Decentralized XACML Overlay Network

Alzahrani, Ali; Janicke, Helge; Abubaker, Sarshad

doi:10.1109/cit.2010.189

Cited by 5 publications

(8 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By submitting the form (1), a new ContractRequest (CR) object is created (2) and the web server sends the CR to a set of clerks via the mail server (3,4). One of the clerks will then review the attached CR (5) and start an analysis job on the internal data analysis server (6), thereby creating a new AnalysisResult (AR) object (7). Once the analysis is performed, the clerk retrieves the AR (8) and performs a manual review on her workstation (9).…”

Section: Running Examplementioning

confidence: 99%

“…The authors Alzahrani et al [5,6] propose and implement an overlay network that allows for the dynamic and distributed deployment of multiple PDPs which are expected to collaboratively enforce history-based XACML policies such as dynamic separation of 168 6. Related Work duties [54].…”

Section: Distributed Policy Decisionsmentioning

confidence: 99%

“…Similar to the approach taken in Section 3.3.2, policies are analyzed and divided into sub-policies which can be independently enforced by different distributed PDPs. Policies which still pose dependencies among another, are "distributed among various synchronized PDPs" [6]. Different from this thesis, Alzahrani et al assume that the objects being protected by policies are static, meaning that they are neither moved across nor within systems and/or domains.…”

Section: Distributed Policy Decisionsmentioning

confidence: 99%

“…(2) Others do not consider that protected resources (i.e. data) keep being propagated throughout the entire distributed system and are thus only able to protect static resources [6,28,31,63,64]. (3) Some works only consider a posteriori detective enforcement of policy violations rather than preventive enforcement [12,13,18].…”

Section: Distributed Policy Decisionsmentioning

confidence: 99%

See 3 more Smart Citations

Data Usage Control for Distributed Systems

Kelbert

Pretschner

2018

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

AcknowledgementsMy thanks go to• Prof. Pretschner. For introducing me to the academic world with all its diverse aspects: administrative matters, conferences, discussions, learning, reading, presentations, projects, reviewing, teaching, writing, pain and glory. For letting me work on an interesting thesis topic. For guidance, feedback, liberty, criticism and plaudits.• Prof. Katzenbeisser. For providing feedback on earlier partial results of this thesis.• all co-authors and internal reviewers. Alexander, Dominik, Enrico, Fatemeh, Hervais, Matthias, Mojdeh, Prachi, Saahil, Sebastian, Tobias. For teaching me how to collaboratively write scientific documents and how to cope best with endless discussions, reviews, corrections, rewriting, etc.• all remaining current and former colleagues and collaborators from KIT, TUM, • all project partners from TU Darmstadt, Universität Freiburg, Universität Kassel, Capurro Fiek Stiftung für Informationsethik, Fraunhofer SIT, Google Germany GmbH, Deutsche Post AG, Nokia, IBM, AGT International, DFKI, Seeburger, Stadtwerke Saarlouis. For innumerable interesting and diverse experiences.• all developers and authors of free tools and Q&A websites. For developing and maintaining software such as Eclipse, Firefox, Gimp, Gnome, Gnuplot, Inkscape, LaTeX, LibreOffice, Linux, StackExchange, Thunderbird, and many more.• all friends and family. Which are simply too many to enumerate. For constantly reminding me, both consciously and unconsciously, in countless ways that there is more to life than work and research. AbstractData usage control provides mechanisms for data owners to remain in control over how their data is used after it has been accessed. Corresponding technical solutions are thus applicable in many distinct areas such as the protection of business, military and government secrets, intellectual property, as well as private user data. However, most existing solutions focus on the enforcement of data usage control within single systems and disregard distributed aspects of data usage control, i.e. how the usage of data can be controlled once data has been shared across systems and organizations.In fact, many data usage policies can only be enforced on a global scale, as they refer to data as well as data usage events happening within several distributed systems, e.g. "at each point in time at most two clerks might have a local copy of this contract", or "a contract must be approved by at least two clerks before it is sent to the customer".While such policies can intuitively be enforced using a centralized infrastructure, major drawbacks are that such solutions constitute a single point of failure and that they are expected to cause heavy communication and performance overheads.In order to address these open challenges, this dissertation contributes by providing (i) a formal distributed data usage control system model, and (ii) the first fully decentralized infrastructure for the preventive enforcement of data usage policies. More precisely, the provided model allows to track the f...

show abstract

Section: Running Examplementioning

confidence: 99%

Section: Distributed Policy Decisionsmentioning

confidence: 99%

Section: Distributed Policy Decisionsmentioning

confidence: 99%

Section: Distributed Policy Decisionsmentioning

confidence: 99%

See 2 more Smart Citations

Data Usage Control for Distributed Systems

Kelbert

Pretschner

2018

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

show abstract

“…According to the attributes contained within the targets in a policy or a rule, Kateb et al [29] decomposed the global policy into several subpolicies. Alzahrani et al [30] proposed an XACML distributed authorization model. In this model, the global policy in the centralized authorization model was decomposed into several subpolicies, which were deployed to corresponding PDPs.…”

Section: Introductionmentioning

confidence: 99%

Policy Decomposition for Evaluation Performance Improvement of PDP

Fan

Chen

Zhang

et al. 2014

Mathematical Problems in Engineering

View full text Add to dashboard Cite

In conventional centralized authorization models, the evaluation performance of policy decision point (PDP) decreases obviously with the growing numbers of rules embodied in a policy. Aiming to improve the evaluation performance of PDP, a distributed policy evaluation engine called XDPEE is presented. In this engine, the unicity of PDP in the centralized authorization model is changed by increasing the number of PDPs. A policy should be decomposed into multiple subpolicies each with fewer rules by using a decomposition method, which can have the advantage of balancing the cost of subpolicies deployed to each PDP. Policy decomposition is the key problem of the evaluation performance improvement of PDPs. A greedy algorithm withO(nlgn)time complexity for policy decomposition is constructed. In experiments, the policy of the LMS, VMS, and ASMS in real applications is decomposed separately into multiple subpolicies based on the greedy algorithm. Policy decomposition guarantees that the cost of subpolicies deployed to each PDP is equal or approximately equal. Experimental results show that (1) the method of policy decomposition improves the evaluation performance of PDPs effectively and that (2) the evaluation time of PDPs reduces with the growing numbers of PDPs.

show abstract

Fast Distributed Evaluation of Stateful Attribute-Based Access Control Policies

Bui¹,

Stoller²,

Sharma³

2017

Data and Applications Security and Privacy XXXI

View full text Add to dashboard Cite

Separation of access control logic from other components of applications facilitates uniform enforcement of policies across applications in enterprise systems. This approach is popular in attribute-based access control (ABAC) systems and is embodied in the XACML standard. For this approach to be practical in an enterprise system, the access control decision engine must be scalable, able to quickly respond to access control requests from many concurrently running applications. This is especially challenging for stateful (also called history-based) access control policies, in which access control requests may trigger state updates. This paper presents an policy evaluation algorithm for stateful ABAC policies that achieves high throughput by distributed processing, using a specialized multi-version concurrency control scheme to deal with possibly conicting concurrent updates. The algorithm is especially designed to achieve low latency, by minimizing the number of messages on the critical path of each access control decision.

show abstract

Decentralized XACML Overlay Network

Cited by 5 publications

References 9 publications

Data Usage Control for Distributed Systems

Data Usage Control for Distributed Systems

Policy Decomposition for Evaluation Performance Improvement of PDP

Fast Distributed Evaluation of Stateful Attribute-Based Access Control Policies

Contact Info

Product

Resources

About