Abstract
Telework is an important alternative to work that seeks to enhance employees’ safety and well-being while reducing the company costs. Employees can work anytime, any where and under high mobility conditions using new devices. Therefore, the access control of remote exchanges of Enterprise Content Management systems (ECM) have to take into consideration the diversity of users’ devices and context conditions in a telework open network. Different access control models were proposed in the literature to deal with the dynamic nature of users’ context and devices. However, most access control models rely on a centralized management of permissions by an authorization entity which can reduce its performance with the increase of number of users and requests in an open network. Moreover, they often depend on the administrator’s intervention to add new devices’ authorization and to set permissions on resources. In this paper, we suggest a distributed management of access control for telework open networks that focuses on an agent-based access control framework. The framework uses a multi-level rule engine to dynamically generate policies. We conducted a usability test and an experiment to evaluate the security performance of the proposed framework. The result of the experiment shows that the ability to resist deny of service attacks over time increased in the proposed distributed access control management compared with the centralized approach.
Introduction
With the evolution of technologies and business models, telework continues to be an increasingly popular alternative to work [1]. It makes it possible to relocate work in order to reduce costs while increasing the well-being and the safety of employees, especially in the case of epidemics. Telework may also be an alternative solution for employees with different profiles such as: partial time work, high mobility and/or specific needs related to disabilities such as handicap.
Among the main challenges when considering a telework business model is the management and security of remote exchanges by users who can work anytime and anywhere. The access control should be adapted to the dynamic context information as well as user’s profile. In fact, the difficulty of managing enterprise resources and their access can be significant when employees work with their personal devices, under mobility condition (such as home, airport and train) and with particular disabilities. Therefore, the access control model should take into account not only the context and the device capabilities of users but also their profile in terms of work and health conditions to enhance the usability of the access control applications.
With the large adoption of telework business model, the number of distributed applications has increased in most companies and institutions and has bring up various issues related to the distributed access control management. Many users try to get access to services and resources and communicate with the other users of the network with various devices. The system has to be able to authenticate the unfamiliar devices and determine the kind of access authorization they may have. The development of an access control model can facilitate cooperation and collaboration in distributed, heterogeneous, and autonomous open organization environments.
Various dynamic access control strategies have been proposed to deal with the dynamic nature of user’s contexts [2, 3, 4]. However, these strategies are often stand on a centralized management of permissions by an authorization entity which can reduce its performance with the increase of number of users and requests. In addition, most strategies require the human administrator intervention [5] which can be a challenging task, especially in the case of variability of devices and users’ profile.
In this paper, we suggest an access control model that relies on a distributed dynamic policy and permission management. The objective of this model is to enhance the management of access control permissions while resisting malicious attacks. The proposed access control model relies on an agent-based system that is founded on the dynamic policy generation for enterprise content management systems. An agent-based system can improve not only the management of contextual data for access control in a lightweight decentralized infrastructure [6, 7], but also allows more personalized access control that deal with usability issues.
With their capability to think and decide, software agents can control the dynamic context information and help in making decision on resources access authorization. To get the ability to think, agents may use rule-based systems that can help in controlling the permissions on resources. In fact, an access control system depends on the expert’s decisions on knowledge constituted from various data on users and their context information. Among the simple forms to express this knowledge is to use rules to make decision on access control [8]. However, a rule-based system may require a high level computing performance with a large number of rules, known as the redundancy issue [8]. To deal with this issue, our proposed framework considers multi-level rules that depend on resources’ sensibility to select only a set of rules used to generate dynamically a policy.
The rest of this paper is organized as follows: Section 2 discusses related works on dynamic access control models and their distributed management methods. In Section 3, we introduce our proposed agent-based access control framework. We describe in this section the architecture of the proposed framework as well as the policy specification and generation. Section 4 describes the evaluation method. We present in this section the implementation and simulation details of the proposed framework, the usability study, the experiment as well as the obtained results. We conclude this paper by discussing our contribution and outlining our future works.
Literature review
Access control is the verification of whether user’s actions on resources are authorized according to a security policy [9]. It allows controlling the users’ access to sensitive resources [10]. Various access control models were proposed in the literature that depend on the system architecture and environment. In this section, we first review the common access control models and then we highlight related works on distributed management of access privileges.
Access control models
Different access control models have been proposed in the literature for various systems [11, 12]. Among the most common access control models are: discretionary access control model, role-based access control model, organization-based access control model and attribute-based access control model.
