Skip to main content
SpringerLink
Log in

Using JSON to Specify Privacy Preserving-Enabled Attribute-Based Access Control Policies

  • Conference paper
  • First Online:
Security, Privacy, and Anonymity in Computation, Communication, and Storage (SpaCCS 2017)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 10656))

Abstract

With the growth of big data systems and ubiquitous computing, privacy has become a critical issue in security research. Purpose based access control model is a common approach for privacy preserving in data access for database management systems. However, previous works that are based on purposes ranging from the table level to the data cell level and that are extended with role-based access control model inherently suffer from the problem of role explosion and cumbersomeness in context aware policy specification. Besides, NoSQL databases have recently become increasingly popular as data platforms for big data and real-time web applications. Due to the simplicity in design but effectiveness in horizontal scaling and performance, using NoSQL databases are a better alternative approach in comparison with traditional relational databases. However, the lack of a fine-grained access control system with data privacy protection is one of the most important considerations in NoSQL databases. In this paper, we address this issue by proposing and implementing a comprehensive mechanism for enforcing document store attribute-based security policies together with an improved data privacy protection mechanism in the fine-grained level. We use Polish notation for modeling conditional expressions which are the combination of subject, resource, and environment attributes so that privacy policies are flexible, dynamic and fine grained. Furthermore, privacy rules are constrained not only by access and intended purposes but also by subject, resource, and environment attributes as well as levels of data disclosure. The experiments have been carried out to illustrate the execution time of evaluating access control policies and privacy policies in various data sizes.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Bertino, E., Ghinita, G., Kamra, A.: Access control for databases: concepts and systems. Found. Trends® Databases 3(1–2), 1–148 (2011)

    MATH  Google Scholar 

  2. Sandhu, R.: The future of access control: attributes, automation, and adaptation. In: Krishnan, G., Anitha, R., Lekshmi, R., Kumar, M., Bonato, A., Graña, M. (eds.) Computational Intelligence, Cyber Security and Computational Models. AISC, vol. 246, p. 45. Springer, New Delhi (2014). https://doi.org/10.1007/978-81-322-1680-3_5

    Chapter  Google Scholar 

  3. Hu, V.C., Ferraiolo, D., Kuhn, R., Friedman, A.R., Lang, A.J., Cogdell, M.M., Schnitzer, A., Sandlin, K., Miller, R., Scarfone, K.: Guide to attribute based access control (ABAC) definition and considerations (draft). NIST Special Publication 800(162) (2013)

    Google Scholar 

  4. Westin, A.F.: Privacy and freedom. Washington Lee Law Rev. 25(1), 166 (1968)

    Google Scholar 

  5. Byun, J.W., Bertino, E., Li, N.: Purpose based access control of complex data for privacy protection. In: Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies, pp. 102–110. ACM, June 2005

    Google Scholar 

  6. Byun, J.W., Li, N.: Purpose based access control for privacy protection in relational database systems. VLDB J. 17(4), 603–619 (2008). https://doi.org/10.1007/s00778-006-0023-0

    Article  Google Scholar 

  7. Colombo, P., Ferrari, E.: Enforcement of purpose based access control within relational database management systems. IEEE Trans. Knowl. Data Eng. 26(11), 2703–2716 (2014)

    Article  Google Scholar 

  8. Colombo, P., Ferrari, E.: Efficient enforcement of action-aware purpose-based access control within relational database management systems. IEEE Trans. Knowl. Data Eng. 27(8), 2134–2147 (2015)

    Article  Google Scholar 

  9. Colombo, P., Ferrari, E.: Enhancing MongoDB with purpose based access control. In: IEEE Transactions on Dependable and Secure Computing (2015)

    Google Scholar 

  10. Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 224–274 (2001)

    Article  Google Scholar 

  11. Fuchs, L., Pernul, G., Sandhu, R.: Roles in information security–a survey and classification of the research area. Comput. Secur. 30(8), 748–769 (2011)

    Article  Google Scholar 

  12. Parducci, B., Lockhart, H., Rissanen, E.: Extensible access control markup language (XACML) version 3.0. OASIS Standard, pp. 1–154 (2013)

