
    Authentication and authorisation in entrusted unions

    This paper reports on the status of a project whose aim is to implement and demonstrate in a real-life environment an integrated eAuthentication and eAuthorisation framework to enable trusted collaborations and delivery of services across different organisational/governmental jurisdictions. This aim will be achieved by designing a framework with assurance of claims, trust indicators, policy enforcement mechanisms and processing under encryption to address the security and confidentiality requirements of large distributed infrastructures. The framework supports collaborative secure distributed storage, secure data processing and management in both the cloud and offline scenarios and is intended to be deployed and tested in two pilot studies in two different domains, viz. bio-security incident management and Ambient Assisted Living (eHealth). Interim results in terms of security requirements, privacy-preserving authentication, and authorisation are reported.

    Federated Access Management for Collaborative Environments

    Access control has been historically recognized as an effective technique for ensuring that computer systems preserve important security properties. Recently, attribute-based access control (ABAC) has emerged as a new paradigm to provide access mediation by leveraging the concept of attributes: observable properties that become relevant under a certain security context and are exhibited by the entities normally involved in the mediation process, namely end-users and protected resources. Also recently, independently-run organizations from the private and public sectors have recognized the benefits of engaging in multi-disciplinary research collaborations that involve sharing sensitive proprietary resources such as scientific data, networking capabilities and computation time, and have recognized ABAC as the paradigm that suits their needs for restricting the way such resources are to be shared with each other. In such a setting, a robust yet flexible access mediation scheme is crucial to guarantee that participants are granted access to such resources in a safe and secure manner. However, no consensus exists in the literature with respect to a formal model that clearly defines the way the components depicted in ABAC should interact with each other, so that the rigorous study of security properties can be effectively pursued. This dissertation proposes an approach tailored to provide a well-defined and formal definition of ABAC, including a description of how attributes exhibited by different independent organizations are to be leveraged for mediating access to shared resources, by allowing collaborating parties to engage in federations for the specification, discovery, evaluation and communication of attributes, policies, and access mediation decisions.
    In addition, a software assurance framework is introduced to support the correct construction of enforcement mechanisms implementing our approach by leveraging validation and verification techniques based on software assertions, namely design by contract (DBC) and behavioral interface specification languages (BISL). Finally, this dissertation also proposes a distributed trust framework that allows for exchanging recommendations on the perceived reputations of members of our proposed federations, in such a way that the level of trust of previously-unknown participants can be properly assessed for the purposes of access mediation. Dissertation/Thesis. Doctoral Dissertation, Computer Science, 201

    Collaborative Privacy Policy Authoring in a Social Networking Context.

    Recent years have seen a significant increase in the popularity of social networking services. These online services enable users to construct groups of contacts, referred to as friends, with which they can share digital content and communicate. This sharing is actively encouraged by the social networking services, with users' privacy often seen as a secondary concern. In this paper we first propose a privacy-aware social networking service and then introduce a collaborative approach to authoring privacy policies for the service. In addressing user privacy, our approach takes into account the needs of all parties affected by the disclosure of information and digital content. © 2010 Crown

    Access control system for the epidemic marketplace

    Master's thesis in Informatics Engineering, presented to the Universidade de Lisboa through the Faculdade de Ciências, 2013. The Epidemic Marketplace (EM) is a platform for integrating and sharing epidemiological data. Privacy issues are always a very delicate aspect of the repositories of platforms of this nature, since they involve the sharing of sensitive data. Users require assurance that access to their data is in accordance with well-defined access policies. To support this requirement, the access control model supported by the EM is group-based (GBAC). In a first version of the platform, resources could only be shared with static groups, which limited the expressiveness of the specifications. In addition, the platform had performance problems stemming from an initial, non-scalable implementation of the access control system. This work presents the solutions developed to increase the scalability of the EM and to provide more expressive mechanisms for sharing resources through the specification of dynamic groups. Given the popularity of social networks, the use of dynamic groups was extended to allow their integration with these networks, enabling EM users to create groups based on social-network connections. The EM was developed within the European Epiwork project, whose objectives were to monitor epidemic outbreaks, store the collected data and use it in mathematical models intended to simulate and better understand the spread of diseases.

