185,004 research outputs found
Credential purpose-based access control for personal data protection in web-based applications
Web-based applications enable users to carry out their business transactions virtually at any time and place whereby users are required to disclose almost all their personal information which result in greater risks of information disclosure. Therefore, protecting personal information is of utmost importance. Enforcing personal information protection in databases requires controlled access to systems and resources and granted only to authorized users. Traditional access control systems cannot be used in achieving full personal data protection. Current purposebased access control systems provide insufficient protection of personal data especially in web-based applications. This is mainly due to the absence of user authentication in these systems and the fact that data subjects have less control over their information. This research is an effort to overcome this problem in which the Credential Purpose-Based Access Control (CrePBAC) system is introduced. This system implements a two-phase security and an access control mechanism with a model and security policy implementation. The two-phase security model involves user authentication using personal credential and data authorization based on purpose. The organization’s security and privacy policies are implemented using metadata technique in Hippocratic Databases. The metadata technique utilizes a data labeling scheme based on purpose and control data access through query modification. The model and mechanism were successfully implemented. The results from the two types of case studies tested showed that the access control mechanism provides users with more rights and control over their data. In conclusion, this research has introduced a new approach in purpose-based access control with a two-phase security model and mechanism that provides greater control for personal data protection in web-based applications
Blockchain-based access control management for Decentralized Online Social Networks
Online Social Networks (OSNs) represent today a big communication channel where users spend a lot of time to share personal data. Unfortunately, the big popularity of OSNs can be compared with their big privacy issues. Indeed, several recent scandals have demonstrated their vulnerability. Decentralized Online Social Networks (DOSNs) have been proposed as an alternative solution to the current centralized OSNs. DOSNs do not have a service provider that acts as central authority and users have more control over their information. Several DOSNs have been proposed during the last years. However, the decentralization of the social services requires efficient distributed solutions for protecting the privacy of users. During the last years the blockchain technology has been applied to Social Networks in order to overcome the privacy issues and to offer a real solution to the privacy issues in a decentralized system. However, in these platforms the blockchain is usually used as a storage, and content is public. In this paper, we propose a manageable and auditable access control framework for DOSNs using blockchain technology for the definition of privacy policies. The resource owner uses the public key of the subject to define auditable access control policies using Access Control List (ACL), while the private key associated with the subject's Ethereum account is used to decrypt the private data once access permission is validated on the blockchain. We provide an evaluation of our approach by exploiting the Rinkeby Ethereum testnet to deploy the smart contracts. Experimental results clearly show that our proposed ACL-based access control outperforms the Attribute-based access control (ABAC) in terms of gas cost. Indeed, a simple ABAC evaluation function requires 280,000 gas, instead our scheme requires 61,648 gas to evaluate ACL rules
State of The Art and Hot Aspects in Cloud Data Storage Security
Along with the evolution of cloud computing and cloud storage towards matu-
rity, researchers have analyzed an increasing range of cloud computing security
aspects, data security being an important topic in this area. In this paper, we
examine the state of the art in cloud storage security through an overview of
selected peer reviewed publications. We address the question of defining cloud
storage security and its different aspects, as well as enumerate the main vec-
tors of attack on cloud storage. The reviewed papers present techniques for key
management and controlled disclosure of encrypted data in cloud storage, while
novel ideas regarding secure operations on encrypted data and methods for pro-
tection of data in fully virtualized environments provide a glimpse of the toolbox
available for securing cloud storage. Finally, new challenges such as emergent
government regulation call for solutions to problems that did not receive enough
attention in earlier stages of cloud computing, such as for example geographical
location of data. The methods presented in the papers selected for this review
represent only a small fraction of the wide research effort within cloud storage
security. Nevertheless, they serve as an indication of the diversity of problems
that are being addressed
The RFID PIA – developed by industry, agreed by regulators
This chapter discusses the privacy impact assessment (PIA) framework endorsed
by the European Commission on February 11th, 2011. This PIA, the first to receive the
Commission's endorsement, was developed to deal with privacy challenges associated with
the deployment of radio frequency identification (RFID) technology, a key building block of
the Internet of Things. The goal of this chapter is to present the methodology and key
constructs of the RFID PIA Framework in more detail than was possible in the official text.
RFID operators can use this article as a support document when they conduct PIAs and need
to interpret the PIA Framework. The chapter begins with a history of why and how the PIA
Framework for RFID came about. It then proceeds with a description of the endorsed PIA
process for RFID applications and explains in detail how this process is supposed to function.
It provides examples discussed during the development of the PIA Framework. These
examples reflect the rationale behind and evolution of the text's methods and definitions. The
chapter also provides insight into the stakeholder debates and compromises that have
important implications for PIAs in general.Series: Working Papers on Information Systems, Information Business and Operation
Routes for breaching and protecting genetic privacy
We are entering the era of ubiquitous genetic information for research,
clinical care, and personal curiosity. Sharing these datasets is vital for
rapid progress in understanding the genetic basis of human diseases. However,
one growing concern is the ability to protect the genetic privacy of the data
originators. Here, we technically map threats to genetic privacy and discuss
potential mitigation strategies for privacy-preserving dissemination of genetic
data.Comment: Draft for comment
- …