DOCSLIB.ORG

Attribute-Based Access Control with Distributed Policies for Future

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Attribute-Based Access Control with Distributed Policies for Future ICN 2015 : The Fourteenth International Conference on Networks ACROSS-FI: Attribute-Based Access Control with Distributed Policies for Future Internet Testbeds Edelberto Franco Silva Natalia Fernandes Castro Debora´ C. Muchaluat Saade Institute of Computing Dept. of Telecommunications Engineering Institute of Computing Fluminense Federal University (UFF) Fluminense Federal University (UFF) Fluminense Federal University (UFF) M´ıdiaCom Laboratory M´ıdiaCom Laboratory M´ıdiaCom Laboratory Niteroi,´ RJ, Brazil Niteroi,´ RJ, Brazil Niteroi,´ RJ, Brazil Email: [email protected] Email: [email protected] Email: [email protected] Abstract—Interests in access control authorization methods tities of the CAFe academic federation [4]. Hence, there is no for distributed resources have been growing as more shared need to duplicate user information in local databases. resources environments and resource federations have been made available, both in academy and in industry. Different propos- The Federated Identity Management (FIM) is the basis als aiming at creating a granular and scalable access control of this work, when users from many institutions can access in those distributed environments have been presented in the services provided by other partner institutions. A federated and literature. The standardization of access control models based distributed identity service depends on the ability of any ser- on roles and attributes are examples of that effort. However, vice provider to trust the credentials provided to them by other none of the existing proposals or standards present a complete entities. In this scenario, IdM appears as a strong requirement authentication and authorization framework that can be adapted for different distributed environments. This work presents an for establishing the trust environment among participants, as authentication and authorization framework based on policies to share tools or resources among each other. and attribute aggregation for controlling access into Future Important examples of such environments are the initia- Internet (FI) distributed testbeds. A generic solution for attribute- based access control in Future Internet testbeds federation is tives for experimental facilities for the Future Internet (FI) implemented and evaluated, providing a generic interface to allow research [5][6]. New network architectural proposals depend communication between the FI resource federation and our access on exhaustive tests before they are implemented in the real control proposal. Based on user and resource’s attributes, policies world. Thus, various experimental facilities, or testbeds, were are dynamically applied to control which resources a user may developed [7][8]. Researchers, however, realized that intercon- require. This work has been validated in an experimental identity necting those testbeds is a requirement in order to carry out real management laboratory (GIdLab) enabling the use of identity experiments in geographically dispersed scenarios. This brings management services offered in an academic identity federation up many management challenges, because communication and and in an experimental environment for the Future Internet. access control agreements are necessary. The need to specify Keywords—future internet; authorization; authentication; an IdM architecture in this context draws attention. attribute-based access control. There are some proposals for federating FI testbeds. Among them, we highlight the Slice-Based Federation Archi- I. INTRODUCTION tecture (SFA) [9], which is currently in use in testbeds such as OneLab, FIBRE Project (Future Internet testbeds experi- Identity Management (IdM) is the set of processes and mentation between BRazil and Europe) [10], and PlanetLab. technologies used for guaranteeing the identity of an entity. In SFA-based FI testbeds, users supply their credentials to get IdM ensures the quality of identity information such as identi- access authorization to a set of resources located in different fiers, credentials, and attributes and uses it for authentication, institutions, such as a set of computers and a minimal specified authorization, and accounting processes [1]. bandwidth. Although SFA is the most important initiative to Authentication procedures focus on confirming the identity create a federation of FI testbeds, it presents open issues related of an entity, that is, checking that an entity is who it claims to A&A. Briefly, this occurs because its proposal is focused to be. Authorization mechanisms define the access rights to on interconnecting resources through a resource federation. resources associated to an identity. Authorization procedures The A&A ends up in background, composed only of a simple describe these access rights to ensure that they are obeyed. Fi- authentication mechanism based on X.509 certificates and nally, accounting refers to track network resource consumption static profiles. by users for capacity planning and billing. To illustrate our proposal a component architecture is In recent years, the use of academic authentication and shown in Figure 1. On top the identity federation is responsible authorization (A&A) federations to control access to resources for authenticating users. In the middle all components of a became popular [2][3]. In Brazil, for instance, academic re- federated resource environment are depicted, with an attribute searchers access scientific publication repositories using iden- provider, an access control component, a credential translation Copyright (c) IARIA, 2015. ISBN: 978-1-61208-398-8 198 ICN 2015 : The Fourteenth International Conference on Networks component (necessary to translate the credential from the