
Paper presentation(purpose based privacy preserving access control for secure service provision and...

Date post: 07-Feb-2017
Upload: shravani-edem
Purpose-based Privacy Preserving Access Control for Secure Service Provision and Composition

Authors: Morteza Amini*, Farnaz Osanloo

Shravani Edem, MS in SE, ITU, San Jose, CA

Introduction

• NIST (National Institute of Standards and Technology) defines cloud computing as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction".

• Cloud computing enables users to access dynamic resources over the internet from anywhere and at any time.

• Cloud computing has three delivery models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

• In this paper, the authors use the Software as a Service (SaaS) model to describe how software provides services to customers using web services.

• Web Service: a self-contained, loosely coupled, modular program that can be reused in many new applications.

• The main security concern is that hosting the application and data on shared infrastructure increases the probability of unauthorized access to the data.


1/31/17 - 2711 North First St. - San Jose, CA 95134 - www.itu.edu

Existing Systems:

• Traditional access control models such as DAC (Discretionary Access Control), MAC (Mandatory Access Control) and RBAC (Role-Based Access Control), which are identity-based or identify users through assigned roles, are suitable for centralized systems where only a limited set of known users accesses a known set of services, because those sets do not change.

• This is a defect

• Another solution: When we develop applications in an open system, the communicating parties (users and services) are unknown to each other, and parties that might not be placed in a secure domain may want to access our application. So it is better to determine access control rules based on the attributes of users and services. Thus, the ABAC (Attribute-Based Access Control) model was developed.

• ABAC is structured more simply and efficiently than RBAC, but it still does not address privacy and lacks trust from users.


Author’s Proposed System

To gain that trust and provide excellent services, the authors design a framework that provides services based on the users' privacy policies, especially for the SaaS model.

In this framework, new policies are added to the existing policies automatically, based on the provided services, by following a bottom-up approach: to build a new policy, the framework refers to the existing policies of the services and follows their security requirements.


Motivation to design new framework

Balancing a privacy preserving access control mechanism against user authentication is a big challenge, because users have little interest in revealing their identity, location and actions. So the new framework is designed around the proposed privacy preserving access control model, which includes privacy policies within chains of services. It satisfies 3 basic requirements:

1. The method should be explicit and simple enough for a policy designer to understand.

2. It should use a formal specification method and guarantee the correctness of the proposed algorithm and the created method.

3. It should be easy to implement on existing programming platforms and consistent with existing standards.


Proposed Framework: Its main purpose is to provide privacy preserving access control for composite and simple web services.

In this framework the basic entities and components are:

Users(Requesters), Policy Decision Point(PDP), Policy Enforcement Point(PEP), Policy Administration Point(PAP), Policy Information Point(PIP), Manager, Composer, Ranker, Service Repository, Negotiator.

[Figure: framework diagram; surviving labels: "service call", "handshake"]


Purpose based privacy preserving access control model

• Data Structure of Model: The different parts of the model are defined formally as follows:

• 1. Web Service and Service Provider: There can be different web services, each with a set of tuples (variables or data that might be required by users) and functions to perform on those data or variables. The set of all existing services is denoted by SRV Set.


• 2. Privacy Policy: Each service has its own privacy and access policies. A policy is a tuple; here dj is the data, pj the purposes and tj the available time of dj (in months).

• Example: The above privacy rule says that the data type (name) can be used only for reservation and payment purposes. The time period for maintaining the name record is 1 month.

• 3. Access Control Policy: Applies only if the condition is satisfied, in which case permission to access is granted.

• 2. User Access Request Based on the Privacy Preference:

• In this privacy preference, the user specifies sensitivity level-1 for the name data type, and this data can be used for all purposes except Advertisement.

• Service and Policy Composition: When the existing web services cannot provide the service a user requests, service composition is required, and the services involved are placed in service chains. Based on a survey of the most requested services, the Ranker component assigns the highest rank to the most requested ones. In each policy, positive and negative purposes are verified. Policy Management takes care of adding and removing policy rules and checks for side effects.
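Added example (not from the paper or these slides): a minimal Python sketch of checking a composed service chain's privacy policy against a user's privacy preference. The class and field names, the composition rule (union of purposes, longest retention) and the MAILING and BILLING services are assumptions; only the reservation rule and the user preference mirror the examples above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PrivacyRule:          # service side: (data, purposes, retention in months)
    data: str
    purposes: frozenset
    months: int

@dataclass(frozen=True)
class Preference:           # user side; field names are assumptions
    data: str
    sensitivity: int        # carried only; the slides do not say how levels are compared
    denied: frozenset       # purposes the user excludes

def compose(chain):
    """Assumed bottom-up rule: per data type, union the purposes and keep the
    longest retention of every service in the chain."""
    merged = {}
    for service in chain:
        for r in service:
            old = merged.get(r.data)
            merged[r.data] = r if old is None else PrivacyRule(
                r.data, old.purposes | r.purposes, max(old.months, r.months))
    return merged

def violations(policy, prefs):
    """(data, purpose) pairs where the composite policy uses a denied purpose."""
    return [(p.data, purpose) for p in prefs if p.data in policy
            for purpose in sorted(policy[p.data].purposes & p.denied)]

def select_chain(chains, prefs):
    """First compliant chain; chains are assumed already ordered by rank/QoS."""
    for name, chain in chains.items():
        if not violations(compose(chain), prefs):
            return name
    return None

# Constructed sample data. Only the reservation rule and the preference
# mirror the slides' examples; the other services are invented.
RESERVATION = [PrivacyRule("name", frozenset({"reservation", "payment"}), 1)]
MAILING = [PrivacyRule("name", frozenset({"advertisement"}), 6)]
BILLING = [PrivacyRule("name", frozenset({"payment"}), 1)]
PREFS = [Preference("name", 1, frozenset({"advertisement"}))]
CHAINS = {"A": [RESERVATION, MAILING], "B": [RESERVATION, BILLING]}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(name, violations(compose(chain), PREFS))
    print("selected:", select_chain(CHAINS, PREFS))
```

Chain A is rejected because composing it pulls the advertisement purpose into the policy for name, even though the reservation service on its own complies.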

Conclusion

• Once a new policy is introduced for a web service, the framework automatically follows the bottom-up approach, verifying the policy in the composite services and finally placing that service in a service chain.

• When different service chains are available to provide a composite service, one is selected based on QoS criteria.

• Thus, the proposed system dynamically checks the compliance between the privacy policies of the service provider and the user.

Thank You

