Conference Paper

A general obligation model and continuity-enhanced policy enforcement engine for usage control

DOI: 10.1145/1377836.1377856
Conference: SACMAT 2008, 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, USA, June 11-13, 2008, Proceedings
Source: DBLP

ABSTRACT

The usage control model (UCON) has been proposed to augment traditional access control models by integrating authorizations, obligations, and conditions and providing the properties of decision continuity and attribute mutability. Several recent works have applied UCON to support security requirements in different computing environments such as resource sharing in collaborative computing systems and data control in remote platforms. In this paper we identify two individual but interrelated problems of the original UCON model and recent implementations: oversimplifying the concept of usage session of the model, and the lack of comprehensive ongoing enforcement mechanism of implementations. We extend the core UCON model with continuous usage sessions, thus extensively augmenting the expressiveness of obligations in UCON, and then propose a general, continuity-enhanced and configurable usage control enforcement engine. Finally we explain how our approach can satisfy flexible security requirements with an implemented prototype for a healthcare information system.

Available from: Basel Katt, Oct 13, 2014
    • "Previous usage control solutions addressing data distribution and sticky policies [7], [8] do not cope with the complexity of today's distributed systems, as they allow for uni-directional data distribution only. Also, these solutions are specific to particular application(-layer protocol)s and thus lack generality. "
    ABSTRACT: Despite the increasing adoption of cloud-based services, concerns regarding the proper future usage and storage of data given to such services remain: Once sensitive data has been released to a cloud service, users often do not know which other organizations or services get access and may store, use or redistribute their data. The research field of usage control tackles such problems by enforcing requirements on the usage of data after it has been given away and is thus particularly important in the cloud ecosystem. So far, research has mainly focused on enforcing such requirements within single systems. This PhD thesis investigates the distributed aspects of usage control, with the goal to enforce usage control requirements on data that flows between systems, services and applications that may be distributed logically, physically and organizationally. To this end, this thesis contributes by tackling four related subproblems: (1) tracking data flows across systems and propagating corresponding data usage policies, (2) taking distributed policy decisions, (3) investigating adaptivity of today's systems and services, and (4) providing appropriate guarantees. The conceptual results of this PhD thesis will be implemented and instantiated to cloud services, thus contributing to their trustworthiness and acceptance by providing security guarantees for the future usage of sensitive data. The results will be evaluated w.r.t. provided security guarantees, practicability, usability, and performance.
    Full-text · Article · May 2013
    • "1) Enforcement of Obligation of UCON With the increasing use of modern communication technologies in both the public and commercial sectors, adequate handling of personal data is of a serious concern. This is due to the fact that, data is distributed across many public and commercial databases and stored in many applications. [2] [3] [4] In order to ensure, controlled usage of data, usage control in its core model introduced obligations which must be fulfilled during usage decisions in order to determine the continuity or termination of access to a digital resource as mentioned previously. "
    ABSTRACT: Computer and information technology has evaded our every aspect of life. Information technology is seen in all aspect of the individual from banking and investing to shopping and communicating through the use of the internet services such as emails and chat rooms. Organizations and industries also utilize computer and information technology to collect information on individuals leading to the creation of warehouse of databases that enable them to achieve their objectives. In a distributed network environment today, information security is a very important issue in ensuring a safe computing environment.
    Full-text · Article · Mar 2013
    • "The access decision is done by checking authorization are synonyms, sometimes named in the literature as UCON ABC core models. 6 Note, we omit post-obligations in the UCON policy metainformation, since post-obligations were not presented in the original UCON model and appeared afterwards [22]. Fig. 1 – UCON usage scenarios. "
    ABSTRACT: Protecting access to digital resources is one of the fundamental problems recognized in computer security. As yet it remains a challenging problem to work out, starting from the design of a system until its implementation. Access control is defined as the ability to permit or deny access to a particular resource (object) by a particular entity (subject). Three most widely used traditional access control models are: Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC). Traditional access control solutions do not respond adequately to new challenges addressed by modern computer systems. Today highly distributed, network-connected, heterogeneous and open computing environment requires a fine-grained, flexible, persistent and continuous model for protecting the access and usage of digital resources. This paper surveys the literature on Usage Control (UCON) model proposed by Park and Sandhu (2002) [1], Park (2003) [2] and Zhang (2006) [3]. Usage control is a novel and promising approach for access control in open, distributed, heterogeneous and network-connected computer environments. It encompasses and enhances traditional access control models, Trust Management (TM) and Digital Rights Management (DRM), and its main novelties are mutability of attributes and continuity of access decision evaluation.
    No preview · Article · May 2010 · Computer Science Review