E-Store Management Using Bell-LaPadula Access Control Security Model

— Generally, the existing store management system does not provide any access control mechanism in order to manage resources. All levels of user have the same right to access the store and borrow the equipment. Therefore, the E-Store management system using Bell-LaPadula access control model was proposed. The prototyping methodology was used to develop the system because methodology model is quickly constructed to test or illustrate design features and ideas, in order to gather user feedback. Moreover, the system is built using hypertext processor (PHP) language. The E-Store system has three types of users, which are known as top management of Welding Department, lecturers and students. The user’s access control is divided by high-level privilege to lower-level privilege. Therefore, each user will have different login interface according to their role and access right to the system. Through the system, high-level user manages in and out equipment flow, manages authorization, view history log in activity and verify complaint report. Lower-level user can view list of equipment, report complaint and damage equipment and borrow equipment. The E-Store management system is expected to manage the store effectively and reduced redundancy issues of equipment requested. The user access right has been assigned based on their access level.


I. INTRODUCTION
Currently the store management system does not provide any access control mechanism to borrow and view the equipment.Therefore, all users will have the same rights to access the store.The user has to search the equipment manually based on the tag located on the shelf.Hence, this method is time consuming and the user will face problem to find the equipment.Moreover, the existing store management system record the asset manually in logbook which can cause errors such as overlook the data or document misplaced.
In order to overcome this problem, the E-Store system using Bell-LaPadula access control security model was proposed.The objective of this project is to design and develop an E-store system using Bell-LaPadula access control model for e-store system.Then, the proposed e-store management system was tested in terms of functionality and user acceptance to fulfill the objective and defined scope.
E-store System using Bell-LaPadula is developed to assist the company to manage the store equipment such as by adding new equipment, updating equipment, borrowing equipment and dealing with the broken equipment complaint.Besides, the E-Store management system manages to assist the user to search equipment easier.The proposed E-store system offers detail information about the equipment such as location in store and quantity of equipment.
The E-store management system's user divided into three levels that are administrator, lecturer and student.The access control levels are organized using Bell-LaPadula access control model, which are classified by top-secret, secret and confidential level.According to the Bell-LaPadula access control model [1], each user has its own task and role based on the security level.Each level allows the user to view the lower level and control specific task, but disallow to control and view the higher level document.
The E-Store management system provides secure session for users to log into the system.Each user level will have different log-in interface based on their priority.The system also provides users with the right interface and functional task based on their access level to ensure the integrity and confidentiality of system.Moreover, the E-Store management system can reduce redundancy of requested equipment and paper usage if the user wants to borrow the equipment.
The E-store management system main objectives are as follows: i. To design the E-store management system with Bell-LaPadula access control security model.ii.To develop E-store management system with access control mechanism of multiple user level.iii.To test the functionality and user acceptance towards E-store system to ensure that the system run properly.The paper is organized as follows: Section II will discuss the literature review towards existing system of store management, asset management and proposed system.Section III discuss methodology that has been used to develop the Estore management system with Bell-LaPadula access control security model.Section IV discusses the result and discussion.Finally, Section V concludes the work.

II. RELATED WORKS
This section discusses the literature review of access control security model and explains in detail the difference between current systems with the proposed system.We consider analyzing three systems which are ABC Inventory system [3], Odoo Inventory Management system [4] and TradeGecko system [5].We compare the system function, technique and algorithm, specification and security used.

Access Control Model
Access control is the collection of mechanism that has permission from managers of the system to exercise a directing or restraining influence over the behavior, use and content of system [9].Access control identifies a people doing a specific job and authenticating users by looking at their identification [7] [8].There are various access control model such as Bell-LaPadula , Biba and Clark Wilson.
Bell-LaPadula model [10] is a state machine model that addresses the confidentiality of information.The data confidentiality model is developed to formalize and explain the Department of Defend (DOD) multilevel security policy.In the Bell-LaPadula model, subject can read all documents below subject's security level.However, subject cannot read any document that is higher than the subject's security level.This is called no read-up.Then, subject can write (create or modify) the document that is higher than the subject level.Therefore, subject cannot write the document that is below than the subject level [2].
Biba Model is an improvement of the Bell-LaPadula model [7].Biba consider the integrity model because it prevents data modifications by unauthorized user.The Biba model's properties are the subject cannot read the document that is below than the subject's level (no read-down) and the subject also cannot write documents that are above the subject's level (no write-up).
Clark-Wilson is data integrity model that is opposite to Bell-LaPadula and Biba models.The Clark-Wilson model was suited for confidentiality model.The Clark-Wilson model consists of two principles, which are authenticated users and transformation procedures.The model has two sets of rule, which are certificates rule and enforcements rule [2].
Our proposed E-store management system used Bell-LaPadula access control model because it provides discretionary security, which specific subject is authorized to particular capability of access [12].This security element is appropriate to implement for multiple user with different level of access.Even though Biba security model consider the system integrity, which is to prevent unauthorized subject from modifying object and Clark-Wilson security model prevent unauthorized subject from making improper modification of object, both models are not appropriate to be implemented because they do not consider the confidentiality issues in E-store management system.

