The current desktop metaphor is unsuitable for the coming age of cloud-based applications. The desktop was developed in an era that was focused on local resources, and consequently its gestures, semantics, and securit...
详细信息
ISBN:
(纸本)9781605588438
The current desktop metaphor is unsuitable for the coming age of cloud-based applications. The desktop was developed in an era that was focused on local resources, and consequently its gestures, semantics, and security model reflect heavy reliance on hierarchy and physical locations. This paper proposes a new user interface model that accounts for cloud applications, incorporating representations of people and new gestures for sharing andaccess, while minimizing the prominence of location. The model's key feature is a lightweight mechanism to group objects for resource organization, sharing, andaccesscontrol, towards the goal of providing simple semantics for a wide range of tasks, while also achieving security through greater usability.
In practical accesscontrol systems, it is important to enforce an upper bound on the time taken to respond to an access request. This response time is directly influenced by the size (often called the weight) of each...
详细信息
ISBN:
(纸本)9781450347020
In practical accesscontrol systems, it is important to enforce an upper bound on the time taken to respond to an access request. This response time is directly influenced by the size (often called the weight) of each of the underlying accesscontrol rules. We present a constrained policy mining algorithm which takes an accesscontrol matrix as input and generates a set of attribute based accesscontrol (ABAC) rules, such that the weight of each rule is not more than a specified value and the sum of weights of all the rules is minimized. Our initial experiments show encouraging results.
Data security and privacy issues are magnified by the volume, the variety, and the velocity of Big Data and by the lack, up to now, of a standard data model and related data manipulation language. In this paper, we fo...
详细信息
ISBN:
(纸本)9781450356664
Data security and privacy issues are magnified by the volume, the variety, and the velocity of Big Data and by the lack, up to now, of a standard data model and related data manipulation language. In this paper, we focus on one of the key data security services, that is, accesscontrol, by highlighting the differences with traditional data management systems and describing a set of requirements that any accesscontrol solution for Big Data platforms may fulfill. We then describe the state of the art and discuss open research issues.
Confidentiality and privacy of data managed by IoT ecosystems is becoming a primary concern. This paper targets the design of a general accesscontrol enforcement mechanism for MQTT-based IoT ecosystems. The proposed ...
详细信息
ISBN:
(纸本)9781450356664
Confidentiality and privacy of data managed by IoT ecosystems is becoming a primary concern. This paper targets the design of a general accesscontrol enforcement mechanism for MQTT-based IoT ecosystems. The proposed approach is presented with ABAC, but other accesscontrolmodels can be similarly supported. The solution is based on an enforcement monitor that has been designed to operate as a proxy between MQTT clients and an MQTT server. The monitor enforces accesscontrol constraints by intercepting and possibly manipulating the flow of exchanged MQTT control packets. Early experimental evaluations have overall shown low enforcement overhead.
The proceedings contains 23 papers. Topics discussed include enterprise role administration, contraints, role based accesscontrol for collaborative environments, accesscontrolmodels and mechanisms, role engineering...
详细信息
The proceedings contains 23 papers. Topics discussed include enterprise role administration, contraints, role based accesscontrol for collaborative environments, accesscontrolmodels and mechanisms, role engineering, verification and dynamic accesscontrol.
In context-aware applications, user's access privileges rely on both user's identity and context. accesscontrol rules are usually statically defined while contexts and the system state can change dynamically....
详细信息
ISBN:
(纸本)9781450356664
In context-aware applications, user's access privileges rely on both user's identity and context. accesscontrol rules are usually statically defined while contexts and the system state can change dynamically. Changes in contexts can result in service disruptions. To address this issue, this poster proposes a reactive accesscontrol system that associates contingency plans with accesscontrol rules. Risk scores are also associated with actions part of the contingency plans. Such risks are estimated by using fuzzy inference. Our approach is cast into the XacmL reference architecture.
Nowadays, most of business practices involve personal data processing of customers and employees. This is strictly regulated by legislation to protect the rights of the data subject. Enforcing regulation into enterpri...
详细信息
ISBN:
(纸本)9781450347020
Nowadays, most of business practices involve personal data processing of customers and employees. This is strictly regulated by legislation to protect the rights of the data subject. Enforcing regulation into enterprise information system is a non-trivial task that requires an interdisciplinary approach. This paper presents a declarative framework to support the specification of information system designs, purpose-aware accesscontrol policies, and the legal requirements derived from the European Data Protection Directive. This allows for compliance checking via a reduction to policy refinement that is supported by available automated tools. We briefly discuss the results of the compliance analysis with a prototype tool on a simple but realistic scenario about the processing of personal data to produce salary slips of employees in an Italian organization.
Relationship-based accesscontrol (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based a...
详细信息
ISBN:
(纸本)9781450347020
Relationship-based accesscontrol (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based accesscontrol (ABAC) in which relationships are expressed using fields that refer to other objects, and path expressions are used to follow chains of relationships between objects. ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy accesscontrol systems to ReBAC, by partially automating the development of a ReBAC policy from an existing accesscontrol policy and attribute data. This paper presents an algorithm for mining ReBAC policies from accesscontrol lists (ACLs) and attribute data represented as an object model, and an evaluation of the algorithm on four sample policies and two large case studies. Our algorithm can be adapted to mine ReBAC policies from access logs and object models. It is the first algorithm for these problems.
Apache Hadoop is an important framework for fault-tolerant and distributed storage and processing of Big Data. Hadoop core platform along with other open-source tools such as Apache Hive, Storm, HBase offer an ecosyst...
详细信息
ISBN:
(纸本)9781450347020
Apache Hadoop is an important framework for fault-tolerant and distributed storage and processing of Big Data. Hadoop core platform along with other open-source tools such as Apache Hive, Storm, HBase offer an ecosystem to enable users to fully harness Big Data potential. Apache Ranger and Apache Sentry provide accesscontrol capabilities to several ecosystem components by offering centralized policy administration and enforcement through plugins. In this work we discuss the accesscontrol model for Hadoop ecosystem (referred as HeAC) used by Apache Ranger (release 0.6) and Sentry (release 1.7.0) along with Hadoop 2.x native authorization capabilities. This multi-layer model provides several access enforcement points to restrict unauthorized users to cluster resources. We further outline some preliminary approaches to extend the HeAC model consistent with widely accepted accesscontrolmodels.
Mining accesscontrol policies can reduce the burden of adopting more modern accesscontrolmodels by automating the process of generating policies based on existing authorization information in a system. Previous wor...
详细信息
ISBN:
(纸本)9781450356664
Mining accesscontrol policies can reduce the burden of adopting more modern accesscontrolmodels by automating the process of generating policies based on existing authorization information in a system. Previous work in this area has focused on mining positive authorizations only. That includes the literature on mining role-based accesscontrol policies (which are naturally about positive authorization) and even more recent work on mining attribute-based accesscontrol (ABAC) policies. However, various theoretical accesscontrolmodels (including ABAC), specification standards (such as XacmL), and implementations (such as operating systems and databases) support negative authorization as well as positive authorization. In this paper, we propose a novel approach to mine ABAC policies that may contain both positive and negative authorization rules. We evaluate our approach using two different policies in terms of correctness, quality of rules (conciseness), and time. We show that while achieving the new goal of supporting negative authorizations, our proposed algorithm outperforms existing approach to ABAC mining in terms of time.
暂无评论