Abstract
Current mechanisms for distributed access management are limited in their capabilities to provide federated information sharing while ensuring adequate levels of resource protection. This work presents a policy-based framework designed to address these limitations for access management in federated systems. In particular, it supports: (i) decentralized administration while preserving local autonomy, (ii) fine-grained access control while avoiding rule-explosion in the policy,(iii) credential federation through the use of interoperable protocols, with support for single sign on for federated users, (iv) specification and enforcement of semantic and contextual constraints to support integrity requirements and contractual obligations, and (v) usage control in resource provisioning through effective session management. The paper highlights the significance of our policy-based approach in comparison with related mechanisms. It also presents a system architecture of our implementation prototype.
Chapter PDF
References
http://www.fas.org/irp/doddir/dod/d8320_2.pdf
http://www.educause.edu/ir/library/pdf/erm0348.pdf
S. D. C. di Vimercati, P. Samarati, “Access control in federated systems”, In proceedings of ACM New Security Paradigm Workshop, pages 87–99, Lake Arrowhead, CA, USA, 1996.
D. D. Clark, D. R. Wilson, “A comparison of commercial and military computer security policies,” In IEEE Symposium on Security and Privacy, pages 184–194, Oakland, April 1987.
R. S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman, “Role-Based Access Control Models”, IEEE Computer 29(2): 38–47, IEEE Press, 1996.
http://www.enterprisenetworksandservers.com/monthly/art.php/1117
http://xml.coverpages.org/saml.html
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
http://www-106.ibm.com/developerworks/webservices/library/ws-secure/
http://www-128.ibm.com/developerworks/library/specification/ws-polfram/
http://www.nwfusion.com/news/2002/0715saml.html
M. Blaze, J. Feigenbaum, and A. D. Keromytis, “KeyNote: Trust management for public-key infrastructures,” in Security Protocols International Workshop, Springer LNCS, no. 1550, pp. 59–63, 1998.
C. M. Ellison, “SPKI requirements,” RFC 2692, Internet Engineering Task Force Draft IETF, Sept. 1999. See http://www.ietf.org/rfc/rfc2692.txt.
A. Herzberg, Y. Mass, J. Mihaeli, D. Naor, and Y. Ravid, “Access control meets public key infrastructure, or: Assigning roles to strangers”, In Proceedings of the 2000 IEEE Symposium on Security and Privacy, pp. 2–14, 2000. IEEE Press.
N. Li, J. C. Mitchell, W. H. Winsborough, “Design of a role-based trust management framework”, In Proceedings of the 2002 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, May 2002.
J. B. D. Joshi, R. Bhatti, E. Bertino, A. Ghafoor, “An Access Control Language for Multi-Domain Environments”, IEEE Internet Computing, vol. 8, no. 6, pp. 40–50, November/December 2004.
J. B. D. Joshi, E. Bertino, U. Latif, A. Ghafoor, “Generalized Temporal Role Based Access Control Model (GTRBAC)”, IEEE Transaction on Knowledge and Data Engineering, vol. 17, no. 1, January 2005.
R. Bhatti, J. B. D. Joshi, E. Bertino, A. Ghafoor, “X-GTRBAC: An XML-based Policy Specification Framework and Architecture for Enterprise-Wide Access Control”, ACM Transactions on Information and System Security (TISSEC), Vol. 8, No. 2.
A. Keromytis, S. Ioannidis, M. Greenwald, J. Smith, “The STRONGMAN Architecture”, In Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX III), Washington, D.C. April 22–24, 2003.
L. Lymberopoulos, E. Lupu, M. Sloman, “An Adaptive Policy Based Management Framework for Network Services Management”, In Special Issue on Policy Based Management of Networks and Services, Journal of Networks and Systems Management, Vol. 11, No. 3, Sep. 2003.
N. Damianou, N. Dulay, E. Lupu, M Sloman, “The Ponder Specification Language”, Workshop on Policies for Distributed Systems and Networks (Policy2001), HP Labs Bristol, 29–31 Jan 2001.
K. Taylor, J. Murty, “Implementing role based access control for federated information systems on the web”, Proceedings of the Australasian information security workshop conference on ACSW frontiers 2003, p.87–95, February 01, 2003, Adelaide, Australia.
M. Thompson, A. Essiari, S. Mudumbai, “Certificate-based Authorization Policy in a PKI Environment”, ACM Transactions on Information and System Security, (TISSEC), Volume 6, Issue 4 (November 2003) pp: 566–588.
D.W. Chadwick, A. Otenko, “The PERMIS X.509 role based privilege management infrastructure”, In proceedings of the seventh ACM Symposium on Access Control Models and Technologies, Monterey, California, USA.
http://shibboleth.internet2.edu/docs/draft-mace-shibboleth-arch-protocols-latest.pdf
http://www.projectliberty.org/resources/specifications.php
X. Zhang, J. Park, F. Parisi-Presicce, R. Sandhu, “A Logical Specification for Usage Control”, In proceedings of the ninth ACM Symposium on Access Control Models and Technologies, Monterey, California, USA.
B. Rosenblatt, B. Trippe, S. Mooney, “Digital Rights Management: Business and Technology”, New York: Hungry Minds/John Wiley and Sons, 2001.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 International Federation for Information Processing
About this paper
Cite this paper
Bhatti, R., Bertino, E., Ghafoor, A. (2005). A Policy Framework for Access Management in Federated Information Sharing. In: Dowland, P., Furnell, S., Thuraisingham, B., Wang, X.S. (eds) Security Management, Integrity, and Internal Control in Information Systems. IICIS 2004. IFIP International Federation for Information Processing, vol 193. Springer, Boston, MA. https://doi.org/10.1007/0-387-31167-X_7
Download citation
DOI: https://doi.org/10.1007/0-387-31167-X_7
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29826-9
Online ISBN: 978-0-387-31167-8
eBook Packages: Computer ScienceComputer Science (R0)