presents current results. In Section VI, conclusions and future identity federation to the testbed federation, which is presented works are described. in [11]), a service provider and the resource federation (i.e., FI testbeds or islands). II. RELATED WORK There are many initiatives to federate testbeds, such as GENI (Global Environment for Network Innovations), OneLab and FED4FIRE [5]–[8][16]. A recent initiative for creation of testbeds in Brazil and Europe is the FIBRE Project [10]. FIBRE proposes the con- struction of a network for large-scale experimentation, which includes wired and wireless environments, through the inter- connection of small testbeds, called islands, in various parts of Brazil and Europe. Thus, FIBRE is strongly grounded in building a federated environment. Although these proposals are strongly based on the resource federation, using tools such as SFA, they present open issues related to identity management. These projects integrate testbeds using different control and management frameworks, each of them using a different user database and different authentication and access control methods. Tools such as SFA do not provide a proper A&A federation architecture to integrate such different environments. Related work, in general, proposes the introduction of a standardized model (such as RBAC [17], ABAC [15]) for Figure 1. Proposed component architecture for authentication and resource distributed environments such as grid computing, and authorization. more recently, cloud computing. The area where there is more related work is undoubtedly grid computating. We can cite works as [18][19], on which role-based access control models In this work, we propose a new authorization method (RBAC) are applied. More recent works in cloud computing for SFA-based testbeds. Our proposal integrates A&A feder- use ABAC for access control, such as [20]. However, we ations based on Shibboleth [12] and a authorization frame- must emphasize the need to know how access control in these work based on Extensible Access Control Markup Language environments has been employed, but each distributed resource (XACML) [13]. Shibboleth implements the Security Assertion environment has its particularities. Markup Language (SAML) standard [14] and also supports Attribute-Based Access Control (ABAC), which has become a In this paper, we present the first proposal for policy standard in 2014 [15]. Using ABAC, it is possible to implement and Attribute-Based Access Control in FI testbeds, different more granular and dynamic access policies. Moreover, Shib- of GENI ABAC proposal (the other – and only – similar boleth is used by the Brazilian academic federation, named proposal), when attributes are used to restrict and delegate CAFe, and also by eduGAIN. Our proposal allows the user to access [21], introducing a new way to represent the resources, allocate resources in testbed federations based on attributes attributes and policies in this enviroment. arising from an identity federation. We propose a generic III. BACKGROUND framework for ABAC using an aggregate attribute mechanism that associates points for user attributes and resource attributes. This section presents an introduction of technologies and Our goal is to use the access control proposal in the FIBRE concepts needed to understand the solution proposed by this testbed, which is an initiative of federated testbeds between work. Brazil and Europe, using CAFe and eduGAIN for authentica- tion. A. SAML and Shibboleth We implemented the proposed A&A architecture using a The Security Assertion Markup Language (SAML) stan- real experimentation laboratory called GIdLab. GIdLab pro- dard [14] presents a set of specifications to define an infras- vides a mirror of the CAFe federation, which serves as an tructure for dynamic exchange of security
Load more

Recommended publications
  • Dod Enterpriseidentity, Credential, and Access Management (ICAM)
    UNCLASSIFIED DoD Enterprise Identity, Credential, and Access Management (ICAM) Reference Design Version 1.0 June 2020 Prepared by Department of Defense, Office of the Chief Information Officer (DoD CIO) DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies and their contractors (Administrative or Operational Use). Other requests for this document shall be referred to the DCIO-CS. UNCLASSIFIED UNCLASSIFIED Document Approvals Prepared By: N. Thomas Lam IE/Architecture and Engineering Department of Defense, Office of the Chief Information Officer (DoD CIO) Thomas J Clancy, COL US Army CS/Architecture and Capability Oversight, DoD ICAM Lead Department of Defense, Office of the Chief Information Officer (DoD CIO) Approved By: Peter T. Ranks Deputy Chief Information Officer for Information Enterprise (DCIO IE) Department of Defense, Office of the Chief Information Officer (DoD CIO) John (Jack) W. Wilmer III Deputy Chief Information Officer for Cyber Security (DCIO CS) Department of Defense, Office of the Chief Information Officer (DoD CIO) ii UNCLASSIFIED UNCLASSIFIED Version History Version Date Approved By Summary of Changes 1.0 TBD TBD Renames and replaces the IdAM Portfolio Description dated August 2015 and the IdAM Reference Architecture dated April 2014. (Existing IdAM SDs and TADs will remain valid until updated versions are established.) Updates name from Identity and Access Management (IdAM) to Identity, Credential, and Access Management (ICAM) to align with Federal government terminology Removes and cancels
    [Show full text]
  • City Research Online
