DOI: 10.1145/3341105.3375764 (ACM SAC conference proceedings, research article)

Towards application-layer purpose-based access control

Published: 30 March 2020

Abstract

In this paper, we propose an architecturally novel approach to implementing purpose-based access control in practice. Unlike previous proposals, our approach resides in the application layer instead of the data(base) layer. This allows for significantly better integration with the established architectures and practices of real-world application engineering, and it achieves database independence.
To validate practical applicability, we provide two exemplary implementations and briefly assess the overhead they introduce in terms of achievable throughput. The results depend strongly on data and query type, but they broadly suggest tolerable overheads for realistic applications, even though possible performance optimizations have not yet been implemented in our proofs of concept. Our approach thus offers significantly better practical feasibility than previous ones while exhibiting reasonable overheads. It therefore paves the way for purpose-based access control to actually be adopted in practice.
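The abstract only states where the enforcement point sits (the application layer, between business logic and storage) and not how the authors' two proofs of concept are built. The following Python is an added illustration, not the paper's code, of what such an application-layer purpose check can look like: every personal-data field of a record carries the purposes the data subject allowed or prohibited (an assumed policy format), purposes form a tree so that consent to a parent covers its children (an assumed hierarchy), and a repository object applies the check over plain dictionaries so that it works in front of any storage backend. All class and function names, the purpose tree and the sample records are constructed for this example.

```python
"""Illustrative application-layer purpose-based access control (PBAC) filter.

Added example; the policy format, purpose tree and repository API are
assumptions made for the illustration, not the paper's design.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed purpose tree: child -> parent. Consent given for a node also
# covers its descendants ("marketing" covers "marketing.email").
PURPOSE_TREE = {
    "marketing.email": "marketing",
    "marketing.ads": "marketing",
    "shipping.address_check": "shipping",
}


def ancestors(purpose: str) -> list[str]:
    """Return the purpose and all of its ancestors, most specific first."""
    chain = [purpose]
    while chain[-1] in PURPOSE_TREE:
        chain.append(PURPOSE_TREE[chain[-1]])
    return chain


def purpose_permits(allowed: set[str], prohibited: set[str], requested: str) -> bool:
    """A prohibition anywhere on the path to the root wins over any allowance."""
    chain = ancestors(requested)
    if any(p in prohibited for p in chain):
        return False
    return any(p in allowed for p in chain)


@dataclass
class FieldPolicy:
    allowed: set[str] = field(default_factory=set)
    prohibited: set[str] = field(default_factory=set)


@dataclass
class Record:
    data: dict[str, object]
    policies: dict[str, FieldPolicy]  # one policy per personal-data field


class PurposeAwareRepository:
    """Enforcement point in the application's data-access layer.

    It never hands the backend a purpose; it receives rows (here: in-memory
    dicts) and strips or drops them before the business logic sees them.
    """

    def __init__(self, records: list[Record]) -> None:
        self._records = records

    def find(self, purpose: str,
             where: Optional[Callable[[dict[str, object]], bool]] = None) -> list[dict[str, object]]:
        out: list[dict[str, object]] = []
        for rec in self._records:
            visible: dict[str, object] = {}
            for key, value in rec.data.items():
                pol = rec.policies.get(key)
                # A field without a policy is treated as non-personal data.
                if pol is None or purpose_permits(pol.allowed, pol.prohibited, purpose):
                    visible[key] = value
            # Predicates run on the already-filtered view only: otherwise a
            # query could infer a hidden field's value through row counts.
            if where is not None and not where(visible):
                continue
            # Drop rows with no visible personal field so that the record's
            # existence is not disclosed for a purpose it was not given for.
            if not any(k in rec.policies for k in visible):
                continue
            out.append(visible)
        return out


# Constructed sample data: two customers with different consent settings.
SAMPLE = PurposeAwareRepository([
    Record(
        data={"id": 1, "email": "alice@example.test", "address": "1 Main St"},
        policies={
            "email": FieldPolicy(allowed={"shipping", "marketing"}, prohibited={"marketing.ads"}),
            "address": FieldPolicy(allowed={"shipping"}),
        },
    ),
    Record(
        data={"id": 2, "email": "bob@example.test", "address": "2 Side Rd"},
        policies={
            "email": FieldPolicy(allowed={"shipping"}),
            "address": FieldPolicy(allowed={"shipping"}),
        },
    ),
])


if __name__ == "__main__":
    for p in ("shipping", "marketing.email", "marketing.ads", "shipping.address_check"):
        print(p, "->", SAMPLE.find(p))
```

Two design points matter here regardless of backend: the predicate is evaluated on the purpose-filtered view rather than on the raw row, so a caller cannot use a query condition on a hidden field as an oracle, and rows left with only non-personal fields are dropped rather than returned as empty shells. Both checks live entirely in application code, which is what gives the approach its database independence.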



Published In

SAC '20: Proceedings of the 35th Annual ACM Symposium on Applied Computing, March 2020, 2348 pages. ISBN: 9781450368667. DOI: 10.1145/3341105.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. PBAC
  2. access control
  3. data protection
  4. privacy
  5. privacy by design
  6. privacy engineering
  7. purpose limitation
  8. web engineering


Conference

SAC '20: The 35th ACM/SIGAPP Symposium on Applied Computing, March 30 - April 3, 2020, Brno, Czech Republic

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%


Article Metrics

  • Downloads (last 12 months): 68
  • Downloads (last 6 weeks): 14

Reflects downloads up to 11 Dec 2024.

Cited By

  • Privacy Engineering From Principles to Practice: A Roadmap. IEEE Security and Privacy 22(2), 86-92 (3 Apr 2024). DOI: 10.1109/MSEC.2024.3363829
  • Conceptual Framework for Designing Hippocratic APIs. Conceptual Modeling, 355-376 (21 Oct 2024). DOI: 10.1007/978-3-031-75872-0_19
  • Hook-in Privacy Techniques for gRPC-Based Microservice Communication. Web Engineering, 215-229 (17 Jun 2024). DOI: 10.1007/978-3-031-62362-2_15
  • Streamlining Personal Data Access Requests: From Obstructive Procedures to Automated Web Workflows. Web Engineering, 111-125 (6 Jun 2023). DOI: 10.1007/978-3-031-34444-2_9
  • Configurable Per-Query Data Minimization for Privacy-Compliant Web APIs. Web Engineering, 325-340 (5 Jul 2022). DOI: 10.1007/978-3-031-09917-5_22
  • Cloud Native Privacy Engineering through DevPrivOps. Privacy and Identity Management. Between Data Protection and Security, 122-141 (31 Mar 2022). DOI: 10.1007/978-3-030-99100-5_10
  • RedCASTLE. Proceedings of the 8th International Workshop on Middleware and Applications for the Internet of Things, 8-13 (6 Dec 2021). DOI: 10.1145/3493369.3493601
  • TILT. Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency, 636-646 (3 Mar 2021). DOI: 10.1145/3442188.3445925
  • An Overview of Runtime Data Protection Enforcement Approaches. 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 351-358 (Sep 2021). DOI: 10.1109/EuroSPW54576.2021.00044
  • TIRA: An OpenAPI Extension and Toolbox for GDPR Transparency in RESTful Architectures. 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 312-319 (Sep 2021). DOI: 10.1109/EuroSPW54576.2021.00039
