Identity Management Solution of Metropolitan Police Service
This paper investigates the factors of a dedicated identity management system for a large organization in which a large number of personnel require different levels of access, taking into account the real-time circumstances of the organization (in this case the MPS). Security in enterprise systems places a high value on confidentiality, integrity and availability. Security administration of a large organization (e.g. the MPS) is complex, but it can be simplified by using a number of technologies such as a role-based access control (RBAC) approach, advanced cryptographic ciphers, biometric identification, and two-factor RSA authentication. The solution also analyses the trust perception, or trustworthiness, of user authentication, access control and the security issues of automated systems which will be used over the internet or a Virtual Private Network (VPN).
The MPS case study has shown that the MPS has different staff with different job assignments; their job titles and responsibilities differ. Staff move from one location to another with assigned responsibilities because of the nature of the job. MPS staff frequently have multiple identities across different work assignments or activities. Therefore, system administrators and software developers have focused on different kinds of access control to ensure that only authorized users are given access to certain data, resources or criminal data records.
One of the best access controls to emerge is role-based access control (RBAC). With RBAC the system administrators create roles according to the job functions of the organization (e.g. the MPS), grant permissions to those roles and then assign users to the roles on the basis of their specific job responsibilities and qualifications. RBAC features range from simple to complex enterprise environments. RBAC consists of four models: core RBAC, hierarchical RBAC, static constrained RBAC and dynamic constrained RBAC. Core RBAC is organized around five administrative elements: (1) users, (2) roles and (3) permissions, where permissions are composed of (4) operations applied to (5) objects.
USERS and ROLES: a user is a human being who uses the resources of the system. A role is a named job function within the context of an organization, with some associated semantics regarding the authority and responsibility conferred on a user of the role.
PERMISSION, OPERATION and OBJECT: a permission is an authorization for a user to access one or more objects through an operation of the system. Objects are the data stored in the system (e.g. case numbers, criminal records).
The second element of the RBAC model is hierarchical RBAC. In any organization (in this case the MPS) staff frequently have multiple job responsibilities and privileges, and there are general operations that all staff should be able to perform. Distributing such roles individually is extremely difficult and an administrative overhead; role hierarchies are used to avoid this. A role hierarchy defines roles that have unique attributes and that may contain other roles, that is, "one role may include the operations, constraints, and objects that are associated with another role".
Users establish a session in order to activate a role, or a subset of the roles, that the user is permitted to hold. In fig 1.2 the user has a unidirectional symbol, which indicates that user to session is a one-to-many relation, while session to role is bidirectional, meaning it is a many-to-many relation.
Static constrained RBAC:
Constraints are an important part of role-based access control policies. The safety or security of a system is maintained by enforcing the constraints specified in the policy. Constrained RBAC adds the separation of duty (SoD) relation to the RBAC model. SoD is a universally practiced principle that helps to prevent fraud and errors by ensuring that "no individual is given sufficient authority within the system to perpetrate fraud on his own" (Sandhu 1990).
Static separation of duty (SSD) means that a specific role may only be filled by a finite number of users at any given time; for example, the MPS would have only one head of police, and this user may hold only a finite number of roles.
Dynamic constrained RBAC:
Dynamic separation of duty (DSD) allows a user to hold two roles that would conflict if they were activated at the same time, but it must ensure that both roles are not activated during the same session.
RBAC is a fully dedicated identity management system which makes it possible to enforce all access control for particular operations on the objects in the system. However, its security policy has trust issues, which can be addressed by combining it with other identity management techniques such as biometric identity or a smart card or e-card solution that uses PKI-integrated RSA technology. Therefore, the MPS should have an RBAC solution in order to provide the best performance of the system for its members or staff when accessing the system's records and roles, with authentication enabled.
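The four RBAC elements described above (core users/roles/permissions, role hierarchy, SSD and DSD) as one small policy engine. This is an added example and not code from the essay or from any MPS system; the role and permission names in the comments and tests are constructed for illustration only.

```python
# Added example, not from the essay: a minimal RBAC engine covering the
# four elements the text describes (core, hierarchy, SSD, DSD). Role and
# permission names used with it are constructed for illustration, not MPS policy.
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.perms = defaultdict(set)     # role -> {(operation, object)}
        self.juniors = defaultdict(set)   # senior role -> roles it inherits
        self.assigned = defaultdict(set)  # user -> roles assigned
        self.ssd, self.dsd = [], []       # role pairs: never co-held / never co-active
        self.sessions = {}                # session id -> (user, active roles)

    def grant(self, role, op, obj):
        self.perms[role].add((op, obj))

    def inherit(self, senior, junior):
        self.juniors[senior].add(junior)

    def expand(self, roles):
        """Transitive closure over the role hierarchy."""
        seen, todo = set(), list(roles)
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors[r])
        return seen

    def assign(self, user, role):
        # SSD is checked against inherited roles too, so the hierarchy cannot bypass it
        held = self.expand(self.assigned[user] | {role})
        if any(a in held and b in held for a, b in self.ssd):
            raise PermissionError(f"SSD violation: {user} cannot hold {role}")
        self.assigned[user].add(role)

    def open_session(self, sid, user, roles):
        # A session activates a subset of assigned roles; DSD limits which subsets
        if not set(roles) <= self.assigned[user]:
            raise PermissionError(f"{user} is not assigned all of {roles}")
        active = self.expand(roles)
        if any(a in active and b in active for a, b in self.dsd):
            raise PermissionError("DSD violation: conflicting roles in one session")
        self.sessions[sid] = (user, active)

    def check(self, sid, op, obj):
        """Access decision: permission held by any active role (incl. inherited)."""
        return any((op, obj) in self.perms[r] for r in self.sessions[sid][1])
```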
A biometric characteristic, a physical or behavioral characteristic of a biological phenomenon, can be used in order to recognize a human identity. Biometric physical characteristics are genetically implied characteristics (with mostly environmental influence) (e.g. the human face, finger, vascular structure, iris, retina, etc.). Behavioral characteristics are those people learn during their life (e.g. a person's gait, voice, handwritten signature, etc.).
A fingerprint is the pattern of minutiae, ridges and furrows on the exterior of a fingertip. These patterns are unique and permanent unless the finger is cut or burnt. Each and every finger has a different print. Fingerprinting is one of the mature technologies used in forensic identification since the 20th century. A fingerprint-based personal authentication system operates in two different modes: enrollment and authentication (fig. 1). During enrollment, an authorized user seeks authentication by using a "fingerprint sensor", which acquires a fingerprint; the relevant information is extracted by the feature extractor. These features are stored in a database, along with the user information necessary for granting the service. After the user provides the input, the system attempts to match it with the information already stored in the database. If the calculated similarity score between the provided input and the database information is greater than a threshold, the system determines that the subject is who they claim to be and offers the service; otherwise it discards the request. In authentication mode, the user presents only a fingerprint, without an ID, and the system either determines the identity of the subject or decides that the person is not enrolled in the database.
An overall flow chart (fig 2.2) is given, which mainly consists of the segments (a) orientation field estimation, (b) ridge extraction and (c) minutiae extraction and post-processing.
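The two modes described above (enrollment, then verification against a claimed ID or identification against the whole database) and the threshold decision, as a toy minutiae matcher. This is an added example, not code from the essay; the sensor and feature extractor are out of scope, so the minutiae templates are constructed (x, y, angle) tuples and the tolerances and threshold are assumed values.

```python
# Added example, not from the essay: a toy minutiae matcher showing the two
# modes the text describes (enrollment and authentication) and the threshold
# decision. Templates are constructed (x, y, angle-in-degrees) tuples; no
# sensor or feature extractor is involved.
import math

TOL_DIST, TOL_ANGLE = 8.0, 15.0   # assumed tolerances in pixels / degrees

# Constructed sample data: an enrolled finger, a fresh scan of the same finger
# (small sensor noise, one minutia missed) and a different person's finger.
ALICE = [(10, 20, 45), (30, 40, 90), (50, 60, 135), (70, 80, 180), (90, 100, 225)]
ALICE_PROBE = [(12, 21, 48), (31, 38, 88), (49, 62, 130), (72, 79, 184)]
BOB = [(15, 15, 0), (55, 25, 30), (35, 65, 60), (85, 85, 300), (60, 10, 200)]


def similarity(probe, template):
    """Fraction of template minutiae with a close probe minutia
    (each probe minutia may be paired at most once)."""
    unused, hits = list(probe), 0
    for tx, ty, ta in template:
        for i, (px, py, pa) in enumerate(unused):
            da = abs((pa - ta + 180) % 360 - 180)   # smallest angle difference
            if math.hypot(px - tx, py - ty) <= TOL_DIST and da <= TOL_ANGLE:
                hits += 1
                del unused[i]
                break
    return hits / max(len(template), 1)


class FingerprintDB:
    def __init__(self, threshold=0.7):
        self.threshold = threshold        # raise it to cut false accepts
        self.templates = {}               # user id -> enrolled minutiae

    def enroll(self, user, minutiae):
        self.templates[user] = list(minutiae)

    def verify(self, user, probe):
        """Probe plus claimed ID: accept only if the score clears the threshold."""
        t = self.templates.get(user)
        return t is not None and similarity(probe, t) >= self.threshold

    def identify(self, probe):
        """Probe only: best-scoring enrolled user, or None if nobody clears
        the threshold (the person is not enrolled)."""
        scores = {u: similarity(probe, t) for u, t in self.templates.items()}
        best = max(scores, key=scores.get, default=None)
        return best if best is not None and scores[best] >= self.threshold else None
```

Lowering the threshold reduces false rejects of genuine users but raises the chance of the false match the essay warns about later, so the value is a policy choice rather than a constant.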
Developing a computational model of face recognition is quite difficult, because faces are complex, multidimensional and meaningful visual stimuli. They are a natural class of objects and stand in stark contrast to sine wave gratings. Face recognition research has increased in the last decade because of application demand, such as identification for law enforcement and authentication for access in secure channels such as banking, insurance, financial organizations and government services. One of the world-renowned face recognition techniques is the eigenface method.
The recognition process in the eigenface method follows these steps:
- Acquire the set of training images and calculate the eigenfaces, which define the face space.
- When a new image (face) is to be identified, calculate a set of weights based on the input image and the eigenfaces by projecting the input onto each of the eigenfaces.
- Determine whether the image is a face (known or unknown) by checking its weight pattern, i.e. whether its distance to face space is within the threshold.
- If it is a face, identify it by checking whether its weight pattern is stored in the system (database).
- Finally, give the user (or person) access to the system, or seek further authentication information such as an ID card.
A generic flow chart for face recognition is given as follows:
Typical applications for face recognition are listed in the following table:
Biometric identification uses these strong identification methods, which are in general unique; exceptions are very rare. Therefore, any organization such as the MPS, banking or insurance can implement these methodologies in order to permit only authenticated access.
Distinguishing between biological and multiple digital identities:
According to our MPS case study, the current MPS uses a multiple digital identity management system, which is an overhead for system administrators and involves high risk in access control, because an account must be kept for each individual access operation while police staff move from one place to another when assigned a special task. Moreover, with multiple identities there is a significant internal security risk if a staff member who is off duty accesses the system (and of course the external risk is high). I will demonstrate a few technical and security issues of using multiple and biological identities.
In general, users with multiple digital identities mostly use traditional security systems such as passwords, PINs, keys, cards or a combination of these. A general problem with PINs and passwords is their complexity, which makes them difficult for users to remember; another problem is that they identify the card rather than the user. In other words, if a person knows the PIN or password associated with a card, that person may not be the actual owner of the card. The following table 2 shows some characteristics of traditional identity approaches:
Biometrics play a major role in security and in the identification of authorized users, with the main emphasis on authentication and identification. Today's organizations are mostly moving towards biometrics. However, this technique can make mistakes (not frequently): sometimes it produces a false match and accepts an unknown user as authorized, and vice versa.
There are some advantages and disadvantages in using biometric techniques, which are listed in the following:
In all e-technology, spoofing is a great threat, and biometrics have not got rid of it. A list of spoofing attacks and their mitigations is given in the following table:
However, after analyzing the differences and drawbacks of each technology, a biometric solution can be an ideal solution for identification and authentication of any system.
The primary concern of current business or organizational management is security, which determines the adoption of internet technology.
- Markus Schatten, Miroslav Baca and Mirko Cubrilo, Towards a General Definition of Biometric Systems, International Journal of Computer Science Issues, Vol. 2, 2009.
- Anil Jain, Lin Hong, Sharath Pankanti and Ruud Bolle, An Identification System Using Fingerprints, p. 3, pp. 29-32.
- N.K. Ratha, J.H. Connell, R.M. Bolle, Enhancing Security and Privacy in Biometric-Based Authentication Systems, IBM Systems Journal, Vol. 40, No. 3, 2001, p. 616.
- Kaoru Uchida, Detection and Recognition Technologies: Fingerprint Identification, NEC Journal of Advanced Technology, Vol. 2, No. 1, p. 20.
- J. Canny, A Computational Approach to Edge Detection, IEEE Transactions on PAMI, Vol. 8, No. 6, pp. 679-698.
- A.R. Rao, A Taxonomy for Texture Description and Identification, Springer-Verlag, New York, 1990.
- Anil Jain, Sharath Pankanti, Fingerprint Classification and Matching, pp. 10-11.
- Matthew A. Turk, Alex P. Pentland, Face Recognition Using Eigenfaces, CH2983-5/91, ©1991 IEEE, p. 586.
- J. Zhang, Y. Yan, M. Lades, Face Recognition: Eigenface, Elastic Matching and Neural Nets, Proceedings of the IEEE, Vol. 85, No. 9, September 1997, p. 1423.
- W. Zhao, R. Chellappa, P.J. Phillips and A. Rosenfeld, Face Recognition: A Literature Survey, ACM Computing Surveys, Vol. 35, No. 4, December 2003, pp. 400-4001.
- D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role-Based Access Control, Artech House Computer Security Series, 2003, ISBN 1-58053-370-1.
- J. Crampton, H. Khambhammettu, A Framework for Enforcing Constrained RBAC Policies, Vancouver, Canada, ISBN 978-0-7695-3823-5.
- Harold F. Tipton, Micki Krause, Information Security Management Handbook, pp. 755-757.
- Sachar Paulus, Norbert Pohlmann, Helmut Reimer, Securing Electronic Business Process Highlights of the Information, p. 177.
- S. Boukhonine, V. Krotov, B. Rupert, Future Security Approaches and Biometrics, Vol. 16, 2005, pp. 936-946.