Conference Paper

A general obligation model and continuity-enhanced policy enforcement engine for usage control

DOI: 10.1145/1377836.1377856 Conference: SACMAT 2008, 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, USA, June 11-13, 2008, Proceedings
Source: DBLP


The usage control model (UCON) has been proposed to augment traditional access control models by integrating authorizations, obligations, and conditions and providing the properties of decision continuity and attribute mutability. Several recent works have applied UCON to support security requirements in different computing environments such as resource sharing in collaborative computing systems and data control in remote platforms. In this paper we identify two individual but interrelated problems of the original UCON model and recent implementations: oversimplifying the concept of usage session of the model, and the lack of comprehensive ongoing enforcement mechanism of implementations. We extend the core UCON model with continuous usage sessions, thus extensively augmenting the expressiveness of obligations in UCON, and then propose a general, continuity-enhanced and configurable usage control enforcement engine. Finally we explain how our approach can satisfy flexible security requirements with an implemented prototype for a healthcare information system.



Available from: Basel Katt, Oct 13, 2014
  • Source
    • "Previous usage control solutions addressing data distribution and sticky policies [7], [8] do not cope with the complexity of today's distributed systems, as they allow for uni-directional data distribution only. Also, these solutions are specific to particular application(-layer protocol)s and thus lack generality. "
    ABSTRACT: Despite the increasing adoption of cloud-based services, concerns regarding the proper future usage and storage of data given to such services remain: Once sensitive data has been released to a cloud service, users often do not know which other organizations or services get access and may store, use or redistribute their data. The research field of usage control tackles such problems by enforcing requirements on the usage of data after it has been given away and is thus particularly important in the cloud ecosystem. So far, research has mainly focused on enforcing such requirements within single systems. This PhD thesis investigates the distributed aspects of usage control, with the goal to enforce usage control requirements on data that flows between systems, services and applications that may be distributed logically, physically and organizationally. To this end, this thesis contributes by tackling four related subproblems: (1) tracking data flows across systems and propagating corresponding data usage policies, (2) taking distributed policy decisions, (3) investigating adaptivity of today's systems and services, and (4) providing appropriate guarantees. The conceptual results of this PhD thesis will be implemented and instantiated to cloud services, thus contributing to their trustworthiness and acceptance by providing security guarantees for the future usage of sensitive data. The results will be evaluated w.r.t. provided security guarantees, practicability, usability, and performance.
  • Source
    • "1) Enforcement of Obligation of UCON: With the increasing use of modern communication technologies in both the public and commercial sectors, adequate handling of personal data is of a serious concern. This is due to the fact that data is distributed across many public and commercial databases and stored in many applications. [2] [3] [4] In order to ensure controlled usage of data, usage control in its core model introduced obligations which must be fulfilled during usage decisions in order to determine the continuity or termination of access to a digital resource as mentioned previously. "
    ABSTRACT: Computer and information technology has evaded our every aspect of life. Information technology is seen in all aspect of the individual from banking and investing to shopping and communicating through the use of the internet services such as emails and chat rooms. Organizations and industries also utilize computer and information technology to collect information on individuals leading to the creation of warehouse of databases that enable them to achieve their objectives. In a distributed network environment today, information security is a very important issue in ensuring a safe computing environment.
    03/2013; 513-517. DOI:10.2991/iccsee.2013.68
  • Source
    ABSTRACT: This article presents a survey of authorisation models and considers their 'fitness-for-purpose' in facilitating information sharing. Network-supported information sharing is an important technical capability that underpins collaboration in support of dynamic and unpredictable activities such as emergency response, national security, infrastructure protection, supply chain integration and emerging business models based on the concept of a 'virtual organisation'. The article argues that present authorisation models are inflexible and poorly scalable in such dynamic environments due to their assumption that the future needs of the system can be predicted, which in turn justifies the