Privacy Preserving Access Control in Service-Oriented Architecture

Service-oriented Architecture (SOA) comprises a number of loosely coupled, independent services, which collaborate, interact and share data to accomplish incoming requests. A service invocation can involve multiple services, where each service accesses, processes and shares the client's data. These interactions may share data with unauthorized services and violate the client's privacy. The client has no means of identifying whether a violation has occurred because it has no control over service invocations beyond its trust domain. Such interactions introduce new security challenges which are not present in traditional systems. This paper proposes a data-centric approach for privacy-preserving access control in SOA. Benefits of the proposed approach include the ability for clients to dynamically define access policies and to control data access at the time of each service interaction. A realistic healthcare scenario is used to evaluate the implementation of the proposed solution, which validates its viability.
