More Web Proxy on the site http://driver.im/

research-article

Assessment Framework for the Identification and Evaluation of Main Features for Distributed Usage Control Solutions

Authors:

Mariví Higuero,

Francisco Javier DiezAuthors Info & Claims

ACM Transactions on Privacy and Security, Volume 26, Issue 1

Article No.: 10, Pages 1 - 28

https://doi.org/10.1145/3561511

Published: 11 November 2022 Publication History

Abstract

Data exchange between organizations is becoming an increasingly significant issue due to the great opportunities it presents. However, there is great reluctance to share if data sovereignty is not provided. Providing it calls for not only access control but also usage control implemented in distributed systems. Access control is a research field where there has been a great deal of work, but usage control, especially implemented in distributed systems as Distributed Usage Control (DUC), is a very new field of research that presents great challenges. Moreover, little is known about what challenges must really be faced and how they must be addressed. This is evidenced by the fact that existing research has focused non-specifically on different features of DUC, which are not formalized. Therefore, the path for the development of DUC solutions is unclear and it is difficult to analyze the scope of data sovereignty attained by the wide range of DUC solutions. In this context, this article is based on an initial in-depth analysis of DUC related work. In it, the challenges posed by DUC in terms of data sovereignty and the features that must be provided to address them are identified and analyzed for the first time. Based on these features, an initial DUC framework is proposed to assess in a practical and unified way the extent to which DUC solutions provide data sovereignty. Finally, the assessment framework is applied to compare the scopes of the most widespread DUC solutions and identify their limitations.

References

[1]

Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman. 1976. Protection in operating systems. Commun ACM 19, 8 (1976), 461–471. DOI:

Digital Library

[2]

Paul Ammann, Richard J. Lipton, and Ravi S. Sandhu. 1996. The expressive power of multi-parent creation in monotonic access control models. Journal of Computer Security 4, 2/3 (1996), 149–166. DOI:

[3]

Ravi Sandhu. 1996. Role hierarchies and constraints for lattice-based access controls. In Proceedings of the 4h European Symposium on Research in Computer Security. Lecture Notes in Computer Science, Computer Security-ESORICS96, Springer.

[4]

Matunda Nyanchama and Sylvia Osborn. 1996. Modeling Mandatory Access Control in Role-Based Security Systems. In Database Security IX. IFIP Advances in Information and Communication Technology, D. L. Spooner, S. A. Demurjian, and J. E. Dobson (Eds). Springer, Boston, MA.

[5]

Ravi Sandhu and Qamar Munawer. 1998. How to do discretionary access control using roles. In Proceedings of the ACM Workshop on Role-Based Access Control. 47–54.

Digital Library

[6]

Qamar Munawer and Ravi Sandhu. 1999. Simulation of the augmented typed access matrix model (ATAM) using roles. In Proceedings of INFOSECU99 International Conference on Information and SecurityU99.

[7]

Sylvia Osborn, Ravi Sandhu, and Qamar Munawer. 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security 3, 2 (May 2000), 85–106. DOI:

Digital Library

[8]

Zhenxin Yu, Hong Yan, and T. C. Edwin Cheng. 2001. Benefits of information sharing with supply chain partnerships. Industrial Management and Data Systems 101, 3 (2001), 114–119. DOI:

[9]

Jaehong Park and Ravi Sandhu. 2002. Towards usage control models: Beyond traditional access control. In Proceedings of the 7th ACM Symposium on Access Control Models and Technologies. Monterey, California, USA, 57–64. DOI:

Digital Library

[10]

Ravi Sandhu and Jaehong Park. 2003. Usage control: A vision for next generation access control. In Proceedings of the Computer Network Security. 17–31. DOI:

[11]

Claudio Bettini, Sushil Jajodia, X. Sean Wang, and Duminda Wijesekera. 2003. Provisions and obligations in policy rule management. Journal of Network and Systems Management 11, 3 (2003), 351–372. DOI:

[12]

Ninghui Li, John C. Mitchell, and William H. Winsborough. 2005. Beyond Proof-of-compliance: Security analysis in trust management. Journal of the ACM 52, 3 (2005), 474–514. DOI:

Digital Library

[13]

Mahesh v Tripunitara and Ninghui Li. 2004. Comparing the expressive power of access control models. In Proceedings of the 11th ACM Conference on Computer and Communications Security. 62–71. DOI:

Digital Library

[14]

Jaehong Park, Xinwen Zhang, and Ravi Sandhu. 2004. Attribute mutability in usage control. In Proceedings of the Research Directions in Data and Applications Security XVIII. 15–29. DOI:

