Abstract
In this paper we describe a policy based authorisation infrastructure that a cloud provider can run as an infrastructure service for its users. It will protect the privacy of users' data by allowing the users to set their own privacy policies, and then enforcing them so that no unauthorised access is allowed to their data. The infrastructure ensures that the users' privacy policies stay stuck to their data, so that access will always be controlled by the policies even if the data is transferred between cloud providers or services. This infrastructure also ensures the enforcement of privacy policies which may be written in different policy languages by multiple authorities such as: legal, data subject, data issuer and data controller. A conflict resolution strategy is presented which resolves conflicts among the decisions returned by the different policy decision points (PDPs). Performance figures are presented which show that the system performs well and that each additional PDP only imposes a small overhead.
Abstract
This paper describes a conceptual model for attribute aggregation that allows a service provider (SP) to authorise a user's access request based on attributes asserted by multiple identity providers (IdPs), when the user is known by different identities at each of the IdPs. The user only needs to authenticate to one of the IdPs and the SP is given an overall level of assurance (LoA) about the authenticity of the user and his/her attributes. The model employs a new component called a Linking Service (LS), which is a trusted third party under the control of the user, whose purpose is to link together the different IdP accounts that hold a user's attributes, along with their respective LoAs. There are several possible interaction models for communications between the IdPs, the SP, LSs and the user, and each is described. The model is underpinned with a fully specified trust model, which also describes the implications when participants do not fully trust each other as required. Finally, the paper describes how the model has been implemented by mapping onto existing standard protocols based on SAMLv2.
Abstract
Purpose
The objective of this paper is to show that grounded theory (GT), together with mixed methods, can be used to involve healthcare professionals in the design and definition of access control policies to EMR systems.
Methods
The mixed methods applied for this research included, in this sequence, focus groups (main qualitative method that used grounded theory for the data analysis) and structured questionnaires (secondary quantitative method).
Results
Results showed that the presented methodology can be used to involve healthcare professionals in the definition of access control policies to EMR systems and to explore these issues in a diversified and integrated way. The methodology allowed for the generation of large amounts of data at the beginning of the study and in a short time span. Results from the applied methodology revealed a first glimpse of the theories to be generated and integrated, with future research, into the access control policies.
Conclusions
The methodological research described in this paper is very rarely, if ever, applied in developing security tools such as access control. Nevertheless, it can be an effective way of involving healthcare professionals in the definition of access control policies and in making information security more grounded into their workflows and daily practices.
Abstract
There are several problems associated with the current ways that certificates are published and revoked. This paper discusses these problems, and then proposes a solution based on the use of WebDAV, an enhancement to the HTTP protocol. The proposed solution provides instant certificate revocation, minimizes the processing costs of the certificate issuer and relying party, and eases the administrative burden of publishing certificates and certificate revocation lists (CRLs). We describe how WebDAV can be used for X.509 certificate revocation, and describe how we have implemented it in the PERMIS authorization infrastructure.
Abstract
We describe how in today's federated identity management (FIM) systems, such as CardSpace and Shibboleth, service providers (SPs) rely on identity providers (IdPs) to authenticate the users and provide their identity attributes. The SPs then use these attributes for granting or denying users access to their resources. Unfortunately most FIM systems have one significant limitation, which is that the user can only use one IdP within a single SP session, when in many scenarios the user needs to provide attributes from multiple IdPs. We describe how this can be achieved through the introduction of a new service called a linking service. The conceptual model of the linking service is described, as well as the mapping of its messages onto today's standard protocols (SAML, Liberty Alliance and WS-*).
Abstract
We describe adding support for dynamic delegation of authority between users in multiple administrative domains to the XACML model for authorisation decision making. Delegation of authority is enacted via the issuing of credentials from one user to another, and follows the role based access control model. We present the problems and requirements that such a delegation model demands, the policy elements that are necessary to control the delegation chains and a description of the architected solution. We propose a new conceptual entity called the Credential Validation Service (CVS) to work alongside the XACML PDP. We describe our implementation of the CVS and present performance measurements for validating delegated chains of credentials.
Abstract
Purpose
This paper describes a bilateral symmetric approach to authorization, privacy protection and obligation enforcement in distributed transactions. We introduce the concept of the Obligation of Trust (OoT) protocol as a privacy assurance and authorization mechanism that is built upon the XACML standard. The OoT allows two communicating parties to dynamically exchange their privacy and authorization requirements and capabilities, which we term a Notification of Obligation (NoB), as well as their commitments to fulfilling each other's requirements, which we term Signed Acceptance of Obligations (SAO). We describe some applications of these concepts and show how they can be integrated into distributed authorization systems for stricter privacy and confidentiality control.
Design/Methodology/Approach
Existing access control and privacy protection systems are typically unilateral and provider-centric, in that the enterprise service provider assigns the access rights, makes the access control decisions, and determines the privacy policy. There is no negotiation between the client and the service provider about which access control or privacy policy to use. We adopt a symmetric, more user-centric approach to privacy protection and authorization, which treats the client and service provider as peers, in which both can stipulate their requirements and capabilities, and hence negotiate terms which are equally acceptable to both parties.
Findings
We demonstrate how the Obligation of Trust protocol can be used in a number of different scenarios to improve upon the mechanisms that are currently available today.
Practical Implications
This approach will serve to increase trust in distributed transactions since each communicating party receives a difficult to repudiate digitally signed Acceptance of Obligations, in a standard language (XACML), which can be automatically enforced by their respective computing machinery.
Originality/Value
This paper adds to current research in trust negotiation, privacy protection and authorization by combining all three together into one set of standardized protocols. Furthermore, by providing hard to repudiate Signed Acceptance of Obligations messages, this strengthens the legal case of the injured party should a dispute arise.
Abstract
In a virtual organization environment, where services and data are provided and shared among organizations from different administrative domains and protected with dissimilar security policies and measures, there is a need for a flexible authentication framework that supports the use of various authentication methods and tokens. The authentication strengths derived from the authentication methods and tokens should be incorporated into an access-control decision-making process, so that more sensitive resources are available only to users authenticated with stronger methods. This paper reports our ongoing efforts in designing and implementing such a framework to facilitate multi-level and multi-factor adaptive authentication and authentication-strength-linked fine-grained access control. The proof-of-concept prototype is designed and implemented in the Shibboleth and PERMIS infrastructures, which specify protocols to federate authentication and authorization information and provide a policy-driven, role-based, access-control decision-making capability.
Abstract
This paper describes how it is possible to use today's existing stateless PDPs, such as the XACML PDP, to provide coordinated access control decision making throughout a distributed application. This is achieved by utilising an external database service to store the retained ADI that is needed by the PDPs. In this way the decision making can be coordinated and controlled throughout time and space. The retained ADI is modelled as coordination attributes of a coordination object, and coordination PIPs linked to each PDP access the coordination database service to retrieve the current values of the coordination attributes prior to the access control decision being made. Obligations in the access control policy define how the coordination attributes should be updated when the user is granted access to a resource. Three different modes of enforcing obligations are defined by a Chronicle directive, namely Chronicle = Before, Chronicle = After and Chronicle = With. The paper describes how the coordinated decision making has been implemented in Globus Toolkit v4, by developing a Coordinated PDP that incorporates a coordination PIP, an Obligations Service that implements the Chronicle = Before mode of operation, and a stateless PDP that makes the access control decisions; and an external coordination database grid service that has its own security controls to ensure that only Coordinated PDPs can access it. The paper concludes by discussing the implementation and indicating how the Chronicle = After and Chronicle = With modes of operation might also be supported in GT4.
Abstract
This paper describes the results of our recent GridShibPERMIS project to provide policy-driven role-based access control decision making to Grid jobs, in which the user's attributes are provided by a Shibboleth Identity Provider (IdP). The goal of the project is to integrate the identity-federation and attribute-assignment functions of Shibboleth with the policy-based enforcement function of PERMIS, in order to provide a flexible fine-grained authorisation system for Grid jobs running under Globus Toolkit v4. This was done by combining the GT4-Shibboleth integration performed in the United States with the PERMIS infrastructure built in the United Kingdom, and developing a GridShibPERMIS Context Handler. This allows for interoperability between GridShib and PERMIS by providing the required attribute extraction, conversion and transfer functions. As a result, the GridShibPERMIS project integrates the advantages of both Shibboleth cross-organisation identity federation and PERMIS policy-driven role-based access control, and represents a new avenue of policy-based authorisation for Grids. The paper provides a brief overview of the technologies involved (GT4, Shibboleth and PERMIS), and presents how the three are combined to provide an efficient and simple fine-grained authorisation mechanism with low implementation costs. The paper concludes with the lessons learned and plans for the future.
