Innovative Solutions for Access Control Management - Advances in Information Security, Privacy, and Ethics
Latest Publications


Total documents: 10 (five years: 0)

H-index: 2 (five years: 0)

Published By IGI Global

9781522504481, 9781522504498

Author(s): Yumna Ghazi, Rahat Masood, Muhammad Awais Shibli, Sara Khurshid

Cloud technology takes Service Oriented Architecture to the next level, where applications and infrastructure can be outsourced over the internet. It affords flexibility to businesses in terms of the on-demand scalability of services as well as the corresponding payment model. However, these advantages do not make up for the inherent security weaknesses in the Cloud. Among various concerns, Cloud providers struggle to provide adequate authorization mechanisms that would protect customers' critical data. In this regard, Usage Control (UCON) is considered to be the next generation model for digital rights management for all the service models of Cloud. Limited literature work exists on the UCON model; however, new tracks need to be laid out to make this model comply with international standards and policy languages. This chapter provides standardized UCON policy specifications, which will help in the effective development of access control for the Cloud environment.


Author(s): Solomon Berhe, Steven A. Demurjian, Jaime Pavlich-Mariscal, Rishi Kanth Saripalle, Alberto De la Rosa Algarín

To facilitate collaboration in emerging domains such as the Patient-Centered Medical Home (PCMH), the authors' prior work extended the NIST Role-Based Access Control (RBAC) model to yield a formal Collaboration on Duty and Adaptive Workflow (CoD/AWF) model. The next logical step is to place this work into the context of an integrated software process for security engineering from design through enforcement. Towards this goal, the authors promote a secure software engineering process that leverages an extended Unified Modeling Language (UML) to visualize CoD/AWF policies to achieve a solution that separates concerns while still providing the means to securely engineer dynamic collaborations for applications such as the PCMH.


Author(s): Yaira K. Rivera Sánchez, Steven A. Demurjian

The emergence and ubiquity of mobile computing has placed powerful capabilities in one's hand, providing a wide range of applications such as email, calendar, photos, browsers, social network, communication, shopping, health and fitness, games, etc., which were once restricted to traditional platforms. Such applications on a single mobile device raise critical security issues related to managing identity, re-authenticating users that stay active for long periods of time, protecting sensitive PII and PHI against access and misuse, ensuring secure transactions, and protecting the physical device. This chapter explores user authentication requirements for mobile computing by: evaluating alternative user authentication requirements in order to make recommendations on their usage in authentication; identifying authentication methods used in mobile healthcare applications; and proposing a set of requirements for user authentication to handle the situation when a user seeks to be securely authenticated across a set of applications that are placed into context within a framework.


Author(s): Asma Cherif, Abdessamad Imine

Collaborative applications are important applications, allowing users to cooperate in order to perform a given task. Their importance has grown significantly over recent years since they are required in many fields. However, they still lack an appropriate access control mechanism, which limits their full potential. It is hard to conceive an access control model for collaborative applications since they need to change access rights dynamically while maintaining high local responsiveness. This chapter presents a decentralized access control model based on replicating the shared document and its access control policy at each collaborating site. The interaction between document updates and authorization updates is carefully studied to maintain the convergence of the shared data. Our model relies on an optimistic approach to enforce the access control, i.e., users may temporarily violate the access control policy if their rights were revoked concurrently. Illegal operations are undone selectively to eliminate their effects and converge to the same final state of the shared object.


Author(s): Rubina Ghazal, Ahmad Kamran Malik, Nauman Qadeer, Mansoor Ahmed

Information sharing tends to be dynamic in multi-domains because different teams are sharing information in a Collaborative Working Environment (CWE). Secure information sharing is a challenge in such environments. Role Based Access Control (RBAC) is an efficient model for rights management in large systems, but it does not handle the dynamism of collaboration in multi-domain environments to access resources at a fine-grained level. The research aimed to address this issue of secure information and data sharing across multiple domains. The proposed model extends the RBAC model using intelligent agents, ontologies and design patterns. It introduces multi-agent monitors for role and permission assignments, session tracking, constraint handling and maintaining role hierarchy semantically. These agents use deductive learning to adapt to changes and help in decision making for role and permission assignment. The model's working is discussed using a case scenario to ensure secure collaboration in a multi-domain environment.


