Policies for Composed Emergencies in Support of Disaster Management

  • Barbara Carminati
  • Elena Ferrari
  • Michele Guglielmi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7482)

Abstract

Recently, some proposals have appeared to achieve timely and flexible information sharing in support of emergency management. This is obtained by means of an emergency description language able to specify both emergency situations and temporary access control policies/obligations that have to be activated during emergencies. In this paper, we show that these languages have some limitations in capturing more critical emergency situations, which might arise when atomic emergency events are combined. Moreover, we show that such critical situations might require a new response plan (i.e., new temporary access control policies and obligations), with respect to those already in place for atomic emergencies. Therefore, we introduce the concept of composed emergency and related emergency policies. We also propose some overriding strategies to determine how temporary access control policies and obligations associated with a composed emergency have to be combined with those associated with atomic emergencies. Finally, we propose a tree-data structure in support of efficient emergency policy enforcement.

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Barbara Carminati (1)
  • Elena Ferrari (1)
  • Michele Guglielmi (1)
  1. Department of Theoretical and Applied Science, University of Insubria, Varese, Italy