    The Epidemic Marketplace (EM) is a platform for integrating and sharing epidemiological data. Privacy issues are always a delicate matter when users intend to store sensitive data in such repositories. The users require assurance that their data access will always be in compliance with defined policies. The access control model of the EM uses Group-Based Access Control (GBAC). However, in an initial version of the platform resources could only be shared with static groups, leading to a lack of expressiveness. In addition, the EM platform had performance limitations that derived from using a non-scalable access control system implementation which could only perform simple access control changes. This work reports how performance issues with the platform have been solved and its scalability improved. In addition, EM users have the possibility of sharing their resources with dynamic groups, which, being rule based, provide more expressive mechanisms to share data. Given the current popularity of Social Networks, dynamic groups have been integrated with Social Networks, enabling EM users to create groups based on Social connections, obtained from Social Networks. Such groups rely on user approval for granting EM access to Social Network data. The EM has been developed in part within the EU-funded Epiwork project, whose main concerns include monitoring epidemiological outbreaks, storing that data and feeding it to mathematical models for simulating and better understanding the dissemination of diseases.

    Online Social Networks with Message Filtered Policy Administration by Multiparty Access Control

    Recently we have studied the Multiparty Access Management for Online Social Networks Model and Mechanisms. Online social networks have experienced massive growth in recent years and become a de facto portal for millions of Internet users. These OSNs offer fetching means for digital social interactions and information sharing, but also raise a number of security and privacy issues. While OSNs allow users to limit access to shared data, they at present do not provide any mechanism to enforce privacy concerns over data related to multiple users. To this end, we propose an approach to enable the security of shared data related to multiple users in OSNs. They make an access control model to capture the spirit of multiparty authorization requirements, along with a multiparty policy requirement scheme and a policy application mechanism. In addition, our access control model has various tasks that allow us to analyze its features by taking advantage of an existing logical representation and existing logic solvers. A more comprehensive privacy approach to conflict resolution and analysis services for collaborative management of shared data in OSNs is proposed. DOI: 10.17762/ijritcc2321-8169.150611

    An Access Control Model to Facilitate Healthcare Information Access in Context of Team Collaboration

    The delivery of healthcare relies on the sharing of patients' information among a group of healthcare professionals (so-called multidisciplinary teams (MDTs)). At present, electronic health records (EHRs) are a widely utilized system to create, manage and share patient healthcare information among MDTs. While it is necessary to provide healthcare professionals with privileges to access patient health information, providing too many privileges may backfire when healthcare professionals accidentally or intentionally abuse their privileges. Hence, finding a middle ground, where the necessary privileges are provided and malicious usage is avoided, is necessary. This thesis highlights the access control matters in the collaborative healthcare domain. Focus is mainly on the collaborative activities that are best accomplished by organized MDTs within or among healthcare organizations with an objective of accomplishing a specific task (patient treatment). Initially, we investigate the importance and challenges of effective MDT treatment, the sharing of patient healthcare records in healthcare delivery, patient data confidentiality and the need for flexible access of the MDTs corresponding to the requirements to fulfill their duties. Also, we discuss access control requirements in the collaborative environment with respect to EHRs and a usage scenario of MDT collaboration. Additionally, we provide a summary of existing access control models along with their pros and cons pertaining to collaborative health systems. Second, we present a detailed description of the proposed access control model. In this model, the MDTs are classified based on Belbin's team role theory to ensure that privileges are provided according to the actual needs of healthcare professionals and to guarantee confidentiality as well as protect the privacy of sensitive patient information.
    Finally, evaluation indicates that our access control model has a number of advantages, including flexibility in terms of permission management, since roles and team roles can be updated without updating privileges for every user. Moreover, the level of fine-grained control of access to patient EHRs that can be authorized to healthcare providers is managed and controlled based on the job required to meet the minimum necessary standard and need-to-know principle. Additionally, the model does not add significant administrative and performance overhead.
