Abstract
One problem with current authentication, authorization and accounting (AAA) models is the lack of a precise roadmap for access management in integrated applications, one that is driven by operational needs. In current systems, the attributes that parameterize AAA decisions are defined statically. We argue that an efficient AAA model must derive its requirements from security policies defined at multiple layers. This paper presents a comprehensive approach in which AAA is designed not only at the operational and implementation levels but also at the enterprise level. The proposed model collects the security requirements needed to establish appropriate application-level AAA: some are obtained from regulations and threat modeling, others are derived from business processes and from the operational level. Because the approach is multilayered, its evaluation must also cover several dimensions, so we evaluate several aspects of the proposed model. The results show that the model covers many security requirements and can help improve information security in integrated applications.
Cite this article
Rezakhani, A., Shirazi, H. & Modiri, N. A novel multilayer AAA model for integrated applications. Neural Comput & Applic 29, 887–901 (2018). https://doi.org/10.1007/s00521-016-2610-3