Continuous Authorization in Subject-Driven Data Sharing Using Wearable Devices

Sharing personal data with other people or organizations over the web has become a common phenomena of our modern life. This type of sharing is usually managed by access control mechanisms that include access control model and policies. However, these models are designed from the organizational perspective and do not provide sufficient flexibility and control to the individuals. Therefore, individuals often cannot control sharing of their personal data based on their personal context. In addition, the existing context-aware access control models usually check contextual condition once at the beginning of the access and do not evaluate the context during an on-going access. Moreover, individuals do not have control to define how often they want to evaluate the context condition for an ongoing access. Wearable devices such as Fitbit and Apple Smart Watch have recently become increasingly popular. This has made it possible to gather an individual's real-time contextual information (e.g., location, blood-pressure etc.) which can be used to enforce continuous authorization to the individual's data resources. In this paper, we introduce a novel data sharing policy model for continuous authorization in subject-driven data sharing. A software prototype has been implemented employing a wearable device to demonstrate continuous authorization. Our continuous authorization framework provides more control to the individuals by enabling revocation of on-going access to shared data if the specified context condition becomes invalid.

[1]  Antonio Corradi,et al.  Context-based access control for ubiquitous service provisioning , 2004, Proceedings of the 28th Annual International Computer Software and Applications Conference, 2004. COMPSAC 2004..

[2]  Douglas Crockford,et al.  The application/json Media Type for JavaScript Object Notation (JSON) , 2006, RFC.

[3]  A. Cresswell,et al.  From "Need to Know" to "Need to Share": Tangled Problems, Information Boundaries, and the Building of Public Sector Knowledge Networks , 2009 .

[4]  Alfons H. Salden,et al.  Context sensitive access control , 2005, SACMAT '05.

[5]  Ravi S. Sandhu,et al.  Role-Based Access Control , 1998, Adv. Comput..

[6]  R. Sandhu,et al.  The UCON ABC Usage Control Model JAEHONG , 2004 .

[7]  David F. Ferraiolo,et al.  Guide to Attribute Based Access Control (ABAC) Definition and Considerations , 2014 .

[8]  Noël Crespi,et al.  Policy-based usage control for a trustworthy data sharing platform in smart cities , 2020, Future Gener. Comput. Syst..

[9]  Jun Han,et al.  A system architecture for subject-centric data sharing , 2018, ACSW.

[10]  Luca Veltri,et al.  IoT-OAS: An OAuth-Based Authorization Service Architecture for Secure Services in IoT Scenarios , 2015, IEEE Sensors Journal.

[11]  Jun Han,et al.  A Policy Framework for Subject-Driven Data Sharing , 2018, HICSS.

[12]  Roy H. Campbell,et al.  Cerberus: a context-aware security scheme for smart spaces , 2003, Proceedings of the First IEEE International Conference on Pervasive Computing and Communications, 2003. (PerCom 2003)..