Abstract
Enterprises collect and use private information for various purposes. Access control can limit who can obtain such data; however, the purpose of their use is not clear. In this paper we focus on the purpose of data access and demonstrate that dynamic role-based access control (RBAC) is not sufficient for enforcement of privacy requirements. We extend RBAC with monitoring capability and describe a formal approach to determining whether access control policies actually implement privacy requirements based on the behaviour of the system. We show how access control fails to detect privacy violations and use small examples to demonstrate how our technique is used to solve such issues. We also describe a prototype implementation of our technique and present two case studies that demonstrate the applicability of our approach in practice.
Highlights
Organisations collect, store and share information with individuals and other organisations
In order to ensure that the access control system can control the behaviour, we introduce a notion of stability
In this paper we have described a formal approach to determining whether access control policies implement privacy requirements given a system’s behaviour
Summary
Organisations collect, store and share information with individuals and other organisations. While access control can limit who can obtain the information, it is not clear (especially to an individual) how an enterprise restricts the use of data. This affects both individuals (who may be reluctant to transact with an enterprise) and enterprises (which may be inadvertently breaching various privacy guarantees). While technologies such as encryption, access control and authorisation can be used to implement a policy, it is important to capture the privacy requirements. Facebook’s privacy policy states that they can use the information they receive for any services they provide including making suggestions of new connections.