The experts below are selected from a list of 75879 experts worldwide ranked by the ideXlab platform

David W Chadwick - One of the best experts on this subject based on the ideXlab platform.

  • Digital Identity Management - An advanced policy based Authorisation infrastructure
    Proceedings of the 5th ACM workshop on Digital identity management - DIM '09, 2009
    Co-Authors: David W Chadwick, Kaniz Fatema
    Abstract:

    We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

  • An advanced policy based Authorisation infrastructure
    Digital Identity Management, 2009
    Co-Authors: David W Chadwick, Kaniz Fatema
    Abstract:

    We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

  • Adding Authorisation to EduRoam
    2008
    Co-Authors: Gareth Owen, G. Beitis, David W Chadwick
    Abstract:

    EduRoam allows universities to cooperate to authenticate users as they roam between the federated institutions. However, authentication is not always sufficient since the host institution does not know how to differentiate between different groups of roaming users in order to give them access to different network resources. We have designed and built a fine grained Authorisation infrastructure which allows different groups of users to be given access to different network resources. The infrastructure uses JRadius to intercept radius server events and gain the appropriate Authorisation using the PERMIS Authorisation infrastructure. The Network Access Server (NAS) then grants access to the appropriate VLAN given the user's access permissions.

  • Experiences of applying advanced grid Authorisation infrastructures
    Grid Computing, 2005
    Co-Authors: Richard O Sinnott, David W Chadwick, Anthony Stell, O Otenko
    Abstract:

    The widespread acceptance and uptake of Grid technology can only be achieved if it can be ensured that the security mechanisms needed to support Grid based collaborations are at least as strong as local security mechanisms. The predominant way in which security is currently addressed in the Grid community is through Public Key Infrastructures (PKI) to support authentication. Whilst PKIs address user identity issues, authentication does not provide fine grained control over what users are allowed to do on remote resources (Authorisation). The Grid community have put forward numerous software proposals for Authorisation infrastructures such as AKENTI [1], CAS [2], CARDEA [3], GSI [4], PERMIS [5,6,7] and VOMS [8,9]. It is clear that for the foreseeable future a collection of solutions will be the norm. To address this, the Global Grid Forum (GGF) have proposed a generic SAML based Authorisation API which in principle should allow for fine grained control for authorised access to any Grid service. Experiences in applying and stress testing this API from a variety of different application domains are essential to give insight into the practical aspects of large scale usage of Authorisation infrastructures. This paper presents experiences from the DTI funded BRIDGES project [10] and the JISC funded DyVOSE project [11] in using this API with Globus version 3.3 [12] and the PERMIS Authorisation infrastructure.

  • EGC - Experiences of applying advanced grid Authorisation infrastructures
    Advances in Grid Computing - EGC 2005, 2005
    Co-Authors: Richard O Sinnott, David W Chadwick, Anthony Stell, O Otenko
    Abstract:

    The widespread acceptance and uptake of Grid technology can only be achieved if it can be ensured that the security mechanisms needed to support Grid based collaborations are at least as strong as local security mechanisms. The predominant way in which security is currently addressed in the Grid community is through Public Key Infrastructures (PKI) to support authentication. Whilst PKIs address user identity issues, authentication does not provide fine grained control over what users are allowed to do on remote resources (Authorisation). The Grid community have put forward numerous software proposals for Authorisation infrastructures such as AKENTI [1], CAS [2], CARDEA [3], GSI [4], PERMIS [5,6,7] and VOMS [8,9]. It is clear that for the foreseeable future a collection of solutions will be the norm. To address this, the Global Grid Forum (GGF) have proposed a generic SAML based Authorisation API which in principle should allow for fine grained control for authorised access to any Grid service. Experiences in applying and stress testing this API from a variety of different application domains are essential to give insight into the practical aspects of large scale usage of Authorisation infrastructures. This paper presents experiences from the DTI funded BRIDGES project [10] and the JISC funded DyVOSE project [11] in using this API with Globus version 3.3 [12] and the PERMIS Authorisation infrastructure.

Kaniz Fatema - One of the best experts on this subject based on the ideXlab platform.

  • Adding privacy protection to policy based Authorisation systems
    2013
    Co-Authors: Kaniz Fatema
    Abstract:

    An Authorisation system determines who is authorised to do what i.e. it assigns privileges to users and provides a decision on whether someone is allowed to perform a requested action on a resource. A traditional Authorisation decision system, which is simply called Authorisation system or system in the rest of the thesis, provides the decision based on a policy which is usually written by the system administrator. Such a traditional Authorisation system is not sufficient to protect privacy of personal data, since users (the data subjects) are usually given a take it or leave it choice to accept the controlling organisation’s policy. Privacy is the ability of the owners or subjects of personal data to control the flow of data about themselves, according to their own preferences. This thesis describes the design of an Authorisation system that will provide privacy for personal data by including sticky Authorisation policies from the issuers and data subjects, to supplement the Authorisation policy of the controlling organisation. As personal data moves from controlling system to controlling system, the sticky policies travel with the data. A number of data protection laws and regulations have been formulated to protect the privacy of individuals. The rights and prohibitions provided by the law need to be enforced by the Authorisation system. Hence, the designed Authorisation system also includes the Authorisation rules from the legislation. This thesis describes the conversion of rules from the EU Data Protection Directive into machine executable rules. Due to the nature of the legislative rules, not all of them could be converted into deterministic machine executable rules, as in several cases human intervention or human judgement is required. This is catered for by allowing the machine rules to be configurable. 
    Since the system includes independent policies from various authorities (law, issuer, data subject and controller) conflicts may arise among the decisions provided by them. Consequently, this thesis describes a dynamic, automated conflict resolution mechanism. Different conflict resolution algorithms are chosen based on the request contexts. As the EU Data Protection Directive allows processing of personal data based on contracts, we designed and implemented a component, Contract Validation Service (ConVS) that can validate an XML based digital contract to allow processing of personal data based on a contract. The Authorisation system has been implemented as a web service and the performance of the system is measured, by first deploying it in a single computer and then in a cloud server. Finally the validity of the design and implementation are tested against a number of use cases based on scenarios involving accessing medical data in a health service provider’s system and accessing personal data such as CVs and degree certificates in an employment service provider’s system. The machine computed Authorisation decisions are compared to the theoretical decisions to ensure that the system returns the correct decisions.

  • An advanced policy based Authorisation infrastructure
    Digital Identity Management, 2009
    Co-Authors: David W Chadwick, Kaniz Fatema
    Abstract:

    We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

  • Digital Identity Management - An advanced policy based Authorisation infrastructure
    Proceedings of the 5th ACM workshop on Digital identity management - DIM '09, 2009
    Co-Authors: David W Chadwick, Kaniz Fatema
    Abstract:

    We describe a more advanced Authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various Authorisation decisions. Whilst this Authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.

Moritz Y Becker - One of the best experts on this subject based on the ideXlab platform.

  • Specification and analysis of dynamic Authorisation policies
    IEEE Computer Security Foundations Symposium, 2009
    Co-Authors: Moritz Y Becker
    Abstract:

    This paper presents a language, based on transaction logic, for specifying dynamic Authorisation policies, i.e., rules governing actions that may depend on and update the Authorisation state. The language is more expressive than previous dynamic Authorisation languages, featuring conditional bulk insertions and retractions of Authorisation facts, non-monotonic negation, and nested action definitions with transactional execution semantics. Two complementary policy analysis methods are also presented, one based on AI planning for verifying reachability properties in finite domains, and the second based on automated theorem proving, for checking policy invariants that hold for all sequences of actions and in arbitrary, including infinite, domains. The combination of both methods can analyse a wide range of security properties, including safety, availability and containment.

  • CSF - Specification and Analysis of Dynamic Authorisation Policies
    2009 22nd IEEE Computer Security Foundations Symposium, 2009
    Co-Authors: Moritz Y Becker
    Abstract:

    This paper presents a language, based on transaction logic, for specifying dynamic Authorisation policies, i.e., rules governing actions that may depend on and update the Authorisation state. The language is more expressive than previous dynamic Authorisation languages, featuring conditional bulk insertions and retractions of Authorisation facts, non-monotonic negation, and nested action definitions with transactional execution semantics. Two complementary policy analysis methods are also presented, one based on AI planning for verifying reachability properties in finite domains, and the second based on automated theorem proving, for checking policy invariants that hold for all sequences of actions and in arbitrary, including infinite, domains. The combination of both methods can analyse a wide range of security properties, including safety, availability and containment.

Vijay Varadharajan - One of the best experts on this subject based on the ideXlab platform.

  • On the design, implementation and application of an Authorisation architecture for web services
    International Journal of Information and Computer Security, 2020
    Co-Authors: Sarath Indrakanti, Vijay Varadharajan, Ritesh Agarwal
    Abstract:

    This paper proposes an Authorisation architecture for web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure Authorisation of web services as well as the support for the management of Authorisation information. The paper then describes the implementation aspects of the architecture. The architecture has been implemented and integrated within the .NET framework. The Authorisation architecture for web services is demonstrated using a case study in the healthcare domain. The proposed architecture has several benefits. First and foremost, the architecture supports multiple access control models and mechanisms; it supports legacy applications exposed as web services as well as new web service-based applications built to leverage the benefits offered by the Service-Oriented Architecture; it is decentralised and distributed and provides flexible management and administration of web services and related Authorisation information. The proposed architecture can be integrated into existing middleware platforms to provide enhanced security to web services deployed on those platforms.