Abstract
This paper briefly surveys how authorisation in Grid computing has evolved during the last few years, and presents the latest developments in which Grid applications can utilise a policy controlled authorisation infrastructure to make decisions about which users are allowed to perform which actions on which Grid resources. The paper describes the Global Grid Forum SAML interface for connecting policy based authorisation infrastructures to Grid applications, and then describes the PERMIS authorisation infrastructure which has implemented this interface. The paper concludes with suggestions about how this work will evolve in the future.
Abstract
A lightweight role-based access control policy authoring tool was developed for e-Scientists, a community where access policies have to be implemented for an increasingly heterogeneous group of local and remote users. Two fundamental problems were identified: (1) lack of understanding of what the policy components are (i.e. how authorization policies are structured), and (2) lack of understanding of the underlying policy paradigm (i.e. what should go into the policy, and what should be left out). Conceptual design (CD) techniques were used to revise the user interface (UI) labels so that e-Scientists and developers were better able to describe access policy components from labels, and match labels with components (t=6.28, df=7, p=.000 two tailed). CD, instructional text, bubble help, UI behaviour and alert boxes were used to shape users' models of the policy paradigm. The final prototype improved users' efficiency and effectiveness by: more than doubling the speed with which expert users could write authorization policies; and enabling users without specialist security knowledge to overcome the policy paradigm and components problems, so that they completed 80% of basic and 75% of advanced authorization policy writing tasks in a usability trial.
Abstract
The United Kingdom National Health Service (NHS) is about to commence a major computerisation of its processes as part of a government plan of modernisation. One of these is the Electronic Transmission of Prescriptions (ETP). To achieve success it is important to know what benefits are expected from the new system and what barriers to adoption the system will face. This paper reviews substantial ETP published material, and identifies seventeen issues that need to be addressed. These issues are categorised under 4 major headings of stakeholders, cost, technology, and current process and practice, and are then further classified as positive or negative influences on the project's success. Many of these influences will be common to most of the computerisation projects to be undertaken by the NHS, and therefore this paper has wider applicability than ETP.
Abstract
Performance tests of XML and ASN.1 found that signed complex XML messages can be up to 1,000 percent slower to decode than an equivalent ASN.1 message.
Abstract
This article summarises the findings of five focus group sessions discussing the Electronic Transfer of Prescriptions (ETP), held in 2003 at Salford and Huddersfield Universities. The aim of this evaluation was to ascertain the views of the stakeholders towards the introduction of ETP and views on existing ETP pilot models. The eight hypotheses identified as most important from the findings [1] are described.
Abstract
The UK government has stated within its plan of reform for the National Health Service that a secure system for the Electronic Transfer of Prescriptions will be available by 2004. The objectives of this paper are to highlight the significant barriers faced in securing an ETP system, to provide a critical analysis of the security mechanisms in the models currently being piloted and to suggest an alternative revised model which overcomes the identified deficiencies and security hurdles. To identify the significant security issues relevant to the adoption of ETP, the authors have combined their analysis of present prescription processing practice with their knowledge of computer security. The authors identify and describe how the issues of patient confidentiality, authorization, identity authentication, audit, scalability, availability and reliability are significant barriers to the adoption of ETP, particularly if they affect ease of use. The paper's contribution to the field of ETP is to suggest solutions to each of the identified security issues and to combine the solutions together in a revised and developed model.
Abstract
This paper describes a system that gives opticians Internet access from their high street shops to patient data held in a hospital Diabetes Information System (DIS), using a standard Web browser. The system is a revision of an earlier one we provided to General Practitioners (GPs), and uses a public key infrastructure with strong encryption and digitally signed messages to secure the data as it traverses the Internet.
We describe the PKI and the security architecture, the DIS we chose to distribute, the changes that we made to the Web interface to tailor it to the opticians' needs, the validation testing we performed, the results of the pilot testing and the feedback we obtained from the opticians. We also compare the results with our earlier work with GPs.
We found that in a well-designed system the underlying PKI is virtually invisible to the users, and its security is taken for granted. Users then concentrate on the costs and benefits of the electronic application. In our system, benefits can accrue to opticians by giving them access to the latest patient data, and this can help to improve patient care. Benefits also accrue to the DIS administrators and the wider community of DIS users, in that data quality can be significantly improved. However, we found that the slow speed of Internet access via a dial up connection is a significant impediment to its frequent use. We also found that it is extremely difficult to produce a user interface that pleases everyone. Finally, in complex information systems such as this PKI, failure of just one component or administrative procedure can have a catastrophic effect on the availability of the entire system.
Abstract
The lightweight directory access protocol (LDAP) is the Internet standard way of accessing directory services that conform to the X.500 data model. It is very widely supported by all the leading software vendors, and is part of Windows 2000 Active Directory. LDAP comes in two versions:
* LDAPv2 - the original lightweight variation of the X.500 Directory Access Protocol (DAP), and
* LDAPv3 [10] - the heavyweight version.
Whilst the DAP was designed from its inception to support public key infrastructures (PKIs), being part of the same X.500 family of standards as X.509, LDAP was not. LDAP has however become the predominant protocol in support of PKIs accessing directory services for certificates and certificate revocation lists (CRLs), but because of its lineage, it has some deficiencies. This paper describes the deficiencies in both the LDAPv2 and v3 protocols, along with the solutions that have been and are being standardised within the IETF to rectify them. The deficiencies are documented firstly for a centralised directory service, in which a single standalone LDAP server is used to support a single PKI, and secondly for a distributed directory service, in which there are many LDAP servers that need to co-operate in order to support a network of interconnected PKIs.
Abstract
This paper describes a policy driven role based access control system. The user's roles and the policy are stored in X.509 Attribute Certificates. The policy, written in XML, describes who is trusted to allocate roles to users, and what permissions each role has. The DTD has been published at XML.org. Access control decisions are made by an Access Control Decision Function consisting of just three Java methods and a constructor. The decision is made according to the requested mode of access, the user's trusted roles and the policy. A tool for making and storing ACs is also described.
Abstract
This paper describes the EC PERMIS project, which has developed a role based access control infrastructure that uses X.509 attribute certificates (ACs) to store the users' roles. All access control decisions are driven by an authorization policy, which is itself stored in an X.509 AC, thus guaranteeing its integrity. All the ACs can be stored in one or more LDAP directories, thus making them widely available. Authorization policies are written in XML according to a DTD that has been published at XML.org. The Access Control Decision Function (ADF) is written in Java and the Java API is simple to use, comprising just 3 methods and a constructor. There is also a Privilege Allocator, which is a tool that constructs and signs ACs and stores them in an LDAP directory for subsequent use by the ADF.
Abstract
With the growth of many different public key infrastructures on the Internet, relying parties have the difficult task of deciding whether the sender of a digitally signed message is really who the public key certificate says they are. We have built an expert system that calculates the amount of trust, or trust quotient, that one can place in the name to public key binding in a certificate. The structure of the expert system is based on the CPS framework of Chokhani and Ford (RFC 2527), whilst the relative importance of the various factors that comprise the trust quotient was determined by interviewing PKI experts from around the globe. This paper discusses the knowledge analysis strategy employed to collect this expert information and how we used it to develop the KBS. The analysis of the results of the interviews is also presented, and it can be summarised succinctly as "there are some factors concerning trust in a PKI which nearly all experts agree upon, and there are other factors in which there is very little agreement at all". Identifying contextual factors when building a knowledge base is very important. In many cases, a disagreement between experts, as shown by a bimodal split in importance, was traced to differences in context, and we show how this can be a source of new knowledge.
