Dynamic Access Control Policy Management for Web Applications

Misbah Irum
NUST-MS-CCS-21
Supervisor: Dr. Abdul Ghafoor Abbasi

1

Agenda

• Overview
• Introduction
• Existing work
• Problem statement
• Abstract Architecture
• Workflow
• Roadmap
• References

2

Overview

• The rapidly developing web environment provides users with a wide set of rich services, as varied and complex as desktop applications.

• This allows users to create, manage and share their content online.

• It is the user who creates this data, who disseminates it and who shares it with other users and services.

• Storing and sharing resources on the Web poses new security challenges. Access control in particular is currently poorly addressed in such an environment.

3

Introduction

• Access control (authorization) protects resources against unauthorized disclosure and unauthorized or improper modifications.

• It ensures that any access to resources or data conforms to the access control policies of the system.

4

Introduction

• As the web has evolved, users are storing and sharing more and more resources on the web.

• The access control provided by a web application is tightly bound to the functionality of that application; it is not flexible and does not follow the security requirements of the user.

• Users control their resources only through the limited access control options provided by these web applications, which can result in loss of privacy and may raise other security concerns such as theft and fraud.

5

Introduction

• As the Web has evolved it has become exceedingly user-centric and user-driven.

• It has recently adopted a user-centric identity model in which authentication is delegated to third-party Identity Providers (IdPs) using protocols such as OpenID or Shibboleth.

• However, the Web still lacks a comparable access control solution based on concepts analogous to OpenID. Such a mechanism would allow users to choose their preferred access control components and use their functionality across various Web applications.

6

Literature Survey

• For the proposed work, the literature survey is carried out in two parts:

▫ Research done on user-centric access control

▫ Access control in traditional web applications

7

xAccess: A Unified User-Centric Access Control Framework for Web Applications

• In this research Kapil Singh provides a user-centric access control framework. It allows users to set access control on the content they upload to web applications.

Analysis:

• Can only be used with applications that have installed the xAccess server component.

• Not generic and cannot meet all the access requirements of the user, e.g. section-level access control.

Singh, K., "xAccess: A unified user-centric access control framework for web applications", Network Operations and Management Symposium (NOMS), pp. 530-533, 16-20 April 2012.

8

Architecture and Protocol for User-Controlled Access Management in Web 2.0 Applications

• Machulak and van Moorsel presented this paper at the 2010 IEEE 30th International Conference on Distributed Computing Systems.

Analysis:

• No authentication; only deals with authorization.

• The working of the Authorization Manager is not explained.

• Too many steps are involved, which increases the complexity.

Machulak, M.P., van Moorsel, A., "Architecture and Protocol for User-Controlled Access Management in Web 2.0 Applications", 30th International Conference on Distributed Computing Systems Workshops (ICDCSW), pp. 62-71, 21-25 June 2010.

9

Policy Management as a Service: An Approach to Manage Policy Heterogeneity in Cloud Computing Environment

• This paper was presented at the 2012 45th Hawaii International Conference on System Sciences. In this research Takabi and Joshi provide policy management as a service in a cloud computing environment.

Analysis:

• Only a policy specification service is provided.

• Exporting policies into the CSP is a complex task, and interoperability is a big issue.

• If the user removes content from one application and moves it to another, the removal and export of the policies has to be done as well.

Takabi, H., Joshi, J.B.D., "Policy Management as a Service: An Approach to Manage Policy Heterogeneity in Cloud Computing Environment", 45th Hawaii International Conference on System Sciences (HICSS), pp. 5500-5508, 4-7 Jan 2012.

10

OAuth 2.0 protocol

• OAuth is an open standard for authorization. It is an authorization delegation protocol.

• Users delegate limited access to their content to other third-party applications.

• Only provides access delegation services.

• Users cannot write access policies and protect their resources according to their own access requirements.

Figure: OAuth 2.0 abstract protocol flow between the four roles Client, Resource Owner, Authorization Server and Resource Server. Messages in order: 1. Authorization request; 2. Authorization grant; 3. Authorization grant; 4. Access token; 5. Access token; 6. Protected resource.

11

Access Control in Traditional Web Applications

• The access control provided by a web application resides within the web application.

• The user is provided with certain access control options.

• The user sets access control on their own resources from these options.

12

Problems

• Some of the problems found in the access control provided by web services are as follows:

▫ Access control lacks sophistication, since it is a side issue for typical cloud-based Web 2.0 applications.

▫ The user needs to use many diverse and possibly incompatible policy languages.

▫ The user needs to use many diverse and bespoke policy management tools with a diversified user experience.

▫ The user lacks a consolidated view of the applied access control policies across multiple Web applications.

13

Problem Statement

Design a secure and generic User-Controlled Access Management protocol that lets users dynamically define access control policies on their self-generated resources and share those resources with authorized users through web services.

14

Abstract Architecture

Figure: abstract architecture with the components Authentication Server / IDMS, Authorization Server, Policy Database, Policy Engine, Web Server, Protected Resources and Requestor; the User supplies the Access Control Policy.

15

Work Flow

Figure: workflow between User, Requestor, Authentication Server / IDMS, Authorization Server, Policy Database, Policy Engine, Web Server and Protected Resources, with the user's Access Control Policy as input. Message labels in order:

1.1 Identity info
1.2 ticket
2.1 ticket
2.2 Application access
2.3 create policy
2.4 upload policies
2.5 upload resource
3.1 ticket
3.2 Identity info
4.1 ticket
4.2 Application access
4.3 Access request
4.4 query for decision
4.5 Access control decision
4.6 Resource

16
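The ticket-then-decision sequence of the workflow above, as an added example that is not part of the original presentation or the thesis code: an authentication server issues a signed ticket after authentication (phases 1 and 3), the user uploads policies to the policy database and a resource to the web server (phase 2), and the web server asks a policy engine for a decision before releasing the resource (phase 4). The identities, the HMAC ticket format, the rule shape and the deny-overrides combining rule are all assumptions chosen for illustration; the thesis' own ticket format and its XACML 3.0 policies are not reproduced here.

```python
"""Toy model of the ticket-based, user-centric authorization workflow (assumed example)."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

AUTH_SERVER_KEY = b"constructed-idms-secret"  # constructed; shared with the web server (assumption)


# --- Authentication server / IDMS: issues tickets after authentication (steps 1.x and 3.x) ---
def issue_ticket(identity: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Ticket = JSON claims + '.' + HMAC-SHA256 tag over the claims (assumed format)."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": identity, "exp": int(now + ttl)}, sort_keys=True)
    tag = hmac.new(AUTH_SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_ticket(ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated identity, or None if the ticket is tampered or expired."""
    now = time.time() if now is None else now
    body, _, tag = ticket.rpartition(".")  # the hex tag never contains '.', so rpartition is safe
    expected = hmac.new(AUTH_SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)
    if claims["exp"] < now:
        return None
    return claims["sub"]


# --- User-written access control policy (step 2.3): a rule targets resource, action and subjects ---
@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    subjects: frozenset  # identities the rule applies to; "*" matches any requestor
    effect: str          # "Permit" or "Deny"

    def matches(self, subject: str, resource: str, action: str) -> bool:
        return (self.resource == resource and self.action == action
                and ("*" in self.subjects or subject in self.subjects))


class PolicyDatabase:
    """Policy database: rules stored per resource owner (step 2.4)."""
    def __init__(self) -> None:
        self._rules: dict = {}

    def upload(self, owner: str, rules: list) -> None:
        self._rules.setdefault(owner, []).extend(rules)

    def rules_for(self, owner: str) -> list:
        return list(self._rules.get(owner, []))


class PolicyEngine:
    """Policy engine (steps 4.4/4.5) with deny-overrides combining: any Deny wins,
    otherwise Permit if some rule permits, otherwise NotApplicable."""
    def __init__(self, db: PolicyDatabase) -> None:
        self.db = db

    def decide(self, owner: str, subject: str, resource: str, action: str) -> str:
        effects = {r.effect for r in self.db.rules_for(owner) if r.matches(subject, resource, action)}
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


class WebServer:
    """Web server holding the protected resources; releases one only on an explicit Permit."""
    def __init__(self, engine: PolicyEngine) -> None:
        self.engine = engine
        self.resources: dict = {}  # (owner, name) -> content

    def upload_resource(self, ticket: str, name: str, content: str, now: Optional[float] = None) -> None:
        owner = verify_ticket(ticket, now)  # step 2.5 requires a valid user ticket
        if owner is None:
            raise PermissionError("invalid ticket")
        self.resources[(owner, name)] = content

    def access(self, ticket: str, owner: str, name: str, action: str = "read",
               now: Optional[float] = None) -> tuple:
        requestor = verify_ticket(ticket, now)  # steps 4.1-4.3
        if requestor is None:
            return ("Deny", None)
        decision = self.engine.decide(owner, requestor, name, action)
        if decision != "Permit":  # default-deny: NotApplicable releases nothing either
            return (decision, None)
        return ("Permit", self.resources.get((owner, name)))  # step 4.6


def run_scenario(now: float = 1_700_000_000.0) -> dict:
    """Walk the four phases with constructed identities and a constructed resource."""
    db = PolicyDatabase()
    web = WebServer(PolicyEngine(db))
    alice_ticket = issue_ticket("alice", now=now)  # phases 1 and 2: owner authenticates, writes policy
    db.upload("alice", [
        Rule("report.docx", "read", frozenset({"bob"}), "Permit"),
        Rule("report.docx", "delete", frozenset({"*"}), "Deny"),
    ])
    web.upload_resource(alice_ticket, "report.docx", "quarterly figures", now=now)
    bob_ticket = issue_ticket("bob", now=now)      # phases 3 and 4: requestors authenticate, request
    carol_ticket = issue_ticket("carol", now=now)
    forged = bob_ticket[:-1] + ("0" if bob_ticket[-1] != "0" else "1")  # one tag character altered
    return {
        "bob_read": web.access(bob_ticket, "alice", "report.docx", now=now),
        "carol_read": web.access(carol_ticket, "alice", "report.docx", now=now),
        "bob_delete": web.access(bob_ticket, "alice", "report.docx", "delete", now=now),
        "forged": web.access(forged, "alice", "report.docx", now=now),
        "expired": web.access(bob_ticket, "alice", "report.docx", now=now + 3600),
    }


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case:12s} -> {result}")
```

The web server never consults the policy engine for a requestor it could not authenticate, and it treats NotApplicable the same as Deny, so a user who forgot to write a rule for a resource has not accidentally published it; a consolidated view of the policies (one of the problems listed earlier) is just the contents of the policy database per owner.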

Standards and Technologies

• Security Assertion Markup Language (SAML): web services security standard

• Extensible Access Control Markup Language (XACML 3.0): policy specification

• FIPS 196: authentication

• Google Docs: web service

17

Thesis Road Map

Milestones                                                    Duration
Preliminary Study and Research                                Done
Detailed Design                                               2 weeks
Implementation
  1.1 Implementing authentication protocol                    1 month
  1.2 Creating access control policy module                   1 month
  1.3 Implementing authorization server                       1 month
  1.4 Implementation of final framework incorporating
      user-centric authorization model                        1 month
Testing and evaluation                                        1 month
Thesis writing                                                1 month

18

References

• Fugkeaw, S., Manpanpanich, P., Juntapremjitt, S., "A development of multi-SSO authentication and RBAC model in the distributed systems", 2nd International Conference on Digital Information Management, pp. 297-302, 28-31 Oct 2007.

• Sunan Shen, Shaohua Tang, "Cross-Domain Grid Authentication and Authorization Scheme Based on Trust Management and Delegation", International Conference on Computational Intelligence and Security, vol. 1, pp. 399-404, 13-17 Dec 2008.

• Osio, G., "A User Perspective on Cloud Computing", Third International Conference on Advances in Human-Oriented and Personalized Mechanisms, Technologies and Services, pp. 1-4, 22-27 Aug 2010.

• Ting Zhang, WenAn Tan, "Role-based dynamic access control for Web services", International Conference on Computer Application and System Modeling (ICCASM), vol. 4, pp. V4-507-V4-510, 22-24 Oct 2010.

• Laborde, R., Cheaito, M., Barrere, F., Benzekri, A., "An Extensible XACML Authorization Web Service: Application to Dynamic Web Sites Access Control", Fifth International Conference on Signal-Image Technology & Internet-Based Systems (SITIS), pp. 499-505, 29 Nov-4 Dec 2009.

19

References

• Jing Gao, Bin Zhang, Zhiyu Ren, "A dynamic authorization model based on security label and role", IEEE International Conference on Information Theory and Information Security (ICITIS), pp. 650-653, 17-19 Dec 2010.

• Fei Xu, Jingsha He, Xu Wu, Jing Xu, "A User-Centric Privacy Access Control Model", 2nd International Symposium on Information Engineering and Electronic Commerce (IEEC), pp. 1-4, 23-25 July 2010.

• Gail-Joon Ahn, Moonam Ko, Shehab, M., "Privacy-Enhanced User-Centric Identity Management", IEEE International Conference on Communications, pp. 1-5, 14-18 June 2009.

• Becker, M.Y., "Specification and Analysis of Dynamic Authorization Policies", 22nd IEEE Computer Security Foundations Symposium, pp. 203-217, 8-10 July 2009.

• Xiangrong Zu, Lianzhong Liu, Yan Bai, "A Role and Task-Based Workflow Dynamic Authorization Modeling and Enforcement Mechanism", 1st International Conference on Information Science and Engineering (ICISE), pp. 1593-1596, 26-28 Dec 2009.

• Procházka, M., Kouřil, D., Matyska, L., "User centric authentication for web applications", International Symposium on Collaborative Technologies and Systems (CTS), pp. 67-74, 17-21 May 2010.

20

References

• http://www.oauth.net

• http://www.wikipedia.org/wiki/OAuth

• http://www.tools.ietf.org/html/draft-ietf-oauth-v2-31

• http://www.security.setecs.com/Documents/4_SETECS_Cloud_Portal_Security_System.pdf

• http://www.security.setecs.com/Documents/5_SETECS_Cloud_Security_Architecture.pdf

21

Questions & Suggestions

22