[15]

Jaehong Park and Ravi Sandhu. 2002. The UCON ABC usage control model. ACM Transactions on Information and System Security 7, 1 (2002), 128–174. DOI:

Digital Library

[16]

Xinwen Zhang, Francesco Parisi-Presicce, and Ravi Sandhu. 2005. Formal model and policy specification of usage control. ACM Transactions on Information and System Security 8, 4 (2005), 351–387. DOI:

Digital Library

[17]

Manuel Hilty, David Basin, and Alexander Pretschner. 2005. On obligations. In Proceedings of the 10th European Symposium on Research in Computer Security. 12–14. DOI:

Digital Library

[18]

Alexander Pretschner, Manuel Hilty, and David Basin. 2006. Distributed usage control. Commun. ACM 49, 9 (September 2006), 39--44.

[19]

M. Hilty, A. Pretschner, D. Basin, C. Schaefer, and T. Walter. 2007. A policy language for distributed usage control. In Proceedings of the 12th European Symposium on Research in Computer Security. 24–26. DOI:

[20]

Mahesh v Tripunitara and Ninghui Li. 2007. A theory for comparing the expressive power of access control models. Journal of Computer Security 15, 2 (2007), 231–272. DOI:

[21]

Basel Katt, Xinwen Zhang, Ruth Breu, Michael Hafner, and Jean-Pierre Seifert. 2008. A general obligation model and continuity-enhanced policy enforcement engine for usage control. In Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT). ACM, 123–132. DOI:

Digital Library

[22]

Claudio A. Ardagna, Laurent Bussard, Sabrina de Capitani Di Vimercati, Gregory Neven, Stefano Paraboschi, Eros Pedrini, Franz-Stefan Preiss, Dave Raggett, Pierangela Samarati, Slim Trabelsi, and Mario Verdicchio. 2009. PrimeLife Policy Language. Retrieved June 15, 2022 from https://www.w3.org/2009/policy-ws/papers/Trabelisi.pdf.

[23]

Aliaksandr Lazouski, Fabio Martinelli, and Paolo Mori. 2010. Usage control in computer security: A survey. Computer Science Review 4, 2 (May 2010), 81–99. DOI:

Digital Library

[24]

Siani Pearson and Marco Casassa Mont. 2011. Sticky policies. An approach for managing privacy across multiple parties. IEEE Computer 44, 9 (2011), 60–68. DOI:

Digital Library

[25]

Slim Trabelsi, Jakub Sendor, and Stefanie Reinicke. 2011. PPL: PrimeLife privacy policy engine. In Proceedings of the 2011 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2011. 184–185. DOI:

[26]

Francesco di Cerbo, Slim Tabelsi, Thomas Steingruber, Gabriella Dodero, and Michele Bezzi. 2013. Sticky policies for mobile devices. In Proceedings of the ACM symposium on Access control Models and Technologies, SACMAT. ACM, 257–260. DOI:

Digital Library

[27]

Timothy L. Hinrichs, Diego Martinoia, William C. Garrison III, Adam J. Lee, Alessandro Panebianco, and Lenore Zuck. 2013. Application-sensitive access control evaluation using parameterized expressiveness. In Proceedings of the 2013 IEEE 26th Computer Security Foundations Symposium. 145–160. DOI:

Digital Library

[28]

Organization for the Advancement of Structured Information Standards (OASIS). 2013. eXtensible Access Control Markup Language (XACML) Version 3.0. Retrieved June 15, 2022 from http://docs.oasisopen.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf.

[29]

William C. Garrison, Yechen Qiao, and Adam J. Lee. 2014. On the suitability of dissemination-centric access control systems for group-centric sharing. In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy CODASPY 2014. Association for Computing Machinery, 1–12. DOI:

Digital Library

[30]

William C. Garrison, Adam J. Lee, and Timothy L. Hinrichs. 2014. An actor-based, application-aware access control evaluation framework. In Proceedings of the ACM Symposium on Access Control Models and Technologies, SACMAT. Association for Computing Machinery 199–210. DOI:

Digital Library

[31]

Christian Jung, Andreas Eitel, and Reinhard Schwarz. 2014. Enhancing cloud security with context-aware usage control policies. In Proceedings of the Informatik. 211–222.

[32]

William C. Garrison III and Adam J. Lee. 2015. Decomposing, comparing, and synthesizing access control expressiveness simulations. In Proceedings of the 2015 IEEE 28th Computer Security Foundations Symposium. 18–32.