Abstract
The paper describes a knowledge based system (KBS) for modelling trust in the Certification Authority (CA) of a Public Key Infrastructure (PKI). It was built using a graphical KBS toolkit, Istar, that allows the knowledge builder to easily model the important relationships between concepts of the domain. The knowledge base was initially built using published work and was subsequently extended by knowledge obtained from leading PKI experts. The first prototype system computes the trust in a CA by asking the user a series of questions about the CA's Certification Practice Statement. Examples of its use with two well known public CAs are discussed. An important issue raised and discussed in this paper is how to map symbols in the KB to the knowledge level of human trust and beliefs, for such an ill-defined area of knowledge as trust, and four main mappings have been identified. Another issue that emerged relates to the use of questionnaires during knowledge acquisition. The expert system is currently available online via the Istar Knowledge Server, and future work is discussed.
Abstract
While the widespread adoption of Internet and Intranet technology has been one of the exciting developments of recent years, many hospitals are finding that their data and legacy applications do not naturally fit into the new methods of dissemination. Existing applications often rely on isolation or trusted networks for their access control or security, whereas untrusted wide area networks pay little attention to the authenticity, integrity or confidentiality of the data they transport. Many hospitals do not have the resources to develop new "network-ready" versions of existing centralised applications. In this paper, we examine the issues that must be considered when providing network access to an existing health care application, and we describe how we have implemented the proposed solution in one healthcare application, namely the diabetic register at Hope Hospital. We describe the architecture that allows remote access to the legacy application, providing it with encrypted communications and strongly authenticated access control but without requiring any modifications to the underlying application. As well as comparing alternative ways of implementing such a system, we also consider issues relating to usability and manageability, such as password management.
Abstract
A project that piloted the secure electronic preparation of examination papers ran during the first semester of the academic year 1998-99 at the University of Salford. The examination papers were transferred between the participants (lecturers, administrators and external examiners) using secure electronic mail. Security was provided by a managed public key infrastructure. Users were profiled and interviewed in order to determine the likely success of further roll out within the institution, as well as the user friendliness of the existing paper based and proposed electronic systems. The project found that, while the technology worked for some participants, others had severe problems with installation of the software and failed to grasp key concepts. There appear to be formidable obstacles to extending the system to cover the whole university, including compatibility of equipment and the reliability of the network infrastructure.
Abstract
Microsoft conceived Windows 2000 as the operating system for the Internet. This gave many people pause for thought, given Microsoft's less-than-sterling reputation regarding cohabitation of competitors' software on their operating system. The Internet is based on open standards and interworking between different systems from different suppliers. If Windows 2000 compromises the Internet's integrity and ubiquity, two of its primary hallmarks, will it really be the best operating system to base your Internet services on? Some of the new additions to Windows 2000 show that, although Microsoft pays lip-service to the Internet's sacred tenets of openness and support for standards, it has actually (and sometimes only subtly) removed or subverted these tenets. The Windows 2000 changes appear to subtly exclude technologies from other vendors and make interworking more difficult.
Abstract
The ICE-TEL project is a pan-European project that is building an Internet X.509 based certification infrastructure throughout Europe, plus several secure applications that will use it. This paper describes the trust model that is being implemented by the project. A trust model specifies the means by which a user may build trust in the assertion that a remote user is really who he purports to be (authentication) and that he does in fact have a right to access the service or information that he is requesting (authorization). The ICE-TEL trust model is based on a merging of and extensions to the existing Pretty Good Privacy (PGP) web of trust and Privacy Enhanced Mail (PEM) hierarchy of trust models, and is called a web of hierarchies trust model. The web of hierarchies model has significant advantages over both of the previous models, and these are highlighted here. The paper further describes the way that the trust model is enforced through some of the new extensions in the X.509 V3 certificates, and gives examples of its use in different scenarios.
Abstract
X.500 is a new and complex electronic directory technology, whose basic specification was first published as an international standard in 1988, with an enhanced revision in 1993. The technology is still unproven in many organisations. This paper presents case studies of 15 pioneering pilot and operational X.500 based directory services. The paper provides valuable insights into how organisations are coming to understand this new technology, are using X.500 for both traditional and novel directory based services, and consequently are deriving benefits from it. Important lessons that have been learnt by these X.500 pioneers are presented here, so that future organisations can benefit from their experiences. Factors critical to the success of implementing X.500 in an organisation are derived from the studies.
Abstract
The Internet is rapidly becoming the communications infrastructure. With its advantages of speed, availability, and `different time, different place' mode of communication, it can be successfully harnessed to accomplish tasks that previously required face-to-face meetings. Such meetings can consume large travel budgets and staff time, and therefore alternative mechanisms that achieve the same results for less cost should be welcomed. One of these new uses of the Internet is to collect case study material. This paper presents a method that has been successfully employed by the author to collect 15 case studies of X.500 implementations. The method described herein consists of three phases: preparation, correspondence and documentation phases. Each of the phases is described, and the author also presents useful tips that he gained during the course of his studies. The method should provide future researchers with a framework which can be successfully employed to productively utilise the resources of the Internet.
Abstract
Authorization systems are an integral part of any network where resources need to be protected. They act as the gateway for providing (or denying) subjects (users) access to resources. As networks expand and organisations start to federate access to their resources, authorization infrastructures become increasingly difficult to manage. In this paper, we explore the potential of self-adaptive authorization as a means to automate the management of the access control configuration. We propose a Self-Adaptive Authorization Framework (SAAF) that is capable of managing any policy based distributed RBAC/ABAC authorization infrastructure. SAAF relies on a feedback control loop to monitor decisions (by policy decision points) of a target authorization infrastructure. These decisions are analysed to form a view of the subjects' behaviour to decide whether to adapt the target authorization infrastructure. Adaptations are made in order to either endorse or restrict the identified behaviour, e.g. by loosening or tightening the current authorization policy. We demonstrate, in terms of representative scenarios, SAAF's ability to detect abnormal behaviour, such as misuse of access to system resources, propose solutions that either prevent or endorse such behaviour, apply a cost function to each of these solutions, and execute the adaptive changes against a target authorization infrastructure.
Abstract
We describe a set of security APIs that grant federated access to a user's cloud resources, and that also allow the user to grant access to his resources to anyone from anywhere at any time. The APIs implement federated access to clouds, fine grained access controls and delegation of authority. We have integrated these APIs into two cloud applications in order to validate their utility. This paper describes the conceptual model and architecture of the APIs, as well as their integration into the Eucalyptus S3 service. The paper concludes by specifying the current limitations.
Abstract
We describe a federated identity management service that allows users to access organisational resources using their existing login accounts at social networking and other sites, without compromising the security of the organisation's resources. We utilise and extend the Level of Assurance (LoA) concept to ensure the organisation's site remains secure. Users are empowered to link together their various accounts, including their organizational one with an external one, so that the strongest registration procedure of one linked account can be leveraged by the login processes of other sites that have less stringent registration procedures. Coupled with attribute release from their organizational account, this allows users to escalate their privileges due to either an increased LoA, or additional attributes, or both. The conceptual and architectural designs are described, followed by the implementation details, the user trials we carried out, and a discussion of the current limitations of the system.
Abstract
The use of Shibboleth as a mechanism for implementing federated authentication is commonplace in many countries. The ability of Shibboleth to transmit extra information about a user, including licenses, roles and other attributes, is not exploited for many reasons, mainly because institutional Identity Providers (IdPs) are not maintainable sources of fine-grained authorisation information. The JISC-funded Shintau project has produced an extension to the Shibboleth profile which allows a user to link information from more than one IdP together utilising a custom Linking Service (LS). This paper describes both the application and independent evaluation of this software by the National e-Science Centre (NeSC) at the University of Glasgow within the context of the ESRC-funded Data Management through e-Social Science (DAMES) project.
Abstract
Based on the assumption that cloud providers can be trusted (to a certain extent) we define a trust, security and privacy preserving infrastructure that relies on trusted cloud providers to operate properly. Working in tandem with legal agreements, our open source software supports: trust and reputation management, sticky policies with fine grained access controls, privacy preserving delegation of authority, federated identity management, different levels of assurance and configurable audit trails. Armed with these tools, cloud service providers are then able to offer a reliable privacy preserving infrastructure-as-a-service to their clients.
Abstract
With increasingly distributed computing systems, the management task of controlling access to shared resources becomes more and more complicated. Policy based access control systems may provide a solution to this problem, but the issue then becomes one of how to easily specify access control policies. We have designed and implemented a user interface that enables novice users to author their own access control policies using a controlled natural language (CNL) interface. With this interface, users are able to author their policies by typing sentences in a subset of the English language. The sentences are then parsed and output as a machine readable policy, ready for automatic enforcement by a policy decision point (PDP). In this paper we describe the details of the design and implementation of this CNL interface, along with a summary of the user evaluation.
