Multilayer authorization model and analysis of authorization methods

Various methods have been proposed in the literature to provide authorization control in workflows and information systems, and each has deficiencies that follow from its procedural scope. Basic login mechanisms grant system-wide access, so the boundary they provide is broad. Access control lists define access restrictions only to a limited extent; authorization is bounded by whatever the lists define. Role-based authorization does not cover institutional regulations that prescribe specific operations and the procedures by which they are carried out in institutional workflows. The proposed multilayer authorization model describes the attributes of these authorization mechanisms and analyzes them according to their authorization capabilities and their contribution to the reliability of documents in the workflow. The layered structure supports a comparative and integrated analysis of the mechanisms, and the incremental structure can guide implementations, since each layer presents the scope of authorization it provides, its deficiencies, and the methods for addressing them. An institutional authorization mechanism for documents is also proposed and implemented; it encloses the authorization restrictions stated in institutional regulations.
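
As an added illustration, not code from the paper, the following Python model contrasts the four authorization scopes the abstract discusses on a single document workflow: a login check that grants everything to any authenticated user, a per-document access control list, role-based permissions, and a regulation layer that binds an operation to the procedural state of the document and to a separation-of-duty rule. The users, roles, document states and procedure rules are constructed for this example; the paper's own mechanism is not reproduced here.

```python
"""Layered authorization checks on a document workflow (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: str
    author: str
    state: str                                   # workflow state: draft / reviewed / approved
    acl: dict = field(default_factory=dict)      # user -> set of permitted operations
    history: list = field(default_factory=list)  # (user, operation) audit trail


# Constructed principals and role assignments (assumption for the example).
AUTHENTICATED = {"alice", "bob", "carol"}
ROLES = {"alice": {"clerk"}, "bob": {"reviewer"}, "carol": {"manager"}}
ROLE_PERMS = {
    "clerk": {"read", "edit"},
    "reviewer": {"read", "review"},
    "manager": {"read", "approve"},
}

# Constructed institutional procedure: the state an operation requires,
# the state it moves the document to, and which steps the author may not take.
PROCEDURE = {
    "edit":    {"from": "draft",    "to": "draft"},
    "review":  {"from": "draft",    "to": "reviewed"},
    "approve": {"from": "reviewed", "to": "approved"},
}
NOT_BY_AUTHOR = {"review", "approve"}   # separation of duty


def layer_login(user: str) -> bool:
    """Layer 1: any authenticated user gets system-wide access."""
    return user in AUTHENTICATED


def layer_acl(user: str, doc: Document, op: str) -> bool:
    """Layer 2: the document's ACL lists exactly who may do what."""
    return op in doc.acl.get(user, set())


def layer_rbac(user: str, op: str) -> bool:
    """Layer 3: operations are granted through the user's roles."""
    return any(op in ROLE_PERMS.get(r, set()) for r in ROLES.get(user, set()))


def layer_regulation(user: str, doc: Document, op: str) -> bool:
    """Layer 4: the procedure constrains when, and by whom, a step may be taken,
    regardless of who holds the permission."""
    rule = PROCEDURE.get(op)
    if rule is None:
        return op == "read"              # reading is not a procedural step
    if doc.state != rule["from"]:
        return False                     # step taken out of order
    if op in NOT_BY_AUTHOR and user == doc.author:
        return False                     # author may not review/approve own work
    return True


def decide(user: str, doc: Document, op: str) -> dict:
    """Report what each layer would grant, to compare their scopes side by side."""
    return {
        "login": layer_login(user),
        "acl": layer_acl(user, doc, op),
        "rbac": layer_rbac(user, op),
        "regulation": layer_rbac(user, op) and layer_regulation(user, doc, op),
    }


def perform(user: str, doc: Document, op: str) -> bool:
    """Apply the operation only if login, role and regulation layers all allow it."""
    if not (layer_login(user) and layer_rbac(user, op)
            and layer_regulation(user, doc, op)):
        return False
    doc.state = PROCEDURE.get(op, {"to": doc.state})["to"]
    doc.history.append((user, op))
    return True


if __name__ == "__main__":
    d = Document("D-1", author="alice", state="draft", acl={"alice": {"read", "edit"}})
    print("manager approves a draft:", decide("carol", d, "approve"))
    print("review by bob:", perform("bob", d, "review"), d.state)
    print("approve by carol:", perform("carol", d, "approve"), d.state)
```

The comparison in `decide` is the point: a manager passes the login and role layers for `approve` on an unreviewed draft, and only the regulation layer, which knows the procedure, refuses the step; the same layer also refuses a reviewer who is the document's author.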

Turkish Journal of Electrical Engineering and Computer Sciences
  • ISSN: 1300-0632
  • Publication frequency: 6 issues per year
  • Publisher: TÜBİTAK