Discretionary Access Control (DAC) is an access control model that restricts access to objects following the identity of the subjects and/or the groups to which they belong. Each user request is evaluated with the permissions specified in the access control matrix. A subject with an access permission is able to pass that permission to any other subject. To provide this discretionary control, DAC policies include a concept of object ownership. The object owner grants permissions to their object for other subjects [12]. This model does not consider the user’ s context. It focuses on users’ management of their resources which can be challenging in large networks.
Role-Based Access Control (RBAC) has been adopted in various institutions and companies due to its simplicity in large-scale authorization management [13]. This approach uses a model that considers three concepts: users, roles and permissions. Roles are users’ job functions within the organizations and permissions are the approvals to perform certain operations on resources. The access permissions are assigned to roles in order to manage easily permissions [14]. Despite its simplicity, the role based policy model does not consider the user’s context.
Organization Based Access Control (OrBAC): is proposed to specify permissions that depend on a given context using an abstraction of the access control policy. OrBAC depends on two levels with different entities: a concrete level that consists of subject, action and object as well as an abstract level that consists of role, activity and view. The context is used to express the relationship between the previous entities through dynamic rules [15]. OrBAC model depends on the organization semantic model and lacks flexibility in defining dynamic context related to location and time constraints.
Attribute-Based Access Control (ABAC): in this model, the access control decision from a subject to an object is determined by the evaluation of the attributes associated to the subject, object, required operations or in some cases environmental conditions [16, 17]. Different attributes can be used to determine dynamically permissions in resources such as the user’s location and time constraints [4].
Moreover, other hybrid models were proposed in the literature to deal with the dynamic nature of users’ environments and contexts. For instance, user’s roles and context information such as the IP addresses and times of the day were used to determine resources’ authorization [18]. In addition to temporal and spatial constraints, access control can also consider real-time user’s situations related to the semantic of the system [19].
Most traditional access control models are founded on a centralized management of permissions. However, with technology development, network environments become more open and adaptive and the users may use various unauthenticated devices. Therefore, centralized management of access control through an authorization entity can reduce the performance of the access control system with the increase of the number of users and requests. Moreover, most access control frameworks become difficult to execute in distributed systems that have a large number of users and/or resources. The centralized management of permissions in distributed systems may cause access delay or unauthorized access because of the server overload. Moreover, due to its centralized nature, it can become easily the target of network malicious attacks. To deal with the previous issues, different studies were focused on distributed management of access privileges in the network. Next, we review recent methods of distributed management of access control that are proposed in the literature.
Distributed management of access control
A distributed management of access control consists in allowing each node of the network system, or some nodes, to control the dynamic mapping between users and permissions to improve the access control management performance. Among the most common approaches in the literature that deal with the distribution of the access control management are: cloud computing based access control, device-based access control and agent-based access control approaches.
Distributed management of access control for cloud computing
Only few access control models were proposed in the literature to deal with the distributed management of access privileges according to the system architecture and context constraints [20, 21]. For instance, Ding et al. suggested a data repository by securing the storage with the decentralized access control mechanism. They used a distributed ledger technology to endow the access control mechanism with trustworthy properties [22]. To deal with critical security issues related to the centralized access control mechanism in cloud, Yang et al. [23] proposed a blockchain-based access control framework with privacy protection called AuthPrivacyChain. Authorization-related transactions are posted by the user to blockchain.
Device-based management of access control
With the technological advancement of devices and their embedded sensors, other approaches were proposed to give the possibility to users’ devices to control their own access to resources. For instance, Verma et al. suggested a framework in which the manager uses an interaction graph to define the roles that devices may play in the system [24]. Each device uses on a template to generate access control policies following the roles assigned to it. This approach may be useful when devices generate their own policies in small environments and with limited resources. However, the device security may depend not just on its own state, but also on the state of other devices in the environment.
Agent-based management of access control
Agent-based approach has been considered as a promising approach to build more flexible access control models for distributed systems [25, 26]. It consists in defining software entities, called agents, that control autonomously the network nodes while collaborating with the other agents of the network.
Only few works proposed agent-based systems for distributed management of access control. For instance, Antonopoulos et al. proposed an agent-based system that allows entities to manage their own authorization in a cloud computing network [25]. However, the architecture lacks the management of dynamic security policy when various users in the organization access the cloud resources simultaneously [20].
Abdelkrim et al. presented an agent-based access control model for dynamic coalitions [27] that extended OrBAC model [15]. In OrBAC, the security policy is centered on the organization concept, therefore roles and activities depend on the organization domain semantic. The proposed architecture in this work is an extended OrBAC model that considers resources coalition which consists in sharing resource by the distribution of access permissions to members under a negotiation process. The model used a multi-agent systems implemented in JADE platform. It has been explained through a case study for Smart-X platforms. This framework supports coalitions and access control management. However, each platform has to specify policies governing the shared resources [27].
