Weitere Artikel dieser Ausgabe durch Wischen aufrufen
To protect stored personal information, many organizations and information systems adopt the role-based access control model (RBAC) or the mandatory access control model (MAC). Although individuals want to control their personal information, an individual-needs-based access control system is difficult to adopt in the existing environment. Recent proposals have included privacy-enhancing technologies such as communication anonymizers, shared bogus online accounts, and access to personal data. However, these systems cannot satisfy users’ privacy requirements. In this paper we propose two confidential access control models that apply individually established policy to existing RBAC and MAC technologies. In the SpRBAC model, a user’s right to access would follow organizational policy and accessing personal information would be restricted by subject policy. In the SpMAC model, users would have to satisfy the subject policy established by the provider of information in addition to the requirements of normal MAC policy. In the proposed models, it is possible to restrict access by authorized users according to the subject policy, that is, the policy defined by the subject (or informant—the one providing the personal information), and personal information can thus be protected.
Bitte loggen Sie sich ein, um Zugang zu diesem Inhalt zu erhalten
Sie möchten Zugang zu diesem Inhalt erhalten? Dann informieren Sie sich jetzt über unsere Produkte:
Garitano, I., Fayyad, S., & Josef, N. (2015). Multi-metrics approach for security, privacy and dependability in embedded systems. Wireless Personal Communications, 81(4), 1359–1376. CrossRef
Zhang, R., Giunchiglia, F., Crispo, B., & Song, L. (2010). Relation-based access control: An access control model for context-aware computing environment. Wireless Personal Communications, 55(1), 5–17. CrossRef
Memon, I., Hussain, I., Akhtar, R., & Chen, G. (2015). Enhanced privacy and authentication: An efficient and secure anonymous communication for location based service using asymmetric cryptography scheme. Wireless Personal Communications, 84(2), 1487–1508. CrossRef
Zeadally, S., Pathan, A., Alcaraz, C., & Badra, M. (2013). Towards privacy protection in smart grid. Wireless Personal Communications, 73(1), 23–50. CrossRef
BBC News. (2014). S Korea credit card firms punished over data theft. BBC News Business. http://www.bbc.co.uk/news/business-26222283. Accessed August 15, 2015.
Johnny, L. (2004). Google hacking for penetration testers (pp. 127–129). Rockland: Syngress Publishing Inc.
Cavoukian, A. (2009). Privacy by design…take the challenge. Information and privacy commissioner of Ontario (Canada). http://www.ipc.on.ca/images/Resources/PrivacybyDesignBook.pdf. Accessed August 15, 2015.
OECD. (2013). Guidelines on the protection of privacy and transborder flows of personal data. OECD, http://www.oecd.org/internet/ieconomy/oecdguidelinesonthe protectionofprivacyandtransborderflowsofpersonaldata.htm. Accessed August 15, 2015.
WIKIPEDIA. (2015). General data protection regulation. https://en.wikipedia.org/wiki/General_Data_Protection_Regulation. Accessed August 15, 2015.
Mun, H., Um, N., Sun, N., Li, Y., & Lee, S. (2007). Subject-wise policy based access control mechanism for protection of personal information. In International conference on convergence information tech (Iccit2007), Gyeongju, Korea, November 21–23, pp. 2242–2247.
Mun, H., & Suh, J. (2008). Sensitive personal information model for RBAC system. Journal of computer information, 13(5), 103–110.
Ferraiolo, D.F., & Kuhn, D.R. (1992). Role-based access controls. In Proceedings of 15th NIST-NCSC national computer security conference, Baltimore, USA, October 13–16, pp. 554–563.
Sandhu, R. S., Coyne, E. J., Feinstein, H. L., & Youman, C. E. (1996). Role-based access control models. IEEE Computer, 29(2), 38–47. CrossRef
Ferraiolo, D. F., Barkley, J. F., & Kuhn, D. R. (1999). A role based access control model and reference implementation within a corporate intranet. ACM Transactions on Information and System Security (TISSEC), 2(1), 34–64. CrossRef
Park, J. S., Sandhu, R., & Ahn, G. J. (2001). Role-based access control on the web. ACM Transactions on Information and System Security (TISSEC), 4(1), 37–71. CrossRef
Sandhu, R., Bhamidipati, V., & Munawer, Q. (1999). The ARBAC97 model for role-based administration of roles. ACM Transactions Information and System Security (TISSEC), 2(1), 105–135. CrossRef
Sandhu, R., & Munawer, Q. (1999). The ARBAC99 Model for Administrative Roles. In IEEE 15th annual computer security applications conference, Phoenix, AZ, pp. 229–238.
Crampton, J., & Loizou, G. (2003). Administrative scope: A foundation for role-based administrative models. ACM Transactions on Information and System Security (TISSEC), 6(2), 201–231. CrossRef
Oh, S., Byun, C., & Park, S. (2006). An organizational structure-based administration model for decentralized access control. Journal of information science and engineering, 22, 1465–1483.
Zhu, Y., Ahn, G.J, Hu, H., & Wang, H. (2010). Cryptographic Role-based Security mechanisms based on role-key hierarchy. In Proceedings of the 5th ACM symposium on information, computer and communication. Security (ASIACCS ‘10), April 1–12.
Wang, J., Yu, J., Li, D., & Jia, Z. (2006). Combining authentication with role-based access control based on IBS. In IEEE international conference on computational intelligence and security, 2, pp. 1475–1480.
Russell, D., & Gangemi, G. T. (1991). Computer security basics (1st ed.). Sebastopol: O’Reilly & Associates Inc.
Pfleeger, C. P., & Pfleeger, S. L. (1997). Security in computing (2nd ed., pp. 361–371). Upper Saddle River, NJ: Prentice-Hall. MATH
Stallings, W. (2003). Cryptography and network security. Upper Saddle River: Prentice Hall Inc.
Mont, M.C., & Pearson, S. (2005). An adaptive privacy management system for data repositories, 2th trust, privacy, and security in digital business (TrustBus2005), Copenhagen, Denmark, LNCS 3592, August 22–26, pp. 236–245.
Sessay, S., Yang, Z., Chen, J., & Xu, D. (2005). A secure database encryption scheme.In 2th IEEE consumer communications and networking conference (CCNC2005), Las, Nevada, January 3–6, pp. 49–53.
Mun, H., Lee, K., & Lee, S. (2006). Person-Wise Privacy Level Access Control for Personal Information Directory Services. In international conference in embedded and ubiquitous computing (EUC2006), Seoul, Korea. Berlin, Heidelberg: Springer (LNCS 4096), August 1–4, pp. 89–98.
Mun, H. (2008). A Role based personal sensitive information protection with subject policy, doctoral dissertation. Cheongju-si: Chungbuk University.
- Injecting Subject Policy into Access Control for Strengthening the Protection of Personal Information
- Springer US
Neuer Inhalt/© Filograph | Getty Images | iStock