Comparisons of Existing E-Store System
The study on existing system helps develop the E-Store system by enhancing better understanding on the system function and features.This section describes and elaborates in detail by comparing three similar systems which are ABC Inventory System [3], ODO Inventory Management System [4] and Tradegecko Inventory [5].  1 shows the comparison between existing systems and the proposed system.The comparison is based on selected criteria such as technology used, platform-based, database, security mechanism, backup data and log trail.The proposed E-Store management system provides access control mechanism to the user.The ABC Inventory focuses on control and manages the inventory purchasing.The process includes supplier's detail, record of purchasing and detail of sales that manage by administrator.Next, the Odoo Inventory system is an online systems that allow user to set up any kind of inventory or product.The Odoo Inventory system has multiple function and friendly user with appropriate theme.Then, the TradeGrecko provides management, sales and grow the company inventory.
Our proposed E-Store management system is differing than other system is such a way that we use Bell-LaPadula Access Control Model to manage the control access.Different level of user can access different register and log in interface based their role.This is to ensure that only authorized user can access specific module.In addition, E-Store Management system has audit trail that is used to record all activities occurs in the system.Table 2 shows the access control matrix of E-Store management system using Bell-LaPadula access control security model.There are three users; administrator, lecturer and student.The administrator can manage the authorization access to the system by deleting the lecturer and student information.The administrator managed the equipment flow in and out from the store.The administrator also can view the system's record activities such as history of new registration; borrow equipment application or complaint about broken equipment.Administrator is able to validate the lecturer's complaint and damage application.
The lecturer is capable of viewing list of equipment and equipment damage complaint, application status and validate student borrow equipment information.The student can view list of equipment information, request to borrow the equipment and view the application status.Also, the login module provide encryption password using Advanced Encryption Standard (AES).

III. METHODOLOGY
This section discusses the methodology that has been used to develop the E-Store management system that is prototype methodology.Prototype methodology is an iterative framework, which is trial-and-error process that takes place between the developers and the users.Prototyping model consists of phases in which a model is discussed and refined by the stakeholders.Then, it is implemented by developers.Figure 1 show the prototype methodology [11] which consists of five phases: Planning, Analysis, design, Implementation, System Prototype, and System.Planning phase defined the problem and planning requirement of system.Analysis, design and implement phase are working at the same stage for first version system prototype.User can do assessment and request for improvement after testing the prototype of the system.If the prototype of the system did not fulfill user requirement, the system developer will start again the analysis, design and implement phases [6].After the system has fulfilled all requirements, the system will proceed to the implement phase to develop complete and functional system.
The results of planning phase produce preparation of project proposal and project timeline.Outcome of analysis phase is literature review with study of existing system and proposed system.Design phase produce design of flow chart system, data flow diagram, entity relationship diagram and context diagram.Implementation phase will have two circles on it, based on user satisfaction toward system prototype.Final phase is complete and functional system produced.

IV. RESULT AND DISCUSSION
This section focuses on the implementation of the actual system.There are two main parts that are system design and implementation and testing.We implement the proposed estore management system for Institut Kemahiran Belia Negara (IKBN) Pagoh.

A. System Design
System design explains the overall process and system architecture by illustrating the E-store management system model.The E-store management system design is a sketch of the system interface before the actual system is developed to suit the user needs and requirements.The design of the system should be user-friendly and not too complex.This is crucial in order to ensure users can access the system more easily and faster.Figure 2 shows system users that are administrator, lecturer and student.The administrator is able to add new equipment, update the equipment, control the authorization, view the report activities and view the complaint and damage report.The lecturer can lodge broken equipment report, view all equipments and view the status application.The student can view the equipment, view status loan application and add loan equipment for educational purpose.Table 3 shows seven modules of E-Store management system using Bell-Lapadula access control model are Register, Login, Equipment Management, Record activities, Authorization management, Complaint and damage application management and Borrow application management.

