Role-based integrated access control and data provenance for SOA based net-centric systems

Service-oriented architecture (SOA) has been widely adopted in the development of many net-centric application systems. In SOA, services potentially from different domains are composed together to accomplish critical tasks. In these systems, security and trustworthiness are the major concerns that have not been well addressed. Many access control models have been developed to ensure proper accesses to critical resources from local as well as external domains. Also, many data provenance schemes have been proposed in recent years to support data quality assessment and enhancement, data reproduction, etc. However, none of the existing mechanisms consider both access control and data provenance in a unified model. In this paper, we propose an integrated role-based access control and data provenance model to secure the cross-domain interactions. We develop a role-based data provenance scheme which tracks the roles of the data originators and contributors and uses this information to help evaluate data trustworthiness. We also make use of the data provenance information and the derived data quality attributes to assist with role-based access control. In this integrated model, the secure usage of a data resource must also consider the quality and trustworthiness of the data. To realize this concept, we develop an extended access control model in which access permissions are specified with constraints over the provenance attributes. Also, to assure confidentiality, we record the access constraints from the data originators and contributors to help decide how the data should be further disseminated.

[1]  Pierangela Samarati,et al.  Providing Security and Interoperation of Heterogeneous Systems , 2004, Distributed and Parallel Databases.

[2]  Elisa Bertino,et al.  Access control enforcement for conversation-based web services , 2006, WWW '06.

[3]  Carlo Batini,et al.  Methodologies for data quality assessment and improvement , 2009, CSUR.

[4]  Elisa Bertino,et al.  An Approach to Evaluate Data Trustworthiness Based on Data Provenance , 2008, Secure Data Management.

[5]  Elisa Bertino,et al.  Secure interoperation in a multidomain environment employing RBAC policies , 2005, IEEE Transactions on Knowledge and Data Engineering.

[6]  Raymond A. Paul,et al.  Data provenance in SOA: security, reliability, and integrity , 2007, Service Oriented Computing and Applications.

[7]  Sanjeev Khanna,et al.  Why and Where: A Characterization of Data Provenance , 2001, ICDT.

[8]  David A. Bell,et al.  Secure computer systems: mathematical foundations and model , 1973 .

[9]  James Cheney,et al.  Provenance in Databases: Why, How, and Where , 2009, Found. Trends Databases.

[10]  Sushil Jajodia,et al.  A logic-based framework for attribute based access control , 2004, FMSE '04.

[11]  Cláudio T. Silva,et al.  Provenance for Computational Tasks: A Survey , 2008, Computing in Science & Engineering.

[12]  Jaehong Park,et al.  The UCONABC usage control model , 2004, TSEC.

[13]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[14]  Elisa Bertino,et al.  Secure collaboration in mediator-free environments , 2005, CCS '05.

[15]  V. S. Subrahmanian,et al.  Merging Heterogeneous Security Orderings , 1996, ESORICS.

[16]  Elisa Bertino,et al.  Security-Aware Service Composition with Fine-Grained Information Flow Control , 2013, IEEE Transactions on Services Computing.

[17]  Elisa Bertino,et al.  Effective and efficient implementation of an information flow control protocol for service composition , 2009, 2009 IEEE International Conference on Service-Oriented Computing and Applications (SOCA).

[18]  Bhavani M. Thuraisingham,et al.  WS-Sim: A Web Service Simulation Toolset with Realistic Data Support , 2010, 2010 IEEE 34th Annual Computer Software and Applications Conference Workshops.

[19]  David W. Walker,et al.  Support for Provenance in a Service-based Computing Grid , 2004 .

[20]  Silas Boyd-Wickizer,et al.  Securing Distributed Systems with Information Flow Control , 2008, NSDI.

[21]  Elisa Bertino,et al.  Policy-Driven Service Composition with Information Flow Control , 2010, 2010 IEEE International Conference on Web Services.

[22]  Bhavani M. Thuraisingham,et al.  Rule-Based Run-Time Information Flow Control in Service Cloud , 2011, 2011 IEEE International Conference on Web Services.

[23]  Xin Jin,et al.  RABAC: Role-Centric Attribute-Based Access Control , 2012, MMM-ACNS.

[24]  Ravi S. Sandhu,et al.  Lattice-based access control models , 1993, Computer.

[25]  Barbara Carminati,et al.  Enforcing access control in Web-based social networks , 2009, TSEC.

[26]  Yogesh L. Simmhan,et al.  A survey of data provenance in e-science , 2005, SGMD.

[27]  Elisa Bertino,et al.  TRBAC , 2001, ACM Trans. Inf. Syst. Secur..

[28]  Elisa Bertino,et al.  The SCIFC Model for Information Flow Control in Web Service Composition , 2009, 2009 IEEE International Conference on Web Services.

[29]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..