Abstract
Access control models describe frameworks that dictate how subjects (e.g. users) access resources. In the Role-Based Access Control (RBAC) model access to resources is based on the role the user holds within the organization. Although flexible and easier to manage within large-scale authorization frameworks, RBAC is usually a static model where access control decisions have only two output options: Grant or Deny. Break The Glass (BTG) policies can be provided in order to break or override the access controls within an access control policy, but in a controlled and justifiable manner. The main objective of this paper is to integrate BTG within the NIST/ANSI RBAC model in a transparent and secure way so that it can be adopted generically in any domain where unanticipated or emergency situations may occur. The new proposed model, called BTG-RBAC, provides a third decision option, BTG. This allows break the glass policies to be implemented in any application without any major changes to either the application or the RBAC authorization infrastructure, apart from the decision engine. Finally, in order to validate the model, we discuss how the BTG-RBAC model is being introduced within a Portuguese healthcare institution where the legislation requires that genetic information must be accessed by a restricted group of healthcare professionals. These professionals, advised by the ethical committee, have required and asked for the implementation of the BTG concept in order to comply with the said legislation.
Abstract
We describe a more advanced authorisation infrastructure for identity management systems which in addition to the traditional Policy Enforcement Point (PEP) and Policy Decision Point (PDP) has an application independent policy enforcement point (AIPEP), a credential validation service (CVS) and a master PDP. The AIPEP is responsible for handling sticky policies, calling the master PDP, performing application independent obligations, and validating credentials using the CVS. The master PDP is responsible for calling multiple traditional PDPs that support a variety of policy languages, and resolving conflicts between the various authorisation decisions. Whilst this authorisation infrastructure may seem more complex to implement, it is in fact easier for applications to integrate since nearly all of the complexity is hidden beneath the PEP interface.
Abstract
Authorization infrastructures manage privileges and render access control decisions, allowing applications to adjust their behavior according to the privileges allocated to users. This paper describes the PERMIS role-based authorization infrastructure along with its conceptual authorization, access control, and trust models. PERMIS has the novel concept of a credential validation service, which verifies a user's credentials prior to access control decision-making and enables the distributed management of credentials. PERMIS also supports delegation of authority; thus, credentials can be delegated between users, further decentralizing credential management. Finally, PERMIS supports history-based decision-making, which can be used to enforce such aspects as separation of duties and cumulative use of resources. Details of the design and the implementation of PERMIS are presented along with details of its integration with Globus Toolkit, Shibboleth, and GridShib. A comparison of PERMIS with other authorization and access control implementations is given, along with suggestions where future research and development are still needed.
Abstract
Grids allow for collaborative e-Research to be undertaken, often across institutional and national boundaries. Typically this is through the establishment of virtual organizations (VOs) where policies on access and usage of resources across partner sites are defined and subsequently enforced. For many VOs, these agreements have been lightweight and erred on the side of flexibility with minimal constraints on the kinds of jobs a user is allowed to run or the amount of resources that can be consumed. For many new domains such as e-Health, such flexibility is simply not tenable. Instead, precise definitions of what jobs can be run, and what data can be accessed by who need to be defined and enforced by sites. The role based access control model (RBAC) provides a well researched paradigm for controlling access to large scale dynamic VOs. However, the standard RBAC model assumes a single domain with centralised role management. When RBAC is applied to VOs, it does not specify how or where roles should be defined or made known to the distributed resource sites (who are always deemed to be autonomous to make access control decisions). Two main possibilities exist based on either a centralized or decentralized approach to VO role management. We present the advantages and disadvantages of the centralized and decentralized role models and describe how we have implemented them in a range of security focused e-Research domains at the National e-Science Centre (NeSC) at the University of Glasgow.
Abstract
The Bell-LaPadula security model is a hybrid model that combines mandatory access controls and discretionary access controls. The Bell-LaPadula security model has been widely accepted in military environments for its capability to specify military style confidentiality policies. The role based access control (RBAC) model has attracted extensive research effort and has been acknowledged as a flexible and policy natural model. This paper investigates a way of modeling Bell-LaPadula security policies using the RBAC model. The capability of modeling Bell-LaPadula security policies using RBAC model means that applications that are implemented using the RBAC model can then be deployed in military environments and will meet their requirements for information confidentiality.
Abstract
The implementation of usable security is particularly challenging in the growing field of Grid computing, where control is decentralised, systems are heterogeneous, and authorization applies across administrative domains. PERMIS, based on the Role-Based Access Control (RBAC) model, provides a unified, scalable infrastructure to address these challenges. Previous research has found that resource owners generally do not understand the PERMIS RBAC model and consequently have difficulty expressing access control policies. We have addressed this issue by investigating the use of a controlled natural language parser for expressing these policies. In this paper, we describe our experiences in the design, implementation, and evaluation of this parser for the PERMIS Editor. We began by understanding the ways in which non-security specialists express their Grid access control needs, through interviews and focus groups with 45 resource owners. We found that the many areas of Grid computing use present varied security requirements; this suggests a minimal, open design. We designed and implemented a controlled natural language system to support these needs, which we evaluated with a cross-section of 17 target users. We found that the interface is highly usable for interaction: participants were not daunted by the text editor, and understood the syntax easily. However, some strict requirements of the controlled language were problematic. Using natural language helps overcome some conceptual mis-matches between PERMIS RBAC and older paradigms; however, there are still subtleties which are not always understood. In conclusion, the parser is not sufficient on its own, and should be seen in the interplay with other parts of the PERMIS Editor, so that, iteratively, users are helped to understand the underlying PERMIS model and to express their security policies more accurately and more completely.
Abstract
Existing access control systems are typically unilateral in that the enterprise service provider assigns the access rights and makes the access control decisions, and there is no negotiation between the client and the service provider. As access management systems lean towards being user-centric, unilateral approaches can no longer adequately preserve the users' privacy, particularly where the communicating parties have no pre-existing trust relationships. Establishing sufficient trust is therefore essential before parties can exchange sensitive information. This paper describes a bilateral symmetric approach to access control which deals with privacy and confidentiality simultaneously in distributed transactions. We introduce the concept of Obligation of Trust (OoT) as a privacy assurance mechanism that is built upon the XACML standard. The OoT allows communicating parties to dynamically exchange their privacy requirements, which we term Notification of Obligations (NOB), as well as their committed obligations, which we term Signed Acceptance of Obligations (SAO). We describe some applicability of these concepts and show how they can be integrated into distributed access control systems for stricter privacy and confidentiality control.
Abstract
This paper presents the results of a survey of requirements for attribute aggregation in authorisation systems, gathered from an international community of security professionals. It then analyses these requirements against 4 generic models for attribute aggregation and makes some recommendations for future implementations.
Abstract
A Virtual Organisation (VO) is a temporary alliance of autonomous, diverse, and geographically dispersed organisations, where the participants pool resources, information and knowledge in order to meet common objectives. This requires dynamic security policy management. We propose an authorisation policy management model called recognition of authority (ROA) which allows dynamically trusted authorities to adjust the authorisation policies for VO resources. The model supports dynamic delegation of authority, and the expansion and contraction of organizations in a VO, so that the underlying authorisation system is able to use existing user credentials issued by participating organisations to evaluate the users' access rights to VO resources.
Abstract
The widening use of Information Systems, which allow the collection, extraction, storage, management and search of information, is increasing the need for information security. After a user is successfully identified and authenticated to a system, he/she needs to be authorised to access the resources he/she requested. Access control is the part of this last process that checks if a user can access those resources. This is particularly important in the healthcare environment where there is the need to control access to Electronic Medical Records (EMR). Although EMR can be an important support tool for the healthcare professional, there are some barriers that prevent its successful integration. These barriers include the fact that healthcare professionals do not participate in the development of access control to the EMR, which imposes extra effort on them in its use. New access control policies to be implemented should focus on human processes and needs. The main objective of this project is to reduce EMR barriers by including healthcare professionals and patients in the definition and improvement of access control policies and models. If this can be achieved, we hypothesize that the EMR can be more successfully integrated into the healthcare practice and provide for better patient treatment.
