Policies for Composed Emergencies in Support of Disaster Management
Recently, some proposals have appeared to achieve timely and flexible information sharing in support of emergency management. This is achieved by means of an emergency description language able to specify both emergency situations and the temporary access control policies/obligations that have to be activated during emergencies. In this paper, we show that these languages have some limitations in capturing more critical emergency situations, which might arise when atomic emergency events are combined. Moreover, we show that such critical situations might require a new response plan (i.e., new temporary access control policies and obligations), with respect to those already in place for atomic emergencies. Therefore, we introduce the concept of composed emergency and related emergency policies. We also propose some overriding strategies to determine how temporary access control policies and obligations associated with a composed emergency have to be combined with those associated with atomic emergencies. Finally, we propose a tree data structure in support of efficient emergency policy enforcement.