Neural Computing and Applications

Volume 29, Issue 10, pp 887–901

A novel multilayer AAA model for integrated applications

  • Afshin Rezakhani
  • Hossein Shirazi
  • Nasser Modiri
Original Article

Abstract

Nowadays, one of the problems in the current authentication, authorization and accounting (AAA) model is the lack of an accurate roadmap for access management in integrated applications based on operational needs. In current systems, attributes are used as the effective parameters of AAA in a static form. We argue that, in order to have an efficient AAA model, AAA requirements should be considered through multilayer security policies. In this paper, a comprehensive approach is presented which defines the design of AAA not only at the operational and implementation levels, but also at the enterprise level. In this regard, the proposed model provides all the security requirements for establishing appropriate application-level AAA. Some of these requirements must be obtained from regulations and threat modeling, and others are derived from business processes and operational levels. According to the proposed multilayer approach, the evaluation must be considered in several dimensions, so we evaluate several aspects of the proposed model. The results show that the proposed model covers many security requirements well. It can also be useful for enhancing information security in integrated applications.

Keywords

  • AAA
  • Multilayer security policies
  • Integrated applications
  • Regulations

Copyright information

© The Natural Computing Applications Forum 2016

Authors and Affiliations

  • Afshin Rezakhani (1)
  • Hossein Shirazi (1)
  • Nasser Modiri (2)
  1. Information, Communications and Security Technologies Complex, Malek-Ashtar University of Technology, Tehran, Iran
  2. Department of Computer Engineering, Islamic Azad University, Zanjan Branch, Zanjan, Iran