Presentation is loading. Please wait.

Presentation is loading. Please wait.

“A Service-enabled Access Control Model for Distributed Data” Mark Turner, Philip Woodall Pennine Forum - 16 th September 2004.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "“A Service-enabled Access Control Model for Distributed Data” Mark Turner, Philip Woodall Pennine Forum - 16 th September 2004."— Presentation transcript:

1 “A Service-enabled Access Control Model for Distributed Data” Mark Turner, Philip Woodall Pennine Forum - 16 th September 2004

2 IBHIS - 2 - Overview  The IBHIS Project  Data as a Service  Access Control  Introduction  Domain/Technical Challenges  Service-enabled Data Access Control Model  Reference/Architectural Models  Implementation  Future Work  Inference  Conclusions

3 IBHIS - 3 - IBHIS – Data as a Service  Use SaaS concepts but expose Data as a Service (DaaS)  Modified ‘Web services’ known as Data Access Services (DAS)  Allow service-based access to complex heterogeneous data sources  DAS/data source are autonomous and owned by the data provider  May be dynamically discovered at run-time, with little prior knowledge  Located on the basis of the data rather than their functionality DB Data Access Service Description

4 IBHIS - 4 - Research Area – Access Control  How to control access to distributed data within a dynamic broker environment?  Dynamic access to distributed autonomous data  Data sensitivity and ethical requirements of the domain  Role-Based Access Control (RBAC) model frequently used in Health & Social Care domain Users  Models hierarchy within domain, easy administration Roles Sessions Permissions

5 IBHIS - 5 - Domain Challenges  RBAC has limitations for the healthcare domain  Access to data in emergency situations  Fine-grained, content-based rules  Access depends upon individual identities and teams  Contextual and environmental constraints  Transfer of authority by mandate  A number of these issues havebeen solved  A number of these issues have been solved  But not in any one access control model  Solution: Create new model by integrating features from existing models

6 IBHIS - 6 - Service-enabled Data Access Control  A new access control model to meet our requirements :  S-DAC (Service-enabled Data Access Control)  Integrates important features from existing models:  Role-based Access Control [Ferraiolo et al., 2001]  NIST Standard – Activation, Dynamic Separation of Duties  Team-based access control [Georgiadis et al., 2001]  Teams of users  Tees Confidentiality Model [Longstaff et al., 2003]  Emergency overrides  OASIS [Bacon & Moody, 2002]  Appointment paradigm

7 IBHIS - 7 - S-DAC Reference Model

8 IBHIS - 8 - Technical Challenges  Autonomy  Each data source will have individual access control concepts, and subjects (Roles, Teams)  Requires a Mapping between global and local concepts  Dynamic, run-time enforcement  Data access policies are unknown at design time  Data Access Services  Service Descriptions must allow for discovery of DAS policies  Existing technologies are lacking  Service Description – WSDL  Partial authorisations of queries, Attribute/content level

9 IBHIS - 9 - S-DAC Architectural Model

10 IBHIS - 10 - Future Work  Investigation into general applicability of model  Criminology  Administrative interface  Evaluation  Review against Domain and Technical requirements  Evaluation by experts in Health domain  Complexity of administration  Evaluate prototype implementation [Kitchenham et al., 2003]  Inference…

11 IBHIS - 11 - What is Inference ?  Take a database where determining someone's salary is restricted.  Now consider the following queries (which are unrestricted ) : NameDepartment BobSales JenMarketingDepartmentSalaryMarketing30K Sales40K

12 IBHIS - 12 - Research  Papers considered the inference problem in single multilevel databases.  Web-based inference has received little attention.  Integration of data from heterogeneous sources  Dynamic integration - unknown schemas  Autonomous data sources  Possible to use IBHIS as a platform for developing an inference detection system?  Links with access control models

13 IBHIS - 13 - Conclusion  IBHIS Access Control Model – S-DAC  Roles, Teams, Identities, Contexts, Emergency overrides  Transfer of Authority  Successfully implemented as part of IBHIS prototype  Web Services technologies  Dynamic authorisation of content of SOAP documents  Policies built using existing XML languages, with extensions  Inference  Dynamic broker environment, heterogeneous distributed sources

