Policy decomposition for collaborative access control

Lin, Dan; Rao, P. Venkateswara; Bertino, Elisa; Li, Ninghui; Lobo, Jorge

doi:10.1145/1377836.1377853

Cited by 41 publications

(36 citation statements)

References 17 publications

(27 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Collaborative access control aims to balance the competing goals of collaboration and security [14]: collaborative systems aim to facilitate the sharing of information, while security aims to protect the same information. A number of collaborative access control models have been proposed in the literature [15]- [19]. For instance, Lin et al [19] propose an access control model for collaborative environments based on the notion of policy decomposition.…”

Section: Related Workmentioning

confidence: 99%

CollAC: Collaborative access control

Damen

Hartog

Zannone

2014

2014 International Conference on Collaboration Technologies and Systems (CTS)

View full text Add to dashboard Cite

Abstract-Recent years have seen an increasing number of collaborative systems and platforms available online. As the importance of online collaboration grows, so does the need to protect the information used in these systems. In collaborative environments different users may be related to the information in different capacities. This means that traditional access control mechanisms are usually not suitable for collaborative environments as they assume that a single entity is in control of information. Moreover, when different entities can concurrently specify policies for the same resources, the decision making process is not transparent to the users who expect their policies to be enforced by the system. In this paper, we introduce a novel access control framework for collaborative systems. The framework is based on a notion of control which goes beyond the notion of ownership by accounting for the relation of a user with an object. We also make access control decisions transparent by showing where and why collaborative decisions deviate from the policies of single users.

show abstract

Section: Related Workmentioning

confidence: 99%

CollAC: Collaborative access control

Damen

Hartog

Zannone

2014

2014 International Conference on Collaboration Technologies and Systems (CTS)

View full text Add to dashboard Cite

show abstract

“…Therefore, their approach does not maintain policy equivalence and does not directly apply to our goal. Finally, the work of Lin et al [22] sketches a theoretical framework for policy decomposition and distribution based on performance and confidentiality requirements. Their goal is similar to ours and their work has been an important influence.…”

Section: Related Workmentioning

confidence: 99%

Middleware for efficient and confidentiality-aware federation of access control policies

Decat

Lagaisse

Joosen

2014

J Internet Serv Appl

View full text Add to dashboard Cite

Software-as-a-Service (SaaS) is a type of cloud computing in which a tenant rents access to a shared, typically web-based application hosted by a provider. Access control for SaaS should enable the tenant to control access to data that are located at the provider side, based on tenant-specific access control policies. Moreover, with the growing adoption of SaaS by large enterprises, access control for SaaS has to integrate with on-premise applications, inherently leading to a federated set-up. However, in the state of the art, the provider completely evaluates all policies, including the tenant policies. This (i) forces the tenant to disclose sensitive access control data and (ii) limits policy evaluation performance by having to fetch this policy-specific data. To address these challenges, we propose to decompose the tenant policies and evaluate the resulting parts near the data they require as much as possible while keeping sensitive tenant data local to the tenant environment. We call this concept policy federation. In this paper, we motivate the need for policy federation using an in-depth case study analysis in the domain of e-health and present a policy federation algorithm based on a widely-applicable attribute-based policy model. Furthermore, we show the impact of policy federation on policy evaluation time using the policies from the case study and a prototype implementation of supporting middleware. As shown, policy federation effectively succeeds in keeping the sensitive tenant data confidential and at the same time improves policy evaluation time in most cases.

show abstract

“…Various approaches [8,12,14] have been proposed to address performance issues in systems interacting with access control policies. Jahid et al [8] focus on XACML policy verification for database access control.…”

Section: Related Workmentioning

confidence: 99%

“…Lin et al [12] decomposed a global XACML policy into local policies related to collaborating parties, and the local policies are sent to corresponding PDPs. The request evaluation is based on local policies by considering the relationships among local policies.…”

Section: Related Workmentioning

confidence: 99%

Refactoring access control policies for performance improvement

Kateb¹,

Mouelhi²,

Traon³

et al. 2012

Proceedings of the 3rd ACM/SPEC International Conference on Performance Engineering

View full text Add to dashboard Cite

In order to facilitate managing authorization, access control architectures are designed to separate the business logic from an access control policy. To determine whether a user can access which resources, a request is formulated from a component, called a Policy Enforcement Point (PEP) located in application code. Given a request, a Policy Decision Point (PDP) evaluates the request against an access control policy and returns its access decision (i.e., permit or deny) to the PEP. With the growth of sensitive information for protection in an application, an access control policy consists of a larger number of rules, which often cause a performance bottleneck. To address this issue, we propose to refactor access control policies for performance improvement by splitting a policy (handled by a single PDP) into its corresponding multiple policies with a smaller number of rules (handled by multiple PDPs). We define seven attribute-set-based splitting criteria to facilitate splitting a policy. We have conducted an evaluation on three subjects of reallife Java systems, each of which interacts with access control policies. Our evaluation results show that (1) our approach preserves the initial architectural model in terms of interaction between the business logic and its corresponding rules in a policy, and (2) our approach enables to substantially reduce request evaluation time for most splitting criteria.

show abstract

Policy decomposition for collaborative access control

Cited by 41 publications

References 17 publications

CollAC: Collaborative access control

CollAC: Collaborative access control

Middleware for efficient and confidentiality-aware federation of access control policies

Refactoring access control policies for performance improvement

Contact Info

Product

Resources

About