
Access Control Mechanisms in E-commerce Environments

MADHUSMITA ROUT 1,2, ER MIR MOHAMMAD YOUSUF 1,3
1 Department of Computer Science and Engineering, Lovely Professional University, Phagwara, Punjab
2 msrout77@gmail.com
3 mir.23383@lpu.co.in

ABSTRACT
Efficiently managing a huge number of applications and providing user access has become a
challenge for every organization today. E-commerce is used in every industry to provide better
service with 24-hour availability to customers [1], but protecting data security and privacy is a
major issue. New technologies are being implemented to deal with emerging security threats.
Authentication and access control are an effective way to keep systems and data secure. Access
control minimizes the risk of unauthorized access to physical and logical systems. It validates
each request before granting any access to a user, i.e. based on the type of request to services
and data. Different types of security policies are used to implement an access control system;
they differ in their requirements for allowing user access [9,10]. From small-scale to large-scale
industries, each prefers to deploy various types of access control mechanisms which help them
maintain a secure system and user access on the basis of requirements and individual roles. In
this paper we discuss why maintaining secure access management has become important in
different types of organizations and the issues regarding its configuration and management,
along with solutions. Finally, we analyze how different mechanisms affect e-commerce.

KEYWORDS
access control, business roles, role engineering, role mining, security and privacy

1. INTRODUCTION
Many industries and businesses are at the peak of competition to dominate each other in the
market, but developing e-commerce within a business is the hardest part. The main goal is to
maximize the benefits and turnover of an industry. Since in e-commerce all business activities
involve an electronic medium, the main concern is to deliver the best transmission of products
and services. Hence, to build a reliable and efficient system, a computer administrator has to
analyze different parameters for a better and more convenient system, with security policies
provided by a security analyst [1,3].
The e-commerce environment is quite different from traditional ones. Different frameworks
are introduced for developing an e-commerce application according to the requirements of
various platforms. A more secure and confidential database is a concern, as everything here is
digital, and safeguarding the business assets is the most important thing [2]. Choosing an access
control mechanism for the above scenario is a challenge, as it involves the cost and effort
required for abundant resources and an optimization method, mostly in large distributed
systems and the internet. In access control, users are given privileges according to their roles
and responsibilities by validating their identities against their requests; it is established with
various access control policies. If hierarchical access is implemented in an organization, the
problem becomes more complex [4].
So, choosing an access control policy depends on the environmental requirements of an
organization, as these differ from system to system.
There are three main types of access control policies, i.e. Discretionary Access Control (DAC),
Mandatory Access Control (MAC) and Role-Based Access Control (RBAC) [8,9].
Discretionary Access Control (DAC) is a type of access control where a user can only control
access to his own data, i.e. the owner of the resource determines the access. It is mostly used in
desktop operating systems, but it also increases the chance of risk. One user cannot change the
access controls owned by another user.
Mandatory Access Control (MAC) is an access control method that provides access to
resources depending on the clearance level of the user. The system administrator can control
or change the access to resources. MAC is the strictest of all levels of control. It uses a
hierarchical approach to access resources. MAC assigns two security labels to all resource
objects on the system: a classification and a category. Both the classification and the category
must match.
It offers the most secure access control environment. Good planning and effective
implementation with strong system management are required to implement it. This mechanism
associates information with labels such as TOP SECRET, SECRET and CONFIDENTIAL.
Mostly government sectors use MAC for strict security [9].
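As an added example (not code from the paper), the two-part label described above can be checked with the standard dominance rule of hierarchical MAC: a clearance dominates an object's label when its classification level is at least as high and its category set contains all of the object's categories. The levels, categories, objects and users below are constructed for illustration.

```python
# Added example (not from the paper): MAC label check with a hierarchical
# classification plus a category set, the two labels the text describes.
# Uses the standard dominance rule: a clearance dominates a label when its
# level is at least as high and its categories include all of the label's.
# Levels, categories and objects below are constructed for illustration.
LEVELS = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

class Label:
    def __init__(self, classification, categories=()):
        self.classification = classification
        self.level = LEVELS[classification]
        self.categories = frozenset(categories)

    def dominates(self, other):
        return self.level >= other.level and self.categories >= other.categories

def mac_can_read(clearance, obj_label):
    """Simple security property ("no read up"): the clearance must dominate the object."""
    return clearance.dominates(obj_label)

def mac_can_write(clearance, obj_label):
    """*-property ("no write down"): the object's label must dominate the clearance,
    so a highly cleared user cannot copy data into a lower-classified object."""
    return obj_label.dominates(clearance)

# Constructed store back-office objects with their mandatory labels.
OBJECTS = {
    "price_list":   Label("CONFIDENTIAL", {"SALES"}),
    "customer_pii": Label("SECRET", {"SALES", "PRIVACY"}),
    "merger_plan":  Label("TOP SECRET", {"FINANCE"}),
}

def readable_objects(clearance, objects=OBJECTS):
    """Names of the objects the given clearance may read, in sorted order."""
    return sorted(name for name, lbl in objects.items() if mac_can_read(clearance, lbl))

if __name__ == "__main__":
    analyst = Label("SECRET", {"SALES", "PRIVACY"})
    print(readable_objects(analyst))  # ['customer_pii', 'price_list']
```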
Role-Based Access Control (RBAC) is an access control mechanism defined by roles and
privileges. Access permissions are managed on the basis of the roles held by individual users.
In RBAC, users are assigned to roles (job functions), roles are assigned permissions (approval
to perform an operation on an object), and users acquire permissions by being assigned to
roles. Whether a user can perform an operation depends on the roles activated and the
permissions associated with those roles [8,9].
RBAC implements authorization account management across various organizations. Many
government and commercial sectors rely upon RBAC as it meets their security policies. Roles
are decided by the organizational responsibilities and qualifications of users. Access decisions
are always based on roles. Roles are created for various job functions. Three primary rules
are defined for RBAC, i.e. role assignment, role authorization and permission authorization.
Reassigning roles and granting new permissions to users is easier using RBAC.
Over time, users' access rights tend to accumulate, i.e. users may be granted temporary access
for a special project or be moved to other work in someone's absence to complete a task.
Owners can review the security and distribution groups on a periodic basis. RBAC has good
administrative capabilities. User rights management is implemented through RBAC. RBAC is
currently used in database management systems, security management and network operating
systems [8,9].
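The following added example (not code from the paper) implements the three RBAC rules just listed as a small reference monitor for an e-commerce back office, with explicit role activation per session and a single-edit role reassignment. The roles, users and permissions are constructed for illustration.

```python
# Added example (not from the paper): a minimal RBAC reference monitor for an
# e-commerce back office, implementing the three rules the text lists: role
# assignment (no access without an active role), role authorization (a user may
# activate only roles assigned to them) and permission authorization (an operation
# needs a permission held by an active role). All names are constructed.

ROLE_PERMS = {
    "customer":      {("order", "create"), ("order", "view_own")},
    "support_agent": {("order", "view_any"), ("order", "refund")},
    "catalog_admin": {("product", "create"), ("product", "update"), ("product", "delete")},
}

USER_ROLES = {
    "alice": {"customer"},
    "bob":   {"customer", "support_agent"},
    "carol": {"catalog_admin"},
}

class Session:
    """A user's session: roles are activated explicitly, so a user holding several
    roles exercises only the ones needed for the current task (least privilege)."""

    def __init__(self, user, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
        self.user = user
        self.user_roles = user_roles
        self.role_perms = role_perms
        self.active_roles = set()

    def activate(self, role):
        # Role authorization: only roles assigned to this user may be activated.
        if role not in self.user_roles.get(self.user, set()):
            return False
        self.active_roles.add(role)
        return True

    def deactivate(self, role):
        self.active_roles.discard(role)

    def can(self, obj, op):
        # Role assignment: with no active role the session has no permissions at all.
        if not self.active_roles:
            return False
        # Permission authorization: the operation must belong to an active role.
        return any((obj, op) in self.role_perms[r] for r in self.active_roles)

def reassign(user, old_role, new_role, user_roles=USER_ROLES):
    """A job change is one edit to the user-role assignment, not to every permission."""
    roles = user_roles.setdefault(user, set())
    roles.discard(old_role)
    roles.add(new_role)
    return roles
```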

2. AUTHORIZATION POLICIES, ACCESS AND USAGE CONTROL

There are many issues when configuring access control, mostly in authentication based on the
roles of individuals, which prevent access control measures from being effective.

2.1 RBAC model, role engineering and issues

Many organizations implement access control without understanding their basic requirements
and while neglecting low-level management, thus yielding fewer benefits and compromising
security. Defining roles is the most important part before starting a project [16].
Role engineering is the process by which various permissions are combined into the required
roles. It helps an organization to develop, define and maintain role-based access control.
Specific tasks are designed and grouped into various functional roles. It is a top-down
approach where a large process is analyzed and divided into smaller units [13].
The issues with role mining are as follows:
Roles. Defining a set of roles with the minimum cost to get greater flexibility. Access
privileges must be well recognized by an information system. When new employees are given
roles replacing the previous ones, it must be possible to revoke access on all systems without
any delay. Thus, a regular review is needed.
Noise within data. When permissions are accidentally granted or denied, this additionally
corrupts the data.
Risk. A poor design can compromise the authorization of an organization. Password
management is the most common mistake made by organizations. Roles must have a meaning
related to a business activity.
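As an added example (not code from the paper or from any tool it cites), the bottom-up side of role mining can be shown on a constructed user-permission assignment: users with identical permission sets form candidate roles, and users that fit no role exactly are matched to the largest contained role so the leftover permissions surface as the kind of "noise" grants the list above warns about.

```python
from collections import defaultdict

# Added example (not from the paper): bottom-up role mining over a constructed
# user-permission assignment (UPA) for a small e-commerce back office. Users with
# exactly the same permission set become a candidate role; a user not covered by
# any candidate role is matched to the largest role contained in their permissions
# and the remainder is reported as a possible "noise" grant for review.
UPA = {
    "alice": {"view_orders", "edit_orders", "refund"},
    "bob":   {"view_orders", "edit_orders", "refund"},
    "carol": {"view_orders", "edit_orders", "refund", "export_customers"},
    "dave":  {"view_catalog", "edit_catalog"},
    "erin":  {"view_catalog", "edit_catalog"},
    "frank": {"view_orders"},
}

def mine_roles(upa, min_users=2):
    """Candidate roles: {frozenset(permissions): set(users)} held by >= min_users users."""
    by_perms = defaultdict(set)
    for user, perms in upa.items():
        by_perms[frozenset(perms)].add(user)
    return {perms: users for perms, users in by_perms.items() if len(users) >= min_users}

def find_exceptions(upa, roles):
    """Users outside every candidate role -> (best matching role, leftover permissions).
    An empty best role means no mined role fits and the assignment needs manual review."""
    covered = set().union(*roles.values()) if roles else set()
    exceptions = {}
    for user, perms in upa.items():
        if user in covered:
            continue
        contained = [role for role in roles if role <= perms]
        best = max(contained, key=len) if contained else frozenset()
        exceptions[user] = (best, frozenset(perms - best))
    return exceptions

if __name__ == "__main__":
    roles = mine_roles(UPA)
    for i, (perms, users) in enumerate(roles.items(), 1):
        print(f"role{i}: {sorted(perms)} -> {sorted(users)}")
    for user, (best, extra) in find_exceptions(UPA, roles).items():
        print(f"{user}: matches {sorted(best)}, extra {sorted(extra)}")
```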

2.2 Tools and data sets

Many tools using automated technology have been proposed to perform the role mining
process. This helps to be more reliable and to prevent errors, which makes RBAC configuration
more flexible. Examples of tools are as follows:
Orca. A Java-based tool that visualizes the permission hierarchy and supports cluster hierarchy
transformation, i.e. grouping similar permissions and forming a cluster hierarchy based on
them [15].
RMiner. Based on the core of WEKA, an open-source data mining tool. It implements most of
the role mining algorithms, such as ORCA, anti-apriori, graph optimization, etc., and allows an
administrator to update role states [16].
2.3 Usage control
Traditional access control does not respond well to new security threats. Flexible and efficient
mechanisms are in demand to prevent the compromise of confidential networks and data. In
today's highly distributed environment, usage control models are necessary, as they can
monitor the continuous updates in a system. They are most suitable for distributed
environments and cloud computing platforms [10,12].

3. METHODS

3.1 Cloud computing

Cloud computing infrastructure is very flexible, secure and scalable. It helps an e-commerce
business to increase productivity and reduce operation and maintenance costs. A company
must ensure scalable, reliable and flexible access to products and services so that customers
can easily access them through the internet from anywhere at any time; additionally, it secures
and backs up the data [5,6]. It must distinguish between sensitive and common data, since if
anyone can access the sensitive data this leads to a data breach, so the algorithms used in a
cloud environment should be efficient [7,11]. Access to sensitive data must be given only
under certain restrictions.

3.2 Social networks: Relationship-Based Access Control (ReBAC)

A large number of users are now active on social platforms, using online services on a regular
basis and exchanging information for various purposes. Access control policies are
characterized by the interpersonal relationships among users, and the access control
mechanisms are known as Relationship-Based Access Control (ReBAC) models. It monitors
the access to data by users on various networks [17].

4. CONCLUSION AND FUTURE WORK
We have reviewed previous methods and the limitations of access control mechanisms in
different environments. Different approaches with new designs have been introduced for
developing more flexible models. A feature-based approach can be used to meet the changing
requirements of e-commerce environments. Policies and real datasets can be used with
different tools to improve access control methods.

REFERENCES
[1] Turban, E., King, D. R., Lang, J., & Lai, L. (2009). Introduction to electronic commerce.
[2] Todor, R. D. (2016). Blending traditional and digital marketing. Bulletin of the
Transilvania University of Brasov. Economic Sciences. Series V, 9(1), 51.
[3] Abadi, S., Huda, M., Hehsan, A., Mohamad, A. M., Basiron, B., Ihwani, S. S., ... & Noor,
S. S. M. (2018). Design of online transaction model on traditional industry in order to
increase turnover and benefits. Int. J. Eng. Technol, 7, 231-237.
[4] Reddy, S. P., Jayakumar, M., Viltard, A., & Meenakshisundaram, R. (2018). U.S. Patent
Application No. 10/122,717.
[5] Langaliya, C., & Aluvalu, R. (2015). Enhancing cloud security through access control
models: A survey. International Journal of Computer Applications, 112(7).
[6] Goel, K., & Goel, M. (2016, May). Cloud computing based e-commerce model. In 2016
IEEE International Conference on Recent Trends in Electronics, Information &
Communication Technology (RTEICT) (pp. 27-30). IEEE.
[7] Bhardwaj, A., Subrahmanyam, G. V. B., Avasthi, V., & Sastry, H. (2016). Security
algorithms for cloud computing. Procedia Computer Science, 85, 535-542.
[8] Ferraiolo, D., Cugini, J., & Kuhn, D. R. (1995, December). Role-based access control
(RBAC): Features and motivations. In Proceedings of 11th annual computer security
application conference (pp. 241-48).
[9] Jin, X., Krishnan, R., & Sandhu, R. (2012, July). A unified attribute-based access control
model covering DAC, MAC and RBAC. In IFIP Annual Conference on Data and
Applications Security and Privacy (pp. 41-55). Springer, Berlin, Heidelberg.
[10] Huh, J. H., Bobba, R. B., Markham, T., Nicol, D. M., Hull, J., Chernoguzov, A., ... &
Huang, J. (2016). Next-generation access control for distributed control systems. IEEE
Internet Computing, 20(5), 28-37.
[11] Indu, I., Anand, P. R., & Bhaskar, V. (2018). Identity and access management in cloud
environment: Mechanisms and challenges. Engineering science and technology, an
international journal.
[12] Sandhu, R., & Park, J. (2003, September). Usage control: A vision for next generation
access control. In International Workshop on Mathematical Methods, Models, and
Architectures for Computer Network Security (pp. 17-31). Springer, Berlin, Heidelberg.
[13] Colantonio, A., Di Pietro, R., & Ocello, A. (2011). Role mining in business: Taming
Role-Based Access Control Administration. World Scientific.
[15] Wang, L., Geng, X., Bezdek, J., Leckie, C., & Kotagiri, R. (2008). SpecVAT: Enhanced
visual cluster analysis. In 2008 Eighth IEEE International Conference on Data Mining
(ICDM'08) (pp. 638-647). IEEE, Pisa, Italy. DOI: http://dx.doi.org/10.1109/ICDM.2008.18
[16] Mitra, B., Sural, S., Vaidya, J., & Atluri, V. (2016). A survey of role mining. ACM
Computing Surveys (CSUR), 48(4). DOI: http://dx.doi.org/10.1145/2871148
[17] Fong, P. (2015). ReBAC2015: Interoperability of Relationship and Role-Based Access
Control. Master's thesis. University of Calgary, Alberta.
