Metropolitan Police Service

Introduction

This paper is based on a case study of a network security issue faced by the Metropolitan Police Service, the largest organisation of its kind operating in Britain. Three questions have to be answered with regard to the situation presented in the case study.

Part A

Biometrics and Role-Based Access Model

Biometric authentication refers to those technologies that are capable of analysing human biological and other characteristics for identification purposes (Peter, 2007). However, the use of biometrics presents privacy concerns because (a) biometric information, by its nature, involves the personal characteristics of people who may not want to share it in the first place, especially with a government or other agency that may abuse that information in the future, and (b) biometric information could be as susceptible to identity theft as other kinds of identification methods (Kwok, 2006).

In the last few years, role-based access control (RBAC) has been attracting increasing attention. Each user is assigned as a member of one or more appropriate roles (Kokolakis, 2005). As a result, an organisation (the Metropolitan Police Service in this case) not only preserves an access control policy appropriate to its characteristics consistently, but also maintains access control relationships between users and objects independently (Hong, 2006). The roles assigned to a user are determined by the user's responsibilities and qualifications. Moreover, the role assignments can be easily changed without modifying the underlying access structure. RBAC greatly simplifies the management of authorisations while providing great flexibility in specifying and enforcing enterprise-specific protection policies and reducing management costs (Guenther, 2007).

In the proposed solution for the Metropolitan Police Service, a user is a human being or an autonomous agent, a privilege is an object method that can be exercised on objects, and roles are divided into two groups: position roles and task roles. A position role is a collection of privileges performed by a certain position in an enterprise, such as sales manager, sales clerk, vice president of the sales department, etc.

A user (an officer of the Metropolitan Police Service in this case) can be assigned a number of position roles, and a position role can be assigned to multiple users. In ORBAC, each position role takes on different tasks according to its responsibility and authority. For instance, a position role such as sales manager may carry out tasks like “approve order” or “grant loan extension”. We define those tasks as task roles because each task has one or multiple privileges. On the other hand, each task can be assigned to one or multiple position roles (Garg, 2006). A task role may have many privileges, and the same privilege can be associated with different task roles. UR establishes the relationships between users and roles; it determines whether or not to assign roles to users. Moreover, a role hierarchy is introduced to reflect inheritances of authority and responsibility among the roles (Belsis, ...
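
The position-role and task-role model described above, as an added Python sketch that is not part of the original paper. The officers, role names, task names and privilege strings are constructed, and it assumes that a senior position role inherits the task roles of the roles beneath it.

```python
# Added illustration; all names below are constructed, not taken from the paper.
TASK_PRIVILEGES = {  # task role -> privileges (many-to-many)
    "file_incident_report": {"report:create", "report:read"},
    "approve_incident_report": {"report:read", "report:approve"},
    "query_vehicle_records": {"vehicle:read"},
}
POSITION_TASKS = {  # position role -> task roles (many-to-many)
    "constable": {"file_incident_report", "query_vehicle_records"},
    "sergeant": {"approve_incident_report"},
    "records_clerk": {"query_vehicle_records"},
}
# Role hierarchy (assumption: a senior role inherits from the roles listed).
ROLE_INHERITS = {"sergeant": {"constable"}}
# UR: user -> assigned position roles.
USER_ROLES = {
    "officer_a": {"constable"},
    "officer_b": {"sergeant"},
    "clerk_c": {"records_clerk"},
}


def effective_roles(role, seen=None):
    """Return the role plus everything it inherits; safe against cycles."""
    seen = set() if seen is None else seen
    if role not in seen:
        seen.add(role)
        for junior in ROLE_INHERITS.get(role, ()):
            effective_roles(junior, seen)
    return seen


def privileges_for(user):
    """Resolve user -> position roles -> task roles -> privileges."""
    privileges = set()
    for assigned in USER_ROLES.get(user, ()):
        for role in effective_roles(assigned):
            for task in POSITION_TASKS.get(role, ()):
                privileges |= TASK_PRIVILEGES.get(task, set())
    return privileges


def is_authorised(user, privilege):
    """Default deny: unknown users, roles or tasks grant nothing."""
    return privilege in privileges_for(user)


if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        print(user, sorted(privileges_for(user)))
```

Changing an entry in `USER_ROLES` alone moves a user to a different set of privileges, while the task and privilege tables stay untouched.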