Table 1 Support of NIST access control metrics by fine-grained authorization service of the proposed system

From: DB-SECaaS: a cloud-based protection system for document-oriented NoSQL databases

| Metric | Description | Fine-grained authorization service |
| --- | --- | --- |
| **Administration properties** | | |
| Privileges/capabilities discovery | Query or graphic display for discovering the subjects, objects, or capabilities from assigned privileges. | Our system provides a complete interface through which authorized users (administrators, data owners) can view the database subjects (data users), objects (database columns), and capabilities (actions). |
| Ease of privilege assignments | Steps required to: 1. Assign, change, or remove a privilege from a subject. 2. Assign, change, or remove the capabilities of a subject. 3. Create, change, or remove a subject. | The fine-grained authorization service requires fewer steps for assigning, changing, managing, and removing privileges, capabilities, objects, and subjects. Usability of the system is increased through a friendly interface and fewer turnaround steps. |
| Syntactic support for specifying AC rules | Authorization system must be capable of providing logical expressions for the specification of policies and rules. | FG authorization service is based on the architecture of XACML; therefore, full support is provided for complex expressions such as AND, OR, <, and >. |
| Policy management | Authorization system must provide the ability to resolve policy conflicts, policy revocation, and policy identification functions. | The proposed system provides policy management features to administrators via PAP. |
| Flexibilities of configuration into existing systems | Access control needs to be enforced by application and client/service protocol in order to provide more flexibility and security. | FG authorization service is based on the application and client-service model. PAP acts like an application for administrators to create and manage policies. This eases installation and configuration. |
| The horizontal scope | Authorization system for unstructured databases should be supported by multiple hosts via network. Moreover, access control should be defined across database records and fields of database records. | Distribution ability in FG authorization service is provided by hosting each service of the system in different services. In addition, multiple services can be used to host replicas of the single service. Vertical scope is provided by defining policies across database records and fields. |
| **Enforcement properties** | | |
| Bypass | Authorization system can be designed in a way to bypass the policy rules for exceptional access control decisions. | The FG authorization service of our system does not allow requests to bypass the PEP or PDP to access database resources. There is no method defined that can ignore the policy service in exceptional or critical situations. |
| Least privilege principle | An effective authorization system supports the least privilege principle. For databases, least privilege needs to be defined at the cell level or column level. | FG authorization service specifies policies at the cell, column, and table levels of the database. Access to every cell requires permission from the policy service. |
| Separation of duty (SoD) | Authorization system can implement either static or dynamic separation of duties. | In order to prevent data from excessive privilege abuse, the proposed system permits authorized users to access duty-related resources. However, fine-grained authorization only provides static SoD, where privileges assigned to subjects need to be defined before practical execution of the system. |
| Conflict resolution or prevention | Authorization system must be capable of preventing and resolving policy rule conflicts. | Use of XACML ensures the prevention of policy and rule conflicts. Conflict-avoiding algorithms are provided to resolve the conflicts automatically. |
| Operational/situational awareness | An effective authorization system must provide situational awareness (environmental constraints and conditions). | FG authorization service has the ability to take into account environmental variables such as time, threshold values, and behavior for making access decisions. XACML provides the environmental functions and conditions to restrict access to particular domains. |
| Granularity of control | Authorization system must be capable of providing control up to the granularity of cell or column (objects). The same data needs to be protected at different levels of granularity. | Architecture of the FG authorization model is based on granularity of objects. Therefore, the proposed system also provides privacy control for data with different classifications of the fields in the database. |
| Expression (policy/model) properties | Authorization system needs to support existing access control standards or rule specification language. | XACML, a standard policy language for access control systems, is used for the representation of policies and rules to protect the data. |
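
The enforcement rows above (no bypass, field-level least privilege, conflict resolution, environmental conditions) can be illustrated with a small XACML-style decision point. This is an added example, not the paper's implementation and not real XACML syntax: the rule format, roles, field names, working hours and the choice of the deny-overrides combining algorithm are all assumptions.

```python
from datetime import time

# Constructed rule set (roles, fields and hours are assumptions for this example).
# Each rule has an effect, a target (role, action, field) and an optional
# environment condition, mirroring XACML's target/condition split.
RULES = [
    {"effect": "Permit", "role": "nurse", "action": "read", "field": "name"},
    {"effect": "Permit", "role": "nurse", "action": "read", "field": "diagnosis",
     "condition": lambda env: time(8, 0) <= env["time"] < time(18, 0)},
    {"effect": "Permit", "role": "doctor", "action": "read", "field": "*"},
    {"effect": "Deny", "role": "*", "action": "read", "field": "ssn"},
]

def _matches(rule, role, action, field, env):
    """A rule applies when its target matches AND its condition (if any) holds."""
    target = (rule["role"] in ("*", role) and rule["action"] == action
              and rule["field"] in ("*", field))
    return target and rule.get("condition", lambda e: True)(env)

def pdp_decide(role, action, field, env):
    """Deny-overrides combining: any applicable Deny wins over any Permit.
    When no rule applies, this deny-biased example also returns Deny."""
    effects = {r["effect"] for r in RULES if _matches(r, role, action, field, env)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "Deny"

def pep_read(document, role, env):
    """PEP: every field of the document goes through the PDP; there is no
    code path that returns a field without a Permit decision."""
    return {k: v for k, v in document.items()
            if pdp_decide(role, "read", k, env) == "Permit"}

# Constructed sample document from a document-oriented store.
RECORD = {"name": "A. Patient", "diagnosis": "flu", "ssn": "000-00-0000"}

if __name__ == "__main__":
    print(pep_read(RECORD, "nurse", {"time": time(10, 30)}))   # name, diagnosis
    print(pep_read(RECORD, "nurse", {"time": time(22, 0)}))    # name only
    print(pep_read(RECORD, "doctor", {"time": time(22, 0)}))   # ssn still denied
```

The doctor case shows the conflict: the wildcard Permit and the `ssn` Deny both apply, and the combining algorithm resolves it without administrator intervention.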