    Li, F. (2015). Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment. (Unpublished Doctoral thesis, City University London) City Research Online Original citation: Li, F. (2015). Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment. (Unpublished Doctoral thesis, City University London) Permanent City Research Online URL: http://openaccess.city.ac.uk/11891/ Copyright & reuse City University London has developed City Research Online so that its users may access the research outputs of City University London's staff. Copyright © and Moral Rights for this paper are retained by the individual author(s) and/ or other copyright holders. All material in City Research Online is checked for eligibility for copyright before being made available in the live archive. URLs from City Research Online may be freely distributed and linked to from other web pages. Versions of research The version in City Research Online may differ from the final published version. Users are advised to check the Permanent City Research Online URL above for the status of the paper. Enquiries If you have any enquiries about any aspect of City Research Online, or if you wish to make contact with the author(s) of this paper, please email the team at [email protected]. Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment A Thesis Submitted to City University London, School of Engineering and Mathematical Sciences In
    [Show full text]
  • Identity Management, Privacy, and Price Discrimination
    Identity Management Identity Management, Privacy, and Price Discrimination In economics, privacy is usually discussed in the context of consumer preferences and price discrimination. But what forms of personal data privacy are compatible with merchants’ interests in knowing more about their consumers, and how can identity management systems protect information privacy while enabling personalization and price discrimination? ALESSANDRO n the economics literature, privacy is usually dis­ or her purchas­ ACQUISTI cussed in the context of consumer preferences ing history. Carnegie and reservation prices: merchants are interested Identity management systems can support such Mellon in finding out a consumer’s preferences because selective information revelation strategies by giving University Ifrom those they can infer the consumer’s maximum consumers greater control over which identities are willingness to pay for a good (his reservation price). established, which attributes are associated with them, The ability to identify consumers and track their pur­ and under what circumstances they’re revealed to oth­ chase histories, therefore, lets merchants charge prices ers. Therefore, such systems allow for transactions in that extract as much surplus as possible from the sale, which some level of information sharing is accompa­ which is what economists call price discrimination.1–3 nied by some level of information hiding. At the same In this context, consumer privacy concerns reduce to time, economic views of privacy that are more granu­ individuals’
    [Show full text]
  • Mastering Identity and Access Management
    Whitepaper Mastering Identity and Access Management Contents Introduction ........................................................................................................................................................................ 1 Types of users ............................................................................................................................................................................ 2 Types of identities ..................................................................................................................................................................... 2 Local identities .................................................................................................................................................................... 2 Network identities .............................................................................................................................................................. 2 Cloud identities ................................................................................................................................................................... 2 IAM concepts ............................................................................................................................................................................. 3 IAM system overview ................................................................................................................................................................ 3 IAM system options
    [Show full text]
  • Identity Management
    Identity Management A White Paper by: Skip Slone & The Open Group Identity Management Work Area A Joint Work Area of the Directory Interoperability Forum, Messaging Forum, Mobile Management Forum, and Security Forum March, 2004 Copyright © 2004 The Open Group All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owners. The materials contained in Appendix B of this document is: Copyright © 2003 Securities Industry Middleware Council, Inc. (SIMC). All rights reserved. The Open Group has been granted permission to reproduce the materials in accordance with the publishing guidelines set out by SIMC. The materials have previously been published on the SIMC web site (www.simc-inc.org). Boundaryless Information Flow is a trademark and UNIX and The Open Group are registered trademarks of The Open Group in the United States and other countries. All other trademarks are the property of their respective owners. Identity Management Document No.: W041 Published by The Open Group, March, 2004 Any comments relating to the material contained in this document may be submitted to: The Open Group 44 Montgomery St. #960 San Francisco, CA 94104 or by Electronic Mail to: [email protected] www.opengroup.org A White Paper Published by The Open Group 2 Contents Executive Summary 4 Introduction 5 Key Concepts 6 Business Value of Identity Management 17 Identity Management
    [Show full text]
  • Ts 124 482 V14.0.0 (2017-04)
    ETSI TS 124 482 V14.0.0 (2017-04) TECHNICAL SPECIFICATION LTE; Mission Critical Services (MCS) identity management; Protocol specification (3GPP TS 24.482 version 14.0.0 Release 14) 3GPP TS 24.482 version 14.0.0 Release 14 1 ETSI TS 124 482 V14.0.0 (2017-04) Reference RTS/TSGC-0124482ve00 Keywords LTE ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
