Protecting information sharing in distributed collaborative environment

Li, Min (2010) Protecting information sharing in distributed collaborative environment. [Thesis (PhD/Research)]

This thesis focuses on three aspects (i.e., role-based access control, role-based delegation and privacy-aware access control) of developing a systematic methodology for information sharing in distributed collaborative environments. We develop techniques for setting up secure group communication and providing access to group members across many database systems, incorporating the new security constraints and policies raised by current information technologies. We create new forms of access control models to identify and address the issues of sharing information in collaborative environments, and to specify and enforce privacy protection rules that support the identified issues.

In role-based access control (RBAC) systems, permissions are associated with roles, and users are made members of appropriate roles, thereby acquiring the roles’ permissions. This greatly simplifies the management of permissions. Roles are created for the various job functions in an organization, and users are assigned roles based on their responsibilities and qualifications. Users can be easily reassigned from one role to another. Roles can be granted new permissions as new applications and systems are incorporated, and permissions can be revoked from roles as needed. The principal motivation of RBAC is to simplify administration. In large organizations the number of roles can be in the hundreds or thousands, and the number of users can be in the tens or hundreds of thousands, maybe even millions. Effective management of permission-role assignment is therefore very useful in practice for avoiding security breaches, especially when conflicting permissions are granted to the same role. Constraints are an important aspect of RBAC and a powerful mechanism for laying out higher-level organizational policy. Even in the usage control (UCON) model, constraints have received little attention, and no formal language has been proposed to describe them precisely. An appealing direction is to study constraints formally in the RBAC and UCON models. Our work proposes formal approaches to check for conflicts and to help allocate permissions without compromising security in RBAC, and proposes a formal language in which system designers and administrators can specify constraints in UCON models.

Delegation requirements arise when a user needs to act on another’s behalf to access resources. Essentially, in a multi-agent system, delegation becomes the primary mechanism of inter-agent collaboration and cooperation. However, previous delegation models could not work efficiently in large systems, nor could they perform sensitive delegation tasks within the broad area of security. In this thesis, we introduce a flexible ability-based delegation model within RBAC. Moreover, to avoid risk during the delegation process, we propose a secure multi-level delegation model in which a projection is built between the reliability of delegatees and the sensitivity of delegated tasks. Our multi-level delegation model allows a delegatee at a higher trust level to be assigned a higher-level task.
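As an added illustration of the two checks described in the RBAC and delegation paragraphs above (not code from the thesis), the following script models a small policy with mutually exclusive permissions, refuses a permission-role assignment that would put both members of a conflicting pair on one role, and only allows a delegation when the delegator holds the permission, the delegatee’s trust level meets the task’s sensitivity, and the delegatee’s effective permissions stay conflict-free. All role, permission, user and level names are constructed for the example.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample policy (hypothetical names, not from the thesis).
# Each pair lists two permissions that no single role or user may hold together.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"submit_invoice", "approve_invoice"}),
    frozenset({"create_account", "audit_accounts"}),
}
ROLE_PERMS: Dict[str, Set[str]] = {
    "clerk": {"submit_invoice", "view_ledger"},
    "manager": {"approve_invoice", "view_ledger", "audit_accounts"},
    "admin": {"create_account"},
}
# Sensitivity of each delegable task and trust level of each user
# (1 = low, 3 = high); delegation requires trust >= sensitivity.
PERM_SENSITIVITY: Dict[str, int] = {
    "submit_invoice": 1, "view_ledger": 1, "approve_invoice": 3,
    "create_account": 2, "audit_accounts": 3,
}
USER_TRUST: Dict[str, int] = {"alice": 3, "bob": 1, "carol": 3}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"manager"}, "bob": {"clerk"}, "carol": {"admin"},
}


def effective_perms(user: str, delegated: Dict[str, Set[str]]) -> Set[str]:
    """Permissions from the user's roles plus any delegated to the user."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMS[role]
    return perms | delegated.get(user, set())


def find_conflicts(perms: Set[str]) -> List[Tuple[str, str]]:
    """Every conflicting pair that is entirely contained in perms."""
    return sorted(tuple(sorted(p)) for p in CONFLICTS if p <= perms)


def check_role_assignment(role: str, new_perm: str) -> List[Tuple[str, str]]:
    """Conflicts that granting new_perm to role would create (empty = safe)."""
    return find_conflicts(ROLE_PERMS[role] | {new_perm})


def check_delegation(delegator: str, delegatee: str, perm: str,
                     delegated: Dict[str, Set[str]]) -> Optional[str]:
    """None if the delegation is allowed, otherwise the reason it is refused."""
    if perm not in effective_perms(delegator, delegated):
        return "delegator does not hold the permission"
    if USER_TRUST[delegatee] < PERM_SENSITIVITY[perm]:
        return "delegatee trust level below task sensitivity"
    if find_conflicts(effective_perms(delegatee, delegated) | {perm}):
        return "delegation would give delegatee conflicting permissions"
    return None
```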

With the widespread use of information technology, privacy protection has become a major concern, and it cannot be easily achieved by traditional access control models. In this thesis, we propose a privacy-aware access control model with generalization boundaries, which can maximize data usability while minimizing the disclosure of private information. Moreover, our privacy-aware access control model provides a much finer level of control. Although the Hippocratic database enforces fine-grained disclosure policies by creating a privacy authorization table, it does not distinguish which particular method is used to fulfil a service in a real-world case. We use a goal-oriented approach to analyze the privacy policies of the enterprises involved in a business process, in which one can determine the minimum disclosure of data needed to fulfil the root purpose with respect to the customer’s maximum trust. We provide efficient algorithms to automatically derive, from enterprise privacy policies, the optimal set of authorizations needed to achieve a service.

Statistics for USQ ePrint 19562
Item Type: Thesis (PhD/Research)
Item Status: Live Archive
Additional Information: Doctor of Philosophy (PhD) thesis.
Faculty / Department / School: Historic - Faculty of Sciences - Department of Maths and Computing
Date Deposited: 30 Aug 2011 01:13
Last Modified: 13 Jul 2016 01:36
Uncontrolled Keywords: information sharing; distributed collaboration
Fields of Research : 08 Information and Computing Sciences > 0806 Information Systems > 080609 Information Systems Management
08 Information and Computing Sciences > 0804 Data Format > 080499 Data Format not elsewhere classified