4 research outputs found

    Enforcement of CA-UCON Model

    A Context-Aware Usage CONtrol (CA-UCON) model is an extension of the traditional UCON model which enables adaptation to environmental changes with the aim of preserving continuity of access. When the authorisation and obligation requirements are met by the subject and the object, but the condition requirements fail due to changes in the environment or the system context, the CA-UCON model triggers specific actions to adapt to the new situation. Besides data protection, the CA-UCON model also enhances the quality of service, striving to keep explicit interactions with the user to a minimum. In this paper, we propose an architecture of the reference monitor for the CA-UCON model and investigate a variety of enforcement approaches in ubiquitous computing systems, whether centralised, distributed or hybrid, depending on the application.

    Advanced access control in support and distributed collaborative working and de-perimeterization

    This thesis addresses the problem of achieving fine-grained and sustained control of access to electronic information, shared in distributed collaborative environments. It presents an enhanced approach to distributed information security architecture, driven by the risks, guidelines and legislation emerging due to the growth of collaborative working, and the often associated increase in storage of information outside of a secured information system perimeter. Traditional approaches to access control are based on applying controls at or within the network perimeter of an information system. One issue with this approach when applying it to shared information is that, outside of the perimeterised zone, the owner loses control of their information. This loss of control could dissuade collaborating parties from sharing their information resources. Information resources can be thought of as a collection of related content stored in a container. Another issue with current approaches to access control, particularly to unstructured resources such as text documents, is the coarse granularity of control they provide. That is, controls can only apply to a resource in its entirety. In reality, the content within a resource could have varying levels of security requirements with different levels of control. For example, some of the content may be completely free from any access restriction, while other parts may be too sensitive to share outside of an internal organisation. The consequence is that the entire resource is restricted with the controls relevant to the highest-level content. Consequently, a substantial amount of information that could feasibly be shared in collaborative environments is prevented from being shared, due to being part of a highly restricted resource.
The primary focus of this thesis is to address these two issues by investigating the appropriateness and capability of perimeter security, and entire-resource protection, to provide access control for information shared in collaborative distributed environments. To overcome these problems, the thesis develops an access control framework, based on which several formulae are defined to clarify the problems and to allow them to be contextualised. The formulae have then been developed and improved, with the problem in mind, to create a potential solution, which has been implemented and tested to demonstrate that it is possible to enhance access control technology to implement the capability to drill down into the content of an information resource and apply more fine-grained controls, based on the security requirements of the content within. Furthermore, it is established that it is possible to shift part of the controls that protect information resources within a secure network perimeter to the body of the resources themselves, so that they become, to some extent, self-protecting. This enables the same controls to be enforced outside of the secure perimeter. The implementation is based on the structuring of information and embedding of metadata within the body of an information resource. The metadata effectively wraps sections of content within a resource into containers that define fine-grained levels of access control requirement, to protect its confidentiality and integrity. Examples of the granularity afforded by this approach could be page, paragraph, line or even word level in a text document. Once metadata has been embedded, it is bound to a centrally controlled access control policy for the lifetime of the resource.
Information can then be shared, copied, distributed and accessed in support of collaborative working, but a link between the metadata and the centrally controlled policy is sustained, meaning that previously assigned access privileges to different sections of content can be modified or revoked at any time in the future. The result of this research is to allow information sharing to reach a greater level of acceptance and usage due to: i. the enhanced level of access control made possible through finer-grained controls, allowing the content of a single resource to be classified and restricted at different levels, and ii. the ability to retain sustained control over information through modifiable controls, which can be enforced both while the information is stored on local information systems and after the information has been shared outside the local environment.

    A Data Protection Architecture for Derived Data Control in Partially Disconnected Networks

    Every organisation needs to exchange and disseminate data constantly amongst its employees, members, customers and partners. Disseminated data is often sensitive or confidential, and access to it should be restricted to authorised recipients. Several enterprise rights management (ERM) systems and data protection solutions have been proposed by both academia and industry to enable usage control on disseminated data, i.e. to allow data originators to retain control over who accesses their information, under which circumstances, and how it is used. This is often obtained by means of cryptographic techniques, and thus by disseminating encrypted data that only trustworthy recipients can decrypt. Most of these solutions assume data recipients are connected to the network and able to contact remote policy evaluation authorities that can evaluate usage control policies and issue decryption keys. This assumption oversimplifies the problem by neglecting situations where connectivity is not available, as often happens in crisis management scenarios. In such situations, recipients may not be able to access the information they have received. Also, while using data, recipients and their applications can create new derived information, either by aggregating data from several sources or by transforming the original data's content or format. Existing solutions mostly neglect this problem and do not allow originators to retain control over this derived data, despite the fact that it may be more sensitive or valuable than the data originally disseminated. In this thesis we propose an ERM architecture that caters for both derived data control and usage control in partially disconnected networks. We propose the use of a novel policy lattice model based on information flow and mandatory access control. Sets of policies controlling the usage of data can be specified and ordered in a lattice according to the level of protection they provide.
At the same time, their association with specific data objects is mandated by rules (content verification procedures) defined in a data sharing agreement (DSA) stipulated amongst the organisations sharing information. When data is transformed, the new policies associated with it are automatically determined depending on the transformation used and the policies currently associated with the input data. The solution we propose takes into account transformations that can either increase or reduce the sensitivity of information, thus giving originators a flexible means to control their data and its derivations. When data must be disseminated in disconnected environments, the movement of users and the ad hoc connections they establish can be exploited to distribute information. To allow users to decrypt disseminated data without contacting remote evaluation authorities, we integrate our architecture with a mechanism for authority devolution, so that users moving in the disconnected area can be granted the right to evaluate policies and issue decryption keys. This allows recipients to contact any nearby user that is also a policy evaluation authority to obtain decryption keys. The mechanism has been shown to be efficient, so that timely access to data is possible despite the lack of connectivity. Prototypes of the proposed solutions that protect XML documents have been developed. A realistic crisis management scenario has been used to show both the flexibility of the presented approach for derived data control and the efficiency of the authority devolution solution when handling data dissemination in simulated partially disconnected networks. While existing systems do not offer any means to control derived data and only offer partial solutions to the problem of lack of connectivity (e.g. by caching decryption keys), we have defined a set of solutions that help data originators faced with the shortcomings of current proposals to control their data in innovative, problem-oriented ways.