Digital Library

[33]

Francesco di Cerbo, Doliere Francis Some, Laurent Gomez, and Slim Trabelsi. 2015. PPL v2.0: Uniform data access and usage control on cloud and mobile. In Proceedings of the 1st International Workshop on TEchnicaland LEgal Aspects of Data pRIvacy and Security, TELERISE 2015. Institute of Electrical and Electronics Engineers Inc., 2–7. DOI:

Digital Library

[34]

Florian Kelbert and Alexander Pretschner. 2015. A Fully Decentralized Data Usage Control Enforcement Infrastructure. In Proc. 13th International Conference on Applied Cryptography and Network Security. DOI:

[35]

Antonio la Marra, Fabio Martinelli, Paolo Mori, and Andrea Saracino. 2017. Implementing usage control in internet of things: A smart home use case. In Proceedings of the 2017 IEEE Trustcom/BigDataSE/ICESS, IEEE, 1056–1063. DOI:

[36]

Florian Kelbert and Alexander Pretschner. 2018. Data usage control for distributed systems. ACM Transactions on Privacy and Security 21, 3 (June 2018). DOI:

Digital Library

[37]

Elizabeth Scaria, Arnaud Berghmans, Marta Pont, Catarina Arnaut, and Sophie Leconte. 2018. Study on data sharing between companies in Europe: Final report, Publications Office. Retrieved June 15, 2022 from.

[38]

Julian Schütte and Gerd Stefan Brost. 2018. LUCON: Data flow control for message-based IoT systems. In Proceedings of the 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE). DOI:

[39]

Álvaro Alonso, Alejandro Pozo, José Manuel Cantera, Francisco de la Vega, and Juan José Hierro. 2018. Industrial data space architecture implementation using FIWARE. Sensors (Switzerland) 18, 7 (July 2018). DOI:

[40]

Elisa Bertino, Amani Abu Jabal, Seraphin Calo, DInesh Verma, and Christopher Williams. 2018. The challenge of access control policies quality. Journal of Data and Information Quality 10, 2 (September 2018). DOI:

Digital Library

[41]

Antonio Marra, Fabio Martinelli, Paolo Mori, and Andrea Saracino. 2019. A Distributed Usage Control Framework for Industrial Internet of Things. DOI:

[42]

Matthias Jarke, Boris Otto, and Sudha Ram. 2019. Data sovereignty and data space ecosystems. Business and Information Systems Engineering 61, 5 (2019), 549–550. DOI:

[43]

Boris Otto et al. 2019. IDSA Reference Architecture Model. Retrieved June 15, 2022 from https://internationaldataspaces.org//wp-content/uploads/IDS-Reference-Architecture-Model-3.0-2019.pdf.

[44]

Arghavan Hosseinzadeh, Andreas Eitel, and Christian Jung. 2020. A systematic approach toward extracting technically enforceable policies from data usage control requirements. In Proceedings of the 6th International Conference on Information Systems Security and Privacy (ICISSP'20). DOI:

[45]

Gonzalo Gil, Aitor Arnaiz, and Marivi Higuero. 2019. Theoretical assessment of existing frameworks for data usage control: Strength and limitations with respect to current application scenarios.

[46]

Amani Abu Jabal, Maryam Davari, Elisa Bertino, Christian Makaya, Seraphin Calo, Dinesh Verma, Alessandra Russo, and Christopher Williams. 2019. Methods and tools for policy analysis. ACM Computing Surveys 51, 6 (February 2019). DOI:

Digital Library

[47]

Gonzalo Gil, Aitor Arnaiz, Marivi Higuero, and Francisco Javier Diez. 2020. Evaluation methodology for distributed usage control solutions. In Proceedings of the 2020 Global Internet of Things Summit (GIoTS). DOI:

[48]

Andres Munoz-Arcentales, Sonsoles López-Pernas, Alejandro Pozo, Álvaro Alonso, Joaquín Salvachúa, and Gabriel Huecas. 2020. Data usage and access control in industrial data spaces: Implementation using FIWARE. Sustainability 12, 9 (May 2020). DOI:

[49]

Sebastian Bader, Jaroslav Pullman, Christian Mader, Sebastian Tramp, Christoph Quix, Andreas W. Muller, Matthias Bockmann, Benedikt Imbusch, Johannes Lipp, Sandra Geisler, and Christoph Lange. 2020. The international data spaces information model—an ontology for sovereign exchange of digital content. In Proceedings of the International Semantic Web Conference 2020. DOI:

Digital Library

[50]

European Commission. 2022. A European Strategy for data | Shaping Europe. Retrieved June 15, 2022 from https://digital-strategy.ec.europa.eu/en/policies/strategy-data.

