Attribute Based Access Control for Big Data Applications by Query Modification

We present concepts which can be used for the efficient implementation of Attribute Based Access Control (ABAC) in large applications using maybe several data storage technologies, including Hadoop, NoSQL and relational database systems. The ABAC authorization process takes place in two main stages. Firstly a sequence of permissions is derived which specifies permitted data to be retrieved for the user's transaction. Secondly, query modification is used to augment the user's transaction with code which implements the ABAC controls. This requires the storage technologies to support a high-level language such as SQL or similar. The modified user transactions are then optimized and processed using the full functionality of the underlying storage systems. We use an extended ABAC model (TCM2) which handles negative permissions and overrides in a single permissions processing mechanism. We illustrate these concepts using a compelling electronic health records scenario

Modelling, validating, and ranking of secure service compositions

This is the author accepted manuscript. The final version is available from the publisher via the DOI in this recordIn the world of large-scale applications, software as a service (SaaS) in general and use of microservices, in particular, is bringing service-oriented architectures to a new level: Systems in general and systems that interact with human users (eg, sociotechnical systems) in particular are built by composing microservices that are developed independently and operated by different parties. At the same time, SaaS applications are used more and more widely by enterprises as well as public services for providing critical services, including those processing security or privacy of relevant data. Therefore, providing secure and reliable service compositions is increasingly needed to ensure the success of SaaS solutions. Building such service compositions securely is still an unsolved problem. In this paper, we present a framework for modelling, validating, and ranking secure service compositions that integrate both automated services as well as services that interact with humans. As a unique feature, our approach for ranking services integrates validated properties (eg, based on the result of formally analysing the source code of a service implementation) as well as contractual properties that are part of the service level agreement and, thus, not necessarily ensured on a technical level

AN OBLIGATION MODEL FOR USAGE CONTROL

ABSTRACT How to control the access and usage of digital resources is one of the most important issues in computer security nowadays. Among them, how to control the resources when they have been passed to the client-side is a research hot spot. The Usage Control Model (UCON) has been proposed to solve this problem. In this research, we focus on one core component of the UCON model, the obligation. We propose a new obligation model to solve the problems the current ones can not deal with, especially for post-obligation. We also offer two testing scenarios, propose an architecture for a prototype based on the proposed model and apply the scenarios to the prototype architecture for proof-of-concept

Cybersecurity and medical devices: Are the ISO/IEC 80001-2-2 technical controls up to the challenge?

This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0/ This author accepted manuscript is made available following 24 month embargo from date of publication (Oct 2017) in accordance with the publisher’s archiving policyMedical devices, in the case of malfunction, can have tangible impact on patient safety. Their security, in a world where the Internet of Things has become a reality, is paramount to the continued safety of patients that are dependent upon these devices. The international standard ISO/IEC 80001 – Application of risk management for IT-networks incorporating medical devices presents a unified and amalgamated approach to the safety of medical devices connected to IT networks. Whilst this standard presents a guide for security and risk management in health delivery organisations, its effectiveness with regard to contemporary cybersecurity is unknown. This research employed a structured review process to compare and analyse the ISO/IEC 80001 technical controls standards (ISO/IEC 80001-2-2 and ISO/IEC 80001-2-8), with contemporary cybersecurity best practice, guidelines and standards. The research deconstructed the technical controls and drew links between these standards and cybersecurity best practice to assess the level of harmonisation. Subsequently, a deeper analysis identified the areas of omission, coverage, addition or improvement that may impact the effectiveness of ISO/IEC 80001 to provide effective cybersecurity protection. ISO/IEC 80001 aims to provide a minimal level of cybersecurity however this research demonstrates that there are deficiencies in the standard and identifies the important aspects of cybersecurity that could be improved. This situation has arisen due to the rapidly evolving nature of the cybersecurity environment and the protracted time to revise and republish international standards. This research identified several areas that require urgent consideration, including Emergency Access, Health Data De-Identification, Physical Locks on Devices, Data Backup, Disaster Recovery, Third-Party Components in Product Lifecycle Roadmap, Transmission Confidentiality, and Transmission Integrity. The research will provide health delivery organisations implementing ISO/IEC 80001, assurance as to the level of protection supplied by the ISO/IEC 80001 standard, and the areas that may need enhancement to increase cybersecurity protection and consequently increase in patient safety. Further, the outcomes are expected to influence development of the related international standard, as the findings from this research are being provided to the International Organisations for Standardisation, TC215 Health Informatics, Joint Working Group 7, to inform the review of ISO/IEC 80001 currently in progress

Security and privacy issues in implantable medical devices: A comprehensive survey