Thomas and Sekaran suggested an agent-based approach for the distributed access control in cloud environments [20]. The approach is used to mediate access requests of cloud consumers, considering cloud computing requirements. However, this work relies on a theoretical model of access control without presenting its possible implementation. The authors have argued the limitation of the approach in terms of the consideration of the dynamic relationship between user domains and various cloud domains to have a proper solution for the distributed access control [20].
Kurtan et al. proposed a privacy recommendation model for images sharing in online social networks using an agent based system [28]. Each user is associated to an agent that analyses the history of privacy settings of images to predict automatically the privacy setting for a future image sharing. Agents use the images’ tags to determine the privacy setting for new images on the basis of a privacy retrieval model. The agent model focuses on images resources type and requires using tags to determine security settings. However, ECM includes various resources types and their settings did not depend on how user evaluated it before, which make the model not appropriate for ECM context.
In this paper, we suggest an agent-based system to manage the access control of enterprise content management systems in an open network. Unlike the previous reviewed works, the access control framework considers the variability of users’ new unauthenticated devices and profile in a telework context. Moreover, the access control model is founded on a decentralized management of permissions to enhance its performance with the increase of number of users and requests. The proposed model named ABACM (Agent-Based Access Control Management) allows a decentralized and dynamic management of authorization in Enterprise Content Management systems (ECM). Nodes of the network, seen as agents, participate in the execution of access control. We believe that agent-based systems can play an important role in building intelligent access control models that take into account various user devices, contexts and profiles. Next, we describe the proposed framework as well as the dynamic policy generation for ECM.
The employee uses a badge based on a Bluetooth 4.0 connexion to obtain access to enterprise content management system.
Enterprise content management system (ECM) consists of processes, procedures, and technologies used in conjunction to manage unstructured content such as documents and files [29]. The employees can work and collaborate remotely by performing actions on the ECM resources. Each employee is therefore considered as a node of this network. Employees may also use the ECM system with the help of various devices.
We suggest an access control framework for ECM network, called ABACM (Agent-Based Access Control Management). As shown in Fig. 1, each employee is provided with a M5STICK access badge. It is used for authentication from his or her own device (such as laptop and phone). The objective of this access badge is to deal with the variability of user devices and their limited capabilities in terms of energy and sensors disposition. M5STICK device includes various features and sensors such as Bluetooth 4.0, Wifi, Accelerometer, etc. We used Bluetooth connection as it makes the system more resilient to malicious attacks especially in mobility conditions [30]. After the authentication, the user can request access to resources of the ECM application server. We used in this paper Alfresco bitnami VM [31] as an example of ECM system. Next, we describe the system internal architecture as well as policy generation.
System architecture
We implemented a distributed management of access control that relies on an agent-based system. According to Russell “An agent is anything that can be viewed as perceiving its environment through sensors and acting upon that environment through effectors” [32]. In the proposed system, the agent controls permissions of a user on resources. As shown is Fig. 2, each node of the network consists of: a user agent, an agent policy generator as well as an authoring tool.
System architecture.
User agent is a software entity responsible on initiating user authentication through the M5STICK access badge. This agent also communicates with other agents of the network to support the management of their access control policies. The user agent perceives the user environment, collects context information from sensors and makes decision about the authentication request. After the authentication step, the user can request access permissions to ECM resources.
Figure 3 illustrates the general access control execution process. The user agent has its own control policy list. Each agent of the network is responsible of the management of its access control and its provides services to other agents of the network. This distributed access control model allows security guarantee compared to centralized model and when an agent is attacked this will not affect the other agents of the network.
The access control is performed by the user agent following the process: perception, deliberation and action. The agent perceives the environment updates. When the agent receives a request of access on resources, it analyzes access request information and makes decision about permission. The agent can requests other neighbor agents of the network about the subject of requests if the requester is unfamiliar using an XML specification language. Then, once the decision is made, the agent generates a policy if the permission is accorded and a denied access response otherwise.
Following the user’s request, the Agent Policy Generator will associate dynamically the user permissions on resources by generating appropriate policy. The Agent Policy Generator uses a rule-based system that can be set to introduce general rules that are related to context, role and user’s profile constraints. In fact, each user of the system is characterized by a profile which represents a set of attributes related to the user such as: age, mobility, disabilities, kind of contract, etc. It is used to personalize access control constraints to user specific conditions.
Access control execution process.