Abstract
One of the most challenging problems in managing large networks is the complexity of security administration. Role based access control (RBAC) has become the predominant model for advanced access control. Flexibility and manageability are important requirements for any delegation system, which is one of the most important access control management mechanisms in authorisation systems. This paper proposes a delegation model that satisfies these requirements.
Chadwick, David W. and Xu, Wensheng and Otenko, Sassa et al. (2007)
Multi-Session Separation of Duties (MSoD) for RBAC.
In: IEEE International Conference on Data Engineering Workshop. IEEE Computer Society Press, Istanbul, Turkey pp. 744-753. ISBN 978-1-4244-0831-3.
Abstract
Separation of duties (SoD) is a key security requirement for many business and information systems. Role Based Access Controls (RBAC) is a relatively new paradigm for protecting information systems. In the ANSI standard RBAC model both static and dynamic SoD are defined. However, static SoD policies assume that the system has full control over the assignment of all roles to users, whilst dynamic SoD policies assume that conflicts of interest can only arise during the simultaneous activation of a user's roles. Unfortunately neither of these assumptions holds true in dynamic virtual organisations (VOs), or in business processes that span multiple user sessions, or where users only partially disclose their roles at each session. In this paper we propose multi-session SoD (MSoD) policies for business processes which include multiple tasks enacted by multiple users over many user access control sessions. We explore the means to define MSoD policies in RBAC via multi-session mutually exclusive roles (MMER) and multi-session mutually exclusive privileges (MMEP). We propose an approach to expressing MSoD policies in XML and enforcing MSoD policies in a policy controlled RBAC infrastructure. Finally, we describe how we have implemented MSoD policies in the PERMIS Privilege Management Infrastructure.
Abstract
Role based access control has been widely used in security critical systems. Conventional role based access control is a passive model, which makes authorization decisions on requests, and the authorization decisions contain only information about whether the corresponding requests are authorised or not. One of the potential improvements for role based access control is the augmentation of obligations, where obligations are tasks and requirements to be fulfilled together with the enforcement of authorization decisions. This paper conducts a comprehensive literature review about role based access control and obligation related research, and proposes a design of the augmentation of obligations in the context of the RBAC standard. The design is then further consolidated in the PERMIS RBAC authorization infrastructure. Details of incorporating obligations into the PERMIS RBAC authorization infrastructure are given. This paper also discusses the possible nondeterminism caused by overlapped authorisation.
Abstract
There are several problems associated with the current ways that certificates are published and revoked. This paper discusses these problems, and then proposes a solution based on the use of WebDAV, an enhancement to the HTTP protocol. The proposed solution provides instant certificate revocation, minimizes the processing costs of the certificate issuer and relying party, and eases the administrative burden of publishing certificates and certificate revocation lists (CRLs).
Abstract
The ability to dynamically create and subsequently manage secure virtual organisations (VO) is one of the key challenges facing the Grid community. Existing approaches for establishing and managing VOs typically suffer from lack of fine grained security since they largely focus on public key infrastructures with statically defined access control lists, or they are based upon a centralised site for storage of VO specific security information. What is really needed is a federated model of security where sites are able to manage their own security information for their own institutional members, delegating where necessary to trusted local or remote entities, as well as defining and enforcing authorisation policies for their own resources. In this paper we present tools that support such capabilities and highlight how they have been applied to dynamically create and manage security focused VOs in the education domain. We believe that this federated VO security model for fine grained access to Grid services and resources should be the future model upon which security focused Grids are based.
Abstract
Coordinating the cumulative use of distributed resources in a grid environment so that users do not consume too much is a difficult task. This paper presents one approach that we have implemented in Globus Toolkit version 4 (GT4), that uses an SQL database to hold coordination data, and policy decision points (PDPs) to make access control decisions about whether the user's request for more resources can be granted or denied. When access is granted, obligations in the policy ensure that the coordination database is appropriately updated. In our initial implementation, the coordination service is embedded into the GT4 authorization chain as a custom PDP so that any web service can be provided with a security policy that provides a coordination capability. In the final section we describe how coordinated decision making could be more tightly integrated into a future version of GT.
Abstract
This short paper reports on a current project to conduct a detailed investigation into non-security professionals' vocabulary and understanding of e-infrastructure and assets, with the longer term aim of building an ontology and controlled natural language interface that will allow them to build security policies, incorporating complex concepts such as delegation of authority, separation of duties (SoD), obligations and conditions. The interface is designed around the principle of the virtuous circle, whereby the user's controlled natural language input is converted into machine processable XML, and then converted back again into natural language, so that the user can compare the computer's understanding of his policy with his own. The user can then iteratively alter his policy until the input and output are semantically the same. To date, two GUI interfaces have been constructed that aid users in the construction of authorization policies, and produce natural language output. This will serve as a benchmark for measuring the ease of use and effectiveness of the controlled natural language interface. Work has started on the controlled natural language interface, and the first results are reported.
Abstract
This paper describes the research conducted into advanced authorization infrastructures at the National e-Science Centre (NeSC) at the University of Glasgow and their application to support a teaching environment as part of the Dynamic Virtual Organisations in e-Science Education (DyVOSE) project. We outline the lessons learnt in teaching Grid computing and rolling out the associated security authorisation infrastructures, and describe our plans for a future, extended security infrastructure for dynamic establishment of inter-institutional virtual organisations (VO) in the education domain.
Abstract
As attribute based authorisation infrastructures such as XACML gain in popularity, linking together user attributes from multiple attribute authorities (AAs) is becoming a pressing problem. Current models and mechanisms do not support this linking, primarily because the user is known by different names in the different AAs. Furthermore, linking the attributes together poses a potential risk to the user's privacy. This paper provides a model and protocol elements for linking AAs, service providers and user attributes together, under the sole control of the user, thereby maintaining the user's privacy. The paper also shows how the model and protocol elements can be implemented using existing technologies, namely relational databases or LDAP directories, and the SAML protocol.
Chadwick, David W. and Su, L. and Otenko, O. et al. (2006)
Co-ordination between Distributed PDPs.
In: Burgess, M. and Wijesekera, D. (eds.) IEEE Computer Society, Washington, DC (USA) pp. 163-172. ISBN 0-7695-2598-9.
Abstract
For distributed applications, using a centralised policy decision point (PDP) with a common policy allows coordination between multiple resources that are being accessed. But the central PDP is a bottleneck to performance because every request needs to be diverted to it. Having a set of distributed PDPs co-located with resources can overcome the performance bottleneck, but any form of coordination is then lost. Furthermore, even a centralised PDP sometimes needs to coordinate its access control decision making over time. Therefore, coordination between decision making, for both centralised and distributed PDPs, is needed. This paper addresses issues of coordination between distributed or centralised decision making, by examining when coordination is needed, providing a conceptual model for coordination, defining policy elements that can control coordination, and rules for the refinement of coordination policies. The paper provides a detailed example of coordination policy refinement, and provides an outline of how we are implementing the model in our system.
Abstract
The Electronic Medical Record (EMR) integrates heterogeneous information within a Healthcare Institution stressing the need for security and access control. The Biostatistics and Medical Informatics Department from Porto Faculty of Medicine has recently implemented a Virtual EMR (VEMR) in order to integrate patient information and clinical reports within a university hospital. With more than 500 medical doctors using the system on a daily basis, an access control policy and model were implemented. However, the healthcare environment has unanticipated situations (i.e. emergency situations) where access to information is essential. Most traditional policies do not allow for overriding. A policy that allows for Break-The-Glass (BTG) was implemented in order to override access control whilst providing for non-repudiation mechanisms for its usage. The policy was easily integrated within the model confirming its modularity and the fact that user intervention in defining security procedures is crucial to its successful implementation and use.
Abstract
Nowadays many organisations share sensitive services through open network systems and this raises the need for an authorization framework that can interoperate even when the parties have no pre-existing relationships. Trust Negotiation is the process used to establish these first relationships, through the transfer of attributes, embedded in digital credentials, between the two parties. However, these attributes may themselves be considered sensitive and so may need protection from disclosure. In some environments, the policies that govern the protected services may also be considered sensitive and their release to arbitrary strangers may leak confidential business information. Thus, the electronic services, the policies that control access to them, and the digital credentials used to gain access may all be sensitive and require access protections. This paper describes how to unify the protection of services, sensitive credentials and policies in a synchronised trustworthy manner. We propose a trust authorization framework (TAF) that builds on the capabilities of XACML to support the bilateral exchange of policies and credentials through trust negotiation. Our framework addresses privacy and trust issues, and considers services, credentials, and authorization policies as protected resources whose access is subject to credential proof and trust level validation.