Bioengineering is a field in expansion. New technologies are appearing to provide a more efficient treatment of diseases or human deficiencies. Implantable Medical Devices (IMDs) constitute one example, these being devices with more computing, decision making and communication capabilities. Several research works in the computer security field have identified serious security and privacy risks in IMDs that could compromise the implant and even the health of the patient who carries it. This article surveys the main security goals for the next generation of IMDs and analyzes the most relevant protection mechanisms proposed so far. On the one hand, the security proposals must have into consideration the inherent constraints of these small and implanted devices: energy, storage and computing power. On the other hand, proposed solutions must achieve an adequate balance between the safety of the patient and the security level offered, with the battery lifetime being another critical parameter in the design phase

The bi-objective workflow satisfiability problem and workflow resiliency

A computerized workflow management system may enforce a security policy, specified in terms of authorized actions and constraints, thereby restricting which users can perform particular steps in a workflow. The existence of a security policy may mean that a workflow is unsatisfiable, in the sense that it is impossible to find a valid plan (an assignment of steps to authorized users such that all constraints are satisfied). Work in the literature focuses on the workflow satisfiability problem, a decision problem that outputs a valid plan if the instance is satisfiable (and a negative result otherwise). In this paper, we introduce the Bi-Objective Workflow Satisfiability Problem (BO-WSP), which enables us to solve optimization problems related to workflows and security policies. In particular, we are able to compute a “least bad” plan when some components of the security policy may be violated. In general, BO-WSP is intractable from both the classical and parameterized complexity point of view (where the parameter is the number of steps). We prove that computing a Pareto front for BO-WSP is fixed-parameter tractable (FPT) if we restrict our attention to user-independent constraints. This result has important practical consequences, since most constraints of practical interest in the literature are user-independent. Our proof is constructive and defines an algorithm, the implementation of which we describe and evaluate. We also present a second algorithm to compute a Pareto front which solves multiples instances of a related problem using mixed integer programming (MIP). We compare the performance of both our algorithms on synthetic instances, and show that the FPT algorithm outperforms the MIP-based one by several orders of magnitude on most instances. Finally, we study the important question of workflow resiliency and prove new results establishing that known decision problems are fixed-parameter tractable when restricted to user-independent constraints. We then propose a new way of modeling the availability of users and demonstrate that many questions related to resiliency in the context of this new model may be reduced to instances of BO-WSP

On the Usability of a Break-the-Glass Annotation Language for Process Models

Business process design for real-world applications often requires modelling languages of a certain complexity, interweaving several process perspectives, such as the data and the organizational one, and taking contextual process information into account. Ensuring that such languages are indeed usable is not trivial. This paper describes a usability study for a modelling language with those characteristics. More specifically, the so-called BTG! language features the security concept Break the Glass (BTG) that allows to specify exceptional access to data. We investigate usability characteristics of BTG! such as learnability, efficiency, errors, and satisfaction. Our study has helped to increase the usability of the language significantly. To illustrate, we have replaced the language terms with more intuitive ones and have extended the language with some frequently desired features. Our experiences can be applied to process modelling languages that are similarly comprehensive

Preventing unauthorized data flows

Trojan Horse attacks can lead to unauthorized data flows and can cause either a confidentiality violation or an integrity violation. Existing solutions to address this problem employ analysis techniques that keep track of all subject accesses to objects, and hence can be expensive. In this paper we show that for an unauthorized flow to exist in an access control matrix, a flow of length one must exist. Thus, to eliminate unauthorized flows, it is sufficient to remove all one-step flows, thereby avoiding the need for expensive transitive closure computations. This new insight allows us to develop an efficient methodology to identify and prevent all unauthorized flows leading to confidentiality and integrity violations. We develop separate solutions for two different environments that occur in real life, and experimentally validate the efficiency and restrictiveness of the proposed approaches using real data sets. © IFIP International Federation for Information Processing 2017

