TY - JOUR
T1 - Managing attribute-based access control policies in a unified framework using data warehousing and in-memory database
AU - Singh, Mahendra Pratap
AU - Sural, Shamik
AU - Vaidya, Jaideep
AU - Atluri, Vijayalakshmi
N1 - Publisher Copyright:
© 2019 Elsevier Ltd
PY - 2019/9
Y1 - 2019/9
N2 - Over the last few years, various types of access control models have been proposed for expressing the growing needs of organizations. Out of these, there is an increasing interest towards specification and enforcement of flexible and dynamic decision making security policies using Attribute Based Access Control (ABAC). However, it is not easy to migrate an existing security policy specified in a different model into ABAC. Furthermore, there exists no comprehensive approach that can specify, enforce and manage ABAC policies along with other policies potentially already existing in the organization as a unified security policy. In this article, we present a unique and flexible solution that enables concurrent specification and enforcement of such security policies through storing and querying data in a multi-dimensional and multi-granular data model. Specifically, we present a unified database schema, similar to that traditionally used in data warehouse design, that can represent different types of access control policies and store relevant policies as in-memory data, thereby significantly reducing the execution time of access request evaluation. We also present a novel approach for combining multiple access control policies through meta-policies. For ease of management, an administrative schema is presented that can specify different types of administrative policies. Extensive experiments on a wide range of data sets demonstrate the viability of the proposed approach.
KW - Attribute Based Access Control
KW - Authorization
KW - Data warehousing
KW - In-memory database
KW - Meta-policy
KW - Unified security policy
UR - http://www.scopus.com/inward/record.url?scp=85067677483&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85067677483&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2019.06.001
DO - 10.1016/j.cose.2019.06.001
M3 - Article
AN - SCOPUS:85067677483
SN - 0167-4048
VL - 86
SP - 183
EP - 205
JO - Computers and Security
JF - Computers and Security
ER -