Audit-based compliance control

  • Special Issue Paper
  • International Journal of Information Security

Abstract

In this paper we introduce a new framework for controlling compliance with discretionary access control policies [Cederquist et al. in Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), 2005; Corin et al. in Proceedings of the IFIP Workshop on Formal Aspects in Security and Trust (FAST), 2004]. The framework consists of a simple policy language that models ownership of data and administrative policies. Users can create documents and authorize others to process them. To control compliance with the document policies, we define a formal audit procedure by which users may be audited and asked to justify that an action was in compliance with a policy. In this paper we focus on the implementation of our framework. We present a formal proof system, which was only informally described in earlier work. We derive an important tractability result (a cut-elimination theorem), and we use this result to implement a proof-finder, a key component of the framework. We argue that in a number of settings, such as collaborative work environments where a small group of users create and manage documents in a decentralized way, our framework is a more flexible approach to controlling compliance with policies.


References

  1. AC 2 proof tools at http://www.cs.ru.nl/paw

  2. Abadi, M.: Logic in access control. In: Kolaitis, P.G. (ed.) Proceedings of the Symposium on Logic in Computer Science (LICS), pp. 228–233. IEEE Computer Society Press (2003)

  3. Appel, A.W., Felten, E.W.: Proof-carrying authentication. In: Tsudik, G. (ed.) Proceedings of the Conference on Computer and Communications Security (CCS), pp. 52–62. ACM Press (1999)

  4. Ashley, P., Hada, S., Karjoth, G., Schunter, M.: E-p3p privacy policies and privacy authorization. In: Samarati, P. (ed.) Proceedings of the ACM workshop on Privacy in the Electronic Society (WPES 2002), pp. 103–109. ACM Press (2002)

  5. Bandmann, O.L., Firozabadi, B.S., Dam, M.: Constrained delegation. In: Abadi, M., Bellovin, S.M. (eds.) Proceedings of the Symposium on Security and Privacy (S&P), pp. 131–140. IEEE Computer Society Press (2002)

  6. Becker, M.Y., Sewell, P.: Cassandra: flexible trust management, applied to electronic health records. In: Focardi, R. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 139–154. IEEE Computer Society Press (2004)

  7. Beckert, B., Posegga, J.: leantap: lean tableau-based deduction. J. Autom. Reasoning 15(3), 339–358 (1995)

  8. Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: Proceedings of the Symposium on Security and Privacy (S&P), pp. 164–173. IEEE Computer Society Press (1996)

  9. Cederquist, J.G., Corin, R.J., Dekker, M.A.C., Etalle, S., den Hartog, J.I.: An audit logic for accountability. In: Sahai, A., Winsborough, W.H. (eds.) Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), pp. 34–43. IEEE Computer Society Press (2005)

  10. Chong, C.N., Peng, Z., Hartel, P.H.: Secure audit logging with tamper-resistant hardware. In: Gritzalis, D., S.D.C., Samarati, P., Katsikas, S.K. (eds.) 18th IFIP TC11 International Conference on Information Security and Privacy in the Age of Uncertainty (SEC), Athens, Greece, pp. 73–84. Kluwer Academic, Dordrecht (2003)

  11. Corin, R., Etalle, S., den Hartog, J.I., Lenzini, G., Staicu, I.: A logic for auditing accountability in decentralized systems. In: Dimitrakos, T., Martinelli, F. (eds.) Proceedings of the IFIP Workshop on Formal Aspects in Security and Trust (FAST), vol. 173, pp. 187–202. Springer, Berlin (2004)

  12. DeTreville, J.: Binder, a logic-based security language. In: Proceedings of the Symposium on Research in Security and Privacy (S&P), pp. 105–113. IEEE Computer Society Press (2002)

  13. Dowek, G., Jiang, Y.: Eigenvariables, bracketing and the decidability of positive minimal intuitionistic logic. Electr. Notes Theor. Comput. Sci. 85(7) (2003)

  14. Garg, D., Bauer, L., Bowers, K., Pfenning, F., Reiter, M.: A linear logic of authorization and knowledge. In: Proceedings of the European Symposium On Research In Computer Security (ESORICS). Springer, Berlin (2006)

  15. Garg, D., Pfenning, F.: Non-interference in constructive authorization logic. In: Proceedings of the Computer Security Foundations Workshop (CSFW). IEEE Computer Society Press (2006)

  16. Halpern, J.Y., van der Meyden, R.: A logic for SDSI’s linked local name spaces. In: Syverson, P. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 111–122. IEEE Computer Society Press (1999)

  17. Halpern, J.Y., Weissman, V.: Using first-order logic to reason about policies. In: Focardi, R. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 187–201. IEEE Computer Society Press (2003)

  18. Hu, V., Ferraiolo, D., Kuhn, D.: Assessment of access control systems—NIST interagency report. Technical report, National Institute of Standards and Technology (2006)

  19. Jajodia, S., Gadia, S., Bhargava, G.: Logical design of audit information in relational databases. In: Information Security: An integrated Collection of Essays, pp. 585–595. IEEE Computer Society Press (1995)

