Abstract
We propose an audit-based architecture that leverages the Hyperledger Fabric distributed ledger as a means to increase accountability and decentralize the authorization decision process of Attribute-Based Access Control policies by using smart contracts. Our goal is to decrease the trust in administrators and users with privileged accounts, and make the a posteriori verification of access events more reliable. We implement our approach to the use case of Electronic Health Record access control. Preliminary experiments show the viability of the proposed approach.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
Tests were run using Apache JMeter [19] version 5 on a server equipped with Intel Xeon E3-1240 V2 3.40Â GHz CPU and 16Â GB RAM.
References
Alizadeh, M., Lu, X., Fahland, D., Zannone, N., van der Aalst, W.M.: Linking data and process perspectives for conformance analysis. Comput. Secur. 73, 172–193 (2018). https://doi.org/10.1016/j.cose.2017.10.010
Androulaki, E., et al.: Hyperledger fabric: a distributed operating system for permissioned blockchains. In: EuroSys 2018. ACM, New York (2018). https://doi.org/10.1145/3190508.3190538
Azaria, A., Ekblaw, A., Vieira, T., Lippman, A.: MedRec: using blockchain for medical data access and permission management. In: OBD 2016, pp. 25–30. IEEE (2016). https://doi.org/10.1109/OBD.2016.11
Introduction to oracles. Corda online documentation v3.3. https://docs.corda.net/oracles.html
Dekker, M.A., Etalle, S.: Audit-based access control for electronic health records. Electron. Notes Theor. Comput. Sci. 168, 221–236 (2007). https://doi.org/10.1016/j.entcs.2006.08.028
Di Francesco Maesa, D., Mori, P., Ricci, L.: Blockchain based access control. In: Chen, L.Y., Reiser, H.P. (eds.) DAIS 2017. LNCS, vol. 10320, pp. 206–220. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59665-5_15
ENISA: Distributed Ledger Technology & Cybersecurity (2017). https://doi.org/10.2824/80997. https://www.enisa.europa.eu/publications/blockchain-security
EU: General Data Protection Regulation (GDPR) (2016). https://data.europa.eu/eli/reg/2016/679/2016-05-04
Ferraiolo, D., Chandramouli, R., Hu, V., Kuhn, R.: A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). NIST (2016). https://doi.org/10.6028/NIST.SP.800-178
Fisher, B., et al.: Attribute-Based Access Control. NIST (2017). https://nccoe.nist.gov/projects/building-blocks/attribute-based-access-control
Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10
Hyperledger fabric documentation. https://hyperledger-fabric.readthedocs.io/
Hölbl, M., Kompara, M., Kamišalic̀ A., Nemec Zlatolas, L.: A systematic review of the use of blockchain in healthcare. Symmetry 10(10) (2018). https://doi.org/10.3390/sym10100470
Hu, V., et al.: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST (2014). https://doi.org/10.6028/NIST.SP.800-162
Hyperledger Performance and Scale Working Group (PSWG): Hyperledger Blockchain Performance Metrics. https://www.hyperledger.org/resources/publications/blockchain-performance-metrics
IETF RFC: JSON Web Token (JWT) (2015). https://tools.ietf.org/html/rfc7519
IETF RFC: Automatic Certificate Management Environment (ACME) (2019). https://tools.ietf.org/html/rfc8555
Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31540-4_4
Jmeter. https://jmeter.apache.org/
Lampson, B.: Practical principles for computer security, NATO Security through Science Series - D: Information and Communication Security, vol. 9, pp. 151–195. IOS Press (2007)
Liang, X., Zhao, J., Shetty, S., Liu, J., Li, D.: Integrating blockchain for data sharing and collaboration in mobile healthcare applications. In: PIMRC, pp. 1–5. IEEE (2017). https://doi.org/10.1109/PIMRC.2017.8292361
Glossary of key information security terms. https://csrc.nist.gov/glossary
OASIS: The eXtensible Access Control Markup Language (XACML) (2013). https://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf
Dias, J.P., Sereno Ferreira, H., Martins, Â.: A blockchain-based scheme for access control in e-health scenarios. In: Madureira, A.M., Abraham, A., Gandhi, N., Silva, C., Antunes, M. (eds.) SoCPaR 2018. AISC, vol. 942, pp. 238–247. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-17065-3_24
Sandhu, R., Samarati, P.: Authentication, access control, and audit. ACM Comput. Surv. (CSUR) 28(1), 241–243 (1996). https://doi.org/10.1145/234313.234412
Thakkar, P., Nathan, S., Viswanathan, B.: Performance benchmarking and optimizing hyperledger fabric blockchain platform. In: MASCOTS 2018, pp. 264–276. IEEE (2018). https://doi.org/10.1109/MASCOTS.2018.00034
Tschantz, M.C., Datta, A., Wing, J.M.: Formalizing and enforcing purpose restrictions in privacy policies. In: S&P 2012, pp. 176–190. IEEE (2012). https://doi.org/10.1109/SP.2012.21
Verizon: Data breach investigations report (2018). https://enterprise.verizon.com/resources/reports/2018/DBIR_2018_Report.pdf
Verizon: Protected health information data breach report (2018). https://enterprise.verizon.com/resources/reports/phi/
Yaga, D., Mell, P., Roby, N., Scarfone, K.: Blockchain Technology Overview. NIST (2018). https://doi.org/10.6028/NIST.IR.8202
Zhang, P., White, J., Schmidt, D.C., Lenz, G., Rosenbloom, S.T.: FHIRChain: applying blockchain to securely and scalably share clinical data. Comput. Struct. Biotechnol. J. 16, 267–278 (2018). https://doi.org/10.1016/j.csbj.2018.07.004
Zyskind, G., Nathan, O., Pentland, A.S.: Decentralizing privacy: using blockchain to protect personal data. In: SPW, pp. 180–184. IEEE (2015). https://doi.org/10.1109/SPW.2015.27
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Morelli, U., Ranise, S., Sartori, D., Sciarretta, G., Tomasi, A. (2019). Audit-Based Access Control with a Distributed Ledger: Applications to Healthcare Organizations. In: Mauw, S., Conti, M. (eds) Security and Trust Management. STM 2019. Lecture Notes in Computer Science(), vol 11738. Springer, Cham. https://doi.org/10.1007/978-3-030-31511-5_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-31511-5_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31510-8
Online ISBN: 978-3-030-31511-5
eBook Packages: Computer ScienceComputer Science (R0)