6 research outputs found

    Privacy Enhanced Access Control for Outsourced Data Sharing

    Get PDF
    Traditional access control models often assume that the entity enforcing access control policies is also the owner of data and resources. This assumption no longer holds when data is outsourced to a third-party storage provider, such as the cloud. Existing access control solutions mainly focus on preserving confidentiality of stored data from unauthorized access and the storage provider. However, in this setting, access control policies as well as users' access patterns also become privacy sensitive information that should be protected from the cloud. We propose a two-level access control scheme that combines coarse-grained access control enforced at the cloud, which allows to get acceptable communication overhead and at the same time limits the information that the cloud learns from his partial view of the access rules and the access patterns, and fine-grained cryptographic access control enforced at the user's side, which provides the desired expressiveness of the access control policies. Our solution handles both read and write access control

    Understanding Web 3.0 - the Semantic Web : how the evolution to a third generation of the Web will impact upon the Internet and media environment within a global and South African context

    Get PDF
    Includes bibliographical references (leaves 158-174).This thesis examines the potential evolution of the current version of the Internet, popularly referred to as Web 2.0, to a third generation of the Web, referred to as the Semantic Web or Web 3.0. The paper provides an overview of the change in architecture and structure that the current version of the Web will need to undergo in the form of a standardised ontology development in order for the Web to evolve. The evolution to a third generation of the Web will ultimately improve the overall user experience both within a global and South African online context, through the innovation and development of Semantic Web technologies and capabilities. The thesis also discusses the role of the political economy of media and how this concept needs to be refreshed in terms of dealing with the advent of 'new' or digital media which are characterised by the Internet. The role of traditional media is also discussed and how, due to the advent of the Internet, there has been a movement away from a model of traditional centralised media to one of a more decentralised model. The challenges of intellectual property rights and copyright are analysed in terms of online users developing their own content online in the form of user generated content and how, through the evolution to a Web 3.0 version of the Internet, these challenges can be potentially solved through the use of Semantic Web innovation and technologies. One of the major challenges which Web 2.0 currently faces is that of privacy infringement, but through the adoption of Semantic Web technology these challenges which currently affect all users on the Web can potentially be solved. Finally, the paper looks at the way that South African online users interact with the Internet and how the potential evolution to a third generation of the Web could potentially impact their user behaviour online

    Adding Privacy Protection to Policy Based Authorisation Systems

    Get PDF
    An authorisation system determines who is authorised to do what i.e. it assigns privileges to users and provides a decision on whether someone is allowed to perform a requested action on a resource. A traditional authorisation decision system, which is simply called authorisation system or system in the rest of the thesis, provides the decision based on a policy which is usually written by the system administrator. Such a traditional authorisation system is not sufficient to protect privacy of personal data, since users (the data subjects) are usually given a take it or leave it choice to accept the controlling organisation’s policy. Privacy is the ability of the owners or subjects of personal data to control the flow of data about themselves, according to their own preferences. This thesis describes the design of an authorisation system that will provide privacy for personal data by including sticky authorisation policies from the issuers and data subjects, to supplement the authorisation policy of the controlling organisation. As personal data moves from controlling system to controlling system, the sticky policies travel with the data. A number of data protection laws and regulations have been formulated to protect the privacy of individuals. The rights and prohibitions provided by the law need to be enforced by the authorisation system. Hence, the designed authorisation system also includes the authorisation rules from the legislation. This thesis describes the conversion of rules from the EU Data Protection Directive into machine executable rules. Due to the nature of the legislative rules, not all of them could be converted into deterministic machine executable rules, as in several cases human intervention or human judgement is required. This is catered for by allowing the machine rules to be configurable. Since the system includes independent policies from various authorities (law, issuer, data subject and controller) conflicts may arise among the decisions provided by them. Consequently, this thesis describes a dynamic, automated conflict resolution mechanism. Different conflict resolution algorithms are chosen based on the request contexts. As the EU Data Protection Directive allows processing of personal data based on contracts, we designed and implemented a component, Contract Validation Service (ConVS) that can validate an XML based digital contract to allow processing of personal data based on a contract. The authorisation system has been implemented as a web service and the performance of the system is measured, by first deploying it in a single computer and then in a cloud server. Finally the validity of the design and implementation are tested against a number of use cases based on scenarios involving accessing medical data in a health service provider’s system and accessing personal data such as CVs and degree certificates in an employment service provider’s system. The machine computed authorisation decisions are compared to the theoretical decisions to ensure that the system returns the correct decisions

    CBAC – a model for conflict-based access control

    Get PDF
    Organisations that seek a competitive advantage cannot afford to compromise their brand reputation or expose it to disrepute. When employees leek information, it is not only the breach of confidentiality that is a problem, but it also causes a major brand reputation problem for the organisation. Any possible breach of confidentiality should be minimised by implementing adequate security within the organisation and among its employees. An important issue to address is the development of suitable access control models that are able to restrict access not only to unauthorised data sets, but also to unauthorised combinations of data sets. Within organisations such as banks, clients may exist that are in conflict with one another. This conflict results from the fact that clients are functioning in the same business domain and that their information should be shielded from one another because they are in competition for various reasons. When information on any of these conflicting clients is extracted from their data sets via a data-mining process and used to their detriment or to the benefit of the guilty party, this is considered a breach of confidentiality. In data-mining environments, access control usually strips the data of any identity so as to concentrate on tendencies and ensure that data cannot be traced back to a respondent. There is an active research field in data mining that focuses specifically on ‘preserving’ the privacy of the data during the data-mining process. However, this approach does not account for those situations when data mining needs to be performed to give answers to specific clients. In such cases, when the clients’ identity cannot be stripped, it is essential to minimise the chances of a possible breach of confidentiality. For this reason, this thesis investigated an environment where conflicting clients’ information can easily be gathered and used or sold, as to justify the inclusion of conflict management in the proposed access control model. This thesis presents the Conflict-based Access Control (CBAC) model. The model makes it possible to manage conflict on different levels of severity among the clients of an organisation – not only as specified by the clients, but also as calculated by the organisation. Both types of conflict have their own cut-off points when the conflict is considered to be of no value any longer. Finally, a proof-of-concept prototype illustrates that the incorporation of conflict management is a viable solution to the problem of access control as it minimises the chances of a breach of confidentialityThesis (PhD)--University of Pretoria, 2012.Computer Scienceunrestricte

    A privacy-enhanced access control

    No full text
    corecore