Policy specification may depend on different languages. For example, the role-based access control policy may be expressed using access control lists (ACL) to resources stored in a central or distributed memory [24]. It is a simple way to map resources to permissions while considering resources hierarchy. However, one of the limitations of ACLs is the low expressiveness of regular expressions for dynamic contextual data and meta-data resources identification.
XML (extensible markup language) based policy specification has been largely used due to its extensible nature and simplicity to specify policy expression with different data types. Extensible access control markup language or XACML was proposed initially for role-based approach and has then been extended and used in various works [33]. Using XACML to encode the policy consists in the definition of expressions that return values that reflect the kind of authorization or deny of access.
In this paper, we consider XML-based policy language inspired by the XACML specifications. The policy XML file generation is founded on expert knowledge through a rule based system to infer the decision on resources permission. Using Markup Scheme such as XML also allows the communication between agents and data transfer via a network.
Example of policy specification.
The Agent Policy Generator uses the rule-based system to generate a policy by mapping user-agents to permissions. However, a rule-based system may require high level computing performance due to the large number of rules, known as the redundancy issue. We propose therefore a personalized access control that reduces the number of rules used to generate dynamically a policy. The Agent Policy Generator selects only a small set of eligible rules according to a security level that depends on resources sensibility. For instance, according to the resources low level of sensibility, the agent can exclude for instance rules that consider the context information, such as working time and location.
According to resources sensibility, three evels of rules were considered in our framework:
The first level, consists of role-based rules that represent the constraints that use agent-role mapping without considering context and profile information. The second level relies on user profile data such as availability and health conditions. The third level considers the contextual information through the dynamic environment characteristics mapping with resources classification.
The Policy Generator Agent generates an XML file with the appropriate policy that uses the general specification shown in Fig. 4.
M5StickC device used as an access badge to the telework device (laptop).
Implementation
We used two laptops (represent two teleworkers) and two M5StickC devices as access badges. We implemented the system using Java Spring Boot with Postgres database. The Frontend is implemented using Javascript with React and MaterailUI. To generate policies, rules were introduced through a simple rule engine that we developed.
The employee uses his/her access badge (M5StickC device) to connect to the laptop with the help of Bluetooth 4.0 connexion. M5StickC device is an internet of things development card based on ESP32 micro-controller used in our framework as an access badge (see Fig. 5). It consists of various modules especially: Bluetooth 4.0, Wifi, Gyro-meter, Accelerometer, Microphone, USB, IR Transmitter, LCD 0,96 screen and 3 Buttons. The badge characteristics are stored in a PostgreSQL database of the node. This includes the identifier of the badge and the identifier of the process HID (Holder ID) used to identify the user. Using a Bluetooth 4.0 connection, the user can obtain access from his or her telework device. The server of the badge used GATT protocol and Google Chrome as navigator. We also developed an authoring tool that help administrators easily set and update the rules without requiring high development skills.
Usability test of the framework
We first planned a test with two experts to evaluate the usability of the proposed access control framework. Usability testing is used in user-centered interaction design to evaluate how real users use the system. It depends upon measuring the efficiency and efficacy of the system as well as the user satisfaction.
Using the authoring tool Web interface, each expert set first the possible resources types, category, sensitivity levels and owners for role creation. The resources configuration follows the possible considerations of Alfresco ECM. In this test, the possible resources types were: Web application, business plan, contracts, clients records and financial documents. The category of the resources was administrative or business. In addition four sensitivity levels, were proposed in this test: very sensitive, sensitive, only internal use and business external use. Once the role is created, the expert can add levels that include context and/or profile constraints (see Figs 6 and 7). The expert can also add his or her personalized constraints or uses the default possible constraints.
We evaluated the proposed access control system using M5StickC device and two laptops for two teleworkers (experts), computer with Alfrescro ECM and a second one for the authorization server (see Fig. 8). Using a Bluetooth 4.0 connection of M5StickC, the user can obtain access from his or her telework device.
Level configuration.
Adding a constraint.
The profile constraint that we have considered in our test was:
Health: A list of abstract health conditions of the user such as “Healthy” and “Disability”. The latter determines personalized time and spatial conditions to be considered for specific user’s health conditions.
As for the context data, three constraints have been included in the test:
User Agent location: It is related to the geographical site position that includes values on latitude, longitude and diameter of user location. Gyro: It is a constraint related to user movement data that includes the speed recorded when the user asks access permission. It is represented by six speed values that depend on different axes. Acceleration: we also considered constraints on the acceleration of the agent movement. It is represented by six acceleration values that depend on different axes.
Network architecture in the test.
