Flexible Access Control for Dynamic Collaborative Environments

M.A.C. Dekker

doi:10.3990/1.9789036529501

Flexible Access Control for Dynamic Collaborative Environments

M.A.C. Dekker

Research output: Thesis › PhD Thesis - Research UT, graduation UT

158 Downloads (Pure)

Abstract

Access control is used in computer systems to control access to confidential data. In this thesis we focus on access control for dynamic collaborative environments where multiple users and systems access and exchange data in an ad hoc manner. In such environments it is difficult to protect confidential data using conventional access control systems, because users act in unpredictable ways. In this thesis we propose a new access control framework, called Auditbased Compliance Control (AC2). In AC2 user actions are not checked immediately (a-priori), like in conventional access control, but users must account for their actions at a later time (a-posteriori), by providing machinecheckable justification proofs to auditors. The logical proofs are based on policies received from other users, and other logged actions. AC2 has a rich policy language based on first-order logics, and it features an automated audit procedure. AC2 allows users to exchange and access confidential data in an ad hoc manner, and thus collaborate more easily. Applied in a medical setting, for example, doctors would be able to continue their work, regardless of authorization issues such as missing patient consent, and missing or outdated policies. Doctors can deal with these issues at a later time. Although this unconventional approach may seem, at first sight, inappropriate for practical applications, recently a similar design choice has been made for the Dutch national infrastructure for the exchange of electronic health records (AORTA). At the same time we are aware of the fact that it is a big step for organizations to change from a conventional access control mechanism (apriori) to a new mechanism. In this thesis we also take a more conventional approach by proposing two extensions to Role-based Access Control (RBAC) - an existing and widely used access control model. These extensions give users more ways of authorizing and deploying RBAC policy changes, thus favoring dynamic collaboration between users.

Original language	Undefined
Awarding Institution	University of Twente
Supervisors/Advisors	Etalle, Sandro , Supervisor Hartel, Pieter Hendrik, Supervisor
Thesis sponsors	SenterNovem
Award date	2 Dec 2009
Place of Publication	Enschede
Publisher	Centre for Telematics and Information Technology (CTIT)
Print ISBNs	978-90-365-2950-1
DOIs	https://doi.org/10.3990/1.9789036529501
Publication status	Published - 2 Dec 2009

Keywords

IR-68610
METIS-264186
EWI-16909

Access to Document

10.3990/1.9789036529501

thesis_M_Dekker
open
thesis
open

Cite this

@phdthesis{d0bfa9e5ccc54b2ab00b81c2d85b9965,

title = "Flexible Access Control for Dynamic Collaborative Environments",

abstract = "Access control is used in computer systems to control access to confidential data. In this thesis we focus on access control for dynamic collaborative environments where multiple users and systems access and exchange data in an ad hoc manner. In such environments it is difficult to protect confidential data using conventional access control systems, because users act in unpredictable ways. In this thesis we propose a new access control framework, called Auditbased Compliance Control (AC2). In AC2 user actions are not checked immediately (a-priori), like in conventional access control, but users must account for their actions at a later time (a-posteriori), by providing machinecheckable justification proofs to auditors. The logical proofs are based on policies received from other users, and other logged actions. AC2 has a rich policy language based on first-order logics, and it features an automated audit procedure. AC2 allows users to exchange and access confidential data in an ad hoc manner, and thus collaborate more easily. Applied in a medical setting, for example, doctors would be able to continue their work, regardless of authorization issues such as missing patient consent, and missing or outdated policies. Doctors can deal with these issues at a later time. Although this unconventional approach may seem, at first sight, inappropriate for practical applications, recently a similar design choice has been made for the Dutch national infrastructure for the exchange of electronic health records (AORTA). At the same time we are aware of the fact that it is a big step for organizations to change from a conventional access control mechanism (apriori) to a new mechanism. In this thesis we also take a more conventional approach by proposing two extensions to Role-based Access Control (RBAC) - an existing and widely used access control model. These extensions give users more ways of authorizing and deploying RBAC policy changes, thus favoring dynamic collaboration between users.",

