine with that of Sun PDP is made. Experimental results show that the evaluation performance of the PDP can be prominently improved by eliminating theredundancy related to combining algorithms.

Exploring Type-and-Identity-Based Proxy Re-Encryption Scheme to Securely Manage Personal Health Records

2010 ◽  
Vol 1 (2) ◽  
pp. 1-21
Author(s):  
Luan Ibraimi ◽  
Qiang Tang ◽  
Pieter Hartel ◽  
Willem Jonker
Keyword(s):  
Access Control ◽  
Health Data ◽  
Third Party ◽  
Personal Health ◽  
Encryption Scheme ◽  
Health Records ◽  
Web Based ◽  
The Third ◽  
Access Control Policies ◽  
Identity Based

Commercial Web-based Personal-Health Record (PHR) systems can help patients to share their personal health records (PHRs) anytime from anywhere. PHRs are very sensitive data and an inappropriate disclosure may cause serious problems to an individual. Therefore commercial Web-based PHR systems have to ensure that the patient health data is secured using state-of-the-art mechanisms. In current commercial PHR systems, even though patients have the power to define the access control policy on who can access their data, patients have to trust entirely the access-control manager of the commercial PHR system to properly enforce these policies. Therefore patients hesitate to upload their health data to these systems as the data is processed unencrypted on untrusted platforms. Recent proposals on enforcing access control policies exploit the use of encryption techniques to enforce access control policies. In such systems, information is stored in an encrypted form by the third party and there is no need for an access control manager. This implies that data remains confidential even if the database maintained by the third party is compromised. In this paper we propose a new encryption technique called a type-and-identity-based proxy re-encryption scheme which is suitable to be used in the healthcare setting. The proposed scheme allows users (patients) to securely store their PHRs on commercial Web-based PHRs, and securely share their PHRs with other users (doctors).

scholarly journals A Server-Side JavaScript Security Architecture for Secure Integration of Third-Party Libraries

2019 ◽  
Vol 2019 ◽  
pp. 1-21 ◽  
Author(s):  
Neline van Ginkel ◽  
Willem De Groef ◽  
Fabio Massacci ◽  
Frank Piessens
Keyword(s):  
Programming Language ◽  
Third Party ◽  
Security Evaluation ◽  
Security Architecture ◽  
Policy Enforcement ◽  
Security Threats ◽  
Server Side ◽  
Design And Implementation ◽  
The Past ◽  
Access Control Policies

The popularity of the JavaScript programming language for server-side programming has increased tremendously over the past decade. The Node.js framework is a popular JavaScript server-side framework with an efficient runtime for cloud-based event-driven architectures. One of its strengths is the presence of thousands of third-party libraries which allow developers to quickly build and deploy applications. These very libraries are a source of security threats as a vulnerability in one library can (and in some cases did) compromise an entire server. In order to support the secure integration of libraries, we developed NODESENTRY, the first security architecture for server-side JavaScript. Our policy enforcement infrastructure supports an easy deployment of web hardening techniques and access control policies on interactions between libraries and their environment, including any dependent library. We discuss the design and implementation of NODESENTRY and present its performance and security evaluation.

Public Agencies and Private Agencies

1924 ◽  
Vol 18 (1) ◽  
pp. 34-48
Author(s):  
James D. Barnett
Keyword(s):  
Public Agencies ◽  
Public And Private ◽  
The Public ◽  
Public Corporations ◽  
Public Corporation ◽  
Fundamental Distinction ◽  
Private Corporations ◽  
Legal Entities

Is there any fundamental distinction between so-called “public” and “private” agencies, officers, institutions, corporations, associations, persons—legal entities and quasi-entities of all sorts? It is the theory of the courts that such a distinction exists, but their attempts through a maze of decisions logically to establish a principle of distinction have been futile.Several bases of distinction have been adopted by the courts, including, first, the purpose or interest involved. “An office … seems to comprehend every charge or employment in which the public is interested.” Thus “private corporations are those which are created for the immediate benefit and advantage of individuals…. Public corporations are those which are created for public purposes.”However, it is held that the whole interest in the corporation must be public to make it a public corporation. “Public corporations are political corporations or such as are founded wholly for public purposes and the whole interest in which is in the public. The fact of the public having an interest in the works or property or the object of a corporation, does not make it a public corporation.”

scholarly journals An ABAC Based Policy Definement for Enriching Access Control in Cloud

2019 ◽  
pp. 586-592
Author(s):  
Yagnik A. Rathod ◽  
Chetan B. Kotwal ◽  
Sohil D. Pandya
Keyword(s):  
Cloud Computing ◽  
Access Control ◽  
Access Management ◽  
Web Based ◽  
Software Application ◽  
Access Control Policies ◽  
Processing Power ◽  
Amazon Web Services ◽  
Access Policies ◽  
And Storage

Cloud Computing becomes most preferable solution for satisfying the various requirements of organizations and institutions. Different types of clouds like IaaS, PaaS, SaaS makes cloud capable to fulfills the client's different kind of needs like computer processing power, storage spaces, databases, software, application, web based solutions. Cloud computing can also be useful and worthy in providing certain customized solutions to enhance the capability of legacy systems in terms of effectiveness, reliability and optimization by replication of environment up to satisfactory extent. To provide adequate security solutions for cloud is still a challenging task and access control mechanism is one of the domain which demands significant attention on the mission towards securing clouds. In this paper, our work primarily focus on defining ABAC components, mapping functions and access control policies composed by access rules. Amazon Web Services is one of the most prominent cloud providers. Identity and Access Management (IAM) and Amazon S3 are access management and storage facilities of AWS respectively. ABAC based access policies are attached with the user and storage components for authorization.

Sign in / Sign up

Export Citation Format

Share Document