RESEARCH PRODUCT
Decision-cache based XACML authorisation and anonymisation for XML documents
Authors: Vladimir A. Oleshchuk, Nils Ulltveit-Moe
Subject: authorisation; Software; OPERATINGSYSTEMS; Markup language; Computer science; computer.internet_protocol; XACML; Access control; Intrusion detection system; computer.software_genre; caching; computer.programming_language; anonymisation; VDP::Mathematics and natural science: 400::Information and communication science: 420::Security and vulnerability: 424; Authentication; Database; business.industry; ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS; Hardware and Architecture; Cache; privacy policy; Web service; business; Law; computer; XML
Author's version of an article in the journal Computer Standards and Interfaces. Also available from the publisher at: http://dx.doi.org/10.1016/j.csi.2011.10.007

Description: This paper describes a decision cache for the eXtensible Access Control Markup Language (XACML) that supports fine-grained authorisation and anonymisation of XML-based messages and documents down to the XML attribute and element level. The decision cache is implemented as an XACML obligation service, where a specification of the XML elements to be authorised and anonymised is sent to the Policy Enforcement Point (PEP) during initial authorisation. Further authorisation of individual XML elements according to the authorisation specification is then performed on all matching XML resources, and the decisions are stored in the decision cache. This makes it possible to cache fine-grained XACML authorisation and anonymisation decisions, which reduces the authorisation load on the Policy Decision Point (PDP). The theoretical solution is related to a practical case study consisting of a privacy-enhanced intrusion detection system that needs to anonymise Intrusion Detection Message Exchange Format (IDMEF) XML messages before they are sent to a security operations centre that operates in privacy-preserving mode. The solution increases the scalability of XACML-based authorisation significantly, and may be instrumental in implementing federated authorisation and anonymisation based on XACML in several areas, including intrusion detection systems, web services, content management systems and GRID-based authentication and authorisation.
year | journal | country | edition | language |
---|---|---|---|---|
2012-11-01 | Computer Standards & Interfaces | | | |