    Google Scholar 

  13. Le Thi, K.T., Dang, T.K., Kuonen, P., Drissi, H.C.: STRoBAC – spatial temporal role based access control. In: Nguyen, N.-T., Hoang, K., Jȩdrzejowicz, P. (eds.) ICCCI 2012. LNCS (LNAI), vol. 7654, pp. 201–211. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34707-8_21

    Chapter  Google Scholar 

  14. Thi, Q.N.T., Dang, T.K.: X-STROWL: a generalized extension of XACML for context-aware spatio-temporal RBAC model with OWL. In: 2012 Seventh International Conference on Digital Information Management (ICDIM), pp. 253–258. IEEE, August 2012

    Google Scholar 

  15. Nurseitov, N., Paulson, M., Reynolds, R., Izurieta, C.: Comparison of JSON and XML data interchange formats: a case study. Caine 2009, 157–162 (2009)

    Google Scholar 

  16. Wang, H., Sun, L., Bertino, E.: Building access control policy model for privacy preserving and testing policy conflicting problems. J. Comput. Syst. Sci. 80(8), 1493–1503 (2014)

    Article  MathSciNet  MATH  Google Scholar 

  17. Kabir, M.E., Wang, H.: Conditional purpose based access control model for privacy protection. In: Proceedings of the Twentieth Australasian Conference on Australasian Database, vol. 92, pp. 135–142. Australian Computer Society Inc., January 2009

    Google Scholar 

  18. Kabir, M.E., Wang, H., Bertino, E.: A role-involved conditional purpose-based access control model. In: Janssen, M., Lamersdorf, W., Pries-Heje, J., Rosemann, M. (eds.) EGES/GISP -2010. IAICT, vol. 334, pp. 167–180. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15346-4_13

    Chapter  Google Scholar 

  19. Kabir, M.E., Wang, H., Bertino, E.: A conditional purpose-based access control model with dynamic roles. Expert Syst. with Appl. 38(3), 1482–1489 (2011)

    Article  Google Scholar 

  20. Ni, Q., Bertino, E., Lobo, J., Brodie, C., Karat, C.M., Karat, J., Trombeta, A.: Privacy-aware role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(3), 24 (2010)

    Article  Google Scholar 

  21. Ni, Q., Lin, D., Bertino, E., Lobo, J.: Conditional privacy-aware role based access control. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 72–89. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74835-9_6

    Chapter  Google Scholar 

  22. Son, H.X., Tran, L.K., Dang, T.K., Pham, Y.N.: Rew-XAC: an approach to rewriting request for elastic ABAC enforcement with dynamic policies. In: 2016 International Conference on Advanced Computing and Applications (ACOMP), pp. 25–31. IEEE, November 2016

    Google Scholar 

Download references

Acknowledgements

This research is funded by Vietnam National University Ho Chi Minh City (VNU-HCM) under grant number C2017-20-11.

Author information

Authors and Affiliations

  1. Ho Chi Minh City University of Technology, Ho Chi Minh City, Vietnam

    Que Nguyet Tran Thi, Tran Khanh Dang, Huy Luong Van & Ha Xuan Son

Authors
  1. Que Nguyet Tran Thi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tran Khanh Dang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Huy Luong Van
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ha Xuan Son
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Que Nguyet Tran Thi .

Editor information

Editors and Affiliations

  1. Guangzhou University , Guangzhou, China

    Guojun Wang

  2. Edith Kinney Gaylord Presidential Professor, University of Oklahoma, Norman, Oklahoma, USA

    Mohammed Atiquzzaman

  3. Aalto University, Espoo, Finland

    Zheng Yan

  4. University of Texas at San Antonio, San Antonio, Texas, USA

    Kim-Kwang Raymond Choo

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Thi, Q.N.T., Dang, T.K., Van, H.L., Son, H.X. (2017). Using JSON to Specify Privacy Preserving-Enabled Attribute-Based Access Control Policies. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, KK. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2017. Lecture Notes in Computer Science(), vol 10656. Springer, Cham. https://doi.org/10.1007/978-3-319-72389-1_44

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-72389-1_44

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-72388-4

  • Online ISBN: 978-3-319-72389-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation