Publication


Featured research published by James B. D. Joshi.


IEEE Symposium on Security and Privacy | 2010

Security and Privacy Challenges in Cloud Computing Environments

Hassan Takabi; James B. D. Joshi; Gail Joon Ahn

Cloud computing is an evolving paradigm with tremendous momentum, but its unique aspects exacerbate security and privacy challenges. This article explores the roadblocks and solutions to providing a trustworthy cloud computing environment.


IEEE Transactions on Knowledge and Data Engineering | 2005

A generalized temporal role-based access control model

James B. D. Joshi; Elisa Bertino; Usman Latif; Arif Ghafoor

Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. In many practical scenarios, users may be restricted to assume roles only at predefined time periods. Furthermore, roles may only be invoked on prespecified intervals of time depending upon when certain actions are permitted. To capture such dynamic aspects of a role, a temporal RBAC (TRBAC) model has been recently proposed. However, the TRBAC model addresses the role enabling constraints only. In this work, we propose a generalized temporal role-based access control (GTRBAC) model capable of expressing a wider range of temporal constraints. In particular, the model allows expressing periodic as well as duration constraints on roles, user-role assignments, and role-permission assignments. In an interval, activation of a role can further be restricted as a result of numerous activation constraints including cardinality constraints and maximum active duration constraints. The GTRBAC model extends the syntactic structure of the TRBAC model and its event and trigger expressions subsume those of TRBAC. Furthermore, GTRBAC allows expressing role hierarchies and separation of duty (SoD) constraints for specifying fine-grained temporal semantics.


IEEE Computer | 2001

Digital government security infrastructure design challenges

James B. D. Joshi; Arif Ghafoor; Walid G. Aref; Eugene H. Spafford

The authors propose an approach that provides a theoretical foundation for the use of object-oriented databases and object-relational databases in data warehouse, multidimensional database, and online analytical processing applications. This approach introduces a set of minimal constraints and extensions to the Unified Modeling Language for representing multidimensional modeling properties for these applications. Multidimensional modeling offers two benefits. First, the model closely parallels how data analyzers think and, therefore, helps users understand data. Second, multidimensional modeling helps predict what final users want to do, thereby facilitating performance improvements. The authors are using their approach to create an automatic implementation of a multidimensional model. They plan to integrate commercial online-analytical-processing tool facilities within their GOLD model case tool as well, a task that involves data warehouse prototyping and sample data generation issues. Most developers agree that data warehouse, multidimensional database (MDB), and online analytical processing (OLAP) applications emphasize multidimensional modeling, which offers two benefits. First, the multidimensional model closely parallels how data analyzers think and, therefore, helps users understand data. Second, this approach helps predict what final users want to do, thereby facilitating performance improvements. Developers have proposed various approaches for the conceptual design of multidimensional systems. These proposals try to represent the main multidimensional properties at the conceptual level with special emphasis on data structures. A conceptual modeling approach for data warehouses, however, should also address other relevant aspects such as initial user requirements, system behavior, available data sources, and specific issues related to automatic generation of the database schemes.
We believe that object orientation with the Unified Modeling Language can provide an adequate notation for modeling every aspect of a data warehouse system from user requirements to implementation. We propose an OO approach to accomplish the conceptual modeling of data warehouses, MDB, and OLAP applications. This approach introduces a set of minimal constraints and extensions to UML 1 for representing multidimensional modeling properties for these applications. We base these extensions on the standard mechanisms that UML provides for adapting itself to a specific method or model, such as constraints and tagged values. Our work builds on previous research, 2-4 which provided a foundation for the results we report here and for earlier versions of our work. We believe that our innovative approach provides a theoretical foundation for the use of OO databases and object-relational databases in data warehouses, MDB, and OLAP applications. We use UML to design data warehouses because it considers an information system's structural and dynamic properties at the conceptual level more naturally than do classic approaches such as the Entity-Relationship model. Further, UML provides powerful mechanisms—such as the Object Constraint Language 1 and the Object Query Language 1 —for embedding data warehouse constraints and initial user requirements in the conceptual model. This approach to modeling a data warehouse system yields simple yet powerful extended UML class diagrams that represent main data warehouse properties at the conceptual level. Multidimensional modeling structures information into facts and dimensions. We define a fact as an item of interest for an enterprise, and describe it through a set of attributes called measures or fact attributes—atomic or derived—which are contained in cells or points within the data cube. We base …


Communications of The ACM | 2001

Security models for web-based applications

James B. D. Joshi; Walid G. Aref; Arif Ghafoor; Eugene H. Spafford

Using traditional and emerging access control approaches to develop secure applications for the Web.


