Abstract
Data exchange between organizations is becoming an increasingly significant issue due to the great opportunities it presents. However, there is great reluctance to share if data sovereignty is not provided. Providing it calls for not only access control but also usage control implemented in distributed systems. Access control is a research field where there has been a great deal of work, but usage control, especially implemented in distributed systems as Distributed Usage Control (DUC), is a very new field of research that presents great challenges. Moreover, little is known about what challenges must really be faced and how they must be addressed. This is evidenced by the fact that existing research has focused non-specifically on different features of DUC, which are not formalized. Therefore, the path for the development of DUC solutions is unclear and it is difficult to analyze the scope of data sovereignty attained by the wide range of DUC solutions. In this context, this article is based on an initial in-depth analysis of DUC related work. In it, the challenges posed by DUC in terms of data sovereignty and the features that must be provided to address them are identified and analyzed for the first time. Based on these features, an initial DUC framework is proposed to assess in a practical and unified way the extent to which DUC solutions provide data sovereignty. Finally, the assessment framework is applied to compare the scopes of the most widespread DUC solutions and identify their limitations.
- [1] . 1976. Protection in operating systems. Commun ACM 19, 8 (1976), 461–471.
DOI: Google ScholarDigital Library - [2] . 1996. The expressive power of multi-parent creation in monotonic access control models. Journal of Computer Security 4, 2/3 (1996), 149–166.
DOI: Google ScholarCross Ref - [3] . 1996. Role hierarchies and constraints for lattice-based access controls. In Proceedings of the 4h European Symposium on Research in Computer Security. Lecture Notes in Computer Science, Computer Security-ESORICS96, Springer.Google ScholarCross Ref
- [4] Matunda Nyanchama and Sylvia Osborn. 1996. Modeling Mandatory Access Control in Role-Based Security Systems. In Database Security IX. IFIP Advances in Information and Communication Technology, D. L. Spooner, S. A. Demurjian, and J. E. Dobson (Eds). Springer, Boston, MA. Google ScholarCross Ref
- [5] . 1998. How to do discretionary access control using roles. In Proceedings of the ACM Workshop on Role-Based Access Control. 47–54.Google ScholarDigital Library
- [6] . 1999. Simulation of the augmented typed access matrix model (ATAM) using roles. In Proceedings of INFOSECU99 International Conference on Information and SecurityU99.Google Scholar
- [7] . 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security 3, 2 (May 2000), 85–106.
DOI: Google ScholarDigital Library - [8] . 2001. Benefits of information sharing with supply chain partnerships. Industrial Management and Data Systems 101, 3 (2001), 114–119.
DOI: Google ScholarCross Ref - [9] . 2002. Towards usage control models: Beyond traditional access control. In Proceedings of the 7th ACM Symposium on Access Control Models and Technologies. Monterey, California, USA, 57–64.
DOI: Google ScholarDigital Library - [10] . 2003. Usage control: A vision for next generation access control. In Proceedings of the Computer Network Security. 17–31.
DOI: Google ScholarCross Ref - [11] . 2003. Provisions and obligations in policy rule management. Journal of Network and Systems Management 11, 3 (2003), 351–372.
DOI: Google ScholarCross Ref - [12] . 2005. Beyond Proof-of-compliance: Security analysis in trust management. Journal of the ACM 52, 3 (2005), 474–514.
DOI: Google ScholarDigital Library - [13] . 2004. Comparing the expressive power of access control models. In Proceedings of the 11th ACM Conference on Computer and Communications Security. 62–71.
DOI: Google ScholarDigital Library - [14] . 2004. Attribute mutability in usage control. In Proceedings of the Research Directions in Data and Applications Security XVIII. 15–29.
DOI: Google ScholarCross Ref - [15] . 2002. The UCON ABC usage control model. ACM Transactions on Information and System Security 7, 1 (2002), 128–174.
DOI: Google ScholarDigital Library - [16] . 2005. Formal model and policy specification of usage control. ACM Transactions on Information and System Security 8, 4 (2005), 351–387.