14 IBHIS - 14 - References ► Bacon, J. and Moody, K., “Toward open, secure, widely distributed services”, CACM, 45(6), June 2002, pp. 59-64 ► Georgiadis C., Mavridis I., Pangalos G. and Thomas, R., “Flexible Team-based Access Control Using Contexts”, in Proceedings of the 6th ACM Symposium on Access Control Models and Technologies (SACMAT 2001), ACM SIGSAC, Chantilly, VA, U.S.A, May 2001 ► D F Ferraiolo, R Sandhu, S Gavrila, D R Kuhn, R Chandramouli (2001) “Proposed NIST Standard for Role-Based Access Control”, ACM TISSEC, Vol. 4, No 3. ► Kitchenham, B., Linkman, S., and Linkman, S., ‘Evaluating Novel Software Engineering Tools’, In Proceedings of EASE 2003, Keele University, 8th-10th April 2003 ► Kudo, M., and Hada, S., "Access Control Model with Provisional Actions", IEICE Trans. Fundamentals, Vol. E84-A, 2001 ► Longstaff, J.J, Lockyer, M.A., and Nicholas, J., “The Tees Confidentiality Model: an authorisation model for identities and roles”, ACM SACMAT 2003, Como, Italy ► Turner et al., “Using Web Services to create an Information Broker”, to appear in Proceedings of ICSE 2004, IEEE Computer Society Press ► UK NHS Patient Confidentiality process; Details: http://www.nhsia.nhs.uk/confidentiality/pages/consultation/ http://www.nhsia.nhs.uk/confidentiality/pages/consultation/ ► XACML Profile for Role-based Access Control (RBAC); Details: http://docs.oasis- open.org/xacml/cd-xacml-rbac-profile-01.pdf http://docs.oasis- open.org/xacml/cd-xacml-rbac-profile-01.pdfhttp://docs.oasis- open.org/xacml/cd-xacml-rbac-profile-01.pdf

Download ppt "“A Service-enabled Access Control Model for Distributed Data” Mark Turner, Philip Woodall Pennine Forum - 16 th September 2004."

Similar presentations

ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
Exploiting the WWW: Lessons from a UK Research Project on a Health Record BrokerExploiting the WWW: Lessons from a UK Research Project on a Health Record.

Exploiting the WWW: Lessons from a UK Research Project on a Health Record BrokerExploiting the WWW: Lessons from a UK Research Project on a Health Record.
Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE -

Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE -
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.

RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
Embedded Web Hyung-min Koo. 2 Table of Contents Introduction of Embedded Web Introduction of Embedded Web Advantages of Embedded Web Advantages of Embedded.

Embedded Web Hyung-min Koo. 2 Table of Contents Introduction of Embedded Web Introduction of Embedded Web Advantages of Embedded Web Advantages of Embedded.
ICS 541 - 01 (072)Database Systems: A Review1 Database Systems: A Review Dr. Muhammad Shafique.

ICS (072)Database Systems: A Review1 Database Systems: A Review Dr. Muhammad Shafique.
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
Software Engineering Techniques for the Development of System of Systems Seminar of “Component Base Software Engineering” course By : Marzieh Khalouzadeh.

Software Engineering Techniques for the Development of System of Systems Seminar of “Component Base Software Engineering” course By : Marzieh Khalouzadeh.
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
CoLaB 22nd December 2005 Secure Access to Service-based Collaborative Workflow for DAME Duncan Russell Informatics Institute University of Leeds, UK.

CoLaB 22nd December 2005 Secure Access to Service-based Collaborative Workflow for DAME Duncan Russell Informatics Institute University of Leeds, UK.
Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.

Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
Software Architecture for Mobile Distributed Computing Presented by: Deepak N Lakshminarayanan The University of Texas at Dallas Under the Guidance of.

Software Architecture for Mobile Distributed Computing Presented by: Deepak N Lakshminarayanan The University of Texas at Dallas Under the Guidance of.
1 Web services for the management of persistent online game factions Author: François Deliège Advisor: Professor Esteban Zimányi Co-Advisor: Jehan Snyers.

1 Web services for the management of persistent online game factions Author: François Deliège Advisor: Professor Esteban Zimányi Co-Advisor: Jehan Snyers.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Building Trustworthy Semantic Webs Dr. Bhavani Thuraisingham The University of Texas at Dallas Semantic web technologies for secure interoperability and.

Building Trustworthy Semantic Webs Dr. Bhavani Thuraisingham The University of Texas at Dallas Semantic web technologies for secure interoperability and.
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Similar presentations

Ads by Google