Advanced Access Control Research Articles

Task-role-based Access Control Model in Smart Health-care System

As the development of computer science and smart health-care technology, there is a trend for patients to enjoy medical care at home. Taking enormous users in the Smart Health-care System into consideration, access control is an important issue. Traditional access control models, discretionary access control, mandatory access control, and role-based access control, do not properly reflect the characteristics of Smart Health-care System. This paper proposes an advanced access control model for the medical health-care environment, task-role-based access control model, which overcomes the disadvantages of traditional access control models. The task-role-based access control (T-RBAC) model introduces a task concept, dividing tasks into four categories. It also supports supervision role hierarchy. T-RBAC is a proper access control model for Smart Health-care System, and it improves the management of access rights. This paper also proposes an implementation of T-RBAC, a binary two-key-lock pair access control scheme using prime factorization.

A patient privacy centric access control model for EHR systems

The EHR systems consist of very sensitive data originated by the interaction of the patients with the healthcare system. In order to control who can do what on the data in the system, it is necessary to use a security mechanism that is the access control (AC). In this paper, an innovative AC model is defined. It meets the main features that have to be satisfied by an EHR. Our proposal is an advanced access control model that combines access control models known in the literature. It adds the characteristics of modularity and easiness in the management of access policies, focusing attention on patient's privacy and consent (patient privacy centric). The proposed model presents the following characteristics: attribute-based, multi-level, modular and with a dynamic and temporal management of the users' lists. Besides, we have defined support functionalities that allow patients, organisations and physicians to take advantage of the AC potential.

Security-Aware Service Composition with Fine-Grained Information Flow Control

Enforcing access control in composite services is essential in distributed multidomain environment. Many advanced access control models have been developed to secure web services at execution time. However, they do not consider access control validation at composition time, resulting in high execution-time failure rate of composite services due to access control violations. Performing composition-time access control validation is not straightforward. First, many candidate compositions need to be considered and validating them can be costly. Second, some service composers may not be trusted to access protected policies and validation has to be done remotely. Another major issue with existing models is that they do not consider information flow control in composite services, which may result in undesirable information leakage. To resolve all these problems, we develop a novel three-phase composition protocol integrating information flow control. To reduce the policy evaluation cost, we use historical information to efficiently evaluate and prune candidate compositions and perform local/remote policy evaluation only on top candidates. To achieve effective and efficient information flow control, we introduce the novel concept of transformation factor to model the computation effect of intermediate services. Experimental studies show significant performance benefit of the proposed mechanism.

Enhancing the Security Framework Securecloud with the Swift Identity Management Framework

SecureCloud is a comprehensive security framework for cloud computing environments consisting of different modules that handle the security and trust issues of key components. One of the modules is responsible for authentication and identity management (IDM). In SecureCloud, the author suggest, to implement the security solution for the Authentication and IDM module, it is important to ensure IDM services in the cloud can be integrated with the existing IDM framework. Existing techniques for use of pseudonyms and accommodating multiple identities to protect users’ privacy can help build a desired usercentric federated IDM for clouds. Motivated by attempting to find a solution from the suggestion, this paper proposes the integration of SWIFT identity management framework into the module using the existing trust relationships in SecureCloud to enhance the security of the SecureCloud framework. SWIFT provides a set of advanced security features such as identity aggregation, privacy protection, advanced access control and single sign-on (SSO) to help enhance the security of IDM module in SecureCloud.

The design and implementation of a novel security model for HealthAgents

AbstractIn this paper, we analyze the special security requirements for software support in health care and the HealthAgents system in particular. Our security solution consists of a link-anonymized data scheme, a secure data transportation service, a secure data sharing and collection service, and a more advanced access control mechanism. The novel security service architecture, as part of the integrated system architecture, provides a secure health-care infrastructure for HealthAgents and can be easily adapted for other health-care applications.

Active access control (AAC) with fine‐granularity and scalability

AbstractStrong access control mechanisms become most critical when we need security services in large‐scale computing environments of sensitive organizations. Furthermore, if users join or leave such computing environment frequently, requiring different access control decisions based on their current job responsibilities and contexts, the need for advanced access control is pressing. Although the currently available access control approaches have a great potential for providing reliable service, there are still critical obstacles to be solved, especially in large‐scale, dynamic computing environments. In this paper we introduce an advanced access control mechanism, Active Access Control (AAC), which accounts for the ability to make dynamic access control decisions based not only on pre‐defined privileges, but also on the current situation of the user. The framework of the proposed AAC approach provides fine‐grained access control, by considering a variety of attributes about the user and the current computing environment, especially, when the users contexts are frequently changed. Although the outputs of the AAC approach can be integrated with any other existing access control mechanisms and improve the overall fine‐granularity, as a full demonstration of our approach for fine‐granularity as well as scalability, in this particular paper we focus on large‐scale computing environments and integrate the AAC results with the role‐based approach. Finally, in order to prove the feasibility of our proposed idea we implement the AAC approach with roles and discuss the evaluation results with existing approaches. Copyright © 2010 John Wiley & Sons, Ltd.