Example of generated policy in the test.
To generate policies, rules were implemented through a simple rule engine that we developed. An example of generated policy is shown in Fig. 9.
We also developed two simulated access platforms to in order to evaluate the security performance of the framework for large number of agents and requests. We configured the agent-based simulation to run several agents and requests. Each agent perceives the environment as well as data from other agents and follows the access control execution process.
The objective of the experiment was to evaluate the security performance of the proposed distributed access control management model (DAC) compared with the traditional centralized one (CAC). In particular, we evaluated the resistant of the proposed access control management service to DOS (Deny of service) attacks.
Simulation results.
We run the simulation with 100 agents who request random access to a node resources. We assume that the security level of access requests are the same for all agents. Only 50 agents who had access authorization. We analyzed 1000 simulated access requests on two platforms. The first platform is based on the proposed distributed access management access control model. The second platform stands on traditional centralized access control management and used a policy matrix list to make decision about permissions.
The results of the usability test with two experts showed the simplicity of the interface and efficiency of the access badge to get rapid and easy access to the Alfresco server application.
Using the two simulated access platforms, we evaluated the security performance of the framework in the case of DOS attacks. As shown in Fig. 10, the ability to resist DOS attacks over time increased in the proposed distributed management of access control compared with the centralized approach. The distributed management access control model has reduced the overload of the agent who make decision on authorization which has increased the ability to resist DOS attacks. The centralized access control management system can be a target of attackers which can cause delay of time response or failure to accord permission.
Discussion
Agent-based access control management methods
Agent-based access control management methods
The increase of the number of distributed applications in telework business model has bring up various issues related to the distributed access control management. Employees can work anywhere, anytime, under various conditions and with different devices. The system has to be able to authenticate unfamiliar devices and determine the kind of access authorization in an open telework network.
Various dynamic access control strategies have been proposed in the literature to deal with dynamic nature of user environments and contexts [2, 4, 1]. However, most access control models rely on centralized management of permissions. The large number of users and requests in telework may reduce the performance of the authorization entity and its ability to resist DOS attacks. In addition, most traditional access control management strategies require the human administrator intervention [5] which can be challenging with the variability of devices and users’ profiles.
Agent-based approach has got the interest of many researchers who seek to build more flexible access control models for various distributed systems. Table 1 summarizes the analysis of agent-based access control management methods. Most proposed methods in the literature are founded on the type and requirements of the distributed environment such as service oriented architecture and cloud computing [20, 21, 27, 20]. Moreover, access control models did not consider heterogeneous open telework environments. They are also based on security policies that require continuous administrator’s intervention to set permissions according to users’ context and conditions.
In this paper, we suggested ABACM, a distributed management of access control permissions on the basis of an agent-based architecture. The proposed model allows a decentralized and dynamic management of authorization in ECM. It suggests a dynamic generation of access control policies on the basis of users’ context and profile. In addition, the framework includes an authoring tool to help administrators to set general constraints in order to limit their interventions. Unlike the previous reviewed works, the access control framework considers the variability of users’ new unauthenticated devices and profile in a telework context. Moreover, the access control model depends on a decentralized management of permissions to enhance its performance with the increase of number of users and requests in an open network.
We proposed an implementation of the system and we test it with two experts to evaluate the usability of the system. Then, we developed two simulation platforms to study the security performance of the proposed distributed management of access control compared with a centralized one. The results of the test showed the simplicity of the interface and efficiency of the access badge to get rapid and easy access to the Alfresco server application. Moreover, the result of the experiment shows that the ability to resist DOS attacks over time increased in the proposed distributed access control management compared with the centralized approach.
The proposed agent-based system can be promising to create more flexible and intelligent access control model for ECM. The reactivity and adaptability of the agent can help to manage permissions while limiting the human intervention. However, one of the limitation of this work is the simple implementation of the agent-based system and the communication protocol that was based on an XML specification language. In our future work, we will consider the agent cognition model as well as communication protocol that enhances the performance of the access control model.
In this paper, we presented a distributed management of access control for enterprise content management systems that rests on an agent-based architecture. The system uses a rule engine that generates dynamically an access control policy on the basis of users’ conditions and context information obtained with the help of an M5StickC access badge. In our future works, we also plan to test the performance of this system with a large number of employees and administrators through a case study. The objective is to evaluate the efficiency of the system to improve both authoring tool and policy generation. Finally, we plan to test the usability of the system with employees with particular health conditions (such as post-stroke patients) by considering various profile-based rules [34] that include personalized spatial and temporal constraints.
Footnotes
Author’s Bio
