An authorization model for cross-enterprise collaborations
Corresponding Author
Fotios I. Gogoulos
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Correspondence: Fotios I. Gogoulos, School of Electrical and Computer Engineering, National Technical University of Athens, Heroon Polytechniou 9, 15773, Athens, Greece.
E-mail: [email protected]
Search for more papers by this authorAnna Antonakopoulou
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Search for more papers by this authorGeorgios V. Lioudakis
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Search for more papers by this authorAziz S. Mousas
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Search for more papers by this authorDimitra I. Kaklamani
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Search for more papers by this authorIakovos S. Venieris
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Search for more papers by this authorCorresponding Author
Fotios I. Gogoulos
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Correspondence: Fotios I. Gogoulos, School of Electrical and Computer Engineering, National Technical University of Athens, Heroon Polytechniou 9, 15773, Athens, Greece.
E-mail: [email protected]
Search for more papers by this authorAnna Antonakopoulou
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Search for more papers by this authorGeorgios V. Lioudakis
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Search for more papers by this authorAziz S. Mousas
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Search for more papers by this authorDimitra I. Kaklamani
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Search for more papers by this authorIakovos S. Venieris
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
Search for more papers by this authorAbstract
In the modern enterprise world, collaboration has emerged as a standard of best business practice. In order to build competitive advantages and minimize inefficiencies, organizations nowadays pursuit strategic alliances with partners outside the comfort of familiar security zones, loosen their hierarchical structures, exploit “edge” competencies, and aggregate diverse and heterogeneous sources of information. Nevertheless, such techniques dictate the concentration, use, and circulation of corporate information and sensitive personal data and, thus, ignite severe information confidentiality and privacy concerns. Hence, the employment of the appropriate collaboration technology is not sufficient; potential lack of successful protection mechanisms limits the effectiveness of partnerships and denies the respective investments to reach their full potential. In this paper, an authorization framework toward the protection of sensitive resources in the context of cross-enterprise scenarios is presented. The proposed framework is founded on the utilization of a semantic information model, which integrates individual privacy preferences, organizational access control rules and information handling policies into the authorization determination procedure. Partners within the framework are organized in a bridged federated architecture in order to build a secure communication network, within which semantic and trust interoperability is guaranteed. Copyright © 2014 John Wiley & Sons, Ltd.
References
- 1
Bughin J. The rise of enterprise 2.0. Journal of Direct, Data and Digital Marketing Practice 2008; 9(3): 251–259.
10.1057/palgrave.dddmp.4350100 Google Scholar
- 2 De Hertogh S, Viaene S, Dedene G. Governing Web 2.0. Communications of the ACM 2011; 54(3): 124–130.
- 3 F Cruz-Cunha, M Manuela, J Varajo (eds.) Handbook of Research on Enterprise 2.0: Technological, Social, and Organizational Dimensions. IGI Global, 2014.
- 4 Cavoukian A, Tapscott D. Privacy and the Enterprise 2.0. New Paradigm Learning Corporation: Toronto, Ontario, Canada, 2006.
- 5 The Gallup Organization. Data protection in the European Union: citizens perceptions analytical report, 2008. Flash Eurobarometer 225.
- 6 TNS Opinion & Social. Attitudes on data protection and electronic identity in the European Union, 2011. Special Eurobarometer 359.
- 7 Acquisti A. The economics of personal data and the economics of privacy, 2010. Joint WPISP-WPIE Roundtable.
- 8 Datta P, Chatterjee S. Online consumer market inefficiencies and intermediation. ACM SIGMIS Database 2011; 42(2): 55–75.
- 9 Milojicic D. Interview with Rich Friedrich, Dave Cohen, and Alex Dreiling. IEEE Internet Computing 2008; 12(1): 10–13.
- 10
Gogoulos F,
Antonakopoulou A,
Lioudakis GV,
Kaklamani DI,
Venieris IS. Trust in an enterprise world: a survey. In Handbook of Research on Enterprise 2.0, MM Cruz-Cunha, F Moreira, J Varajão (eds). IGI Global: Hershey, Pennsylvania (USA), 2014; 199–219.
10.4018/978-1-4666-4373-4.ch011 Google Scholar
- 11 Adams C, Lloyd S. Understanding pki: Concepts, Standards, and Deployment Considerations, 2nd edn. Addison-Wesley Longman Publishing Co., Inc.: Boston, MA, USA, 2002.
- 12 Dhamija R, Dusseault L. The seven flaws of identity management: usability and security challenges. IEEE Security and Privacy 2008; 6(2): 24–29.
