Sharing information allows businesses to take advantage of hidden knowledge, improve work processes and cooperation both within and across organisations. Thus there is a need for improved information protection capable of restricting how information is used, as opposed to only accessed. Usage Control has been proposed to achieve this by combining and extending traditional access control, Digital Rights Management and various encryption schemes. Advances in usage control enforcement has received considerable attention from the research community and we therefore believe there is a need to synthesise these efforts to minimise the potential for overlap. This paper surveys the previous efforts on providing usage control enforcement and analyses the general strengths and weaknesses of these approaches. In this paper we demonstrate that there are several promising mechanisms for enforcing usage control, but that reliable empirical evidence is required in order to ensure the appropriateness and usability of the enforcement mechanisms.


Usage Control Enforcement Mechanism Trusted Platform Module Access Control Model Trust Computing 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Abie, H., Spilling, P., Foyn, B.: A distributed digital rights management model for secure information-distribution systems. International Journal of Information Security 3(2), 113–128 (2004)CrossRefGoogle Scholar
  2. 2.
    Abie, H., Spilling, P., Foyn, B.: Rights-carrying and self-enforcing information objects for information distribution systems. Information and Communications Security, 546–561 (2004)Google Scholar
  3. 3.
    Alam, M., Seifert, J., Li, Q., Zhang, X.: Usage control platformization via trustworthy SELinux. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, pp. 245–248 (2008)Google Scholar
  4. 4.
    Alam, M., Zhang, X., Nauman, M., Ali, T.: Behavioral attestation for web services (BA4WS). In: Proceedings of the 2008 ACM workshop on Secure Web Services, pp. 21–28 (2008)Google Scholar
  5. 5.
    Brunel, J., Cuppens, F., Cuppens, N., Sans, T., Bodeveix, J.: Security policy compliance with violation management. In: Proceedings of the 2007 ACM Workshop on Formal Methods in Security Engineering, pp. 31–40 (2007)Google Scholar
  6. 6.
    Brustoloni, J.C., Villamarín-Salomón, R., Djalaliev, P., Kyle, D.: Evaluating the usability of usage controls in electronic collaboration. In: Proceedings of the 4th Symposium on Usable Privacy and Security, pp. 85–92 (2008)Google Scholar
  7. 7.
    Cederquist, J., Corin, R., Dekker, M., Etalle, S., den Hartog, J., Lenzini, G.: Auditbased compliance control. International Journal of Information Security 6(2), 133–151 (2007)CrossRefGoogle Scholar
  8. 8.
    Corin, R., Galindo, D., Hoepman, J.H.: Securing data accountability in decentralized systems. In: On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops, pp. 626–635 (2006)Google Scholar
  9. 9.
    Djalaliev, P., Brustoloni, J.C.: Secure web-based retrieval of documents with usage controls. In: Proceedings of the 2009 ACM Symposium on Applied Computing, pp. 2062–2069 (2009)Google Scholar
  10. 10.
    Etalle, S., Winsborough, W.H.: A posteriori compliance control. In: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, pp. 11–20 (2007)Google Scholar
  11. 11.
    Gheorghe, G., Mori, P., Crispo, B., Martinelli, F.: Enforcing ucon policies on the enterprise service bus. In: Meersman, R., Dillon, T., Herrero, P. (eds.) OTM 2010. LNCS, vol. 6427, pp. 876–893. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  12. 12.
    Hilty, M., Pretschner, A., Basin, D., Schaefer, C., Walter, T.: Monitors for usage control. In: Trust Management, pp. 411–414 (2007)Google Scholar
  13. 13.
    Hu, H., Li, H., Feng, D.: L-ucon: Towards layered access control with ucon. In: Proceedings of the International Conference on Computational Science and Engineering, vol. 2, pp. 823–829 (August 2009)Google Scholar
  14. 14.
    Katt, B., Zhang, X., Breu, R., Hafner, M., Seifert, J.: A general obligation model and continuity: enhanced policy enforcement engine for usage control. In: The ACM Symposium on Access Control Models and Technologies, pp. 123–132 (2008)Google Scholar
  15. 15.
    Kitchenham, B., Charters, S.: Guidelines for performing systematic literature reviews in software engineering. EBSE Technical Report EBSE-2007-01, Keele University and University of Durham (2007)Google Scholar
  16. 16.
