Abstract
Nations development depends heavily on the proper functioning of their Critical Infrastructures (CIs). Their security requirements are very important since small dysfunctions can deeply affect nation stability. We focus on their integrity need because Critical Information Infrastructures (CIIs) manipulate data that must be correct. The differentiation of their various elements security needs is essential to their protection. Unfortunately, existent access control models do not completely meet the CIIs requirements for many reasons. The Organization-Based Access Control (OrBAC) model, however, presents several strengths but it does neither consider the differentiation concept nor cope with integrity issues. In this paper, we work to enrich OrBAC with integrity mechanisms and means of differentiation. Integrity-OrBAC (I-OrBAC) is our extension and it is a proactive model. I-OrBAC is a multi-integrity level model that enables quantifying the integrity needs of each CII element, in term of credibility or criticality, to take optimal access control decisions. Given a triple (context, view and activity), we propose a way to determine the best subjects of the role selected to perform the activity through the calculation of integrity level thresholds. This idea is illustrated by a security policy example. We also propose a role priority concept and an algorithm that make security policies more flexible. The algorithm is described by an inference system. Regarding the implementation, we extend XACML to reflect the properties of our entities. Steps for access decision-making are detailed and scenarios used to test the implementation are presented.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Public Law 107–56-Oct. 26, 2001, Uniting and Srenghtening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) ACT of 2001 (2011)
United States Government Accountability Office: critical infrastructure protection—cybersecurity guidance is available, but more can be done to promote its use. Report to congressional requesters, Washington, DC (2011)
Massoud, A.: North America’s electricity infrastructure: are we ready for more perfect storms? IEEE Secur. Priv. 1, 19–25 (2003)
Moteff, J., Parfomak, P.: CRS report for congress—critical infrastructure and key assets: definition and identification (2004)
ISO/IEC 15408—Common criteria for information technology security evaluation—Part 1: introduction and general model, Version 3.1, Revision 4 (2012)
Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI): EBIOS—expression des besoins et identification des objectifs de Sécurité. http://www.ssi.gouv.fr/fr/guides-et-bonnes-pratiques/outils-methodologiques/ebios-2010-expression-des-besoins-et-identification-des-objectifs-de-securite.html. Accessed 25 Feb 2014
MEHARI, Club de la Sécurité de l’Information Français (CLUSIF). http://www.clusif.asso.fr/fr/production/mehari/. Accessed 25 Aug 2013
International Standard ISO/IEC 27005:2008, Information technology—security techniques—information security risk management (2008)
Lampson, B.: Protection. In: \(5^{th}\) Princeton symposium on information sciences and systems, pp. 437–443 (1971)
Bell, D., LaPadula, L.: Secure computer systems: unified exposition and multics interpretation. Technical Report ESD-TR-75-306, MTR-2997, MITRE, Bedford, MA, USA (1975)
Biba, K.: Integrity considerations for secure computer systems. Technical Report ESD-TR-76-372, ESD/AFSC, Hanscom AFB, Bedford, MA, USA (1977)
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST Standard for Role-Based Access Control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)
Thomas, R.K.: TMAC: a primitive for Applying RBAC in collaborative environment. In: \(2^{nd}\) ACM workshop on RBAC, pp. 13–19 (1997)
Thomas, R.K., Sandhu, R.: Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management. In: \(11^{th}\) IFIP working conference on database security, Lake Tahoe, California (1997)
Fink, T., Koch, M., Oancea, C.: Specification and enforcement of access control in heterogeneous distributed applications. In: Proceedings of the international conference on web services, pp. 88–100 (2003)
Sandhu, R., Park, J.: Usage control: a vision for next generation access control. MMM-ACNS, pp. 17–31 (2003)
Benferhat, S., El Baida, R., Cuppens, F.: A stratification-based approach for handling conflicts in access control. In: \(8^{th}\) ACM symposium on access control models and technologies (SACMAT’03), pp. 189–195 (2003)
Abou El Kalam, A., El Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miège, A., Saurel, C., Trouessin, G.: Organization based access control. In: \(4^{th}\) international workshop on policies for distributed systems and networks (POLICY 2003), pp. 120–131 (2003)
Krause, M., Tipton, H.F.: Handbook of information security management. Auerbach Publications/CRC Press LLC, Boca Raton, FL, USA (1998)
Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE symposium on security and privacy, pp. 11–20 (1982)
Clark, D., Wilson, D.: A comparison of commercial and military computer security policies. In: IEEE symposium on security and privacy, pp. 184–194 (1987)
Brewer, D.F.C., Nash, M.J.: The Chinese wall security policy. In: IEEE symposium on security and privacy, pp. 206–214 (1988)
Totel, E., Blanquart, J.P., Deswarte, Y., Powell, D.: Supporting multiple levels of criticality. In: \(28^{th}\) IEEE fault tolerant computing symposium, pp. 70–79 (1998)
Ameziane El Hassani, A., Abou El Kalam, A., Ait Ouahman, A.: Integrity-organization based access control for critical infrastructure systems. In: \(6^{th}\) Annual IFIP working group 11.10 international conference on critical infrastructure protection, Washington, DC, IFIP AICT 390, pp. 31–42 (2012)
Abou El Kalam A.A., Ameziane El Hassani, A., Ait Ouahman, A.: Integrity-OrBAC: an OrBAC enhancement that takes into account integrity. In: \(8^{th}\) international conference on intelligent systems: theories and applications, Rabat, Morocco (2013)
Abou El Kalam, A., Deswarte, Y., Baina, A., Kaaniche, M.: PolyOrBAC: a security framework for critical infrastructures. Int. J. Crit. Infrastruct. Prot. 2(4), 154–169 (2009)
Neves Bessani, A., Sousa, P., Correia, M., Verissimo, P.: The CRUTIAL way of critical infrastructure protection. IEEE Secur. Priv. 6, 44–51 (2008)
Dunn, M., Mauer, V.: International CIIP handbook: vol. Analyzing issues, challenges, and prospects. Center for Security Studies, ETH Zurich, II (2006)
Deswarte, Y., Mé, L.: Sécurité des réseaux et systèmes répartis. Hermes Science Publications (2003)
Amoroso, E., Merritt, M.: Composing system integrity using I/O automata. In: \(10^{th}\) annual computer security applications conference, pp. 34–43 (1994)
Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975)
Bishop, M.: Computer security : art and science. Addison-Wesley, Boston, MA (2003)
Cuppens, F., Miège, A.: Modeling contexts in the Or-BAC model. In: \(19^{th}\) annual computer security applications conference, Las Vegas, (2003)
Cuppens, F., CuppensBoulahia, N., Ghorbel, M.B.: High level conflict management strategies in advanced access control models. Electron. Notes Theor. Comput. Sci. 186, 3–26 (2007)
Cuppens, F., CuppensBoulahia, N., Miège, A.: Inheritance hierarchies in the OrBAC model and application in a network environment. In: \(2^{nd}\) foundations of computer security workshop (FCS’04), Turku, Finland (2004)
Cuppens, F., Miège, A.: Administration model for OrBAC. In: Workshops of OTM 2003, on the move to meaningful internet systems, lecture notes in computer science, Springer, Vol. 2889, pp. 754–768, Italy (2003)
Abou El Kalam, A., Deswarte, Y.: MultiOrBAC: a new access control model for distributed, heterogeneous and collaborative systems. In: IEEE symposium on systems and information security, Sao Paulo, Brazil (2006)
Baina, A., Abou El Kalam, A., Deswarte, Y., Kaaniche, M.: A collaborative access control framework for critical infrastructures. In: \(2^{nd}\) annual IFIP working group 11.10 international conference on critical infrastructure protection, Arlington, VA, USA (2008)
Cuppens, F., CuppensBoulahia, N., Coma, C.: O2O: virtual private organizations to manage security policy interoperability. In: \(2^{nd}\) international conference on information systems security, ICISS 2006, India (2006)
Essaouini, N., Abou El Kalam, A., Ait Ouahman, A.: Access control policy: a framework to enforce recommendations. Int. J. Comput. Sci. Inf. Technol. 2(5), 2452–2463 (2011)
eXtensible Access Control Markup Language (XACML) Version 3.0, OASIS standard (2013). http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html. Accessed 1 Sept 2013
Core and hierarchical role based access control (RBAC) profile of XACML v2.0, OASIS standard (2005). http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os. Accessed 5 Sept 2013
Verissimo, P., Neves, N.F., Correia, M., Deswarte, Y., Abou El Kalam, A., Bondavalli, A., Daidone, A.: The CRUTIAL architecture for critical information infrastructures. Architecting dependable systems V, LNCS, Vol. 5135, Springer, pp. 1–27 (2008)
Anderson, M., Montague, P., Long, B.: A context-based integrity framework. In: \(19^{th}\) Asia-Pacific software engineering conference, pp. 1–9 (2012)
Xu, Q., Liu, G.: Configuring Clark-Wilson integrity model to enforce flexible protection. In: International conference on computational intelligence and security, pp. 15–20 (2009)
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Ameziane El Hassani, A., Abou El Kalam, A., Bouhoula, A. et al. Integrity-OrBAC: a new model to preserve Critical Infrastructures integrity. Int. J. Inf. Secur. 14, 367–385 (2015). https://doi.org/10.1007/s10207-014-0254-9
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-014-0254-9