A dynamic context-aware access control architecture for e-services

The universal adoption of the Internet and the emerging web services technologies constitutes the infrastructure that enables the provision of a new generation of e-services and applications. However, the provision of e-services through the Internet imposes increased risks, since it exposes data and sensitive information outside the client premises. Thus, an advanced security mechanism has to be incorporated, in order to protect this information against unauthorized access. In this paper, we present a context-aware access control architecture, in order to support fine-grained authorizations for the provision of e-services, based on an end-to-end web services infrastructure. Access permissions to distributed web services are controlled through an intermediary server, in a completely transparent way to both clients and protected resources. The access control mechanism is based on a Role-Based Access Control (RBAC) model, which incorporates dynamic context information, in the form of context constraints. Context is dynamically updated and provides a high level of abstraction of the physical environment by using the concepts of simple and composite context conditions. Also, the paper deals with implementation issues and presents a system that incorporates the proposed access control mechanism in a web services infrastructure that conform to the OPC XML-DA specification.

[1]  Elisa Bertino,et al.  Generalized Temporal Role Based Access Control Model (GTRBAC) Part I Specification and Modeling , 2001 .

[2]  Ravi S. Sandhu,et al.  The NIST model for role-based access control: towards a unified standard , 2000, RBAC '00.

[3]  Gregory D. Abowd,et al.  Towards a Better Understanding of Context and Context-Awareness , 1999, HUC.

[4]  Anne H. Anderson An introduction to the Web Services Policy Language (WSPL) , 2004, Proceedings. Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, 2004. POLICY 2004..

[5]  Elisa Bertino,et al.  X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control , 2005, TSEC.

[6]  George D. Papadopoulos,et al.  A SOAP-based system for the provision of e-services , 2004, Comput. Stand. Interfaces.

[7]  Daniel Roth,et al.  Web Services Policy Framework (WS- Policy) , 2002 .

[8]  Arun Kumar,et al.  Context sensitivity in role-based access control , 2002, OPSR.

[9]  Mark Strembeck,et al.  An approach to engineer and enforce context constraints in an RBAC environment , 2003, SACMAT '03.

[10]  Ravi S. Sandhu,et al.  Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management , 1997, DBSec.

[11]  Elisa Bertino,et al.  A Content-Based Authorization Model for Digital Libraries , 2002, IEEE Trans. Knowl. Data Eng..

[12]  Roshan K. Thomas,et al.  Flexible team-based access control using contexts , 2001, SACMAT '01.

[13]  Manish Parashar,et al.  Dynamic context-aware access control for grid applications , 2003, Proceedings. First Latin American Web Congress.

[14]  Elisa Bertino,et al.  TRBAC: a temporal role-based access control model , 2000, RBAC '00.

[15]  Jan H. P. Eloff,et al.  Towards Web Service access control , 2004, Comput. Secur..

[16]  Emil C. Lupu,et al.  A Survey of Policy Specification Approaches , 2002 .

[17]  Mustaque Ahamad,et al.  A context-aware security architecture for emerging applications , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..