  20. Karjoth, G., Schunter, M., Waidner, M.: Platform for enterprise privacy practices: Privacy-enabled management of customer data. Privacy Enhancing Technologies (2002)

  21. Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: a logic-based approach to distributed authorization. ACM Trans. on Inf. Syst. Secur. (TISSEC) 6(1), 128–171 (2003)

  22. Li, N., Mitchell, J.: Datalog with constraints: A foundation for trust management languages. In: Dahl, V., Wadler, P. (eds.) Proceedings of the International Symposium on Practical Aspects of Declarative Languages (PADL) (2003)

  23. Li, N., Mitchell, J., Winsborough, W.: Design of a role-based trust-management framework. In: Abadi, M., Bellovin, S.M. (eds.) Proceedings of the Symposium on Research in Security and Privacy (S&P), pp. 114–130. IEEE Computer Society Press (2002)

  24. Longstaff, J.J., Lockyer, M.A., Thick, M.G.: A model of accountability, confidentiality and override for healthcare and other applications. In: Proceedings of the Workshop on Role-based Access Control (RBAC)

  25. Necula, G.C.: Compiling with proofs. Ph.D. thesis, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA (1998)

  26. OASIS Access Control TC: eXtensible Access Control Markup Language (XACML) Version 2.0—Oasis Standard, 1 Feb 2005 (2005)

  27. Park, J., Sandhu, R.: Originator control in usage control. In: Lobo, J., Dulay, N. (eds.) Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY), p. 60. IEEE Computer Society, Washington, DC, USA (2002)

  28. Park, J., Sandhu, R.: Towards usage control models: beyond traditional access control. In: Bertino, E. (ed.) Proceedings of the Symposium on Access Control Models and Technologies (SACMAT), pp. 57–64. ACM Press (2002)

  29. Pfenning, F.: Linear logic course handouts. http://www.cs.cmu.edu/~fp/courses/linear.html (2002)

  30. Pfenning, F., Schürmann, C.: System description: Twelf—a meta-logical framework for deductive systems. In: Ganzinger, H. (ed.) Proceedings of the International Conference on Automated Deduction (CADE), pp. 202–206. Springer, Berlin (1999)

  31. Rissanen, E., Firozabadi, B.S., Sergot, M.J.: Discretionary overriding of access control in the privilege calculus. In: Dimitrakos, T., Martinelli, F. (eds.) Proceedings of the 2nd IFIP Workshop on Formal Aspects in Security and Trust (FAST), pp. 219–232. Springer, Berlin (2004)

  32. Sandhu, R., Park, J.: Usage control: A vision for next generation access control. In: Gorodetsky, V., Popyack, L.J., Skormin, V.A. (eds.) Proceedings of the International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security MMM-ACNS. LNCS, vol. 2776, pp. 17–31. Springer, Berlin (2003)

  33. Sandhu, R., Samarati, P.: Access control: principles and practice. IEEE Commun. Mag. 32(9), 40–48 (1994)

  34. Sandhu, R., Samarati, P.: Authentication, access control and audit. ACM Comput. Surv. 28(1), 241–243 (1996)

  35. Shmatikov, V., Talcott, C.L.: Reputation-based trust management. J. Comput. Secur. 13(1), 167–190 (2005)

  36. Szabo, E.M. (ed.): The Collected Papers of Gerhard Gentzen. North Holland, Amsterdam (1969)

  37. The European Parliament and the Council of the European Union: UE DIRECTIVE 2002/58/EC on privacy and electronic communications. Official Journal of the European Union. http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf (2002)

  38. The US Department of Health and Human Services: Summary of the HIPAA Privacy Rule. Available on the website http://www.hhs.gov/ocr/privacysummary.pdf (2002)

  39. Topkara, M., Topkara, U., Atallah, M.J.: Words are not enough: sentence level natural language watermarking. In: Proceedings of the International workshop on Contents Protection and Security (MCPS), pp. 37–46. ACM Press (2006)

  40. U.S. Securities and Exchange Commission: Sarbanes-oxley act (2002)

  41. Wang, X., Lao, G., De Martini, T., Reddy, H., Nguyen, M., Valenzuela, E.: XrML: eXtensible rights markup language. In: Kudo, M. (ed.) Proceedings of the Workshop on XML Security (XMLSEC), pp. 71–79. ACM Press (2002)

  42. Whitehead, N., Abadi, M., Necula, G.C.: By reason and authority: a system for authorization of proof-carrying code. In: Focardi, R. (ed.) Proceedings of the Computer Security Foundations Workshop (CSFW), pp. 236–250. IEEE Computer Society Press (2004)

Corresponding author

Correspondence to M. A. C. Dekker.

About this article

Cite this article

Cederquist, J.G., Corin, R., Dekker, M.A.C. et al. Audit-based compliance control. Int. J. Inf. Secur. 6, 133–151 (2007). https://doi.org/10.1007/s10207-007-0017-y


  • DOI: https://doi.org/10.1007/s10207-007-0017-y