Abstract
Secure Role Based Messaging (SRBM) augments messaging systems with role oriented communication in a secure manner. Role occupants can sign and decrypt messages on behalf of roles. This paper identifies the requirements of SRBM and recognises the need for: distributed key shares, fast membership revocation, mandatory security controls and detection of identity spoofing. A shared RSA scheme is constructed. RSA keys are shared and distributed to role occupants and role gate keepers. Role occupants and role gate keepers must cooperate together to use the key shares to sign and decrypt the messages. Role occupant signatures can be verified by an audit service. A SRBM system architecture is developed to show the security related performance of the proposed scheme, which also demonstrates the implementation of fast membership revocation, mandatory security control and prevention of spoofing. It is shown that the proposed scheme has successfully coupled distributed security with mandatory security controls to realize secure role based messaging.
Abstract
We describe how to control the cumulative use of distributed grid resources by using coordination-aware policy decision points (coordinated PDPs) and an SQL database to hold 'coordination' data. When access to a resource is granted, obligations in the security policy ensure that the coordination database is updated. The coordination database is a normal grid service providing distributed access to the coordinated PDPs. Access to the database is secured by the grid security infrastructure (GSI) and its own PDP, so that only authorized users (the coordinated PDPs) can access it. A coordinated PDP is embedded into the Globus Toolkit v4 authorization chain as a custom PDP so that any grid service can be protected by a security policy that provides a coordination capability. Each coordinated PDP uses the services of an uncoordinated PDP to make its access control decisions, so that any existing stateless PDP can be supplemented with a coordination capability. We provide performance results for the coordinated PDPs and compare these with two stateless PDPs. Virtually the entire performance penalty of using coordinated PDPs is accounted for by the heavy costs of using GSI to secure communications between the coordinated PDPs and the coordination database.
Abstract
For many applications, access control and other business related information of all user transactions should be kept in secure log files for intrusion and misuse detection or system audit purposes. Because the log files may be stored on or moved to an untrusted machine, and may attract attackers because of the large amounts of potentially sensitive information contained in them, we would like to guarantee that in the event an attacker gains access to this machine, we can limit his ability to corrupt the log files and we are able to detect any compromises afterwards. We also may want to ensure that he can gain little or no information from the log files. In this paper we propose a secure audit web service (SAWS) which can provide a secure audit trail service for multiple clients. The secure audit trail generated by SAWS can be stored on any untrusted machine; it cannot be modified or destroyed without detection, and its integrity can be validated by any client. Optionally, the audit file can be encrypted, making it impossible for unauthorised parties to read its contents.
Abstract
The expansion of inter-organizational scenarios based on different authorization schemes involves the development of integration solutions allowing different authorization domains to share, in some way, protected resources. This paper analyzes different emerging technologies. On the one hand, we have two XML-based standards, the SAML standard, which is being widely accepted as a language to express and exchange authorization data, and the XACML standard, which constitutes a promising framework for access control policies. On the other hand, PERMIS is a trust management system for X.509 attribute certificates and includes a powerful authorization decision engine governed by the PERMIS XML policy. This paper presents a sample scenario where domains using these technologies can be integrated allowing, for example, the use of attribute certificates in a SAML environment and the utilization of the PERMIS authorization engine to decide about the disclosure or concealment of attributes. In order to design this scenario we have based our work on a Credential Conversion Service (CCS) which is able to convert ACs into SAML attributes, and a User Attribute Manager (UAM) which controls the disclosure of credentials. These modules are governed by policies defining the conversion process (the Conversion Policy) and the disclosure of attributes (the Disclosure Policy).
Abstract
This paper describes the development of a flexible Role Based Access Control (RBAC) authorisation module - the Shibboleth and Apache Authorisation Module (SAAM) which is based on the PERMIS privilege management infrastructure. It explains how the module can work with the Apache web server, with or without Shibboleth. We argue that this can effectively improve the level of trust and flexibility of access control for the Shibboleth architecture and the Apache web server, as well as provide a finer grained level of control over web resources.
Abstract
Modern dynamic distributed information systems need access control policies to address controlling access to multiple resources that are distributed. The resources may be considered as a single abstract hierarchical resource. An access control policy at a high level should be able to define who is allowed to use the resources. At lower levels, the policy will address controlling access to concrete resources. By modelling the resource hierarchy, it is possible that low level policies can be automatically produced from the high level policy. These low level policies can then be distributed to the concrete resources that use an existing policy based access control decision system so that the high level policy can be enforced throughout the system. In this paper a model for representing and refining high level policies is presented. Other relevant issues and examples for demonstrating the capability of the policy decomposition
Abstract
This paper articulates a system design for the secure role based messaging model built based on existing messaging systems, public key infrastructures, and a privilege management infrastructure, which enables role-oriented secure communication. Users can send and access messages on behalf of a role. Access to the messages is authorised dynamically according to the authorisation policies conveyed by X.509 Attribute Certificates. The architecture design extends the current messaging systems without invalidating the system's compliance with existing standards, and enables easy integration with existing messaging systems. This paper also contributes to providing security features based on architecture design, and demonstrates the deliberative architecture design for information confidentiality and privacy.
Abstract
This paper describes the concept of a delegation issuing service (DIS), which is a service that issues X.509 attribute certificates on behalf of an attribute authority (typically a manager). The paper defines the X.509 certificate extensions that are being proposed for the 2005 edition of X.509 in order to implement the DIS concept, as well as the additional steps that a relying party will need to undertake when validating certificates issued in this way. The paper also presents our initial experiences of designing a DIS to add to the PERMIS authorization infrastructure. The paper concludes by reviewing some of the previous standards work in delegation of authority and anticipating some of the further standardization work that is still required in the field of privilege management.
Abstract
The widespread acceptance and uptake of Grid technology can only be achieved if it can be ensured that the security mechanisms needed to support Grid based collaborations are at least as strong as local security mechanisms. The predominant way in which security is currently addressed in the Grid community is through Public Key Infrastructures (PKI) to support authentication. Whilst PKIs address user identity issues, authentication does not provide fine grained control over what users are allowed to do on remote resources (authorisation). The Grid community have put forward numerous software proposals for authorisation infrastructures such as AKENTI [1], CAS [2], CARDEA [3], GSI [4], PERMIS [5,6,7] and VOMS [8,9]. It is clear that for the foreseeable future a collection of solutions will be the norm. To address this, the Global Grid Forum (GGF) have proposed a generic SAML based authorisation API which in principle should allow for fine grained control for authorised access to any Grid service. Experiences in applying and stress testing this API from a variety of different application domains are essential to give insight into the practical aspects of large scale usage of authorisation infrastructures. This paper presents experiences from the DTI funded BRIDGES project [10] and the JISC funded DyVOSE project [11] in using this API with Globus version 3.3 [12] and the PERMIS authorisation infrastructure.
Abstract
In this article the new trend in authorisation decision making will be described, using the Security Assertions Markup Language (SAML). We then present an overview of the Globus Toolkit (GT), used in Grid computing environments, and highlight its authorisation requirements. We then introduce the PERMIS authorisation infrastructure and describe how it has been adapted to support SAML so that it can be deployed to make authorisation decisions for GT version 3.3.
Chadwick, David W. and Lunt, Graeme and Zhao, Gansen (2004)
Secure Role-based Messaging.
In: Eighth IFIP TC-6 TC-11 Conference on Communications and Multimedia Security (CMS 2004), SEP 15-18, 2004, Windermere, England.
Abstract
This paper describes a secure role based messaging system design based on the use of X.509 Attribute Certificates for holding user roles. Access to the messages is authorised by the PERMIS Privilege Management Infrastructure, a policy driven role based access control (RBAC) infrastructure, which allows the assignment of roles to be distributed between trusted issuing authorities, and allows a change of access control policy at runtime. Messages can be sent by roles and users, and can be sent to roles and users. Messages are secure in their exchange between senders and recipients. Details of the security and messaging design are presented.