- 13 Borking JJ. Why adopting privacy enhancing technologies (PETs) takes so much time. In Computers, privacy and data protection: an element of choice, S Gutwirth, Y Poullet, P De Hert, R Leenes (eds). Springer: Netherlands, 2011; 309–341
- 14 European Parliament and Council. Directive 95/46/EC of the European Parliament and of the Council of 24 october 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Communities 1995; L 281: 31–50.
- 15 European Parliament and Council. Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Official Journal of the European Communities 2002; L 201: 37–47.
- 16 Organization for economic co-operation and development. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1981.
- 17
Lioudakis GV,
Gaudino F,
Boschi E,
Bianchi G,
Kaklamani DI,
Venieris IS. Legislation-aware privacy protection in passive network monitoring. In Information Communication Technology Law, Protection and Access Rights: Global Approaches and Issues, IM Portela, MM Cruz-Cunha (eds). IGI Global: Hershey, Pennsylvania (USA), 2010: 363–383.
10.4018/978-1-61520-975-0.ch022 Google Scholar
- 18 Polk WT, Hastings NE, Malpani A. Public key infrastructures that satisfy security goals. IEEE Internet Computing 2003; 7(4): 60–67.
- 19 Polk WT, Hastings NE. Bridge certification authorities: connecting B2B public key infrastructures, 2001. National Institute of Standards and Technology.
- 20 International Telecommunication Union. X.509: information technology-open systems interconnection-the directory: public-key and attribute certificate frameworks, 2008. ITU-T Recommendation.
- 21 Westerinen A, Schnizlein J, Strassner J, Scherling M, Quinn B, Herzog S, Huynh A, Carlson M, Perry J, Waldbusser S. Terminology for policy-based management, 2001. RFC 3198 (Informational).
- 22 JBoss AS. (Available from: http://www.jboss.org/) [Accessed on 25 August 2013].
- 23 Lioudakis GV, Gogoulos F, Antonakopoulou A, Kaklamani DI, Venieris IS. Privacy protection in passive network monitoring: an access control approach, Proceedings of the 2009 International Conference on Advanced Information Networking and Applications Workshops, WAINA ’09, IEEE Computer Society: Washington, DC, USA, 2009; 109–116.
- 24 Gogoulos F, Antonakopoulou A, Lioudakis GV, Mousas AS, Kaklamani DI, Venieris IS. Privacy-aware access control and authorization in passive network monitoring infrastructures, CIT 2010: Proceedings of the 10th IEEE International Conference on Computer and Information Technology, Bradford, 2010; 1114–1121.
- 25 McGuinness DL, Van Harmelen F. OWL Web ontology language overview, 2004. W3C Recommendation, (Available from: http://www.w3.org/TR/owl-features/) [Accessed on 25 August 2013].
- 26 Samer WA, Romain L, Francois B, AbdelMalek B. A formal model of trust for calculating the quality of x. 509 certificate. Security and Communication Networks 2011; 4(6): 651–665.
- 27 Drabent W. Hybrid reasoning with non-monotonic rules, Proceedings of the 6th International Conference on Semantic Technologies for Software Engineering, ReasoningWeb’10, Springer-Verlag: Berlin, Heidelberg, 2010; 28–61.
- 28 Mousas AS, Antonakopoulou A, Gogoulos F, Lioudakis GV, Kaklamani DI, Venieris IS. Visualising access control: the PRISM approach, Proceedings of the 2010 14th Panhellenic Conference on Informatics, PCI ’10, IEEE Computer Society: Washington, DC, USA, 2010; 107–111.
- 29 Apache J. (Available from: http://jena.apache.org/) [Accessed on 25 August 2013].
- 30 Park JS, An G, Liu IY. Active access control (AAC) with fine-granularity and scalability. Security and Communication Networks 2011; 4(10): 1114–1129.
- 31 Karjoth G, Schunter M, Waidner M. Platform for enterprise privacy practices: privacy-enabled management of customer data, Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET’02, Springer-Verlag: Berlin, Heidelberg, 2003; 69–84.
- 32 Bhargav-Spantzel A, Squicciarini AC, Bertino E. Trust negotiation in identity management. IEEE Security & Privacy 2007; 5(2): 55–63.
- 33 Crockford D. The application/json media type for JavaScript object notation (JSON), 2006. RFC 4627 (Informational).
- 34 Rescorla E. HTTP Over TLS, 2000. RFC 2818 (Informational).
- 35 Blaze M, Feigenbaum J, Keromytis AD. Keynote: trust management for public-key infrastructures (position paper), Proceedings of the 6th International Workshop on Security Protocols, Springer-Verlag: London, UK, UK, 1999; 59–63.
