Abstract
Ubiquitous social systems encompass ubiquitous computing, enterprise mobility and consumerization of IT, amplifying the threats associated to these fields. Context-aware security systems have been proposed as solutions for many of these threats. We argue that policy models used by these systems are not suitable for ubiquitous social systems. They lack of sufficient abstractions for specification and analysis of security policies and unnecessarily burden them with context reasoning rules. This can compromise the correctness of security policies and the performance of security systems. To address these issues, we propose a security policy model for ubiquitous social systems. The model defines all possible contextual information as policy abstractions, enabling clear and precise analysis of how they influence access control. Moreover, it takes into account the social related aspect and introduces an object life cycle. As a result, our model provides more intuitive abstractions and facilitates policy specification and context-aware security provisioning.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Security property is a quality that describes a resource or its usage, with respect to the objectives of security, i.e., confidentiality, integrity and availability.
- 2.
Examples of social domains are family or research department, whereas examples of social groups are their particular realization.
- 3.
Participant is an entity involved in an activity by consuming or generating resources, whereas observer is an entity that can monitor an activity which is being performed.
- 4.
Asset is a resource assigned to a social group, or an entity defined as its member. Entities are assets as they are responsible for achieving the social group goals.
- 5.
Since continuous activities and current security contexts are activities and security contexts, respectively, they are represented through these abstractions on the figure.
- 6.
Since activating applications has different security implications than activating data and channels, we use two activity types in order to control them separately.
- 7.
Since subjects are objects, this implies that Org also includes origins of subjects.
- 8.
Destroy activity as not continuous, because its effect over the involved object does not exist, as the object is destroyed after its execution.
- 9.
One entity acts both as user and participant in an activity. In the former case, it initiates the activity, whereas in the latter it participates in it.
- 10.
Since people are often part of a single social group from a social domain, we refer to social groups by their domains, e.g., work is ACME1 and home is Alice’s family.
- 11.
As explained in [8], the public social group is default and contains all entities.
- 12.
The values of the association and setting will also change, since there are public group members around.
References
Bai, G., Gu, L., Feng, T., Guo, Y., Chen, X.: Context-aware usage control for Android. In: Jajodia, S., Zhou, J. (eds.) SecureComm 2010. LNICSSITE, vol. 50, pp. 326–343. Springer, Heidelberg (2010). doi:10.1007/978-3-642-16161-2_19
Bettini, C., Brdiczka, O., Henricksen, K., Indulska, J., Nicklas, D., Ranganathan, A., Riboni, D.: A survey of context modelling and reasoning techniques. Pervasive Mob. Comput. 6(2), 161–180 (2010)
Bonatti, P., Galdi, C., Torres, D.: ERBAC: Event-driven RBAC. In: Proceedings of the ACM Symposium on Access Control Models and Technologies, pp. 125–136. ACM (2013)
Covington, M.J., Long, W., Srinivasan, S., Dev, A.K., Ahamad, M., Abowd, G.D.: Securing context-aware applications using environment roles. In: Proceedings of the ACM Symposium on Access Control Models and Technologies, SACMAT 2001, pp. 10–20. ACM (2001)
Cuppens, F., Cuppens-Boulahia, N.: Modeling contextual security policies. Int. J. Inf. Secur. 7(4), 285–305 (2008)
Dey, A.K.: Understanding and using context. Pers. Ubiquit. Comput. 5(1), 4–7 (2001)
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 224–274 (2001)
Jovanovikj, V., Gabrijelčič, D., Klobučar, T.: A conceptual model of security context. Int. J. Inf. Secur. 13(6), 571–581 (2014)
Kulkarni, D., Tripathi, A.: Context-aware role-based access control in pervasive computing systems. In: Proceedings of the ACM Symposium on Access Control Models and Technologies, SACMAT 2008, pp. 113–122. ACM (2008)
Mostefaoui, G.K.: Towards a conceptual and software framework for integrating context-based security in pervasive environments. Ph.D. thesis, University of Fribourg (2004)
Park, J., Sandhu, R.: The UCON ABC usage control model. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(1), 128–174 (2004)
Toninelli, A., Montanari, R., Kagal, L., Lassila, O.: Proteus: A semantic context-aware adaptive policy model. In: Proceedings of the IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2007, pp. 129–140. IEEE Computer Society (2007)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Jovanovikj, V., Gabrijelčič, D., Klobučar, T. (2017). Security Policy Model for Ubiquitous Social Systems. In: Brézillon, P., Turner, R., Penco, C. (eds) Modeling and Using Context. CONTEXT 2017. Lecture Notes in Computer Science(), vol 10257. Springer, Cham. https://doi.org/10.1007/978-3-319-57837-8_24
Download citation
DOI: https://doi.org/10.1007/978-3-319-57837-8_24
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-57836-1
Online ISBN: 978-3-319-57837-8
eBook Packages: Computer ScienceComputer Science (R0)