1) Register Page
User need to login the system by choosing three types of roles that are as an admin, lecturer or student.New lecturer and student have to register first by clicking register drop down at the top right of system 2) Login Page Figure 3 shows the login interface for administrator, lecturer and student.All types of user need to login using valid username and password.The administrator has the most privilege tasks to manage equipment, record activities, manage authorization, validate complaint and review damage application.Next, the lecturer can see the equipment list, complaint and damage application, status application, and validate borrow application.Then, the student is able to see the equipment list, borrow the equipment and checking the application status.

B. Implementation and Testing
In this section, the implementation and testing of E-store management system using Bell-LaPadula are made and guided by the objective and scope of the project.

1) Bell-LaPadula Access Control Model
Based on Table 5, administrator has the highest authority to handle the system at top-secret level.Next, secret level is assigned to the lecturer.The lowest level with least authority is known as confidentiality level is set for student.Each level gives different access privilege, as Bell-Lapadula's concept are 'no read up' and 'no write down' between levels.User with lowest level cannot read the highest-level task or document.On the other hand, user with highest-level is not allow to write down the lowest level task or document.Therefore, administrator enable to monitor every activity such as login, status or application request from student to lecturer or vice versa.
Other than that, Bell-LaPadula access control model is implemented to the equipment management where the administrator is capable of setting the equipment's access level either can be seen by student or lecturer.Administrator can control the equipment based on user's level as shown in Table 4. Table 5 shows three types of permission that are Allow to borrow (C), Disallow to borrow (S) and Admin action (TS).The "Allow to borrow (C)" permission consent all users in the welding department to borrow the equipment.Next, the "Disallow to borrow (S)" means some of the equipment can only be accessed by administrator and lecturer.Last permission is "Admin action (TS)" represent the top-secret level where only administrator can access the equipment.Figure 4 shows the equipment management module.The Taper Shank Machine (14mm) is set to access level 'C', which represents confidentiality.So, the student can lend this equipment.However, student disallows to lend the electric shouldering as it is set with 'S' access level.2) System Testing The system testing conducted on the E-Store management system is to ensure all modules function as expected.This is to determine whether the system that has been developed achieved the objectives and user requirement.The test phase was conducted to prove that the design of each phase has been achieved.In addition, the test system is also intended to identify weaknesses in the system that has been developed and find a solution to overcome these weaknesses.A set of questionnaire is prepared and delivered to target user to test the proposed system.This is done to collect user's feedback, comments, bugs, and suggestions for improvement of E-store management system.The questionnaire is done on 10 respondents.The question is about interface, pop-up message, ease of system and layout of system.
Figure 5 shows the percentage of user's acceptance towards the system facilities.The result shows that 30% of the user disagrees about the facilities provided in the system.Most of users disagree on font color and text of system.Furthermore, the pop-up message does not appear for certain button and leak of pop-up alert message.However, 50% of users rate agree on facilities that provide by the E-Store Management system using Bell-LaPadula access control.The remaining 20% of all users strongly agree on the system facilities.Overall, this shows that the acceptance of users towards the E-store management system is good.Figure 6 shows the percentage of user acceptance of E-Store management system using Bell-LaPadula access control.The result shows that 40% of all respondents agree that the record trail and control access of equipment is good security mechanism.Other user vote for moderate and good for the system, which means they agree with the provided module.The modules provided are list of equipment, complaint and damage application, status application and validation of loan application.

V. CONCLUSIONS
The E-store system implements suitable security element to ensure the system confidentiality and integrity.We implemented Bell-Lapadula access control model to protect the multi-level information with no read-up and no writedown rule.The E-store management system is developed through several phases from identifying the problem occurred in Welding Department, analyze the information, design the system and database, and implement system based on user requirement and system's scope.The E-store management system can be accessed by three types of user (administrator, lecturer and student) with different access level: Most of users are satisfy with the system facilities and functionality.As future works, interface and pop-up alert message should be tidy and user-friendly.

Fig. 2 .
Fig.2.E-Store Management System Using Bell-LaPadula Access Control Security Model

TABLE 3 FUNCTION
IN E-STORE MANAGEMENT SYSTEM USING BELL-LAPADULA

TABLE 4 BELL
-LAPADULA ACCESS CONTROL SYSTEM