Security, privacy and interoperability in heterogeneous systems

Abstract

Partners in VOs can share large amount of data. Sharing of individual data items is straightforward, but sharing components of complex data structures stored in heterogeneous systems is often a challenge. Sharing is typically governed by rules and policies that need to be translated into access right / privilege control and data granularity control. Simultaneous control of privileges and data granularity across different organizations is a difficult task, and most traditional approaches, such role-based access control can become prohibitively complex in such scenarios. We propose a scheme for concurrent control of subject privileges and object granularity. It includes participants, duties and operations, and generates security labels that describe security features. To facilitate interoperability between heterogeneous systems, the labels also carry information about the data model, including dynamic hierarchy description. The model supports subject activity control over objects with variable data access granularity. It encompasses the advantages of existing role based and label based control. First, an abstract subject privilege control model is built, and the mathematical relationships between privileges in the label system are defined. Second, an abstract object dynamic granularity model is produced and the mathematical relationship between granularity levels is established. At last, a pair-wise privacy label system is provided as an integrated information protection mechanism, where relationships between subject activities and privileges are described for actual access control. A formal verification of the proposed method has also been performed. © 2010 IFIP.