A Comparative Study of Specification Models for Autonomic Access Control of Digital Rights. K. Bhoopalam, K. Maly, R. Mukkamala, M. Zubair, Old Dominion University.

Slide 1: A Comparative Study of Specification Models for Autonomic Access Control of Digital Rights
K. Bhoopalam, K. Maly, R. Mukkamala, M. Zubair (Old Dominion University); D. Kaminsky (IBM, Research Triangle Park); D. Agrawal (IBM, T. J. Watson)

Nov 2005, DRMTICS 2005, Sydney, Australia

Slide 2: Contents
Motivation
Background
Autonomic Cycle for Protection of Access Rights
Application Domain (digital library)
Access Management Architecture
Comparison of XACML and CIM
–Information Model
–Computational Model
–Linkage Model
Conclusion

Slide 3: Motivation
Policy-based models ease the management of access rights for digital information.
Many policy specifications exist (XrML, ODRL) and many more are emerging (XACML, CIM-based ACPL, etc.).
A categorical or structured analysis of the emerging specifications is necessary in order to choose the appropriate specification.

Slide 4: Background (CIM and XACML)
The XACML specification uses XML schemas for access-control policies, requests, and decisions.
The CIM Policy Model uses the Meta-Object Facility and the Unified Modeling Language.
–The CIM-derived ACPL was used for the comparison.
The XACML and CIM models provide a generic vocabulary to address DRM issues such as
–user privacy
–fair use
–fee- and non-fee-based access

Slide 5: Background (Comparison Axes)
Information model: how the abstract data model is specified as syntactical elements in the language.
–Provides insight into how it supports the various access-rights requirements for self-protection.
Computational model: the computational complexity of evaluating an access request against an access policy to arrive at an access decision.
–Provides insight into the kinds of rules for which these models provide low-latency access evaluation.
Linkage model: how these specifications interact with the environment, namely the restrictions they place on the input (access request) and the output (access decision).
–Provides insight into the adaptability of these languages and models to various application domains.

Slide 6: Autonomic Cycle for Protection of Access Rights

Monitor
1.Receive user attributes
2.Fetch all resource names
3.Compose requests from user attributes and resource names

Analyze
1.Receive request contexts
2.Evaluate the decision based on the knowledge base

Plan
1.Receive access decisions
2.Perform provisional actions
3.Sequence the execution of access decisions

Execute
1.Prepare the user interface or response
2.Serve the response to the user

[Knowledge Base: Policy]

Slide 7: Application Domain (Federated Digital Library)

End-user flow:
1.User requests a resource protected by Shibboleth
2.The target and the user's home organization authenticate each other, and the home organization provides the user attributes
3.The end-user gains access to the resource based on the access control specifications provided in the policy (XACML/ACPL)

Contributor flow:
a.Contributor registers with the Federated Digital Library
b.Contributor manages access policies for user access to its documents
c.Contributor provides the policy in XACML/ACPL-compliant format to the Policy Decision Point

[Architecture diagram: Contributors (xArchive, CERN, APS) and Subscribers; Aggregator comprising Shibboleth Target, Federated DL & Harvester, Policy Enforcement Point, PDP, Policy Editor and Registration; Shibboleth Origins at CMU, ODU and TWRC (the admin classifies users into groups); End-Users (ODU users, CMU users, TWRC users)]

Slide 8: Comparison of XACML and CIM (Information Model)

[Example XACML request: subject attributes faculty, odu; resources author, description, references; action Read]

XACML
1.Uses vocabulary from the access control domain
2.Multiple requests are required to gather the compendium of access privileges (one for each resource)
3.The number of requests required increases with the number of operations (read, distribute, etc.) that can be performed

Slide 9: Comparison of XACML and CIM (Information Model)

[Example ACPL request: attributes faculty, odu; operation read]

ACPL
1.Does not use vocabulary from the access control domain, as it is a more generic rule language
2.A single request is sufficient irrespective of the number of resources
3.The number of requests required does not change even if the number of permitted operations increases
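The difference between slides 8 and 9 in the number of requests the Monitor phase must compose, as an added illustration that is not code from the paper: a toy PDP evaluates an XACML-style policy once per (resource, action) pair and an ACPL-style rule once per user. The user attributes, resource names, operations and rule conditions are constructed for the example.

```python
from itertools import product

# Constructed sample data (not from the paper): attributes a Shibboleth origin
# would release for a user, and the library's resources and operations.
USER = {"affiliation": "faculty", "org": "odu"}
RESOURCES = ("author", "description", "references")
OPERATIONS = ("read", "distribute")

def is_odu_faculty(subject):
    return subject["affiliation"] == "faculty" and subject["org"] == "odu"

# XACML-style policy: each rule targets one (resource, action) pair and
# carries a condition on the subject attributes (access-control vocabulary).
XACML_RULES = [
    {"resource": r, "action": "read", "cond": is_odu_faculty} for r in RESOURCES
]

# ACPL-style rule: a generic condition on the subject that yields the whole
# set of (resource, operation) grants in one evaluation.
ACPL_RULES = [
    {"cond": is_odu_faculty, "grants": {(r, "read") for r in RESOURCES}}
]

def xacml_compendium(user):
    """Monitor + Analyze the XACML way: compose one request context per
    (resource, action) pair and evaluate each one against the policy.
    Returns (set of granted pairs, number of PDP evaluations performed)."""
    granted, evaluations = set(), 0
    for resource, action in product(RESOURCES, OPERATIONS):
        request = {"subject": user, "resource": resource, "action": action}
        evaluations += 1
        for rule in XACML_RULES:
            if (rule["resource"], rule["action"]) == (resource, action) \
                    and rule["cond"](request["subject"]):
                granted.add((resource, action))
    return granted, evaluations

def acpl_compendium(user):
    """The ACPL way: a single request carrying only the user attributes;
    the rule engine returns every grant the user holds."""
    granted = set()
    for rule in ACPL_RULES:
        if rule["cond"](user):
            granted |= rule["grants"]
    return granted, 1

if __name__ == "__main__":
    print(xacml_compendium(USER))  # 3 resources x 2 operations = 6 evaluations
    print(acpl_compendium(USER))   # same grants, 1 evaluation
```

Adding a fourth resource or a third operation raises the XACML evaluation count to resources × operations, while the ACPL side stays at one request.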

Slide 10: Comparison of XACML and CIM (Computational Model)

[XACML policy excerpt elided]

Boolean expressions in XACML
–Simple Boolean expression in CNF or DNF
–Un-conditional Boolean expression
–The most commonly used condition is isolated and optimized.

Slide 11: Comparison of XACML and CIM (Computational Model)

[ACPL policy excerpt elided]

Boolean expressions in ACPL
–Un-conditional Boolean expression
–Does not have an optimization for any specific kind of Boolean expression

Slide 12: Comparison of XACML and CIM (Computational Model)

[XACML policy excerpt elided]

Conflict resolution in XACML
–Conflict resolution is catered more towards access rights and uses vocabulary from access control.

Slide 13: Comparison of XACML and CIM (Computational Model)

[ACPL policy excerpt elided]

Conflict resolution in ACPL
–Conflict resolution is accomplished using a simple prioritization.
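The contrast drawn on slides 12 and 13, as an added example that is not code from the paper: two constructed rules both apply to one request, and the conflict is resolved once with XACML rule-combining algorithms (deny-overrides and permit-overrides are standard XACML algorithm names, not quoted on the slides) and once with an ACPL-style numeric priority. The rule ids, priorities and the embargo attribute are assumptions made for the example.

```python
# Constructed example (not from the paper): two rules that both apply to one
# request, resolved by XACML rule-combining and by ACPL-style prioritisation.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

RULES = [
    # "priority" is only meaningful for the ACPL-style resolver below.
    {"id": "faculty-may-read", "priority": 10, "effect": PERMIT,
     "cond": lambda req: req["affiliation"] == "faculty"
                         and req["action"] == "read"},
    {"id": "embargoed-items", "priority": 20, "effect": DENY,
     "cond": lambda req: req["resource"] in req["embargoed"]},
]

def applicable(rules, request):
    """Rules whose condition holds for the request (the PDP's match step)."""
    return [r for r in rules if r["cond"](request)]

def xacml_combine(rules, request, algorithm="deny-overrides"):
    """XACML combining algorithms: the decision is stated in access-control
    terms (which effect wins), independent of any ordering or numbering the
    policy author gave the rules."""
    effects = {r["effect"] for r in applicable(rules, request)}
    if not effects:
        return NOT_APPLICABLE
    if algorithm == "deny-overrides":
        return DENY if DENY in effects else PERMIT
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in effects else DENY
    raise ValueError(f"unknown combining algorithm: {algorithm}")

def acpl_prioritise(rules, request):
    """ACPL-style resolution: the applicable rule with the highest priority
    wins whatever its effect, so the outcome depends on the numbers chosen."""
    matched = applicable(rules, request)
    if not matched:
        return NOT_APPLICABLE
    return max(matched, key=lambda r: r["priority"])["effect"]

# A faculty member asking to read an embargoed item triggers both rules.
REQUEST = {"affiliation": "faculty", "action": "read",
           "resource": "references", "embargoed": {"references"}}

if __name__ == "__main__":
    print(xacml_combine(RULES, REQUEST))                      # Deny
    print(xacml_combine(RULES, REQUEST, "permit-overrides"))  # Permit
    print(acpl_prioritise(RULES, REQUEST))                    # Deny
```

Swapping the two priority values flips the ACPL-style result to Permit without any change to the rules' conditions or effects, which is the maintenance hazard of resolving conflicts by bare numbers rather than by stated access-control semantics.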

Slide 14: Comparison of XACML and CIM (Linkage Model)
XACML, in addition to specifying the syntax for policies, also specifies the syntax for decision requests and decision responses.
–The monitoring phase composes XACML-compliant requests from user attributes that arrive as HTTP request parameters and delivers them to the analysis phase for evaluation.
–The PDP at the analysis phase provides the planning phase with XACML-compliant responses, which need interpretation.
–The existence of a standard, however, fosters interoperability.
The CIM model does not prescribe a format for requests and responses.
–The absence of a specification for input formats, and the provision for multiple input formats by the CIM implementation, eased the task of request and response processing.
–However, in general, the lack of a standard may hinder interoperability.

Slide 15: Conclusion
XACML
–Plus
Capability to represent provisional actions
XML schema ensures interoperability
Lower-latency access evaluation through optimized Boolean evaluation
Allows specification of resources as XPath artifacts
–Minus
Lack of support for resource hierarchies and delegation
CIM
–Plus
Ability to represent complex actions
Fewer policies need to be managed
Efficient mechanism when simple conditions need to be evaluated to obtain permissions on multiple resources
–Minus
Lack of a standards-based XML schema
Lack of support for resource hierarchies and delegation