ACM Transactions on Information and System Security | 2005

X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control

Rafae Bhatti; Arif Ghafoor; Elisa Bertino; James B. D. Joshi

Modern day enterprises exhibit a growing trend toward adoption of enterprise computing services for efficient resource utilization, scalability, and flexibility. These environments are characterized by heterogeneous, distributed computing systems exchanging enormous volumes of time-critical data with varying levels of access control in a dynamic business environment. The enterprises are thus faced with significant challenges as they endeavor to achieve their primary goals, and simultaneously ensure enterprise-wide secure interoperation among the various collaborating entities. Key among these challenges are providing effective mechanisms for enforcement of enterprise policy across distributed domains, ensuring secure content-based access to enterprise resources at all user levels, and allowing the specification of temporal and nontemporal context conditions to support fine-grained dynamic access control. In this paper, we investigate these challenges, and present X-GTRBAC, an XML-based GTRBAC policy specification language and its implementation for enforcing enterprise-wide access control. Our specification language is based on the GTRBAC model that incorporates the content- and context-aware dynamic access control requirements of an enterprise. An X-GTRBAC system has been implemented as a Java application. We discuss the salient features of the specification language, and present the software architecture of our system. A comprehensive example is included to discuss and motivate the applicability of the X-GTRBAC framework to a generic enterprise environment. An application level interface for implementing the policy in the X-GTRBAC system is also provided to consolidate the ideas presented in the paper.


Web Information Systems Engineering | 2005

LoT-RBAC: a location and time-based RBAC model

Suroop Mohan Chandran; James B. D. Joshi

Recent growth in location-based mobile services has introduced a significant need for location and time-based access control to resources. High mobility of the users and services in the emerging mobile applications in particular make the issue of controlling who can access what information and resources from which locations a daunting challenge. Several RBAC based models have been proposed that attempt to capture the location based and/or time-based access control requirements in various applications. However, they have limited flexibility and granularity. In this paper, we propose a Location and Time-based RBAC (LoT-RBAC) model to address the access control requirements of highly mobile, dynamic environments to provide both location and time based control.


Symposium on Access Control Models and Technologies | 2002

Temporal hierarchies and inheritance semantics for GTRBAC

James B. D. Joshi; Elisa Bertino; Arif Ghafoor

A Generalized Temporal Role Based Access Control (GTRBAC) model that allows specification of a comprehensive set of temporal constraints for access control has recently been proposed. The model constructs allow one to specify various temporal constraints on role, user-role assignments and role-permission assignments. However, temporal constraints on role enablings and role activations can have various implications on a role hierarchy. In this paper, we present an analysis of the effects of GTRBAC temporal constraints on a role hierarchy and introduce various kinds of temporal hierarchies. In particular, we show that there are certain distinctions that need to be made in permission inheritance and role activation semantics in order to capture all the effects of GTRBAC constraints such as role enablings and role activations on a role hierarchy.


Computer Software and Applications Conference | 2010

SecureCloud: Towards a Comprehensive Security Framework for Cloud Computing Environments

Hassan Takabi; James B. D. Joshi; Gail Joon Ahn

Cloud computing has recently gained tremendous momentum but still is in its infancy. It has the potential for significant cost reduction and the increased operating efficiencies in computing. Although security issues are delaying its fast adoption, cloud computing is an unstoppable force and we need to provide security mechanisms to ensure its secure adoption. In this paper, we propose a comprehensive security framework for cloud computing environments. We also discuss challenges, existing solutions, approaches, and future work needed to provide a trustworthy cloud computing environment.


IEEE Computer | 2004

XML-based specification for Web services document security

Rafae Bhatti; Elisa Bertino; Arif Ghafoor; James B. D. Joshi

The Internet and related technologies have seen tremendous growth in distributed applications such as medicine, education, e-commerce, and digital libraries. As demand increases for online content and integrated, automated services, various applications employ Web services technology for document exchange among data repositories. Web services provide a mechanism to expose data and functionality using standard protocols, and hence to integrate many features that enhance Web applications. XML, a well-established text format, is playing an increasingly important role in supporting Web services. XML separates data from style and format definition and allows uniform representation, interchange, sharing, and dissemination of information content over the Internet. XML and Web services provide a simplified application integration framework that drives demand for models that support secure information interchange. Providing document security in XML-based Web services requires access control models that offer specific capabilities. Our XML-based access control specification language addresses a new set of challenges that traditional security models do not address.


Conference on Data and Application Security and Privacy | 2011

Towards active detection of identity clone attacks on online social networks

Lei Jin; Hassan Takabi; James B. D. Joshi

Online social networks (OSNs) are becoming increasingly popular and Identity Clone Attacks (ICAs) that aim at creating fake identities for malicious purposes on OSNs are becoming a significantly growing concern. Such attacks severely affect the trust relationships a victim has built with other users if no active protection is applied. In this paper, we first analyze and characterize the behaviors of ICAs. Then we propose a detection framework that is focused on discovering suspicious identities and then validating them. Towards detecting suspicious identities, we propose two approaches based on attribute similarity and similarity of friend networks. The first approach addresses a simpler scenario where mutual friends in friend networks are considered; and the second one captures the scenario where similar friend identities are involved. We also present experimental results to demonstrate flexibility and effectiveness of the proposed approaches. Finally, we discuss some feasible solutions to validate suspicious identities.

Collaboration


Top Co-Authors

Hassan Takabi

University of North Texas

Lei Jin

University of Pittsburgh

Yue Zhang

University of Pittsburgh

Xuelian Long

University of Pittsburgh
