Publication page: https://www.researchgate.net/publication/273635349
Authors: Jerry Gao, Younghee Park, Shuyu Li (Shaanxi Normal University)
I. INTRODUCTION
The term big data has recently come into use to refer to the
ever-increasing amount of information that organizations are
storing, processing and analyzing, owing to the growing
number of information sources in use [1]. Much big data
already resides in the cloud, and this trend will increase in the
future. For example, IT research and advisory firm Gartner
estimates that by 2016 more than half of all large company data
will be stored in the cloud [2]. This trend means that the cloud
must provide a suitable infrastructure for implementing big
data analytics platforms.
Currently, big data is increasingly generated and utilized
across diverse domains such as healthcare, education, and
finance, which brings opportunities to discover new value
and to understand the hidden value of big data. While big
data can yield extremely useful information, it also presents
new challenges with respect to security issues. The
effectiveness and efficiency of traditional security mechanisms
are being reconsidered as big data introduces its own particular
characteristics and security requirements. Current technologies
being developed to manage massive data sets often are not
designed with adequate security measures, in part because we
lack an adequate policy mechanism to be compatible with
current approaches to security.
In general, policy refers to guidelines or regulations that
encourage user engagement and protect participants' data
reports. Security policy is defined according to the National
Institute of Standards and Technology as the "[a]ggregate of
directives, regulations, rules, and practices that prescribes how
an organization manages, protects, and distributes information"
[3].
Sponsored by China Scholarship Council.
result of the comparison, an extension of PRE called Type-based
PRE (TPRE) is proposed for enhancing sticky policy
enforcement.
F. Policy language
Policy language is also a hot topic, and a number of policy
languages have been presented in the last few years, for
example, the eXtensible Access Control Markup Language
(XACML) and its extending authorization profile XSPA.
XACML [20] provides a mechanism for specifying security
and privacy policies. XSPA [21] fosters interoperability in the
healthcare context and introduces mechanisms to enforce
authorization policies controlling access to information,
possibly stored across enterprise boundaries. Kuang et al. [22]
review recent research approaches that focused on security
policy integration and conflict reconciliation among various
healthcare organizations. Based on the results of their analysis,
they proposed an approach for integrating security XACML
policies based on an RBAC policy model considering both
constraints and meta-data information. They also address the
resolution of policy redundancy and conflicts. Hu et al. [23]
present a Semantic Access Control Policy Language (SACPL)
for cloud computing environments. They introduce the Access
Control Oriented Ontology System (ACOOS) as the semantic
basis of SACPL, aiming to solve the interoperability issue of
distributed access control policies. ACOOS is used to
annotate the syntax elements of XACML with semantic
information. The authors also add some syntax elements such
as priority and confidentiality.
G. Policy applied in Healthcare Domain
Security policies in healthcare applications have been a
popular research topic among researchers since data security
and patient privacy are always very important to healthcare
service vendors and practice. Katt et al. [24] propose an
architecture that enables access control for cross-domain
document exchanges according to policies that are stored in a
central repository. Jin et al. [25] propose an access control
scheme that supports patient-centric selective sharing of EHRs
(Electronic Health Records). This work discusses policy
specifications that take into consideration distributed data
integration and privacy protection and provide a mechanism to
identify and resolve policy anomalies in the process of policy
composition. Ardagna et al. [26] propose an access control
solution based on the definition of policy spaces, aiming at
better regulating "break the glass" exceptions that occur in
healthcare systems. Policy space is defined as a policy
repository for policies that regulate access to resources. In this
solution, the policies are defined, composed and evaluated in
different spaces by means of algebra. Deng et al. [27] propose
an approach to build a trustworthy cloud platform motivated by
the specific requirements of healthcare applications and the
trustworthiness of healthcare platforms. The proposed solution
is based on using federated cloud architecture to enforce
common security and data protection policies in various cloud
layers.
result will create a log record, which will be inserted into the
audit log database. The trusted authority is then able to perform
a subsequent analysis to identify possible abuses or access
requests that should be regulated by defining a proper set of
policies. Depending on the evaluation result, the trusted
authority decides whether to release the private decryption key
or to refuse.
From the data user's perspective, after sending a data
access request, he/she will get a response that is either "permit"
or "deny". If the response is "permit", he/she can get the
private decryption key from the trusted authority, then
download the required data from the data center and decrypt it
using the key. Otherwise, he/she will be denied access to the
data.
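The request flow described above, sketched as an added example (not code from the paper or its OpenStack implementation): a trusted authority evaluates each request, logs the result, and releases a key only on "permit". The role names follow the healthcare scenario on this page; the policy table, the `TrustedAuthority` class, the SQLite audit table and the random per-record key (a stand-in for the IBE private key) are assumptions made for illustration.

```python
import secrets
import sqlite3
import time

# Constructed policy table: (role, action) pairs that are permitted.
# Any pair not listed is denied (deny by default).
POLICIES = {
    ("emergency_doctor", "read"),
    ("emergency_doctor", "write"),
    ("nurse", "read"),
}


class TrustedAuthority:
    """Hypothetical trusted authority: evaluates, audits, releases keys."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE audit_log (ts REAL, user TEXT, role TEXT,"
            " resource TEXT, action TEXT, decision TEXT)")
        self._keys = {}  # resource id -> key (stand-in for an IBE private key)

    def register(self, resource_id):
        self._keys[resource_id] = secrets.token_bytes(32)

    def request(self, user, role, resource_id, action):
        permitted = (role, action) in POLICIES and resource_id in self._keys
        decision = "permit" if permitted else "deny"
        # Every evaluation result is logged, whether permit or deny.
        self.db.execute("INSERT INTO audit_log VALUES (?,?,?,?,?,?)",
                        (time.time(), user, role, resource_id, action, decision))
        self.db.commit()
        return decision, (self._keys[resource_id] if permitted else None)

    def denied_summary(self):
        """Denied requests per (role, action): possible abuse or a policy gap."""
        return self.db.execute(
            "SELECT role, action, COUNT(*) FROM audit_log"
            " WHERE decision = 'deny' GROUP BY role, action"
            " ORDER BY role, action").fetchall()
```

A role that shows up repeatedly in `denied_summary()` without any matching policy is the kind of access request the text says should be regulated by defining a proper set of policies.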
V. AN APPLICATION USE CASE IN HEALTHCARE
This section uses a scenario in healthcare to illustrate an
application of the proposed framework. The scenario is
described as follows:
Suppose a child (no more than 12 years old) who has a
broken leg and some contusions on his body (indicating
that he may have been abused) is brought into a hospital by
ambulance late one night, accompanied by his mother.
He is taken to the emergency room and is seen by
emergency room doctors.
In this scenario, several users are involved and each user
has a different role and access control requirements for
accessing the hospital's EHR (Electronic Health Record) data.
These users include: (1) the child who needs treatment; (2) the
child's parent; (3) the emergency doctors; (4) the nurses; (5)
the social workers who are possibly responsible for helping the
VI. CONCLUSION
This paper presents a meta-model for security policies and
a comprehensive framework for access management at the IaaS
level. The advantages to using our meta-model include easy
upgrading, customization, automatic evaluation and validation
of security policies. The proposed framework is being
implemented on the open source IaaS platform OpenStack,
using HDFS and MySQL for data storage and adopting IBE as
the encryption method. However, we must address several
challenges including policy heterogeneity and policy
aggregation in order to implement a fully secure and trusted
policy framework for big data infrastructure. For future work,
we plan to address these challenges by developing automated
security policies, mediation for conflict resolution of
heterogeneous policies, and auditing and compliance for policy
enforcement.
REFERENCES
[1] Tankard, Colin. "Big data security". Network Security, 2012, no.7: 5-8.
[2] Domenico Talia. "Clouds for Scalable Big Data Analytics". IEEE
Computer, 2013, vol.46, no.5: 98-101.
[3] Karadsheh, Louay. "Applying security policies and service level
agreement to IaaS service model to enhance security and transition".
Computers & Security, 2012, vol.31, no.3: 315-326.
[4] Chunming Rong , Son T. Nguyen , Martin Gilje Jaatun. "Beyond
lightning: A survey on security challenges in cloud computing".
Computers and Electrical Engineering, 2013, vol.39, no.1:47-54.
[5] Mark Dermot Ryan. "Cloud computing security: the scientific challenge,
and a survey of solutions". Journal of Systems and Software, 2013,
vol.86, no.9: 2263-2268.
[6] Min Chen, Shiwen Mao, Yunhao Liu. "Big data: a survey". Mobile
Networks and Applications, 2014, vol.19, no.2: 171-209.
[7] David Ferraiolo, Janet Cugini and Richard Kuhn. "Role-based Access
Control (RBAC): Features and motivations". Proceedings of 11th
Annual Computer Security Applications Conference, 1995, pp. 241-248.
[8] Abou ElKalam A, El Baida R, Balbiani P, Benferhat S, Cuppens F,
Deswarte Y, Miège A, Saurel C, Trouessin G. "Organization based
access control". Proceedings of IEEE 8th international workshop on
policies for distributed systems and networks, 2003, pp. 1-12.
[9] Louay Karadsheh. "Applying security policies and service level
agreement to IaaS service model to enhance security and transition".
Computers & Security, 2012, vol.31, no.3: 315-326.
[10] Said Oulmakhzoune, Nora Cuppens-Boulahia, Frédéric Cuppens,
Stephane Morucci, Mahmoud Barhamgi, Djamal Benslimane. "Privacy
query rewriting algorithm instrumented by a privacy-aware access
control model". Annales des Télécommunications, 2014, vol.69, no.1: 3-19.
[11] Mukesh Singhal, Santosh Chandrasekhar, Tingjian Ge, Ravi S. Sandhu,
Ram Krishnan, Gail-Joon Ahn, Elisa Bertino. "Collaboration in
multicloud computing environments: framework and security issues".
IEEE Computer, 2013, vol.46, no.2: 76-84.
[12] Takabi Hassan. "A semantic based policy management framework for
cloud computing environments". Doctoral Dissertation, University of
Pittsburgh, 2013.
[13] J. M. Alcaraz Calero, N. Edwards, J. Kirschnick, L. Wilcock, M. Wray.
"Toward a multi-tenancy authorization system for cloud services". IEEE
Security and Privacy, 2010, vol.8, no.6: 48-55.
[14] Abdulrahman Almutairi, Muhammad I. Sarfraz, Saleh Basalamah, Walid
G. Aref, Arif Ghafoor. "A distributed access control architecture for
cloud computing". IEEE Software, 2012, vol.29, no.2: 36-44.
[15] Ulrich Lang, Rudolf Schreiner. "Analysis of recommended cloud
security controls to validate OpenPMF policy as a service".
Information Security Technical Report, 2011, vol.16, no.3: 131-141.
[16] Mohammed Hussain , Hanady Abdulsalam. "SECaaS: security as a
service for cloud-based applications". Proceedings of the Second Kuwait
Conference on e-Services and e-Systems, 2011, pp. 1-4.
[17] G. Karjoth, M. Schunter, M. Waidner. "Platform for enterprise privacy
practices: privacy-enabled management of customer data". Proceedings
of 2nd Workshop on Privacy Enhancing Technologies, 2002, Springer,
LNCS, vol.2482, pp. 69-84.
[18] Siani Pearson, Marco Casassa Mont. "Sticky policies: an approach for
managing privacy across multiple parties". IEEE Computer, 2011,
vol.44, no.9: 60-68.
[19] Tang Qiang. "On using encryption techniques to enhance sticky policies
enforcement". Technical Report TR-CTIT-08-64, Centre for Telematics
and Information Technology University of Twente, Enschede, 2008,
ISSN 1381-3625.
[20] eXtensible Access Control Markup Language (XACML) Version 2.0.
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf, February 2005.
[21] Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of
XACML v2.0 for Healthcare Version 1.0. http://www.oasis-open.org/committees/document.php?document_id=34164&wg_abbrev=xacml, August 2009.
[22] T. P. Kuang, H. Ibrahim, N. I. Udzir, F. Sidi. "Security extensible access
control markup language policy integration based on role-based access
control model in healthcare collaborative environments". American
Journal of Economics and Business Administration, 2011, vol.3, no.1:
101-111.
[23] L. Hu, Sh. Ying, X. Jia, K. Zhao. "Towards an approach of semantic
access control for cloud computing". Proceedings of First International
Conference on Cloud Computing (CloudCom09), 2009, pp. 145-156.
[24] B. Katt, R. Breu, M. Hafner, T. Schabetsberger, R. Mair, F. Wozak.
"Privacy and access control for ihe-based systems". Proceedings of First
International Conference Electronic Healthcare, 2008, pp. 145-153.
[25] Jing Jin, Gail-Joon Ahn, Hongxin Hu, Michael J. Covington, Xinwen
Zhang. "Patient-centric authorization framework for electronic
healthcare services". Computers & Security, 2011, vol.30, no.2: 116-127.
[26] Claudio Agostino Ardagna, Sabrina De Capitani di Vimercati, Sara
Foresti, Tyrone Grandison, Sushil Jajodia, Pierangela Samarati. "Access
control for smarter healthcare using policy spaces". Computers &
Security, 2010, vol.29, no.8: 848-858.
[27] Deng, M., Nalin, M., Petkovic, M., Baroni, I., Marco, A. "Towards
trustworthy health platform cloud". Proceedings of Secure Data
Management Workshop, 2012, Springer, LNCS, vol.7482, pp. 162-175.