    Korthaus, R., Sadeghi, A., Stüble, C., Zhan, J.: A practical property-based bootstrap architecture. In: Proceedings of the 2009 ACM Workshop on Scalable Trusted Computing, pp. 29–38 (2009); ACM ID: 1655114Google Scholar
  17. 17.
    Krautsevich, L., Lazouski, A., Martinelli, F., Mori, P., Yautsiukhin, A.: Usage control, risk and trust. In: Katsikas, S., Lopez, J., Soriano, M. (eds.) TrustBus 2010. LNCS, vol. 6264, pp. 1–12. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  18. 18.
    Kumari, P., Pretschner, A., Peschla, J., Kuhn, J.: Distributed data usage control for web applications: a social network implementation. In: Proceedings of the First ACM Conference on Data and Application Security and Privacy, pp. 85–96 (2011)Google Scholar
  19. 19.
    Kyle, D., Brustoloni, J.: Uclinux: a linux security module for trusted-computingbased usage controls enforcement, pp. 63–70 (2007)Google Scholar
  20. 20.
    Lazouski, A., Martinelli, F., Mori, P.: Usage control in computer security: A survey. Computer Science Review 4(2), 81–99 (2010)CrossRefGoogle Scholar
  21. 21.
    Liu, Q., Safavi-Naini, R., Sheppard, N.P.: Digital rights management for content distribution. In: Proceedings of the Australasian Information Security Workshop Conference on ACSW Frontiers 2003, vol. 21, pp. 49–58 (2003)Google Scholar
  22. 22.
    Lopez, J., Oppliger, R., Pernul, G.: Why have public key infrastructures failed so far? Internet Research 15(5), 544–556 (2005)CrossRefGoogle Scholar
  23. 23.
    Massacci, F.: Infringo ergo sum: when will software engineering support infringements? In: Proceedings of the FSE/SDP Workshop on Future of Software Engineering Research, pp. 233–238 (2010)Google Scholar
  24. 24.
    Matson, M., Ulieru, M.: The ’how’ and ’why’ of persistent information security. In: Proceedings of the International Conference on Privacy, Security and Trust, pp. 1–4 (2006)Google Scholar
  25. 25.
    Nauman, M., Ali, T.: Hue: A hardware ucon engine for _ne-grained continuous usage control. In: The IEEE International Multitopic Conference, pp. 59–64 (2008)Google Scholar
  26. 26.
    Nyre, A.A., Jaatun, M.G.: A probabilistic approach to information control. Journal of Internet Technology 11(3), 407–416 (2010)Google Scholar
  27. 27.
    Park, J., Sandhu, R.: The UCONABC usage control model. ACM Transactions on Information Systems Security 7(1), 128–174 (2004)CrossRefGoogle Scholar
  28. 28.
    Pretschner, A., Hilty, M., Basin, D.: Distributed usage control. Communications of the ACM 49(9), 39–44 (2006)CrossRefGoogle Scholar
  29. 29.
    Pretschner, A., Hilty, M., Schutz, F., Schaefer, C., Walter, T.: Usage control enforcement: Present and future. IEEE Security & Privacy 6(4), 44–53 (2008)CrossRefGoogle Scholar
  30. 30.
    Pretschner, A., Massacci, F., Hilty, M.: Usage control in service-oriented architectures. In: Trust, Privacy and Security in Digital Business pp. 83–93 (2007)Google Scholar
  31. 31.
    Sandhu, R., Zhang, X., Ranganathan, K., Covington, M.J.: Client-side access control enforcement using trusted computing and pei models. Journal of High Speed Networks 15(3), 229–245 (2006)Google Scholar
  32. 32.
    Zhang, X., Park, J., Parisi-Presicce, F., Sandhu, R.: A logical speci_cation for usage control. In: Proceedings of the 9th ACM Symposium on Access Control Models and Technologies, pp. 1–10 (2004)Google Scholar
  33. 33.
    Zhang, X., Seifert, J.P., Sandhu, R.: Security enforcement model for distributed usage control. In: IEEE International Conference on Sensor Networks, Ubiquitous and Trustworthy Computing, SUTC 2008, pp. 10–18 (2008)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Åsmund Ahlmann Nyre
    • 1
  1. 1.Department of Computer and Information ScienceNorwegian University of Science and TechnologyTrondheimNorway

Personalised recommendations