  • Trust enhanced distributed Authorisation for web services
    Journal of Computer and System Sciences, 2014
    Co-Authors: Aarthi Nagarajan, Vijay Varadharajan, Nathan Tarr
    Abstract:

    In this paper, we propose a trust enhanced distributed Authorisation architecture (TEDA) that provides a holistic framework for Authorisation taking into account the state of a user platform. The model encompasses the notions of ‘hard’ and ‘soft’ trust to determine whether a platform can be trusted for Authorisation. We first explain the rationale for the overall model and then describe our hybrid model with ‘hard’ and ‘soft’ trust components, followed by a description of the system architecture. We then illustrate our implementation of the proposed architecture in the context of Authorisation for web services. We discuss the results and demonstrate that such a trust enhanced approach could enable better Authorisation decision making, especially in a distributed environment where user platforms are subject to dynamic security threats.

  • A hybrid trust model for Authorisation using trusted platforms
    Trust Security And Privacy In Computing And Communications, 2011
    Co-Authors: Aarthi Krishna, Vijay Varadharajan
    Abstract:

    Authorisation systems play a vital role in protecting access to resources in distributed systems. Traditionally, Authorisation is performed at the user level to determine whether a user has the necessary privileges to access a requested resource. However, when it comes to the user's platform, it is often assumed that the system hosting the user and the software running on it are 'trusted' and that it will behave correctly. In this paper, we propose a hybrid trust model that provides techniques for Authorisation taking into account state of user platforms leveraging trusted computing technology. The model encompasses the notions of 'hard' and 'soft' trust to determine whether a platform can be trusted for Authorisation. We first explain the rationale for the model and then provide a description of the proposed hybrid model.

  • TrustCom - A Hybrid Trust Model for Authorisation Using Trusted Platforms
    2011 IEEE 10th International Conference on Trust Security and Privacy in Computing and Communications, 2011
    Co-Authors: Aarthi Krishna, Vijay Varadharajan
    Abstract:

    Authorisation systems play a vital role in protecting access to resources in distributed systems. Traditionally, Authorisation is performed at the user level to determine whether a user has the necessary privileges to access a requested resource. However, when it comes to the user's platform, it is often assumed that the system hosting the user and the software running on it are 'trusted' and that it will behave correctly. In this paper, we propose a hybrid trust model that provides techniques for Authorisation taking into account state of user platforms leveraging trusted computing technology. The model encompasses the notions of 'hard' and 'soft' trust to determine whether a platform can be trusted for Authorisation. We first explain the rationale for the model and then provide a description of the proposed hybrid model.

  • On the design, implementation and application of an Authorisation architecture for web services
    International Journal of Information and Computer Security, 2007
    Co-Authors: Sarath Indrakanti, Vijay Varadharajan, Ritesh Agarwal
    Abstract:

    This paper proposes an Authorisation architecture for web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure Authorisation of web services as well as the support for the management of Authorisation information. The paper then describes the implementation aspects of the architecture. The architecture has been implemented and integrated within the .NET framework. The Authorisation architecture for web services is demonstrated using a case study in the healthcare domain. The proposed architecture has several benefits. First and foremost, the architecture supports multiple access control models and mechanisms; it supports legacy applications exposed as web services as well as new web service-based applications built to leverage the benefits offered by the Service-Oriented Architecture; it is decentralised and distributed and provides flexible management and administration of web services and related Authorisation information. The proposed architecture can be integrated into existing middleware platforms to provide enhanced security to web services deployed on those platforms.

Henry Fitt - One of the best experts on this subject based on the ideXlab platform.

  • Increasing scientific standards, independence and transparency in post-Authorisation studies: the role of the European Network of Centres for Pharmacoepidemiology and Pharmacovigilance
    Pharmacoepidemiology and Drug Safety, 2012
    Co-Authors: Kevin Blake, Corinne S Devries, Peter Arlett, Xavier Kurz, Henry Fitt
    Abstract:

    Purpose: The European Network of Centres for Pharmacoepidemiology and Pharmacovigilance (ENCePP), an initiative coordinated by the European Medicines Agency, aims to build capacity for and increase trust in post-Authorisation studies to further support medicine decision making. Methods: ENCePP seeks to promote and support high standards throughout the post-Authorisation research process based on robust methodologies, transparency and scientific independence. Results: ENCePP provides a point of access to researchers for industry, academia and regulatory authorities seeking collaboration for the conduct of post-Authorisation studies. As of 30 November 2011, the network consisted of 98 research centres, 13 networks and 18 data sources, mostly academic and publicly funded institutions but also data source providers and contract research organisations with expertise in the conduct of post-Authorisation studies. All are listed in the free, public and fully searchable electronic Database of Research Resources. A guide and a checklist on methodological standards have been published; the concept of an ‘ENCePP study’, including a Code of Conduct, introduced; and an electronic register of studies have been launched. Conclusion: It is envisaged that application of the ENCePP study concept will result in an increase in trust in post-Authorisation studies of medicines. The register of studies will allow for ready access to study protocols and results, thereby enhancing transparency and facilitating review. Through the network, standards, transparency and clarity of relationships, ENCePP is expected to add to the European Union capacity to conduct robust post-Authorisation studies, thereby benefiting public health. Copyright © 2012 John Wiley & Sons, Ltd.