The XACML Standard - Addressing Architectural and Security Aspects

Óscar Mortágua Pereira, Vedran Semenski, Diogo Domingues Regateiro, Rui L. Aguiar

2017

Abstract

The OASIS XACML (eXtensible Access Control Markup Language) standard defines a language for the definition of access control requests and policies. It is intended to be used with ABAC (Attribute Based Access Control). Along with the language, the standard defines an architecture, workflow and evaluation mechanism. When implementing real scenarios, developers can come across with the missing of several issues not addressed by the standard. For example, the architecture proposed defines the workflow but does not define the way components should be distributed over different machines. Additionally, the standard does not include any information about how securing communications between components. This paper proposes a solution to deal with the aforementioned gaps. A proof of concept is also presented in an IoT use case in the context of the European project: SMARTIE – secure and smarter cities data management.

References

  1. Addie, R.G. & Colman, A., 2010. Five Criteria for WebServices Security Architecture. In 4th International Conference on Network and System Security (NSS),. pp. 521-526.
  2. Ardagna, C.A. et al., 2009. An XACML-based privacycentered access control system. In Proceedings of the first ACM workshop on Information security governance - WISG 7809. p. 49.
  3. Brown, K.P. et al., 2012. Fine-grained filtering of data providing Web Services with XACML. In Proceedings of the Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, WETICE. pp. 438-443.
  4. Demchenko, Y., Cristea, M. & De Laat, C., 2009. XACML policy profile for multidomain network resource provisioning and supporting authorisation infrastructure. In Proceedings - 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2009. pp. 98-101.
  5. Díaz-López, D. et al., 2015. Managing XACML systems in distributed environments through Meta-Policies. Computers and Security, 48, pp.92-115.
  6. Ferrini, R. & Bertino, E., 2009. Supporting RBAC with XACML+OWL. In Proceedings of the 14th ACM symposium on Access control models and technologies SE - SACMAT 7809. pp. 145-154. Available at: citeulike-article-id:9252058%5Cnhttp:// dx.doi.org/10.1145/1542207.1542231.
  7. Fisler, K. et al., 2005. Verification and Change-Impact Analysis of Access-Control Policies. Proceedings of the 27th International Conference on Software Engineering, pp.196-205.
  8. FP7, 2016. SMARTIE - secure and smarter cities data management. Available at: http://www.smartieproject.eu/ [Accessed October 25, 2016].
  9. Kabbani, B. et al., 2014. Specification and enforcement of dynamic authorization policies oriented by situations. In 2014 6th International Conference on New Technologies, Mobility and Security - Proceedings of NTMS 2014 Conference and Workshops.
  10. Kehlenbeck, M., Sandner, T. & Breitner, M.H., 2010. Managing internal control in changing organizations through business process intelligence - A service oriented architecture for the XACML based monitoring of supporting systems. In Proceedings of the Annual Hawaii International Conference on System Sciences.
  11. Keleta, Y., Eloff, J.H. & Venter, H., 2005. Proposing a Secure XACML architecture ensuring privacy and trust, Available at: http://icsa.cs.up.ac.za/issa/ 2005/Proceedings/Research/093_Article.pdf.
  12. Lin, D. et al., 2013. A similarity measure for comparing XACML policies. IEEE Transactions on Knowledge and Data Engineering, 25(9), pp.1946-1959.
  13. Liu, A.X. et al., 2011. Designing fast and scalable XACML policy evaluation engines. IEEE Transactions on Computers, 60(12), pp.1802-1817.
  14. Lorch, M. et al., 2003. First experiences using XACML for access control in distributed systems. In Proceedings of the 2003 ACM workshop on XML security. pp. 25-37.
  15. Nam, T. & Pardo, T. a., 2011. Conceptualizing smart city with dimensions of technology, people, and institutions. Proceedings of the 12th Annual International Digital Government Research Conference on Digital Government Innovation in Challenging Times - dg.o 7811, p.282. Available at: http://dl.acm.org/citation.cfm?id=2037556.2037602% 5Cnhttp://dl.acm.org/citation.cfm?id=2072069.207210 0%5Cnhttp://dl.acm.org/citation.cfm?doid=2037556.2 037602.
  16. OASIS, 2013. eXtensible Access Control Markup Language (XACML) Version 3.0. Available at: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-corespec-os-en.pdf [Accessed October 25, 2016].
  17. OASIS, 1993. OASIS. Available at: https://www.oasisopen.org/org [Accessed October 23, 2016].
  18. Priebe, T. et al., 2007. Supporting attribute-based access control in authorization and authentication infrastructures with ontologies. Journal of Software, 2(1), pp.27-38.
  19. Priebe, T., Dobmeier, W. & Kamprath, N., 2006. Supporting attribute-based access control with ontologies. In Proceedings - First International Conference on Availability, Reliability and Security, ARES 2006. pp. 465-472.
  20. Qing, X. & Adams, C., 2006. XACML-Based PolicyDriven Access Control for Mobile Environments. In Canadian Conference on Electrical and Computer Engineering. pp. 643-646.
  21. Samarati, P. & Di Vimercati, S.D.C., 2001. Access Control: Policies, Models, and Mechanisms. Foundations of Security Analysis and Design, 2171, pp.137-196. Available at: http:// www.springerlink.com/index/80wrewj7j1a716wb.pdf.
  22. Sardinha, A., Rao, J. & Sadeh, N., 2007. Enforcing context-sensitive policies in collaborative business environments. In Proceedings - International Conference on Data Engineering. pp. 705-714.
  23. Shelton, T., Zook, M. & Wiig, A., 2015. The “actually existing smart city.” Cambridge Journal of Regions, Economy and Society, 8, pp.13-25. Available at: http://cjres.oxfordjournals.org/lookup/doi/10.1093/cjre s/rsu026.
  24. Stepien, B., Matwin, S. & Felty, A.P., 2011. Advantages of a non-technical {XACML} notation in role-based models. In Ninth Annual Conference on Privacy, Security and Trust. pp. 193--200.
  25. XACML, 2013. AT&T XACML 3.0 Implementation. Available at: https://github.com/att/XACML [Accessed October 23, 2016].
  26. Xu, M. & Duminda, W., 2009. A role-based XACML administration and delegation profile and its enforcement architecture. In ACM workshop on Secure web services. pp. 53-60.
  27. Xu, M., Wijesekera, D. & Zhang, X., 2011. Runtime administration of an RBAC profile for XACML. IEEE Transactions on Services Computing, 4(4), pp.286- 299.
Download


Paper Citation


in Harvard Style

Mortágua Pereira Ó., Semenski V., Domingues Regateiro D. and Aguiar R. (2017). The XACML Standard - Addressing Architectural and Security Aspects . In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS, ISBN 978-989-758-245-5, pages 189-197. DOI: 10.5220/0006224901890197


in Bibtex Style

@conference{iotbds17,
author={Óscar Mortágua Pereira and Vedran Semenski and Diogo Domingues Regateiro and Rui L. Aguiar},
title={The XACML Standard - Addressing Architectural and Security Aspects},
booktitle={Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS,},
year={2017},
pages={189-197},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006224901890197},
isbn={978-989-758-245-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS,
TI - The XACML Standard - Addressing Architectural and Security Aspects
SN - 978-989-758-245-5
AU - Mortágua Pereira Ó.
AU - Semenski V.
AU - Domingues Regateiro D.
AU - Aguiar R.
PY - 2017
SP - 189
EP - 197
DO - 10.5220/0006224901890197