Access Control Within MQTT-based IoT environments

IoT applications, which allow devices, companies, and users to join the IoT ecosystems, are growing in popularity since they increase our lifestyle quality day by day. However, due to the personal nature of the managed data, numerous IoT applications represent a potential threat to user privacy and data confidentiality. Insufficient security protection mechanisms in IoT applications can cause unauthorized users to access data. To solve this security issue, the access control systems, which guarantee only authorized entities to access the resources, are proposed in academic and industrial environments. The main purpose of access control systems is to determine who can access specific resources under which circumstances via the access control policies. An access control model encapsulates the defined set of access control policies. Access control models have been proposed also for IoT environments to protect resources from unauthorized users. Among the existing solutions, the proposals which are based on Attribute-Based Access Control (ABAC) model, have been widely adopted in the last years. In the ABAC model, authorizations are determined by evaluating attributes associated with the subject, object, and environmental properties. ABAC model provides outstanding flexibility and supports fine-grained, context-based access control policies. These characteristics perfectly fit the IoT environments. In this thesis, we employ ABAC to regulate the reception and the publishing of messages exchanged within MQTT-based IoT environments. MQTT is a standard application layer protocol that enables the communication of IoT devices. Even though the current access control systems tailored for IoT environments in the literature handle data sharing among the IoT devices by employing various access control models and mechanisms to address the challenges that have been faced in IoT environments, surprisingly two research challenges have still not been sufficiently examined. The first challenge that we want to address in this thesis is to regulate data sharing among interconnected IoT environments. In interconnected IoT environments, data exchange is carried out by devices connected to different environments. The majority of proposed access control frameworks in the literature aimed at regulating the access to data generated and exchanged within a single IoT environment by adopting centralized enforcement mechanisms. However, currently, most of the IoT applications rely on IoT devices and services distributed in multiple IoT environments to satisfy users’ demands and improve their functionalities. The second challenge that we want to address in this thesis is to regulate data sharing within an IoT environment under ordinary and emergency situations. Recent emergencies, such as the COVID-19 pandemic, have shown that proper emergency management should provide data sharing during an emergency situation to monitor and possibly mitigate the effect of the emergency situation. IoT technologies provide valid support to the development of efficient data sharing and analysis services and appear well suited for building emergency management applications. Additionally, IoT has magnified the possibility of acquiring data from different sensors and employing these data to detect and manage emergencies. An emergency management application in an IoT environment should be complemented with a proper access control approach to control data sharing against unauthorized access. In this thesis, we do a step to address two open research challenges related to data protection in IoT environments which are briefly introduced above. To address these challenges, we propose two access control frameworks rely on ABAC model: the first one regulates data sharing among interconnected MQTT-based IoT environments, whereas the second one regulates data sharing within MQTT-based IoT environment during ordinary and emergency situations.IoT applications, which allow devices, companies, and users to join the IoT ecosystems, are growing in popularity since they increase our lifestyle quality day by day. However, due to the personal nature of the managed data, numerous IoT applications represent a potential threat to user privacy and data confidentiality. Insufficient security protection mechanisms in IoT applications can cause unauthorized users to access data. To solve this security issue, the access control systems, which guarantee only authorized entities to access the resources, are proposed in academic and industrial environments. The main purpose of access control systems is to determine who can access specific resources under which circumstances via the access control policies. An access control model encapsulates the defined set of access control policies. Access control models have been proposed also for IoT environments to protect resources from unauthorized users. Among the existing solutions, the proposals which are based on Attribute-Based Access Control (ABAC) model, have been widely adopted in the last years. In the ABAC model, authorizations are determined by evaluating attributes associated with the subject, object, and environmental properties. ABAC model provides outstanding flexibility and supports fine-grained, context-based access control policies. These characteristics perfectly fit the IoT environments. In this thesis, we employ ABAC to regulate the reception and the publishing of messages exchanged within MQTT-based IoT environments. MQTT is a standard application layer protocol that enables the communication of IoT devices. Even though the current access control systems tailored for IoT environments in the literature handle data sharing among the IoT devices by employing various access control models and mechanisms to address the challenges that have been faced in IoT environments, surprisingly two research challenges have still not been sufficiently examined. The first challenge that we want to address in this thesis is to regulate data sharing among interconnected IoT environments. In interconnected IoT environments, data exchange is carried out by devices connected to different environments. The majority of proposed access control frameworks in the literature aimed at regulating the access to data generated and exchanged within a single IoT environment by adopting centralized enforcement mechanisms. However, currently, most of the IoT applications rely on IoT devices and services distributed in multiple IoT environments to satisfy users’ demands and improve their functionalities. The second challenge that we want to address in this thesis is to regulate data sharing within an IoT environment under ordinary and emergency situations. Recent emergencies, such as the COVID-19 pandemic, have shown that proper emergency management should provide data sharing during an emergency situation to monitor and possibly mitigate the effect of the emergency situation. IoT technologies provide valid support to the development of efficient data sharing and analysis services and appear well suited for building emergency management applications. Additionally, IoT has magnified the possibility of acquiring data from different sensors and employing these data to detect and manage emergencies. An emergency management application in an IoT environment should be complemented with a proper access control approach to control data sharing against unauthorized access. In this thesis, we do a step to address two open research challenges related to data protection in IoT environments which are briefly introduced above. To address these challenges, we propose two access control frameworks rely on ABAC model: the first one regulates data sharing among interconnected MQTT-based IoT environments, whereas the second one regulates data sharing within MQTT-based IoT environment during ordinary and emergency situations

Extending access control models with break-glass

Access control models are usually static, i. e., permissions are granted based on a policy that only changes seldom. Especially for scenarios in health care and disaster management, a more flexible support of access control, i. e., the underlying policy, is needed. Break-glass is one approach for such a flexible support of policies which helps to prevent system stagnation that could harm lives or otherwise result in losses. Today, breakglass techniques are usually added on top of standard access control solutions in an ad-hoc manner and, therefore, lack an integration into the underlying access control paradigm and the systems ’ access control enforcement architecture. We present an approach for integrating, in a fine-grained manner, break-glass strategies into standard access control models and their accompanying enforcement architecture. This integration provides means for specifying break-glass policies precisely and supporting model-driven development techniques based on such policies