Attribute based access control (ABAC) for Web services

For companies and government agencies alike, the emergence of Web services technologies and the evolution of distributed systems toward service oriented architectures (SOA) have helped promote collaboration and information sharing by breaking down "stove-piped" systems and connecting them via loosely coupled, interoperable system-to-system interfaces. Such architectures, however, also bring their own security challenges that require due consideration, and current information security mechanisms are insufficient to address them. In particular, today's access control models are mostly static and coarse-grained; they are not well suited to service-oriented environments, where information access is dynamic and ad hoc in nature. This paper outlines the access control challenges for Web services and SOA, and proposes an attribute based access control (ABAC) model as a new approach: authorization decisions are based on subject, object, and environment attributes, and the model supports both mandatory and discretionary access control needs. The paper describes the ABAC model in terms of its authorization architecture and policy formulation, and makes a detailed comparison between ABAC and traditional role-based models, which clearly shows the advantages of ABAC. The paper then describes how this new model can be applied to securing Web service invocations, with an implementation based on standard protocols and open-source tools. The paper concludes with a summary of the ABAC model's benefits and some future directions.
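To make the policy formulation concrete, the following is an added example (not code from the paper or its implementation) of a deny-by-default ABAC decision point for a Web service call. The attribute names, the four-level sensitivity lattice, and the rule split into a mandatory (lattice) rule, a discretionary (owner grant) rule, and an environment rule are all constructed for illustration.

```python
"""Constructed ABAC decision point for a Web service invocation.

Each rule is a predicate over subject, resource (object) and environment
attributes; a request is permitted only if every rule permits it."""
from dataclasses import dataclass
from typing import Callable

# Assumed sensitivity lattice for the mandatory rule: clearance must dominate classification.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass(frozen=True)
class Request:
    action: str        # service operation being invoked, e.g. "getRecord"
    subject: dict      # attributes asserted about the caller
    resource: dict     # attributes of the invoked service/object
    environment: dict  # attributes of the invocation context

def mandatory(req: Request) -> bool:
    """Mandatory rule: clearance dominates classification and the caller
    holds every compartment tagged on the resource."""
    s, r = req.subject, req.resource
    return (LEVELS[s["clearance"]] >= LEVELS[r["classification"]]
            and set(r.get("compartments", ())) <= set(s.get("compartments", ())))

def discretionary(req: Request) -> bool:
    """Discretionary rule: the owner, or a principal the owner granted this
    action to, may invoke it."""
    s, r = req.subject, req.resource
    return s["id"] == r["owner"] or s["id"] in r.get("grants", {}).get(req.action, ())

def context(req: Request) -> bool:
    """Environment rule (constructed): state-changing actions only from the
    intranet during business hours; read operations are unconstrained here."""
    e = req.environment
    if req.action.startswith("get"):
        return True
    return e["network"] == "intranet" and 8 <= e["hour"] < 18

RULES: dict[str, Callable[[Request], bool]] = {
    "mandatory": mandatory, "discretionary": discretionary, "context": context}

def decide(req: Request) -> tuple[bool, list[str]]:
    """Deny by default; return the decision plus the names of the failing
    rules so the enforcement point can log a reason with each denial."""
    failed = [name for name, rule in RULES.items() if not rule(req)]
    return (not failed, failed)

if __name__ == "__main__":
    rec = {"owner": "alice", "classification": "confidential",
           "compartments": ["hr"], "grants": {"getRecord": ["bob"]}}
    bob = {"id": "bob", "clearance": "secret", "compartments": ["hr"]}
    print(decide(Request("updateRecord", bob, rec, {"network": "internet", "hour": 22})))
```

Returning the failing rule names rather than a bare boolean is what lets an audit log distinguish a clearance violation from a missing owner grant or an out-of-hours call.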