DOI: Google ScholarDigital Library - [17] . 2005. On obligations. In Proceedings of the 10th European Symposium on Research in Computer Security. 12–14.
DOI: Google ScholarDigital Library - [18] Alexander Pretschner, Manuel Hilty, and David Basin. 2006. Distributed usage control. Commun. ACM 49, 9 (September 2006), 39--44. Google ScholarCross Ref
- [19] . 2007. A policy language for distributed usage control. In Proceedings of the 12th European Symposium on Research in Computer Security. 24–26.
DOI: Google ScholarCross Ref - [20] . 2007. A theory for comparing the expressive power of access control models. Journal of Computer Security 15, 2 (2007), 231–272.
DOI: Google ScholarCross Ref - [21] . 2008. A general obligation model and continuity-enhanced policy enforcement engine for usage control. In Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT). ACM, 123–132.
DOI: Google ScholarDigital Library - [22] . 2009. PrimeLife Policy Language. Retrieved June 15, 2022 from https://www.w3.org/2009/policy-ws/papers/Trabelisi.pdf.Google Scholar
- [23] . 2010. Usage control in computer security: A survey. Computer Science Review 4, 2 (May 2010), 81–99.
DOI: Google ScholarDigital Library - [24] . 2011. Sticky policies. An approach for managing privacy across multiple parties. IEEE Computer 44, 9 (2011), 60–68.
DOI: Google ScholarDigital Library - [25] . 2011. PPL: PrimeLife privacy policy engine. In Proceedings of the 2011 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2011. 184–185.
DOI: Google ScholarCross Ref - [26] . 2013. Sticky policies for mobile devices. In Proceedings of the ACM symposium on Access control Models and Technologies, SACMAT. ACM, 257–260.
DOI: Google ScholarDigital Library - [27] . 2013. Application-sensitive access control evaluation using parameterized expressiveness. In Proceedings of the 2013 IEEE 26th Computer Security Foundations Symposium. 145–160.
DOI: Google ScholarDigital Library - [28] Organization for the Advancement of Structured Information Standards (OASIS). 2013. eXtensible Access Control Markup Language (XACML) Version 3.0. Retrieved June 15, 2022 from http://docs.oasisopen.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf.Google Scholar
- [29] . 2014. On the suitability of dissemination-centric access control systems for group-centric sharing. In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy CODASPY 2014. Association for Computing Machinery, 1–12.
DOI: Google ScholarDigital Library - [30] . 2014. An actor-based, application-aware access control evaluation framework. In Proceedings of the ACM Symposium on Access Control Models and Technologies, SACMAT. Association for Computing Machinery 199–210.
DOI: Google ScholarDigital Library - [31] . 2014. Enhancing cloud security with context-aware usage control policies. In Proceedings of the Informatik. 211–222.Google Scholar
- [32] . 2015. Decomposing, comparing, and synthesizing access control expressiveness simulations. In Proceedings of the 2015 IEEE 28th Computer Security Foundations Symposium. 18–32.Google ScholarDigital Library
- [33] . 2015. PPL v2.0: Uniform data access and usage control on cloud and mobile. In Proceedings of the 1st International Workshop on TEchnicaland LEgal Aspects of Data pRIvacy and Security, TELERISE 2015. Institute of Electrical and Electronics Engineers Inc., 2–7.
DOI: Google ScholarDigital Library - [34] Florian Kelbert and Alexander Pretschner. 2015. A Fully Decentralized Data Usage Control Enforcement Infrastructure. In Proc. 13th International Conference on Applied Cryptography and Network Security.
DOI: Google ScholarCross Ref - [35] . 2017. Implementing usage control in internet of things: A smart home use case. In Proceedings of the 2017 IEEE Trustcom/BigDataSE/ICESS, IEEE, 1056–1063.
DOI: Google ScholarCross Ref - [36] . 2018. Data usage control for distributed systems. ACM Transactions on Privacy and Security 21, 3 (June 2018).
