Abstract
With the growth of big data systems and ubiquitous computing, privacy has become a critical issue in security research. Purpose based access control model is a common approach for privacy preserving in data access for database management systems. However, previous works that are based on purposes ranging from the table level to the data cell level and that are extended with role-based access control model inherently suffer from the problem of role explosion and cumbersomeness in context aware policy specification. Besides, NoSQL databases have recently become increasingly popular as data platforms for big data and real-time web applications. Due to the simplicity in design but effectiveness in horizontal scaling and performance, using NoSQL databases are a better alternative approach in comparison with traditional relational databases. However, the lack of a fine-grained access control system with data privacy protection is one of the most important considerations in NoSQL databases. In this paper, we address this issue by proposing and implementing a comprehensive mechanism for enforcing document store attribute-based security policies together with an improved data privacy protection mechanism in the fine-grained level. We use Polish notation for modeling conditional expressions which are the combination of subject, resource, and environment attributes so that privacy policies are flexible, dynamic and fine grained. Furthermore, privacy rules are constrained not only by access and intended purposes but also by subject, resource, and environment attributes as well as levels of data disclosure. The experiments have been carried out to illustrate the execution time of evaluating access control policies and privacy policies in various data sizes.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bertino, E., Ghinita, G., Kamra, A.: Access control for databases: concepts and systems. Found. Trends® Databases 3(1–2), 1–148 (2011)
Sandhu, R.: The future of access control: attributes, automation, and adaptation. In: Krishnan, G., Anitha, R., Lekshmi, R., Kumar, M., Bonato, A., Graña, M. (eds.) Computational Intelligence, Cyber Security and Computational Models. AISC, vol. 246, p. 45. Springer, New Delhi (2014). https://doi.org/10.1007/978-81-322-1680-3_5
Hu, V.C., Ferraiolo, D., Kuhn, R., Friedman, A.R., Lang, A.J., Cogdell, M.M., Schnitzer, A., Sandlin, K., Miller, R., Scarfone, K.: Guide to attribute based access control (ABAC) definition and considerations (draft). NIST Special Publication 800(162) (2013)
Westin, A.F.: Privacy and freedom. Washington Lee Law Rev. 25(1), 166 (1968)
Byun, J.W., Bertino, E., Li, N.: Purpose based access control of complex data for privacy protection. In: Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies, pp. 102–110. ACM, June 2005
Byun, J.W., Li, N.: Purpose based access control for privacy protection in relational database systems. VLDB J. 17(4), 603–619 (2008). https://doi.org/10.1007/s00778-006-0023-0
Colombo, P., Ferrari, E.: Enforcement of purpose based access control within relational database management systems. IEEE Trans. Knowl. Data Eng. 26(11), 2703–2716 (2014)
Colombo, P., Ferrari, E.: Efficient enforcement of action-aware purpose-based access control within relational database management systems. IEEE Trans. Knowl. Data Eng. 27(8), 2134–2147 (2015)
Colombo, P., Ferrari, E.: Enhancing MongoDB with purpose based access control. In: IEEE Transactions on Dependable and Secure Computing (2015)
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 224–274 (2001)
Fuchs, L., Pernul, G., Sandhu, R.: Roles in information security–a survey and classification of the research area. Comput. Secur. 30(8), 748–769 (2011)
Parducci, B., Lockhart, H., Rissanen, E.: Extensible access control markup language (XACML) version 3.0. OASIS Standard, pp. 1–154 (2013)
Le Thi, K.T., Dang, T.K., Kuonen, P., Drissi, H.C.: STRoBAC – spatial temporal role based access control. In: Nguyen, N.-T., Hoang, K., Jȩdrzejowicz, P. (eds.) ICCCI 2012. LNCS (LNAI), vol. 7654, pp. 201–211. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34707-8_21
Thi, Q.N.T., Dang, T.K.: X-STROWL: a generalized extension of XACML for context-aware spatio-temporal RBAC model with OWL. In: 2012 Seventh International Conference on Digital Information Management (ICDIM), pp. 253–258. IEEE, August 2012
Nurseitov, N., Paulson, M., Reynolds, R., Izurieta, C.: Comparison of JSON and XML data interchange formats: a case study. Caine 2009, 157–162 (2009)
Wang, H., Sun, L., Bertino, E.: Building access control policy model for privacy preserving and testing policy conflicting problems. J. Comput. Syst. Sci. 80(8), 1493–1503 (2014)
Kabir, M.E., Wang, H.: Conditional purpose based access control model for privacy protection. In: Proceedings of the Twentieth Australasian Conference on Australasian Database, vol. 92, pp. 135–142. Australian Computer Society Inc., January 2009
Kabir, M.E., Wang, H., Bertino, E.: A role-involved conditional purpose-based access control model. In: Janssen, M., Lamersdorf, W., Pries-Heje, J., Rosemann, M. (eds.) EGES/GISP -2010. IAICT, vol. 334, pp. 167–180. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15346-4_13
Kabir, M.E., Wang, H., Bertino, E.: A conditional purpose-based access control model with dynamic roles. Expert Syst. with Appl. 38(3), 1482–1489 (2011)
Ni, Q., Bertino, E., Lobo, J., Brodie, C., Karat, C.M., Karat, J., Trombeta, A.: Privacy-aware role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(3), 24 (2010)
Ni, Q., Lin, D., Bertino, E., Lobo, J.: Conditional privacy-aware role based access control. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 72–89. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74835-9_6
Son, H.X., Tran, L.K., Dang, T.K., Pham, Y.N.: Rew-XAC: an approach to rewriting request for elastic ABAC enforcement with dynamic policies. In: 2016 International Conference on Advanced Computing and Applications (ACOMP), pp. 25–31. IEEE, November 2016
Acknowledgements
This research is funded by Vietnam National University Ho Chi Minh City (VNU-HCM) under grant number C2017-20-11.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Thi, Q.N.T., Dang, T.K., Van, H.L., Son, H.X. (2017). Using JSON to Specify Privacy Preserving-Enabled Attribute-Based Access Control Policies. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, KK. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2017. Lecture Notes in Computer Science(), vol 10656. Springer, Cham. https://doi.org/10.1007/978-3-319-72389-1_44
Download citation
DOI: https://doi.org/10.1007/978-3-319-72389-1_44
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72388-4
Online ISBN: 978-3-319-72389-1
eBook Packages: Computer ScienceComputer Science (R0)