Attribute-based accesscontrol (ABAC) has attracted considerable interest in recent years, prompting the development of the standardized XML-based language XacmL. ABAC policies written in languages like XacmL have a t...
详细信息
ISBN:
(纸本)9781450347020
Attribute-based accesscontrol (ABAC) has attracted considerable interest in recent years, prompting the development of the standardized XML-based language XacmL. ABAC policies written in languages like XacmL have a tree-like structure, where leaf nodes are associated with authorization decisions and non-leaf nodes are associated with decision-combining algorithms. However, it may be difficult in XacmL to construct a given policy due to the tree-structured nature of XacmL and the way in which combining algorithms are defined. Furthermore, there is limited control over how requests are evaluated with respect to targets. In this paper, we introduce the notion of an attribute expression, which generalizes the notion of a target, and show how attribute expressions are used to specify policies in tabular form. We demonstrate why representing policies in this manner is convenient, intuitive and flexible for policy authors, and provide a method for automatically compiling policy tables into machine-enforceable policies. Thus, we bridge the gap between a policy representation that is convenient for end-users and a policy that can be enforced by a PDP. We then describe various methods to reduce the size of policy tables. In addition, we compare our language with XacmL, highlighting various shortcomings of XacmL and demonstrating how to express XacmL policies in a tabular form. We then show how policy tables can be used as leaf nodes in a tree-structured language, providing a modular method for constructing enterprise-wide policies. Finally, we show how attribute expressions and policy tables can be used to make role-based accesscontrol andaccesscontrol lists "attribute-aware".
Personal health records (PHR) are an emerging health information exchange model, which facilitates PHR owners to efficiently manage their health data. Typically, PHRs are outsourced and stored in third-party cloud pla...
详细信息
ISBN:
(纸本)9781450347020
Personal health records (PHR) are an emerging health information exchange model, which facilitates PHR owners to efficiently manage their health data. Typically, PHRs are outsourced and stored in third-party cloud platforms. Although, outsourcing private health data to third party platforms is an appealing solution for PHR owners, it may lead to significant privacy concerns, because there is a higher risk of leaking private data to unauthorized parties. As a way of ensuring PHR owners' control of their outsourced PHR data, attribute based encryption (ABE) mechanisms have been considered due to the fact that such schemes facilitate a mechanism of sharing encrypted data among a set of intended recipients. However, such existing PHR solutions suffer from inflexibility and scalability issues due to the limitations associated with the adopted ABE mechanisms. To address these issues, we propose a distributed multi-authority ABE scheme and thereby we show how a patient-centric, attribute based PHR sharing scheme which can provide flexible access for both professional users such as doctors as well as personal users such as family and friends is realized. We have shown that the proposed scheme supports on-demand user revocation as well as secure under standard security assumptions. In addition, the simulation results provide evidence for the fact that our scheme can function efficiently in practice. Furthermore, we have shown that the proposed scheme can cater the access requirements associated with distributed multi-user PHR sharing environments as well as more realistic and scalable compared with similar existing PHR sharing schemes.
We introduce two approaches for improving privacy policy management in online social networks. First, we introduce a mechanism using proven clustering techniques that assists users in grouping their friends for group ...
详细信息
ISBN:
(纸本)9781450312950
We introduce two approaches for improving privacy policy management in online social networks. First, we introduce a mechanism using proven clustering techniques that assists users in grouping their friends for group based policy management approaches. Second, we introduce a policy management approach that leverages a user's memory and opinion of their friends to set policies for other similar friends. We refer to this new approach as Same-As Policy Management. To demonstrate the effectiveness of our policy management improvements, we implemented a prototype Facebook application and conducted an extensive user study. Leveraging proven clustering techniques, we demonstrated a 23% reduction in friend grouping time. In addition, we demonstrated considerable reductions in policy authoring time using Same-As Policy Management over traditional group based policy management approaches. Finally, we presented user perceptions of both improvements, which are very encouraging. Copyright 2012 acm.
The current desktop metaphor is unsuitable for the coming age of cloud-based applications. The desktop was developed in an era that was focused on local resources, and consequently its gestures, semantics, and securit...
详细信息
ISBN:
(纸本)9781605588438
The current desktop metaphor is unsuitable for the coming age of cloud-based applications. The desktop was developed in an era that was focused on local resources, and consequently its gestures, semantics, and security model reflect heavy reliance on hierarchy and physical locations. This paper proposes a new user interface model that accounts for cloud applications, incorporating representations of people and new gestures for sharing andaccess, while minimizing the prominence of location. The model's key feature is a lightweight mechanism to group objects for resource organization, sharing, andaccesscontrol, towards the goal of providing simple semantics for a wide range of tasks, while also achieving security through greater usability.
Administration of large-scale RBAC systems is a challenging open problem. We propose a principled approach in designing and analyzing administrative models for RBAC. We identify six design requirements for administrat...
详细信息
ISBN:
(纸本)1595935746
Administration of large-scale RBAC systems is a challenging open problem. We propose a principled approach in designing and analyzing administrative models for RBAC. We identify six design requirements for administrative models of RBAC. These design requirements are motivated by three principles for designing security mechanisms: (1) flexibility and scalability, (2) psychological acceptability, and (3) economy of mechanism. We then use these requirements to analyze several approaches to RBAC administration, including ARBAC97 [21, 23, 22], SARBAC [4, 5], and the RBAC system in the Oracle DBMS. Based on these requirements and the lessons learned in analyzing existing approaches, we design UARBAC, a new family of administrative models for RBAC that has significant advantages over existing models. Copyright 2007 acm.
The proceedings contains 23 papers. Topics discussed include enterprise role administration, contraints, role based accesscontrol for collaborative environments, accesscontrolmodels and mechanisms, role engineering...
详细信息
The proceedings contains 23 papers. Topics discussed include enterprise role administration, contraints, role based accesscontrol for collaborative environments, accesscontrolmodels and mechanisms, role engineering, verification and dynamic accesscontrol.
In this paper we describe the work devising a new technique for role-finding to implement Role-Based Security Administration. Our results stem from industrial projects, where large-scale customers wanted to migrate to...
详细信息
ISBN:
(纸本)9781581136814
In this paper we describe the work devising a new technique for role-finding to implement Role-Based Security Administration. Our results stem from industrial projects, where large-scale customers wanted to migrate to Role-Based accesscontrol (RBAC) based on already existing access rights patterns in their production IT-systems.
暂无评论