DOI: Google ScholarDigital Library - [37] Elizabeth Scaria, Arnaud Berghmans, Marta Pont, Catarina Arnaut, and Sophie Leconte. 2018. Study on data sharing between companies in Europe: Final report, Publications Office. Retrieved June 15, 2022 from .Google ScholarCross Ref
- [38] . 2018. LUCON: Data flow control for message-based IoT systems. In Proceedings of the 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE).
DOI: Google ScholarCross Ref - [39] . 2018. Industrial data space architecture implementation using FIWARE. Sensors (Switzerland) 18, 7 (July 2018).
DOI: Google ScholarCross Ref - [40] . 2018. The challenge of access control policies quality. Journal of Data and Information Quality 10, 2 (September 2018).
DOI: Google ScholarDigital Library - [41] . 2019. A Distributed Usage Control Framework for Industrial Internet of Things.
DOI: Google ScholarCross Ref - [42] . 2019. Data sovereignty and data space ecosystems. Business and Information Systems Engineering 61, 5 (2019), 549–550.
DOI: Google ScholarCross Ref - [43] 2019. IDSA Reference Architecture Model. Retrieved June 15, 2022 from https://internationaldataspaces.org//wp-content/uploads/IDS-Reference-Architecture-Model-3.0-2019.pdf.Google Scholar
- [44] . 2020. A systematic approach toward extracting technically enforceable policies from data usage control requirements. In Proceedings of the 6th International Conference on Information Systems Security and Privacy (ICISSP'20).
DOI: Google ScholarCross Ref - [45] . 2019. Theoretical assessment of existing frameworks for data usage control: Strength and limitations with respect to current application scenarios.Google Scholar
- [46] . 2019. Methods and tools for policy analysis. ACM Computing Surveys 51, 6 (February 2019).
DOI: Google ScholarDigital Library - [47] . 2020. Evaluation methodology for distributed usage control solutions. In Proceedings of the 2020 Global Internet of Things Summit (GIoTS).
DOI: Google ScholarCross Ref - [48] . 2020. Data usage and access control in industrial data spaces: Implementation using FIWARE. Sustainability 12, 9 (May 2020).
DOI: Google ScholarCross Ref - [49] . 2020. The international data spaces information model—an ontology for sovereign exchange of digital content. In Proceedings of the International Semantic Web Conference 2020.
DOI: Google ScholarDigital Library - [50] European Commission. 2022. A European Strategy for data | Shaping Europe. Retrieved June 15, 2022 from https://digital-strategy.ec.europa.eu/en/policies/strategy-data.Google Scholar
- [51] Internet Society. 2022. Concerns Over Privacy and Security Contribute to Consumer. Retrieved June 15, 2022 from https://www.internetsociety.org/news/press-releases/2019/concerns-over-privacy-and-security-contribute-to-consumer-distrust-in-connected-devices/.Google Scholar
- [52] . 2018. Open Digital Rights Language (ODRL) Version 2.2. Retrieved June 15, 2022 from https://www.w3.org/TR/odrl-model/(visitedon19/05/2022).Google Scholar
Index Terms
- Assessment Framework for the Identification and Evaluation of Main Features for Distributed Usage Control Solutions
Recommendations
Data usage control enforcement in distributed systems
CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacyDistributed usage control is concerned with how data may or may not be used in distributed system environments after initial access has been granted. If data flows through a distributed system, there exist multiple copies of the data on different client ...
Data Sovereignty Governance Framework
ICSEW'20: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering WorkshopsData has emerged as a central commodity in most modern applications. Unregulated and rampant collection of user and usage data by applications led to concerns on privacy, trust, and ethics. This has resulted in several governments and organizations ...
SENTIMENT ASSESSMENT OF TEXT BY ANALYZING LINGUISTIC FEATURES AND CONTEXTUAL VALENCE ASSIGNMENT
Text is not only an important medium to describe facts and events, but also to effectively communicate information about the writer's positive or negative sentiment underlying an opinion, or to express an affective or emotional state, such as happiness, ...
Comments