Abstract
To protect stored personal information, many organizations and information systems adopt the role-based access control model (RBAC) or the mandatory access control model (MAC). Although individuals want to control their personal information, an individual-needs-based access control system is difficult to adopt in the existing environment. Recent proposals have included privacy-enhancing technologies such as communication anonymizers, shared bogus online accounts, and access to personal data. However, these systems cannot satisfy users’ privacy requirements. In this paper we propose two confidential access control models that apply individually established policy to existing RBAC and MAC technologies. In the SpRBAC model, a user’s right to access would follow organizational policy and accessing personal information would be restricted by subject policy. In the SpMAC model, users would have to satisfy the subject policy established by the provider of information in addition to the requirements of normal MAC policy. In the proposed models, it is possible to restrict access by authorized users according to the subject policy, that is, the policy defined by the subject (or informant—the one providing the personal information), and personal information can thus be protected.
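The two-stage decision the abstract describes can be sketched as follows. This is an added example, not code from the paper: the policy shape (per-subject deny lists for users and roles), the default of no restriction when a subject has set no policy, and every user, role, field and function name are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data; every name below is hypothetical.
USER_ROLES = {"alice": {"registrar"}, "bob": {"advisor"},
              "carol": {"advisor", "registrar"}}
ROLE_PERMS = {"registrar": {("read", "grades"), ("read", "address")},
              "advisor": {("read", "grades")}}
CLEARANCE = {"alice": 2, "bob": 2, "dave": 0}   # MAC clearance per user
LABEL = {"grades": 1, "address": 2}             # MAC sensitivity label per field

@dataclass
class SubjectPolicy:
    """Restrictions a data subject places on access to their own record."""
    denied_users: set = field(default_factory=set)
    denied_roles: set = field(default_factory=set)

# Policies keyed by data subject; no entry means no extra restriction (assumption).
SUBJECT_POLICIES = {
    "student42": SubjectPolicy(denied_users={"bob"}, denied_roles={"advisor"}),
}

def subject_allows(subject, user, roles=None):
    """Second stage: the subject policy can only narrow an organizational grant."""
    pol = SUBJECT_POLICIES.get(subject, SubjectPolicy())
    if user in pol.denied_users:
        return False
    # For role-mediated access, at least one granting role must not be denied.
    return roles is None or bool(roles - pol.denied_roles)

def sprbac_check(user, action, fld, subject):
    """SpRBAC-style decision: organizational RBAC first, then subject policy."""
    granting = {r for r in USER_ROLES.get(user, set())
                if (action, fld) in ROLE_PERMS.get(r, set())}
    if not granting:
        return False                      # organizational policy already denies
    return subject_allows(subject, user, granting)

def spmac_check(user, fld, subject):
    """SpMAC-style read decision: clearance must dominate the label, then subject policy."""
    if CLEARANCE.get(user, -1) < LABEL[fld]:
        return False                      # normal MAC policy denies (no read up)
    return subject_allows(subject, user)
```

In both functions the subject policy is evaluated only after the organizational check has passed, so it can remove access from an authorized user but never grant access the organization did not.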
Acknowledgments
The present research was conducted by the research fund of Dankook University in 2014.
Cite this article
Mun, HJ., Oh, S. Injecting Subject Policy into Access Control for Strengthening the Protection of Personal Information. Wireless Pers Commun 89, 715–728 (2016). https://doi.org/10.1007/s11277-015-3094-7
DOI: https://doi.org/10.1007/s11277-015-3094-7