keywords = "IR-68610, METIS-264186, EWI-16909",

author = "M.A.C. Dekker",

note = "Also published in: IPA Dissertation series, Number 2009-26 ",

year = "2009",

month = dec,

day = "2",

doi = "10.3990/1.9789036529501",

language = "Undefined",

isbn = "978-90-365-2950-1",

publisher = "Centre for Telematics and Information Technology (CTIT)",

address = "Netherlands",

school = "University of Twente",

}

TY - THES

T1 - Flexible Access Control for Dynamic Collaborative Environments

AU - Dekker, M.A.C.

N1 - Also published in: IPA Dissertation series, Number 2009-26

PY - 2009/12/2

Y1 - 2009/12/2

N2 - Access control is used in computer systems to control access to confidential data. In this thesis we focus on access control for dynamic collaborative environments where multiple users and systems access and exchange data in an ad hoc manner. In such environments it is difficult to protect confidential data using conventional access control systems, because users act in unpredictable ways. In this thesis we propose a new access control framework, called Auditbased Compliance Control (AC2). In AC2 user actions are not checked immediately (a-priori), like in conventional access control, but users must account for their actions at a later time (a-posteriori), by providing machinecheckable justification proofs to auditors. The logical proofs are based on policies received from other users, and other logged actions. AC2 has a rich policy language based on first-order logics, and it features an automated audit procedure. AC2 allows users to exchange and access confidential data in an ad hoc manner, and thus collaborate more easily. Applied in a medical setting, for example, doctors would be able to continue their work, regardless of authorization issues such as missing patient consent, and missing or outdated policies. Doctors can deal with these issues at a later time. Although this unconventional approach may seem, at first sight, inappropriate for practical applications, recently a similar design choice has been made for the Dutch national infrastructure for the exchange of electronic health records (AORTA). At the same time we are aware of the fact that it is a big step for organizations to change from a conventional access control mechanism (apriori) to a new mechanism. In this thesis we also take a more conventional approach by proposing two extensions to Role-based Access Control (RBAC) - an existing and widely used access control model. These extensions give users more ways of authorizing and deploying RBAC policy changes, thus favoring dynamic collaboration between users.

AB - Access control is used in computer systems to control access to confidential data. In this thesis we focus on access control for dynamic collaborative environments where multiple users and systems access and exchange data in an ad hoc manner. In such environments it is difficult to protect confidential data using conventional access control systems, because users act in unpredictable ways. In this thesis we propose a new access control framework, called Auditbased Compliance Control (AC2). In AC2 user actions are not checked immediately (a-priori), like in conventional access control, but users must account for their actions at a later time (a-posteriori), by providing machinecheckable justification proofs to auditors. The logical proofs are based on policies received from other users, and other logged actions. AC2 has a rich policy language based on first-order logics, and it features an automated audit procedure. AC2 allows users to exchange and access confidential data in an ad hoc manner, and thus collaborate more easily. Applied in a medical setting, for example, doctors would be able to continue their work, regardless of authorization issues such as missing patient consent, and missing or outdated policies. Doctors can deal with these issues at a later time. Although this unconventional approach may seem, at first sight, inappropriate for practical applications, recently a similar design choice has been made for the Dutch national infrastructure for the exchange of electronic health records (AORTA). At the same time we are aware of the fact that it is a big step for organizations to change from a conventional access control mechanism (apriori) to a new mechanism. In this thesis we also take a more conventional approach by proposing two extensions to Role-based Access Control (RBAC) - an existing and widely used access control model. These extensions give users more ways of authorizing and deploying RBAC policy changes, thus favoring dynamic collaboration between users.

KW - IR-68610

KW - METIS-264186

KW - EWI-16909

U2 - 10.3990/1.9789036529501

DO - 10.3990/1.9789036529501

M3 - PhD Thesis - Research UT, graduation UT

SN - 978-90-365-2950-1

PB - Centre for Telematics and Information Technology (CTIT)

CY - Enschede

ER -