- 36 Li N, Mitchell JC, Winsborough WH. Design of a role-based trust-management framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, SP ’02, IEEE Computer Society: Washington, DC, USA, 2002; 114–130.
- 37 Alfieri R, Cecchini R, Ciaschini V, dell Agnello LF, Gianoli A, LÃţrentey K, Spataro F. VOMS, an authorization system for virtual organizations. In Grid Computing, Lecture Notes in Computer Science, Vol. 2970, F Fernndez Rivera, M Bubak, A Gmez Tato, R Doallo (eds). Springer-Verlag: Berlin, Heidelberg, 2004; 33–40.
- 38
Thompson MR,
Essiari A,
Mudumbai S. Certificate-based authorization policy in a PKI environment. ACM Transactions on Information and System Security 2003; 6(4): 566–588.
10.1145/950191.950196 Google Scholar
- 39 Chadwick D, Zhao G, Otenko S, Laborde R, Su L, Nguyen TA. PERMIS: a modular authorization infrastructure. Concurrency and Computation:Practice and Experience 2008; 20(11): 1341–1357.
- 40 Koshutanski H, Ma A. Interoperable semantic access control for highly dynamic coalitions. Security and Communication Networks 2010; 3(6): 565–594.
- 41 Bauer L, Schneider MA, Felten EW, Appel AW. Access control on the Web using proof-carrying authorization, Proceedings of Darpa Information Survivability Conference and Exposition, 2003. vol. 2, IEEE, Washington, DC, USA,2003; 117–119.
- 42 Bauer L, Garriss S, Reiter MK. Distributed proving in access-control systems, Proceedings of the 2005 IEEE Symposium on Security and Privacy, SP ’05, IEEE Computer Society: Washington, DC, USA, 2005; 81–95.
- 43 Lesniewski-Laas C, Ford B, Strauss J, Morris R, Kaashoek MF. Alpaca: extensible authorization for distributed services, Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS ’07, ACM: New York, NY, USA, 2007; 432–444.
- 44 Maffei M, Pecina K. Privacy-aware proof-carrying authorization, Proceedings of the ACM Sigplan 6th Workshop on Programming Languages and Analysis for Security, PLAS ’11, ACM: New York, NY, USA, 2011; 7:1–7:6.
- 45
Antonakopoulou A,
Lioudakis GV,
Gogoulos F,
Kaklamani DI,
Venieris IS. Leveraging access control for privacy protection: a survey. In Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards, G Yee (ed). IGI Global: Hershey, Pennsylvania (USA), 2012; 65–94.
10.4018/978-1-61350-501-4.ch003 Google Scholar
- 46 Ardagna CA, Damiani E, De Capitani di Vimercati S, Samarati P. Towards privacy-enhanced authorization policies and languages, Proceedings of the 19th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, DBSec’05, Springer-Verlag: Berlin, Heidelberg, 2005; 16–27.
- 47 Ardagna CA, Cremonini M, De Capitani di Vimercati S, Samarati P. A privacy-aware access control system. Journal of Computer Security 2008; 16(4): 369–397.
- 48 Trabelsi S, Sendor J, Reinicke S. PPL: primelife privacy policy engine, 2011 IEEE International Symposium on Policies for Distributed Systems and Networks (Policy), IEEE, Pisa, Italy, 2011; 184–185.
- 49 Bezzi M, Trabelsi S. Data usage control in the future Internet cloud. In The Future Internet, J Domingue, A Galis, A Gavras, T Zahariadis, D Lambert (eds). Springer-Verlag: Berlin, Heidelberg, 2011; 223–231.
- 50 Fatema K, Chadwick D, Lievens S. A multi-privacy policy enforcement system. In Privacy and Identity Management For Life, IFIP Advances in Information and Communication Technology, Vol. 352, S Fischer-Hübner, P Duquenoy, M Hansen, R Leenes, G Zhang (eds). Springer Berlin Heidelberg: 2011; 297–310.
- 51 Chadwick DW, Fatema K. A privacy preserving authorisation system for the cloud. Journal of Computer and System Sciences 2012-09; 78(5): 1359–1373.
- 52 Arenas AE, Aziz B, Silaghi GC. Reputation management in collaborative computing systems. Security and Communication Networks 2010; 3(6): 546–564.
- 53 CAS Open CRM solution. (Available from: http://www.cas-crm.com/products/cas-open/), [Accessed on 25 August 2013].
- 54 FP7 ICT project PRISM (privacy-aware secure monitoring). (Available from: http://www.fp7-prism.eu/) [Accessed on 25 August 2013].
- 55 FP7 ICT Project DEMONS (Decentralized, cooperative, and privacy-preserving monitoring for trustworthinesS). (Available from: http://www.fp7-demons.eu/).
