Flexible Access Control for Dynamic Collaborative Environments

M.A.C. Dekker

    Research output: Thesis › PhD Thesis - Research UT, graduation UT

    Abstract

    Access control is used in computer systems to control access to confidential data. In this thesis we focus on access control for dynamic collaborative environments where multiple users and systems access and exchange data in an ad hoc manner. In such environments it is difficult to protect confidential data using conventional access control systems, because users act in unpredictable ways. In this thesis we propose a new access control framework, called Audit-based Compliance Control (AC2). In AC2 user actions are not checked immediately (a-priori), like in conventional access control, but users must account for their actions at a later time (a-posteriori), by providing machine-checkable justification proofs to auditors. The logical proofs are based on policies received from other users, and other logged actions. AC2 has a rich policy language based on first-order logics, and it features an automated audit procedure. AC2 allows users to exchange and access confidential data in an ad hoc manner, and thus collaborate more easily. Applied in a medical setting, for example, doctors would be able to continue their work, regardless of authorization issues such as missing patient consent, and missing or outdated policies. Doctors can deal with these issues at a later time. Although this unconventional approach may seem, at first sight, inappropriate for practical applications, recently a similar design choice has been made for the Dutch national infrastructure for the exchange of electronic health records (AORTA). At the same time we are aware of the fact that it is a big step for organizations to change from a conventional access control mechanism (a-priori) to a new mechanism. In this thesis we also take a more conventional approach by proposing two extensions to Role-based Access Control (RBAC) - an existing and widely used access control model. These extensions give users more ways of authorizing and deploying RBAC policy changes, thus favoring dynamic collaboration between users.
    Awarding Institution
    • University of Twente
    Supervisors/Advisors
    • Etalle, Sandro, Supervisor
    • Hartel, Pieter Hendrik, Supervisor
    Award date: 2 Dec 2009
    Place of Publication: Enschede
    Print ISBNs: 978-90-365-2950-1
    Publication status: Published - 2 Dec 2009

    Keywords

    • IR-68610
    • METIS-264186
    • EWI-16909

    Cite this

    Dekker, M. A. C. (2009). Flexible Access Control for Dynamic Collaborative Environments. Enschede: Centre for Telematics and Information Technology (CTIT). https://doi.org/10.3990/1.9789036529501
    Dekker, M.A.C. / Flexible Access Control for Dynamic Collaborative Environments. Enschede : Centre for Telematics and Information Technology (CTIT), 2009. 151 p.
    @phdthesis{d0bfa9e5ccc54b2ab00b81c2d85b9965,
    title = "Flexible Access Control for Dynamic Collaborative Environments",
    keywords = "IR-68610, METIS-264186, EWI-16909",
    author = "M.A.C. Dekker",
    note = "Also published in: IPA Dissertation series, Number 2009-26",
    year = "2009",
    month = "12",
    day = "2",
    doi = "10.3990/1.9789036529501",
    language = "Undefined",
    isbn = "978-90-365-2950-1",
    publisher = "Centre for Telematics and Information Technology (CTIT)",
    address = "Netherlands",
    school = "University of Twente",

    }