[51]

Internet Society. 2022. Concerns Over Privacy and Security Contribute to Consumer. Retrieved June 15, 2022 from https://www.internetsociety.org/news/press-releases/2019/concerns-over-privacy-and-security-contribute-to-consumer-distrust-in-connected-devices/.

[52]

Renato Iannella. 2018. Open Digital Rights Language (ODRL) Version 2.2. Retrieved June 15, 2022 from https://www.w3.org/TR/odrl-model/(visitedon19/05/2022).

Cited By

Akaichi IKirrane S(2025)A comprehensive review of usage control frameworksComputer Science Review10.1016/j.cosrev.2024.10069856(100698)Online publication date: May-2025
https://doi.org/10.1016/j.cosrev.2024.100698
Denis NLaurent MChabridon S(2024)A decentralized model for usage and information flow control in distributed systemsComputers and Security10.1016/j.cose.2024.103975144:COnline publication date: 1-Sep-2024
https://dl.acm.org/doi/10.1016/j.cose.2024.103975
Akbari Gurabi MHermsen FMandal ADecker S(2024)Towards Privacy-Preserving Machine Learning in Sovereign Data Spaces: Opportunities and ChallengesPrivacy and Identity Management. Sharing in a Digital World10.1007/978-3-031-57978-3_11(158-174)Online publication date: 23-Apr-2024
https://doi.org/10.1007/978-3-031-57978-3_11
Show More Cited By

Index Terms

Assessment Framework for the Identification and Evaluation of Main Features for Distributed Usage Control Solutions
1. Security and privacy
  1. Security services
    1. Digital rights management

Recommendations

Data usage control enforcement in distributed systems
CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacy

Distributed usage control is concerned with how data may or may not be used in distributed system environments after initial access has been granted. If data flows through a distributed system, there exist multiple copies of the data on different client ...
Data Sovereignty Governance Framework
ICSEW'20: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops

Data has emerged as a central commodity in most modern applications. Unregulated and rampant collection of user and usage data by applications led to concerns on privacy, trust, and ethics. This has resulted in several governments and organizations ...
SENTIMENT ASSESSMENT OF TEXT BY ANALYZING LINGUISTIC FEATURES AND CONTEXTUAL VALENCE ASSIGNMENT

Text is not only an important medium to describe facts and events, but also to effectively communicate information about the writer's positive or negative sentiment underlying an opinion, or to express an affective or emotional state, such as happiness, ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Transactions on Privacy and Security

ACM Transactions on Privacy and Security Volume 26, Issue 1

February 2023

342 pages

ISSN:2471-2566

EISSN:2471-2574

DOI:10.1145/3561959

Editor:
Ninghui Li
Purdue University, USA

Issue’s Table of Contents

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 November 2022

Online AM: 09 September 2022

Accepted: 17 August 2022

Revised: 17 June 2022

Received: 28 April 2021

Published in TOPS Volume 26, Issue 1

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Refereed

Funding Sources

HODEI-X
SPRI-Basque Government

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
383
Total Downloads

Downloads (Last 12 months)86
Downloads (Last 6 weeks)9

Reflects downloads up to 13 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Akaichi IKirrane S(2025)A comprehensive review of usage control frameworksComputer Science Review10.1016/j.cosrev.2024.10069856(100698)Online publication date: May-2025
https://doi.org/10.1016/j.cosrev.2024.100698
Denis NLaurent MChabridon S(2024)A decentralized model for usage and information flow control in distributed systemsComputers and Security10.1016/j.cose.2024.103975144:COnline publication date: 1-Sep-2024
https://dl.acm.org/doi/10.1016/j.cose.2024.103975
Akbari Gurabi MHermsen FMandal ADecker S(2024)Towards Privacy-Preserving Machine Learning in Sovereign Data Spaces: Opportunities and ChallengesPrivacy and Identity Management. Sharing in a Digital World10.1007/978-3-031-57978-3_11(158-174)Online publication date: 23-Apr-2024
https://doi.org/10.1007/978-3-031-57978-3_11
Gil GArnaiz AHiguero MDiez FJacob E(2022)Context-Aware Policy Analysis for Distributed Usage ControlEnergies10.3390/en1519711315:19(7113)Online publication date: 27-Sep-2022
https://doi.org/10.3390/en15197113

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Full Text

View this article in Full Text.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View full text|Download PDF

View Issue’s Table of Contents