    [Show full text]
  • Federated Identity and Trust Management
    Redpaper Axel Buecker Paul Ashley Neil Readshaw Federated Identity and Trust Management Introduction The cost of managing the life cycle of user identities is very high. Most organizations have to manage employee, business partner, and customer identities. The relationship between the business and these individuals can change frequently, and each change requires an administrative action. For the individuals also the situation is unsatisfactory, because they need to create separate accounts at all the businesses that they access. A federation is defined as a group of two or more business partners who work together. This federation can be formed to provide a better experience for their mutual customers, to reduce identity management costs, or both. For example, a financial institution might want to provide seamless access for their high-value clients to financial market information provided by a third-party research firm. Government departments might want to collaborate to provide a single citizen login for their government services. A small online store might not want to manage large numbers of customer records and instead prefer to partner with a financial institution to provide that service. In all of these cases, the businesses need to work together to create a business federation. Business federations are built on trust relationships. These trust relationships are created using out-of-band business and legal agreements between the federation participants. These agreements must be in place before a federation can begin to operate.1 After the business and legal agreements are in place, these partners can begin to operate together using technology that supports the federation arrangements.
    [Show full text]
  • The 7 Things You Should Know About Federated Identity Management
    THINGS YOU SHOULD KNOW ABOUT… FEDERated IDENTITY Management What is it? Identity management refers to the policies, processes, and technologies that establish user identities and enforce rules about Scenario access to digital resources. In a campus setting, many information Gillian’s graduate work in oceanography involves enormous systems—such as e-mail, learning management systems, library da- amounts of water-quality data from many sources along the tabases, and grid computing applications—require users to authen- Atlantic seaboard as well as the West Coast. From her insti- ticate themselves (typically with a username and password). An tution in Florida, she collects and analyzes data sets from authorization process then determines which systems an authenti- laboratories and oceanographic facilities affiliated with oth- cated user is permitted to access. With an enterprise identity man- er colleges and universities, government agencies, and even agement system, rather than having separate credentials for each some private organizations. Not only do these entities share system, a user can employ a single digital identity to access all re- data with Gillian from their underwater instrumentation, but sources to which the user is entitled. Federated identity manage- some also allow her to remotely access specialized applica- ment permits extending this approach above the enterprise level, tions they have developed. creating a trusted authority for digital identities across multiple or- ganizations. In a federated system, participating institutions share Enabling this level of collaboration to take place in a man- identity attributes based on agreed-upon standards, facilitating ageable way is a federated identity system that includes all authentication from other members of the federation and granting of the organizations in Gillian’s research as members.
    [Show full text]
  • Securing Digital Identities in the Cloud by Selecting an Apposite Federated Identity Management from SAML, Oauth and Openid Connect
    Securing Digital Identities in the Cloud by Selecting an Apposite Federated Identity Management from SAML, OAuth and OpenID Connect Nitin Naik and Paul Jenkins Defence School of Communications and Information Systems Ministry of Defence, United Kingdom Email: [email protected] and [email protected] Abstract—Access to computer systems and the information this sensitive data over insecure channels poses a significant held on them, be it commercially or personally sensitive, is security and privacy risk. This risk can be mitigated by using naturally, strictly controlled by both legal and technical security the Federated Identity Management (FIdM) standard adopted measures. One such method is digital identity, which is used to authenticate and authorize users to provide access to IT in the cloud environment. Federated identity links and employs infrastructure to perform official, financial or sensitive operations users’ digital identities across several identity management within organisations. However, transmitting and sharing this systems [1], [2]. FIdM defines a unified set of policies and sensitive information with other organisations over insecure procedures allowing identity management information to be channels always poses a significant security and privacy risk. An transportable from one security domain to another [3], [4]. example of an effective solution to this problem is the Federated Identity Management (FIdM) standard adopted in the cloud Thus, a user accessing data/resources on one secure system environment. The FIdM standard is used to authenticate and could then access data/resources from another secure system authorize users across multiple organisations to obtain access without both systems needing individual identities for the to their networks and resources without transmitting sensitive single user.