Abstract
This paper briefly describes the existing PERMIS privilege management infrastructure (PMI), the new Integrated Project TrustCoM, and autonomic security. It then provides the business case for an autonomic PMI, and looks at the issues that will need to be resolved in order to make PERMIS more autonomic. In addition, it addresses the issues that TrustCoM will need to solve in order to maximise its use of an autonomic PERMIS.
Chadwick, David W. (2004)
Threat Modelling for Active Directory.
In: Proceedings of Eighth Annual IFIP TC-6 TC-11 Conference on Communications and Multimedia Security, SEP 15-18, 2004, Windermere, England.
Abstract
This paper analyses the security threats that can arise against an Active Directory server when it is included in a Web application. The approach is based on the STRIDE classification methodology. The paper also provides outline descriptions of countermeasures that can be deployed to protect against the different threats and vulnerabilities identified here.
Abstract
The BRIDGES project has been funded by the UK Department of Trade and Industry to develop a Grid infrastructure suitable for the research activities involved in the Wellcome Trust funded Cardiovascular Functional Genomics (CFG) project. The CFG project is investigating possible genetic causes of hypertension. Key requirements on this infrastructure are to link various distributed biomedical data sources together; to transparently address the different security requirements associated with those data resources, and develop tools for analysing and exploring those data sets. In this paper we discuss the security solutions that the BRIDGES team is pursuing through the first practical exploration of Global Grid Forum Security Assertion Markup Language (SAML) AuthZ interface to an authorisation infrastructure (PERMIS) using Globus Toolkit version 3 technology.
Abstract
Rapid advancements in Grid Computing and the convergence of Grid and Web Services, and the development of infrastructures such as the Ecology GRID (ECO 2003) and NERC DataGrid (Lawrence 2003), bring about protocols and machine-processable message/document formats that will soon enable seamless and open application-application communication. This will bring about the prospect of ad hoc integration of systems across institutional boundaries to support collaborations that may last for a single transaction or evolve over many years. We will witness on-demand creation of dynamically-evolving, scalable Virtual Organisations (VO) spanning national and institutional borders, where the participating entities pool resources, capabilities and information to achieve common objectives. As a motivating example, consider a hypothetical environmental project where there are several research groups in different institutes collaborating on a study of a complex physical phenomenon which involves simulation and on-line analysis of existing atmospheric and oceanographic data (including satellite imagery). Being a large project, it would have several work packages involving different parts of the consortia and running for different periods of time within the project timeframe. The satellite images, plus significant quantities of metadata and derived data, are held in data centres. This data, collected from many sources, may be commercially sensitive, and therefore access is to be restricted to only those individuals with a project-relevant need. The data owners may want to apply varying conditions on access to their data, e.g. non-military personnel should only be given degraded versions of military sourced images, with different degradation filters applicable for different application domains. The data centres have to ensure the security and confidentiality of data and so have to control who can do what on their machines, e.g. who can carry out cross database correlations, or upload filters to be applied to images. The project, which is paying for the data access, wishes to control who is allowed to access the data and when. It needs to be able to define several authorization groups (e.g. corresponding to work packages) and specify what data is available to that group. The groups will have a specific lifetime, and individuals may join or leave the group during its lifetime, i.e. they are dynamic virtual organizations. The data centres need to take these different authorization policies and apply them for each of the actions and units of data being accessed. This raises several challenges:
* Applying multiple authorization policies to control access to resources.
* Enforcing fine-grained access control at the resource.
* Managing dynamic virtual organizations comprising of resources and individuals authorized to use them.
* Handling the multiple authorities necessitated by distributed VOs and resources.
* Handling policy conflicts where individuals may play different roles, at the same time or at different times.
In this paper we outline a new project, DyCom, which seeks to combine the results of two European projects, Grasp and PERMIS, to provide an architecture to manage the complex privileges required in such scenarios. We will describe the mechanisms developed in these projects and show how they could be combined.
Abstract
A lightweight role-based access control policy authoring tool was developed for e-Scientists, a community for which access policies have to be implemented for an increasingly heterogeneous group of local and remote users. Two fundamental problems were identified: (1) lack of understanding of what the policy components are (i.e. how authorization policies are structured), and (2) lack of understanding of the underlying policy paradigm (i.e. what should go into the policy, and what should be left out). Conceptual design (CD) techniques were used to revise the user interface (UI) labels so that e-Scientists and developers were better able to describe access policy components from labels, and match labels with components (t = 6.28, df = 7, p = 0.000 two-tailed). CD, instructional text, bubble help, UI behaviour and alert boxes were used to shape users' models of the policy paradigm. The final prototype improved users' efficiency and effectiveness by more than doubling the speed with which expert users could write authorization policies, and facilitating users without specialist security knowledge to overcome the policy paradigm and components problems, enabling them to complete 80% of basic and 75% of advanced authorization policy-writing tasks in a usability trial.
Abstract
This paper describes the information security attributes of confidentiality, integrity and availability, and then uses these to determine the security requirements for ETP. It briefly describes the four published UK ETP models (from Flexiscript, Pharmacy2U, Salford and Transcript) and evaluates these from the perspectives of confidentiality, integrity and availability. Deficiencies, from a security perspective, in the 3 UK ETP pilot models (from Flexiscript, Pharmacy2U, and Transcript) are described. Possible solutions to these deficiencies, as implemented in the Salford model, are described.
Abstract
This paper describes the similarities and differences between the Akenti and PERMIS authorisation infrastructures. It describes their features, ease of use and performance statistics. This report was compiled from: a desk comparison of published documentation, by talking to the authors of both infrastructures, and by building both infrastructures along with a test application. The performance statistics are limited to some extent, in that it was not possible to build multiple arbitrarily complex policies in the time available. Also we did not run Akenti as a stand alone server, since PERMIS has no equivalent capability.
Abstract
This paper contains the results of a study into the benefits and barriers in implementing a system for the Electronic Transmission of Prescriptions (ETP) in the UK National Health Service (NHS). The study involved a review and critical appraisal of most of the available literature on the topic, as well as field research by the authors, and by colleagues at a neighbouring university. The authors have found there to be nine significant benefits that stakeholders should realise from the implementation of a successful ETP system. On the reverse side there are nine important barriers towards the successful implementation of ETP that need to be overcome. Dissemination of these results should provide a useful stepping stone to the successful implementation of ETP in the UK NHS.
Abstract
The provision of one or more separate authorisation infrastructures, comparable to the existing Grid authentication infrastructure, is desirable, since it will allow Grid applications to plug and play different authorisation infrastructures in order to choose the best one for their needs. The first half of this paper describes the features that are needed from this interface. Whilst it is possible to standardise every conceivable feature of this interface, it is not practical in the short term, since no existing authorisation infrastructure could easily comply with it, nor are we yet sure of the full set of requirements. Rather, this paper presents the basic minimum set of features that are needed to provide an initial plug and play functionality. Other features, such as a management interface, may be standardised in the future, whilst yet other features may continue to be met in an implementation specific manner. The second half of this paper provides a brief introduction to the Security Assertions Markup Language (SAML) and says how each of the initial authorisation interface requirements can be met by either the basic SAMLv1.0 specification or by extensions to it. The paper concludes by anticipating the future standardisation effort that will be needed to completely specify an authorisation interface for the Grid.
Chadwick, David W. and Sahalayev, M. and Ball, E. (2003)
Modifying LDAP to Support PKIs.
In: UNSPECIFIED KLUWER ACADEMIC PUBLISHERS, 101 PHILIP DRIVE, ASSINIPPI PARK, NORWELL, MA 02061 USA pp. 205-214. ISBN 1-4020-8069-7.
Abstract
One of the impediments to a successful roll out of public key infrastructures (PKIs), is that Lightweight Directory Access Protocol (LDAP) directories do not fully support PKIs. In particular, it is not possible to search for X.509 attributes (certificates or CRLs) that match user defined criteria. This paper describes the various approaches that have been suggested for enabling users to search for X.509 attributes, namely component matching and attribute extraction. The implementation of attribute extraction in the OpenLDAP product is then described.
Bacon, Jean and Moody, Ken and Chadwick, David W. et al. (2003)
Session Limited vs. Persistent Role Membership.