Full-Service MAC Protocol for Metro-Reach GPONs

An advanced medium access control protocol is presented demonstrating dynamic bandwidth allocation for long-reach gigabit-capable passive optical networks (GPONs). The protocol enables the optical line terminal to overlap the idle time slots in each packet transmission cycle with a virtual polling cycle to increase the effective transmission bandwidth. Contrasting the new scheme with developed algorithms, network modeling has exhibited significant improvement in channel throughput, mean packet delay, and packet loss rate in the presence of class-of-service and service-level differentiation. In particular, the displayed 34% increase in the overall channel throughput and 30 times reduction in mean packet delay for service-level 1 and service-level 2 optical network units (ONUs) at accustomed 50% ONU load constitutes the highest extended-reach GPON performance reported up to date.

Validation of Temporary Delegation and Revocation of Roles with UML and OCL

Organizations having a large number of employees face several difficulties to separate job assignments to individual users. The situation becomes more complex when job assignments are delegated to those users who fulfill some explicit conditions. The delegation models developed so far discuss various issues regarding delegation of roles, but no mechanism has been developed to specify and validate constraints which are applied in course of temporary delegating (temporal delegation) and revoking a role to and from a user. This paper proposes a validation mechanism for flexible delegation and revocation of job roles to and from users with specific conditions. Also, we attempt to specify and validate n-level delegation and cascading/non-cascading revocation processes in an organization. I. INTRODUCTION Security has been a major issue in the development of software for networked organizations. As the number of employees of an organization may vary with variable job assignments, therefore it becomes complicated to manage job assignments to various users. To cope with such situations Role Based Access Control Model (RBAC) (1) was proposed for advanced access control as it reduces complexity and cost of security administration in specifically those applications which are networked and are accessed by large number of users with variable job assignments. In various organizations, users have permissions to delegate their job rights to other users at specific time periods with some restrictions. In the same way users can revoke the delegated rights after some time period. Almost all major organizations facilitate their users to delegate their job assignments to other users when work load of users cross certain limits or when the authorized user is unavailable. Therefore, delegation of rights and roles are followed by certain constraints which must be accomplished and only after that, job assignments be delegated to other users. For example, Ahmed delegates task review voucher to Mariam on wednesdays during a staff meeting or Dr. Sohail delegates treat patient task to a nurse when he is at home. The delegation models developed by (3), (4), (5) deal with on delegation of rights to other users, but have not specified any constraint in a formal language which limit temporal delegation of rights of one user to others. Therefore, it is required to develop a mechanism to specify and validate constraints applied on temporary delegation of roles and revocation of roles, that is, for short period of time when the actual user is engaged in some other activity or not available, with the help of a formal language so as to ensure that job assignments are granted and revoked accurately. In this article, we propose a delegation/revocation mechanism with the help of pre conditions and post conditions applied on delegation and revocation methods of an organization. In addition, the reason behind this paper is to specify constraints on delegation in a formal language and validate them with the help of a tool. We use the Unified Modeling language (UML) and the Object Constraint Language (OCL) for the specification of delegation and revocation schemes. We validate the delegation constraints with the help of the USE tool (UML-based specification environment), a validation tool for UML models and OCL constraints (2).

XeNA: an access negotiation framework using XACML

XeNA is a new model for the negotiation of access within an extended eXtensible Access Control Markup Language (XACML) architecture. We bring together trust management through a negotiation process and access control management within the same architecture. The negotiation process based on resource classification methodology occurs before the access control management. A negotiation module at the core of this negotiation process is in charge of collecting resources required to establish a level of trust and to insure a successful evaluation of access. The access control management is based on an extended Role-Based Access Control (RBAC) profile of XACML. This extended profile responds to advanced access control requirements and allows the expression of several access control models within XACML.

サーバ型放送におけるコンテンツのアクセス制御方式

This paper presents an RMP (Rights Management and Protection) system for Digital Broadcasting Based on Home Servers to be used with receivers and home storage devices. We clarified the requirements required for rights protection of contents in Digital Broadcasting Based on Home Servers, and developed an RMP system that meets those requirements. This RMP system enables rights protection and advanced access control (term of validity, usage and charge condition, etc.) of content stored on home storage devices. We have also proposed a method for multiplexing scramble keys synchronous with MPEG-2 TS video packets, to achieve a non-linear playback function of contents encrypted by the developed RMP system. We confirmed that non-linear playback and trick-play function of contents encrypted by the developed RMP system can be processed in real time.