On Usage Control for GRID Systems

This paper introduces a formal model, an architecture and a prototype implementation for usage control on GRID systems. The usage control model (UCON) is a new access control paradigm proposed by Park and Sandhu that encompasses and extends several existing models (e.g. MAC, DAC, Bell-Lapadula, RBAC, etc). Its main novelty is based on continuity of the access monitoring and mutability of attributes of subjects and objects. We identified this model as a perfect candidate for managing access/usage control in GRID systems due to their peculiarities, where continuity of control is a central issue. Here we adapt the original UCON model to develop a full model for usage control in GRID systems. We use as policy specification language a process description language and show how this is suitable to model the usage policy models of the original UCON model. We also describe a possible architecture to implement the usage control model. Moreover, we describe a prototype implementation for usage control of GRID computational services, and we show how our language can be used to define a security policy that regulates the usage of network communications to protect the local computational service from the applications that are executed on behalf of remote GRID users

Usage control in SIP-based multimedia delivery

The Session Initiation Protocol (SIP) is an application layer signaling protocol for the creation, modification and termination of multimedia sessions and VoIP calls with one or more participants.SIP is widely accepted as the protocol that will dominate multimedia communications in the future and one of the reasons is that it can inherently support multidomain heterogeneous networks.While SIP operates in highly dynamic environments, in the current version its authorization support is based on traditional access control models.The main problem these models face is that they were designed many years ago, and under some circumstances tend to be inadequate in modern highly dynamic environments.Usage Control (UCON), instead, is a model that supports the same operations as traditional access control models do, but it further enhances them with novel ones.In previous work, an architecture supporting continuous authorizations on SIP, based on the UCON model, was presented.In this paper, an authorization support implementing the whole UCON model, including authorizations, obligations and conditions, has been integrated in a SIP system.Moreover, a testbed has been set up to experimentally evaluate the performance of the proposed security mechanism

A Privacy-Aware Framework for Decentralized Online Social Networks

Online social networks based on a single service provider suffer several drawbacks, first of all the privacy issues arising from the delegation of user data to a single entity. Distributed online social networks (DOSN) have been recently proposed as an alternative solution allowing users to keep control of theirprivate data. However, the lack of a centralized entity introduces new problems, like the need of defining proper privacy policies for data access and of guaranteeing the availability of user\u27s data when the user disconnects from the social network. This paper introduces a privacy-aware support for DOSN enabling users to define a set of privacy policies which describe who is entitled to access the data in their social profile. These policies are exploited by the DOSN support to decide the re-allocation of the profile when the user disconnects from the socialnetwork.The proposed approach is validated through a set of simulations performed on real traces logged from Facebook

Fine Grained Access Control for Computational Services

Grid environment concerns the sharing of a large set of resources among entities that belong to Virtual Organizations. To this aim, the environment instantiates interactions among entities that belong to distinct administrative domains, that are potentially unknown, and among which no trust relationships exist a priori. For instance, a grid user that provides a computational service, executes unknown applications on its local computational resources on behalf on unknown grid users. In this context, the environment must provide an adequate support to guarantee security in these interactions. To improve the security of the grid environment, this paper proposes to adopt a continuous usage control model to monitor accesses to grid computational services, i.e. to monitor the behaviour of the applications executed on these services on behalf of grid users. This approach requires the definition of a security policy that describes the admitted application behaviour, and the integration in the grid security infrastructure of a component that monitors the application behaviour and that enforces this security policy. This paper also presents the architecture of the prototype of computational service monitor we have developed, along with some performance figures and its integration into the Globus framework

Distributed Access Control through Blockchain Technology

We defined a distributed access control system on top of blockchain technology. The underlying idea is to properly represent the access rights of the subjects in the blockchain in order to easily allow their enforcement at access request time. By leveraging blockchain advantages we can add new desired properties, such as auditability, to the access control system. To prove the feasibility and validate the proposed approach we developed a proof of concept implementation and performed some relevant experiments

Ciclo político presupuestal y gobiernos con y sin mayoría en México, 1994 y 2006

En este documento se analiza el gasto público federal ejercido antes y después de las elecciones presidenciales de 1994 y 2006 en México, para identificar la existencia de un ciclo político presupuestal (cpp). Se extienden los estudios previos al incorporar los efectos de la existencia o no de mayoría del partido del presidente en la Cámara de Diputados en la determinación del presupuesto de egresos. Específicamente, se examinan las reasignaciones que la Cámara de Diputados ha realizado al proyecto de presupuesto enviado por el Ejecutivo federal, así como la presencia de ciclos presupuestales en el gasto propuesto y ejercido por el Ejecutivo y aprobado por la misma Cámara. Se encontró que en un gobierno con mayoría, la composición de la Cámara de Diputados facilita la configuración de un cpp, en tanto que uno sin mayoría no puede evitarlo plenamente

Definition of Data Sharing Agreements (The case of Spanish Data Protection Law)

Electronic sharing of data among different parties, includ- ing groups of organizations and/or individuals, while protecting their legitimate rights on these data, is a key both for business and societal transactions. However, data sharing clauses are usually specified in legal documents that are far from being amenable of automated processing by the electronic platform that should enforce them. Furthermore, different parties usually pursue different interests. This may lead to conflicts that need to be solved for the agreements to succeed. Addressing this prob- lem, in this paper we i) discuss a proposal for the definition of a machine processable electronic data sharing multilateral contract (e-DSA); ii) re- call a controlled natural language (CNL4DSA) developed for expressing e-DSA clauses, in particular, authorizations and obligations policies on data; iii) instantiate a resolution process that can solve potential con- flicts posed by different stakeholders? clauses, e.g., legal, organizational, and end-users? clauses, according to specific criteria. We illustrate our approach on a realistic e-Health scenario derived from one described by a Spanish medical institution. The main novelty of this paper are the ref- erence to the Spanish Data Protection Law (S)DPL as the basic source of policies regulating data exchange and the idea of a multi-step e-DSA definition phase that incrementally increases the contract granularity. To the best of our knowledge, this is one of the first attempts to investi- gate how a real DPL can be translated into privacy rules electronically manageable by a devoted e-DSA-based infrastructure.?