In: Seventeenth Annual IFIP WG 11.3 Working Conference on Database and Applications Security at Estes Park, Colorado. (in press)
Abstract
This paper describes the PERMIS PMI role based authorisation policy, and shows how it has been applied to the electronic transfer of prescriptions (ETP). The assignment of roles is distributed to the appropriate authorities in the health care and government sectors. This includes the assignment of both professional roles such as doctor and dentist, as well as patient roles that entitle patients to free prescriptions. All roles are stored as X.509 attribute certificates (ACs) in LDAP directories, which are managed by the assigning authorities. The PERMIS policy based decision engine subsequently retrieves these role ACs in order to make the Granted or Denied access control decisions required by the ETP applications. The Source of Authority for setting the ETP policy is assumed to be the Secretary of State for Health. The ETP policy says what roles are recognised, who is authorised to assign the roles, what privileges are granted to each role and what conditions are attached to these privileges. The ETP policy is then formatted in XML, embedded in an X.509 attribute certificate, digitally signed by the Secretary of State for Health, and then stored in an LDAP directory. From here it can be accessed by all the ETP applications in the UK National Health Service that contain embedded policy based PERMIS decision engines.
Mundy, D.P. and Chadwick, David W. and Ball, E. (2003)
An Application Programming Interface for the Electronic Transmission of Prescriptions.
In: Proceedings of the International Workshop for Technology, Economy, Social and Legal Aspects of Virtual Goods, Ilmenau, Germany, May 22-24 2003.
Abstract
A project to enable health care professionals (GPs, practice nurses and diabetes nurse specialists) to access, via the Internet, confidential patient data held on a secondary care (hospital) diabetes information system, has been implemented. We describe the application that we chose to distribute (a diabetes register); the security mechanisms we used to protect the data (a public key infrastructure with strong encryption and digitally signed messages, plus a firewall); the reasons for the implementation decisions we made; the validation testing that we performed and the results of the first set of user trials. From a user acceptance perspective, we conclude that perceived usefulness and perceived ease of use on their own, are insufficient to guarantee that a new application will be used extensively in its new environment. Other domain specific factors, such as the compatibility and integration of the new computing system with the old, the working practices of the clinicians, the costs of using the new system compared to the old, and the actual location of the computing equipment all need to be taken into account when establishing untried information technology in 'real world' settings.
Chadwick, David W. and Otenko, Olexandre and Hunter, David et al. (2002)
Privilege Management for E-Construction.
In: Proc European Conf on Information and Communication Technology Advances and Innovation in the Knowledge Society, Part B, 2002, University of Salford, UK.
Abstract
We describe a role based, policy driven, Privilege Management Infrastructure, in which the authorisation tokens are roles held as X.509 attribute certificates stored in LDAP directories. Users are assigned roles, and roles are granted privileges. The authorisation policy says which roles and attribute certificates are to be trusted, and what access rights are to be granted to each role. The authorisation policy is written in XML by the service provider. The access control decision function (ADF) is a policy driven engine that makes the granted or denied access decisions. The ADF is written in Java, and is completely generic so that it can be built into any e-construction application. We have currently built it into two construction applications, E-tendering and E-planning, and these are described.
Mundy, D.P. and Chadwick, David W. (2002)
A System for Secure Electronic Prescription Handling.
In: Proc of The Hospital of the Future, Second International Conference On The Management Of Healthcare And Medical Technology, Illinois Institute of Technology, Chicago, Illinois, USA, July 2002, Chicago, Illinois.
Abstract
The National Health Service (NHS) in the United Kingdom (UK) is currently going through a period of vast reform, with guidelines for that reform set out in the NHS plan [1]. As part of the plan a system for electronic prescribing of drugs should be available by 2004. The main objective of this transformation is to remove many of the frailties of the present paper based system, in terms of fraud, inefficiency and administrative workload. However, any proposed system must also uphold the tradition of patient choice with respect to dispensing pharmacy, and must be reliable, robust and of good performance if it is to have any hope of gaining acceptance from the health professionals involved. In this paper we set out our proposed electronic prescription processing system design, with the emphasis placed firmly on performance, scalability and security. In the early sections we aim to demonstrate just why an electronic prescribing system is required, by looking at the present system and its frailties. We also identify factors that are important in the development of any future system. Our proposed system is then detailed, along with its anticipated benefits and disadvantages.
Abstract
This paper describes the output of the PERMIS project, which has developed a role based access control infrastructure that uses X.509 attribute certificates (ACs) to store the users' roles. All access control decisions are driven by an authorization policy, which is itself stored in an X.509 attribute certificate, thus guaranteeing its integrity. All the ACs can be stored in one or more LDAP directories, thus making them widely available. Authorization policies are written in XML according to a DTD that has been published at XML.org. The Access Control Decision Function (ADF) is written in Java and the Java API is simple to use, comprising just 3 methods and a constructor. There is also a Privilege Allocator, which is a tool that constructs and signs attribute certificates and stores them in an LDAP directory for subsequent use by the ADF.
Abstract
Can secure access be granted to confidential patient records using the Internet? Our study has involved providing distributed access to one such confidential information database in a United Kingdom (UK) secondary care (hospital) organisation. We describe the application chosen to be distributed, the security systems used to protect the data, the reasons for the implementation decisions made and the results of the test data and feedback from the users taking part in a trial of the system. We conclude by stating that secure access to patient information systems over the internet is possible using the architecture we have in place, but for distributed access to patient information systems to be successful the cost to ownership of the system must be far outweighed by the benefits. However, as more business processes become Internet based and high connection bandwidth becomes available at reasonable prices, systems such as ours will be present in day to day operation amongst a large number of the disparate operations of the UK National Health Service (NHS).
Abstract
A project to enable health care professionals (GPs, practice nurses and diabetes nurse specialists) to access, via the Internet, confidential patient data held on a secondary care (hospital) diabetes information system, has been implemented. We describe the application that we chose to distribute (a diabetes register); the security mechanisms we used to protect the data (a public key infrastructure with strong encryption and digitally signed messages, plus a firewall); the reasons for the implementation decisions we made; the validation testing that we performed and the preliminary results of the pilot implementation.
Abstract
The Internet White Pages Service (IWPS) has been slow to materialise for many reasons. One of them is the security concerns that organisations have, over allowing the public to gain access to either their Intranet or their directory database. The Directory Guardian is a firewall application proxy for X.500 and LDAP protocols that is designed to alleviate these fears. Sitting in the firewall system, it filters directory protocol messages passing into and out of the Intranet, allowing security administrators to carefully control the amount of directory information that is released to the outside world. This paper describes the design of our Guardian system, and shows how relatively easy it is to configure its filtering capabilities. Finally the paper describes the working demonstration of the Guardian that was built for the 1997 World Electronic Messaging Association directory challenge. This linked the WEMA directory to the NameFLOW-Paradise Internet directory, and demonstrated some of the powerful filtering capabilities of the Guardian.
Chadwick, D.W. and Basden, A. and Evans, J. et al. (1998)
Intelligent Computation of Trust.
In: Terena Networking Conference, TNC98, Dresden, Germany, 5-8 October 1998, Dresden, Germany.
Abstract
The notion of trust, as required for secure operations over the Internet, is important for ascertaining the source of received messages. How can we measure the degree of trust in authenticating the source? Knowledge in the domain is not established, so knowledge engineering becomes knowledge generation rather than mere acquisition. Special techniques are required, and special features of KBS software become more important than in conventional domains. This paper generalizes from experience with Internet trust to discuss some techniques and software features that are important for poorly understood domains.
Young, A.J. and Kapidzic Cicovic, N. and Chadwick, D.W. (1997)
Trust Models in ICE-TEL.
In: UNSPECIFIED IEEE pp. 122-133. ISBN 0-8186-7767-8.
Abstract
Public key certification provides mechanisms that can be used to build truly scalable security services, such as allowing people who have never met to have assurance of each other's identity. Authentication involves syntactic verification of a certificate chain followed by a semantic look at the policies under which the certificates were issued. This results in a level of assurance that the identity of the person to be authenticated is an accurate description of the person involved, and requires verifiers to specify who they trust and what they trust them to do. Two widely discussed mechanisms for specifying this trust, the PEM and PGP trust models, approach the problem from fundamentally different directions. The EC funded ICE-TEL project, which is deploying a security infrastructure and application set for the European research community, has described a new trust model that attempts to be equally applicable to organisation-centric PEM users and user-centric PGP users.
Chadwick, D.W. (1991)
X.500: 1988 v 1992.
In: Proceedings of the Electronic Directories Conference, London.