
Privacy Preserving Access Control Framework

Mohammed H. Almeshekah and Ninghui Li
Report (full text)

I worked with Prof. Li at Purdue to provide a report on a privacy-preserving access control framework for a project led by Dr. Waleed Alrodhan studying privacy practices in the Saudi market. Below is a description of the project and the details of the report we provided.

Project Summary:

Information privacy issues have become noticeably more pressing, and their significance has grown with the prevalent use of communications, data storage and processing technologies, particularly since the spread of the Internet and its major role in people's lives, from social networks to e-Commerce and e-Government. A massive volume of personal information and data is now stored on the Internet and in the internal systems of public and private organizations, which has created serious legal, ethical, and technological problems around information collection, processing, dissemination, and invasion.

This research stands out because it targets a current-state assessment of information privacy in Saudi Arabia, in addition to the development of tools that would help implement privacy controls in some of the IT applications used in the Kingdom.

The expected project contributions can be summarized as follows:

  • A comprehensive assessment of information privacy practices in the public, health, banking, and private sectors, to identify the gaps between the existing regulations and some of the commonly used applications and systems at various organizations.
  • Development of privacy policy templates based on the eXtensible Access Control Markup Language (XACML) that comply with the privacy regulations of the above-mentioned sectors; the templates will be made publicly available so that they can be used and implemented in various applications.
  • Development of an open source system that acts as a Policy Enforcement Point (PEP) between the file system and the end user, enforcing privacy requirements on various file types.

Upon project completion, all of the developed research reports, tools, and source code will be made available to the public and can be used and adopted for developing new systems or enhancing existing ones to address various privacy requirements.

Report ABSTRACT: As the convergence between our physical and digital worlds continues at a rapid pace, much of our information is becoming available online. Maintaining the privacy of users' information is a critical component of any system. In this document we discuss a comprehensive framework that can be integrated into an organization's current infrastructure to provide privacy-preserving access control. In particular, we propose the following steps.

  1. Provide organizational and continual support and commitment to privacy protection.
  2. Understand the current data collection/usage situation as well as the need of data in the organization.
  3. Understand the requirements on data collection and sharing specified by laws and regulations.
  4. Establish a privacy policy that governs personal data. Such a policy needs to be specified at three levels: for data subjects, for the organization and its employees, and for IT systems.
  5. Develop ways to support communication with users.
  6. Identify the information system components that collect, store, or process personal data, and connect them to the Access Control System.
  7. Design, implement, and deploy an Access Control System that can verify whether data access requests satisfy the organizational privacy policy.
  8. Protect the organization's IT systems against malicious attacks.
  9. Protect users' information when it is exported to third parties.

The emphasis of this report is on step 7. We propose an XACML-based architecture with three major components: the XACML privacy extension, the EnCoRe project framework, and the ExtXACML obligation enforcement extension. These three components are layered on top of the traditional XACML model and enforce the privacy policies. We discuss how these components work together to achieve the OECD privacy guidelines.
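As an added illustration of step 7 (this is example code written for this page, not the report's own code nor the EnCoRe or ExtXACML implementations), the following Python sketch shows the two mechanisms the architecture combines: a purpose-binding rule in the style of the XACML privacy profile, evaluated by a small PDP, and a file-level PEP that enforces the decision and discharges obligations, refusing to release data when it cannot discharge one. The two purpose attribute identifiers follow the XACML 2.0 privacy policy profile naming; the role and obligation identifiers, the policy, and the sample file store are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Attribute identifiers. The two purpose URIs follow the XACML 2.0 privacy
# policy profile; the role and obligation URIs are hypothetical examples.
RESOURCE_PURPOSE = "urn:oasis:names:tc:xacml:2.0:resource:purpose"
ACTION_PURPOSE = "urn:oasis:names:tc:xacml:2.0:action:purpose"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
SUBJECT_ROLE = "urn:example:subject:role"
OB_LOG_ACCESS = "urn:example:obligation:log-access"

Request = Dict[str, str]
Obligation = Dict[str, str]

@dataclass
class Rule:
    rule_id: str
    effect: str                                   # "Permit" or "Deny"
    condition: Callable[[Request], bool]
    obligations: List[Obligation] = field(default_factory=list)

@dataclass
class Decision:
    decision: str                                 # Permit, Deny or NotApplicable
    obligations: List[Obligation] = field(default_factory=list)

def purpose_matches(request: Request) -> bool:
    """Privacy-profile rule: the purpose stated for the access must match the
    purpose the data was collected for (a regexp match, as in the profile)."""
    collected_for = request.get(RESOURCE_PURPOSE)
    accessed_for = request.get(ACTION_PURPOSE)
    if collected_for is None or accessed_for is None:
        return False                              # missing attribute: no match
    return re.fullmatch(collected_for, accessed_for) is not None

def evaluate(rules: List[Rule], request: Request) -> Decision:
    """Minimal PDP using deny-overrides combining. Obligations are returned
    only from rules whose effect equals the final decision."""
    permitting: List[Rule] = []
    for rule in rules:
        if not rule.condition(request):
            continue
        if rule.effect == "Deny":
            return Decision("Deny", list(rule.obligations))
        permitting.append(rule)
    if not permitting:
        return Decision("NotApplicable")
    return Decision("Permit", [ob for r in permitting for ob in r.obligations])

class PEP:
    """Sits between the file store and the user: enforces the PDP decision and
    discharges obligations. An obligation it has no handler for means Deny."""

    def __init__(self, rules: List[Rule],
                 handlers: Dict[str, Callable[[Request, Obligation, list], None]],
                 store: Dict[str, Dict[str, str]]):
        self.rules, self.handlers, self.store = rules, handlers, store
        self.audit: List[str] = []

    def read(self, subject: Request, file_id: str, purpose: str) -> Optional[str]:
        meta = self.store.get(file_id)
        if meta is None:
            return None
        request = {**subject, RESOURCE_ID: file_id,
                   RESOURCE_PURPOSE: meta["purpose"], ACTION_PURPOSE: purpose}
        decision = evaluate(self.rules, request)
        if decision.decision != "Permit":
            return None
        # Fail closed: every obligation must be dischargeable before data leaves.
        if any(ob["id"] not in self.handlers for ob in decision.obligations):
            return None
        for ob in decision.obligations:
            self.handlers[ob["id"]](request, ob, self.audit)
        return meta["content"]

def log_access(request: Request, ob: Obligation, audit: list) -> None:
    audit.append(f"{request[SUBJECT_ROLE]} read {request[RESOURCE_ID]} "
                 f"for {request[ACTION_PURPOSE]}")

# Constructed sample store: each file records the purpose(s) its personal
# data was collected for, as a regexp over purpose names.
STORE = {
    "patient-42.txt": {"purpose": "treatment", "content": "blood type O-"},
    "invoice-7.txt": {"purpose": "treatment|billing", "content": "amount 120.00"},
}

POLICY = [
    Rule("deny-marketing", "Deny", lambda r: r.get(SUBJECT_ROLE) == "marketing"),
    Rule("purpose-binding", "Permit", purpose_matches,
         obligations=[{"id": OB_LOG_ACCESS}]),
]

def demo() -> Dict[str, Optional[str]]:
    pep = PEP(POLICY, {OB_LOG_ACCESS: log_access}, STORE)
    nurse, clerk, marketer = ({SUBJECT_ROLE: r} for r in ("nurse", "billing-clerk", "marketing"))
    results = {
        "nurse/treatment": pep.read(nurse, "patient-42.txt", "treatment"),
        "nurse/research": pep.read(nurse, "patient-42.txt", "research"),
        "clerk/billing": pep.read(clerk, "invoice-7.txt", "billing"),
        "clerk/billing-on-patient-file": pep.read(clerk, "patient-42.txt", "billing"),
        "marketing/treatment": pep.read(marketer, "patient-42.txt", "treatment"),
        "audit_entries": str(len(pep.audit)),
        # A PEP with no handler for the logging obligation must turn Permit into a refusal.
        "no-handler": PEP(POLICY, {}, STORE).read(nurse, "patient-42.txt", "treatment"),
    }
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point worth noticing is the last case: the PDP answers Permit, yet the PEP releases nothing because it cannot discharge the attached obligation. That fail-closed behaviour is what XACML requires of a PEP, and it is what makes obligations (audit logging, data-subject notification, retention limits) a real privacy control rather than a best-effort side effect.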