    [Show full text]
  • Integrator's Guide / Forgerock Identity Management 6.0
    Integrator's Guide / ForgeRock Identity Management 6.0 Latest update: 6.0.0.6 Anders Askåsen Paul Bryan Mark Craig Andi Egloff Laszlo Hordos Matthias Tristl Lana Frost Mike Jang Daly Chikhaoui Nabil Maynard ForgeRock AS 201 Mission St., Suite 2900 San Francisco, CA 94105, USA +1 415-599-1100 (US) www.forgerock.com Copyright © 2011-2017 ForgeRock AS. Abstract Guide to configuring and integrating ForgeRock® Identity Management software into identity management solutions. This software offers flexible services for automating management of the identity life cycle. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-nd/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. ForgeRock® and ForgeRock Identity Platform™ are trademarks of ForgeRock Inc. or its subsidiaries in the U.S. and in other countries. Trademarks are the property of their respective owners. UNLESS OTHERWISE MUTUALLY AGREED BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • Oracle Data Sheet
    ORACLE DATA SHEET ORACLE IDENTITY MANAGER 11g KEY FEATURES Oracle Identity Manager is a highly flexible and scalable • Self-service identity management enterprise identity administration system that provides operational drives user productivity, increases user and business efficiency by providing centralized administration & satisfaction and optimizes IT efficiency • Universal delegated administration complete automation of identity and user provisioning events enhances security and reduces costs across enterprise as well as extranet applications. It manages the • Requests with approval workflows and entire identity and role lifecycle to meet changing business and policy-driven provisioning improves IT efficiency, enhances security and regulatory requirements and provides essential reporting and enables compliance compliance functionalities. By applying the business rules, roles, • Password management reduces IT and audit policies, it ensures consistent enforcement of identity help desk costs, and improves service based controls and reduces ongoing operational and compliance levels • Integration solutions featuring Adapter costs. Factory and pre-configured connectors enables quick and low cost system integration Introduction Oracle Identity Manager is a highly flexible and scalable enterprise identity management KEY BENEFITS system that is designed to administer user access privileges across a company's resources • Increased security: Enforce internal throughout the entire identity management life cycle, from initial on-boarding to final
    [Show full text]
  • Identity Platform Allows Users to Authenticate to Your Applications and Services, Like Multi- Tenant Saas Applications, Mobile/Web Apps, Games, Apis and More
    1/25/2020 Authentication Identity Platform allows users to authenticate to your applications and services, like multi- tenant SaaS applications, mobile/web apps, games, APIs and more. Identity Platform provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform. Identity Platform provides backend services and works with the easy-to-use SDKs and ready- made UI libraries to authenticate users to your app. It supports authentication using passwords, phone numbers, popular federated identity providers like Google, Facebook, Twitter, and any provider that supports SAML or OpenID Connect protocol. Identity Platform integrates tightly with Google Cloud services, and it leverages industry standards like OAuth 2.0 and OpenID Connect, so it can be easily integrated with your custom backend. You can use the SDK to integrate one or more sign-in methods into your app. Authentication using the SDK Email and password based Authenticate users with their email addresses and passwords. The SDK pro authentication methods to create and manage users that use their email addresses and pa to sign in. Identity Platform also handles sending password reset emails. iOS (https://rebase.google.com/docs/auth/ios/password-auth) Android (https://rebase.google.com/docs/auth/android/password-auth Web (https://rebase.google.com/docs/auth/web/password-auth) C++ (https://rebase.google.com/docs/auth/cpp/password-auth) Unity (https://rebase.google.com/docs/auth/unity/password-auth) Federated identity provider Authenticate users by integrating with federated identity providers. The SD integration methods that allow users to sign in with their Google, Facebook, Twitter, an accounts.
    [Show full text]