Control of Data Access in Information Systems through Identity Propagation Mechanisms and Execution of Authorization Rules
Abstract
Information security is a critical issue for organizations and comprises several perspectives, including that of information systems and data repository development. In current distributed information system architectures, information security involves identity propagation and data access authorization issues. This work describes the design and implementation of a simple, yet not trivial, architecture for effectively assuring information security, based on a set of standard technologies.
Keywords:
Access control, Propagation of identity, Authorization rules
Published
2011-05-23
How to Cite
LEÃO, Felipe; PUNTAR, Sergio; AZEVEDO, Leonardo Guerreiro; BAIÃO, Fernanda; CAPPELLI, Claudia. Control of Data Access in Information Systems through Identity Propagation Mechanisms and Execution of Authorization Rules. In: BRAZILIAN SYMPOSIUM ON INFORMATION SYSTEMS (SBSI), 7., 2011, Salvador. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2011. p. 117-128. DOI: https://doi.org/10.5753/sbsi.2011.14570.
