An extended attribute based access control model with trust and privacy: Application to a collaborative crisis management system
Introduction
Collaboration environments use distributed software and technologies that allow a group of people to interact virtually over a network. The multiplicity of platforms leads to several design requirements, such as environments that take into account the context of the user and of the situation. Some platforms may use powerful desktop clients whereas others may operate "in the field" using smartphones, or even simple sensors. Some users would be strongly authenticated whereas others may be anonymous contributors. Moreover, the collaboration environment deals with a current situation that can evolve over time. If the situation changes too much, the way the users collaborate may have to change as well.
Such collaboration environments should be highly adaptable and support dynamic reconfiguration. For a dynamic system, good fault tolerance properties are required to guarantee a good quality of service. To obtain such properties, the manipulated data should be distributed or replicated between servers or clients. The algorithms used should take the specifics of each context into account. For example, a user context could include the device capabilities: a user participating with a smartphone will not be able to store large quantities of data. A second example, related to the network context, is the network bandwidth, which restricts the streaming of the users' data.
Using these environments helps an organization to be more efficient or competitive. For a company, employing such tools should help to reduce operational costs for tasks that involve many participants, especially if they are geographically distributed. The goal of a collaboration tool is to aggregate the local contributions of users in order to achieve a more general task serving the needs of multiple users. For example, Google Crisis Response is a representative example of a tool where a very large community of users is involved in a global process that helps to solve a crisis [1]. It allows the free exchange of information about emergencies and humanitarian crises, all the way down to the individual level, such as helping with missing people (Google Person Finder).
The difficulty in the design of such a distributed tool is to clearly state the distributed workflow of information and operations needed to achieve the expected general tasks. If the collaborative context can evolve, the workflow of information is more complex and the definition of the software operations may also be more dynamic. For example, the data manipulated by the Google Crisis Response clients are readable by all users. Nevertheless, the policy for deleting or updating the data is not really formalized, as each user is supposed to manage the data he entered. In such a system, a community of administrators may decide to give updating rights to some users, especially while the crisis is ongoing. Those rights may be revoked later when the crisis is partially solved or over.
Collaboration and shared environments entail many security issues and concerns that cover prevention, protection, and response. Depending on the general collaborative task that the system intends to achieve, malicious users may abuse the system. In every collaboration system, some users who do not share the goal of the collaborative task may exist. For example, in a crisis that involves terrorists, the attackers may introduce wrong information into an open crisis management tool in order to disrupt the rescue teams. For these reasons, security mechanisms should be introduced to control information access and flows, as well as the list of allowed local operations, particularly with regard to unexpected usages.
The integration of security mechanisms into a collaboration environment can have different goals. The first classical mechanism is the authentication of users, which helps control who can access the system and helps enforce the users' authorized actions in the system. The authorized actions are usually controlled by access control models such as role-based ones (i.e., RBAC [2]) and their derived models such as OrBAC (Organization Based Access Control) [3], [4] and ABAC (Attribute Based Access Control) [5]. Adapting such models to a collaboration environment is a difficult challenge because they assume that a strong authentication mechanism is available, which can be very difficult to set up in a totally distributed system. Moreover, the deployed access control policy should be distributed in the system and enforced, which is not straightforward. In such dynamic environments, the guarantee of security relies on collaborative access control mechanisms [6]. If such mechanisms cannot be implemented, for example because the target operating system cannot be trusted or because no central authority has the right to install security components, security should rely on the evaluation of the participants and their actions in order to estimate the trust that a participant can put in each transaction.
Trust metrics [7], [8], [9], [10] can help to build an opinion about other participants in a totally distributed system. The measure can be built using the reputation of a participant in the system or the recommendations a participant can obtain before negotiating a transaction. The difficulty with trust metrics is to link the evaluation of trust with access control decisions, which originally rely on policies and known information, e.g., credentials. In a highly dynamic environment, the users, resources and collaboration contexts may be heterogeneous and evolve quickly. Users can gain or lose communication capabilities, privileges, or security components; resources may appear, disappear, or be modified by trusted or untrusted users; the collaboration context may require that each transaction has a high level of trust or, on the contrary, may accept that transactions contain possibly wrong data.
In order to illustrate such situations, we present a use case scenario that shows the difficulties of these environments and serves as the basis for the implementation of our proposal. This paper presents an extended attribute-based access control model that can be used in collaboration systems. It also presents newly devised crisis management tools that can be employed in real-world crises, in a totally distributed way. The tools should deal with managing the crisis-involved elements (events, users, actions), the contexts (localization, emergency level, type of crisis), and the exchanged messages (information, orders, reports). In such tools, the survivability and the security of the data are serious challenges. The proposed solution should rely on a fine-grained security policy combined with trust mechanisms in order to guarantee some privacy in an efficient collaboration environment.
A goal of this paper is to demonstrate that fine-grained privacy protection can be obtained using an ABAC policy. This assurance is obtained by designing access control rules that take into account the attributes of the system's entities, the general context in which the system evolves, and the purpose of the requests. As the presented model is formally described, the paper illustrates the achieved privacy in a tool dedicated to the management of a crisis, which is a good example of a situation where a collaboration platform has security requirements. Another objective of the paper is to integrate trust into the ABAC decisions to further protect the system elements. This is a very useful contribution, as collaboration software often relies on not-fully-trusted users in totally distributed networks. The crisis management software then implements a basic version of the trust evaluation. Lastly, this paper presents a newly extended version of the models first introduced in [11], [12] and includes further developments and implementations applied to the domain of disaster management systems.
The paper is organized as follows. Section 2 gives a brief introduction to different access control models and supports our choice of ABAC for collaboration systems. Section 3 introduces the proposed extended attribute-based access control model. Sections 4 (Toward incorporating trust and privacy preserving) and 5 (Calculating trust and privacy preserving values) discuss the incorporation of trust and privacy into the model in two different ways. Section 6 presents a case study that illustrates the proposed introduction of privacy and trust into ABAC. This case study describes a crisis management scenario that leads to the implementation of a platform described in Section 7. Section 8 presents the details of the policies that are incorporated into the proposed platform for a preliminary implementation of the proposed extended ABAC model, before concluding the paper in Section 9.
Access control and security in collaboration environments: a state of the art
The security of a collaboration system relies on several aspects that are summed up in Fig. 1. Accountability and (security) policies are traditional security concepts of the TCSEC [13]. Nowadays, most systems that incorporate security commonly use authentication and access control mechanisms [14]. The description of legitimate accesses and operations is modeled using security policies. For systems in which unknown users may enter, trust has been introduced, in order to evaluate users’
An extended attribute-based access control model
Prevention is evidently the most effective security measure, since it can keep a system from being compromised in the first place. One prevention aspect, which we focus on in this work, is access control. The access control model presented here is based on the attributes of the different entities involved in making the access control decision. Compared with the models mentioned before, our model is more flexible in the sense that it can be reduced to almost all of the previously described ones.
As we
Toward incorporating trust and privacy preserving
Trust and privacy preserving issues have been well investigated and will remain focal points for security research in the foreseeable future. However, more often than not, they are addressed separately, despite the fact that organizations involved in collaboration face the challenges of both subjects simultaneously when making their access control policies and decisions. In this section, we describe our efforts to integrate trust and privacy together with access control in collaboration
Calculating trust and privacy preserving values
As mentioned before, there are two ways to include trust and privacy preserving in the ABAC model. The direct way requires that every access control decision is made based on a specified trust level. We therefore have four trust-related parameters for access control decision-making: subject attributes, object attributes, contexts, and the trust level. In the case of indirect incorporation of trust, the parameters are the first three. The trust level is used to assign subject attributes. We
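The following is an added illustration, not code from the paper or its platform, of the two options just described: a direct decision that takes subject attributes, object attributes, context and a trust level as four parameters, versus an indirect one where the trust level is first turned into a subject attribute. The attribute names, the 0.0-1.0 trust scale, the `clearance` attribute, the crisis levels and the rules are all assumptions made here; the purpose-matching check models the paper's purpose-based privacy requirement.

```python
from dataclasses import dataclass
from typing import Callable

TRUSTED = 0.7  # assumed threshold on an assumed 0.0-1.0 trust scale

@dataclass
class Request:
    subject: dict   # subject attributes, e.g. role, trust level
    obj: dict       # object attributes, e.g. type, collection purpose
    context: dict   # context attributes, e.g. crisis_level
    purpose: str    # purpose the subject declares for this access
    action: str

@dataclass
class Rule:
    action: str
    obj_type: str
    contexts: set                          # crisis levels where the rule applies
    subject_test: Callable[[dict], bool]   # predicate over subject attributes
    min_trust: float = 0.0                 # direct incorporation: trust floor

def purpose_matches(req: Request) -> bool:
    """Privacy check: declared purpose must equal the object's collection purpose."""
    return req.purpose == req.obj.get("purpose")

def decide(rules, req: Request, indirect: bool = False) -> bool:
    """True if some rule permits the request.
    indirect=False: trust is a fourth decision parameter, each rule has a floor.
    indirect=True: trust is first mapped to the (assumed) subject attribute
    'clearance'; rules then see only subject, object and context attributes.
    """
    if not purpose_matches(req):
        return False
    subj = dict(req.subject)
    trust = subj.get("trust", 0.0)
    if indirect:
        subj["clearance"] = "trusted" if trust >= TRUSTED else "anonymous"
    for r in rules:
        if (r.action == req.action
                and req.obj.get("type") == r.obj_type
                and req.context.get("crisis_level") in r.contexts
                and r.subject_test(subj)
                and (indirect or trust >= r.min_trust)):
            return True
    return False

# Direct incorporation: update rights exist only while the crisis level is high.
DIRECT_RULES = [
    Rule("read", "victim_record", {"low", "high"}, lambda s: True),
    Rule("update", "victim_record", {"high"},
         lambda s: s.get("role") == "medic", min_trust=TRUSTED),
]

# Indirect incorporation: the same policy written against the derived attribute.
INDIRECT_RULES = [
    Rule("read", "victim_record", {"low", "high"}, lambda s: True),
    Rule("update", "victim_record", {"high"},
         lambda s: s.get("role") == "medic" and s.get("clearance") == "trusted"),
]
```

With the direct rules the trust floor can differ per rule, whereas the indirect rules only ever see the single derived attribute, which is the trade-off between the two options.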
A case study: crisis management scenario
In this section we provide a real-world scenario to which we apply our extended ABAC model. The scenario concerns crisis management. Our goal is to demonstrate how to implement ABAC policies in a collaborative software platform to guarantee a fine-grained level of privacy. The second objective is to show how to introduce trust computation for collaborative users who are not authenticated in the system but may gain trust by performing new tasks during a crisis situation.
The conceived
The crisis management software
In our case study, we consider the case of a natural disaster crisis. Our collaborative crisis management software allows military, policemen, firefighters, federal agents, medical staff, and ordinary people to collaborate in helping efforts during crisis management, to rescue people and to solve problems.
We assume that the system is available and always runs in the background, with a minimal set of privileged users connected. For the system, a decentralized service provider stores static
Implementation of the extended ABAC model
In our implementation of the CMS presented in the previous section, we showed how some access control decisions are made. In this section, we explain how these decisions are made based on attributes, trust and privacy preserving concerns, following some aspects of the models given in Section 5. In the following sections, we first describe how we take trust into account. Then, we focus on privacy preserving. Lastly, we discuss some of the details regarding the decision engine implemented along
Discussion, concluding remarks and future work
This paper presents the integration of trust and privacy into an extended Attribute-Based Access Control (ABAC) model. The model associates the defined subjects and objects with their respective sets of attributes. Those attributes represent the various properties of the considered entities, such as name, role, type, location, purpose, etc. The model facilitates the development of an access control policy that consists of a set of access control rules between subjects and objects in a particular
Acknowledgments
This work is based on a preliminary version developed in [12], to which the following ENSI de Bourges engineering students partly contributed: Fabien Dupré, for his work on the peer-to-peer implementation of the communication layers with JXTA; Sophie Merouani, for her work on the primary user interface; and finally Sonia Rateau, for her work on the trust model and the development of the preliminary ABAC decision engine.
References (95)
- Google Crisis Response, ...
- et al., Role-based access control models, IEEE Computer (1996)
- F. Innerhofer-Oberperfler, M. Hafner, R. Breu, Living security-collaborative security management in a changing world, ...
- et al., Organization based access control
- et al., Attributed based access control (ABAC) for web services
- et al., Access control in collaborative systems, ACM Computing Surveys (2005)
- et al., Trustlet, open research on trust metrics, Scalable Computing: Practice and Experience (2001)
- Z.M. Aljazzaf, M. Perry, M.A.M. Capretz, Trust metrics for services and service providers, in: CIW 2011: The Sixth...
- An authentication trust metric for federated identity management systems
- Attack-resistant trust metrics
- Context-dependent authentication and access control
- Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management
- SecureFlow: a secure web-enabled workflow management system
- Administration model for Or-BAC, International Journal of Computer Systems Science and Engineering (CSSE)
- TRBAC: a temporal role-based access control model, ACM Transactions on Information and System Security (TISSEC)
- CTTE: support for developing and analyzing task models for interactive system design, IEEE Transactions on Software Engineering
- Task-adaptive information distribution for dynamic collaborative emergency response, The International Journal of Intelligent Control and Systems
- Specification of secure distributed collaboration systems
- Flexible team-based access control using contexts
- Free riding on Gnutella revisited: the bell tolls?, IEEE Distributed Systems Online
- PET: a personalized trust model with reputation and risk evaluation for p2p resource sharing
- Peertrust: supporting reputation-based trust for peer-to-peer electronic communities, The IEEE Transactions on Knowledge and Data Engineering
- Collaborative virtual organisation trust measurement: leveraging corporate governance metrics
- Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security
Cited by (82)
- Performance analysis of the dynamic trust model algorithm using the fuzzy inference system for access control (2021, Computers and Electrical Engineering). Citation excerpt: "Chen et al. [21] proposed a fuzzy inference trust model for a Peer to Peer (p2p) network environment and discussed the Mamdani type fuzzy inference technique in peer trust. Samari et al. [22,23] provided a collaboration graphical tool for ABAC policies for dynamic trust and privacy evaluation. Zhao et al. [24] provided a method for the assessment of recommendation trust and have given a solution to the problem of weight assignment to decision attributes by using relevant theories in expert investigation, fuzzy analysis and gray correlation analysis."
- Known unknowns: Indeterminacy in authentication in IoT (2020, Future Generation Computer Systems). Citation excerpt: "Finally, it is not clear how the method identifies roles and assigns them, and nor has the work considered how RBAC can be adapted in the context of IoT. Waleed et al. [11] proposed an access control model based on ABAC that incorporates trust and privacy into access policy to make it reliable in a collaborative environment. This model supports the privacy of subjects by authorizing certain access requests so that the purposes of access for both the subject and the object are the same."
- A resilient inter-organizational workflow assignment plan selection approach: Application to a digital health use case (2024, International Journal of Engineering Business Management)
- A Smart Contract-Based Access Control Framework For Smart Healthcare Systems (2024, Computer Journal)
- Mitigating Risks in the Cloud-Based Metaverse Access Control Strategies and Techniques (2023, International Journal of Cloud Applications and Computing)
- Attribute-based encryption with enforceable obligations (2023, Journal of Cryptographic Engineering)
Waleed W. Smari is a Senior Research Scientist at Ball Aerospace & Technologies Corp and a Professor of Electrical and Computer Engineering. His technical interests and specialties include Collaboration Sciences and Technologies, Human Centered Computing, High Performance Parallel and Distributed Processing and Networking, Performance Evaluation Methods and Modeling Techniques of Computing Systems, Information Systems and Engineering, Reconfigurable Computing and Digital Systems Design, and Computer Engineering Education. He has served as PI on several research projects sponsored by government agencies and industry. He was a Visiting Fellow at government labs as well as at a number of universities around the World. He has been a Senior Member of the Institute of Electrical and Electronics Engineers (IEEE) and the Association for Computing Machinery (ACM), a Member of the American Society for Engineering Education (ASEE), the International Society of Computers and Their Applications (ISCA), the International Association of Science and Technology for Development (IASTED), The Society for Computer Simulation International (SCS), and The European Council on Modelling and Simulation (ECMS).
Patrice Clemente is currently an Associate Professor at the ENSI of Bourges (Ecole Nationale Superieure d’Ingenieurs of Bourges), France. He is also a member of the SDS team (Security of Distributed Systems) of the Laboratoire d’Informatique Fondamentale d’Orleans (LIFO), France. Patrice Clemente received a Ph.D. degree in Computer Science in 2004 from the University of Franche-Comte and France Telecom R&D (previously known as CNET).
His main research interests at SDS focus on OS security, security meta-policies, correlation for host intrusion detection, host intrusion detection for Mandatory Access Control, access control mechanisms in general, security property enforcement, information flow prevention and security visualization: visualization of security policies and visualization of session logs.
Jean-Francois Lalande has been an Associate Professor at ENSI de Bourges, in the Laboratoire d’Informatique Fondamentale d’Orléans (LIFO), since 2005. His research domains are the security of operating systems and embedded software. He obtained his Ph.D. in Computer Science from the University of Nice. Before 2005, he worked on telecommunication network dimensioning in the Mascotte team (INRIA/I3S/CNRS/UNS).