Author(s): Khurrum Mustafa Abbasi, Irfan ul Haq, Ahmad Kamran Malik, Basit Raza, Adeel Anjum

Service-Oriented Architecture (SOA) has introduced a phenomenon of system's interaction with maximum users. With the development of high speed Internet services, the use of remote devices and software has rapidly increased. It has opened new gateways for renting out resources. The Cloud Service Chain is a process of ownership transfer of a service at different levels by different service providers. The concept of service chain poses novel challenges related to security, trust and privacy of data. In this chapter, we are introducing a mechanism of access control for Cloud service chains. We have discussed the realization of Role-Based Access Control (RBAC) to services of Federated-Cloud. When services are purchased in a bundle, a separate SLA is signed for each. We are also going to introduce a dynamic Role-Level Agreement (RLA) for this type of access control to services. The RLA will be an aggregated SLA for different services in a role. This will be helpful for service providers and the customers to sign a single document for a bundle rather than having a separate one for every service.


Author(s): Shahzaib Tahir, Imran Rashid

Secure communication refers to successful and secure interaction among the participants having common intentions in peer-to-peer or group settings. A group setting is a dynamic environment composed of activities exhibited by individuals in a group where the number of participants is variable. Therefore, the level of security in this environment needs to be given utmost importance. This challenging environment requires maintaining secrecy of cryptographic keys, which is often overlooked. ICMetric is an emerging technology that has gained importance because of its security advantages for embedded system applications. This technology resolves issues of key theft and storage through the development of a device fingerprint that can be used for secure key generation. This research discusses ICMetric in detail by elaborating its salient features. Authors enumerate the current research being carried out on ICMetric technology along with its areas of application. This research elucidates the changes that ICMetric technology has brought to conventional cryptosystem design.


Author(s): Arif Jamal Malik, Muhammad Haneef

During the past few years, the Internet has become a public platform for communication and exchange of information online. The increase in network usage has increased the chance of network attacks. In order to detect malicious activities and threats, several kinds of Intrusion Detection Systems (IDSs) have been designed over the past few years. The goal of an IDS is to intelligently monitor events occurring in a computer system or a network and analyze them for any sign of violation of the security policy as well as retain the availability, integrity, and confidentiality of a network information system. An IDS may be categorized as an anomaly detection system or a misuse detection system. Anomaly detection systems usually apply statistical or Artificial Intelligence (AI) techniques to detect attacks; therefore, these systems have the ability to detect novel or unknown attacks. A misuse detection system uses signature-based detection; therefore, these systems are good at identifying already known attacks but cannot detect unknown attacks.


Author(s): Eugene Sanzi, Steven A. Demurjian

Creating an online identity via a username/password does not provide the ability to establish trust with other systems in order to get access to unauthorized information in a time-critical situation. Trust is the ability of two entities to believe one another at some level, so that they can interact in a secure manner, e.g., a physician at one hospital may need to obtain medical data on a patient from another hospital to treat a patient, facilitated if there is a trusted relationship. This chapter explores adaptive trust negotiation that obtains near real-time permission to access a system to which a user has never previously been authorized, so that the system receiving the request can adjust its security policies depending on the attributes that the requester possesses. To accomplish this, a set of interacting systems (e.g., from different hospitals) can be augmented with identity management and adaptive trust negotiation to create a means where multiple disparate systems can make informed and dynamic security decisions about users relative to their defined security policies.


Author(s): Yousra Asim, Ahmad Kamran Malik

Online Social Networks (OSN) are getting popular day by day. Users share their information in OSN with other users. Access control is required to prevent unauthorized access to this information. Several studies have been conducted for access control in social networks. This chapter is a survey of available access control models/techniques based on social networks. Available access control models can be categorized as relationship-based, attributes-based, community structure-based and user activity-centric models. A number of techniques have been proposed by several authors for access control in social networks. Most of the approaches use Social Network Analysis (SNA) techniques, others use user-related information, for example, attributes or activities, and the rest use a combination of approaches.

