Abstract
Usage control governs the handling of sensitive data after it has been given away. The enforcement of usage control requirements is a challenge because the service requester in general has no control over the service provider’s information processing devices. We analyze applicable trust models, conclude that observation-based enforcement is often more appropriate than enforcement by direct control over the service provider’s actions, and present a logical architecture that blends both forms of enforcement with the business logics of service-oriented architectures.
This work was done while A. Pretschner was on leave at the universities of Trento and Innsbruck—support by the Bolzano Innsbruck Trento Joint School for Information Technology is gratefully acknowledged. F. Massacci was supported by the EU-funded S3MS project.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Pretschner, A., Massacci, F., Hilty, M. (2007). Usage Control in Service-Oriented Architectures. In: Lambrinoudakis, C., Pernul, G., Tjoa, A.M. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2007. Lecture Notes in Computer Science, vol 4657. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74409-2_11
DOI: https://doi.org/10.1007/978-3-540-74409-2_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74408-5
Online ISBN: 978-3-540-74409-2
eBook Packages: Computer Science, Computer Science (R0)