Assignment 1

shimanto148
Readings.zip

Readings/Attribute-Based_Access_Control.pdf

SECURITY

C O M P U T E R 0 0 1 8 - 9 1 6 2 / 1 5 / $ 3 1 . 0 0 © 2 0 1 5 I E E E P U B L I S H E D B Y T H E I E E E C O M P U T E R S O C I E T Y F E B R U A R Y 2 0 1 5 85

EDITOR JEFFREY VOAS National Institute of Standards and Technology, j.voas@ieee.org

Traditionally, access control (AC) has been based on the identity of a user requesting execution of a capability to perform an operation (for exam- ple, read) on an object (for example, a file), either

directly or through predefined attribute types such as roles or groups assigned to that user. Practitioners have noted that this AC approach is often cumbersome to man- age given the need to associate capabilities directly to users or their roles or groups. In addition, the requester qualifiers of identity, groups, and roles are often insuf- ficient in expressing real-world AC policies. An alterna- tive is to grant or deny user requests based on arbitrary attributes of the user and selected attributes of the object, and environment conditions that could be globally rec- ognized and more relevant to the policies at hand. This approach is often referred to as attribute-based access control (ABAC).

ABAC: A FLEXIBLE ACCESS CONTROL MODEL ABAC is a logical AC model that controls access to objects by eval- uating rules against the attributes of entities (subject and object), op- erations, and the environment rel- evant to a request. ABAC enables more precise AC by allowing for a higher number of discrete inputs

into an AC decision and thereby providing a larger set of possible combinations of those variables to reflect a larger and more definitive set of possible rules to express policies, which are limited only by the computational language and the richness of the available attributes.

This flexibility enables creation of access rules with- out specifying individual relationships between each subject and each object. For example, a subject is as- signed a set of subject attributes upon employment, such as Nancy Smith is a Nurse Practitioner in the Cardiology Department. An object is assigned its object attributes upon creation, such as a folder with Medical Records of Heart Patients. Objects may receive their attributes ei- ther directly from the creator or as a result of automated scanning tools. The administrator or owner of an object creates an AC rule using attributes of subjects and objects to govern the set of allowable capabilities—for example,

Attribute-Based Access Control Vincent C. Hu, D. Richard Kuhn, and David F. Ferraiolo, National Institute of Standards and Technology

Attribute-based access control (ABAC) is a

flexible approach that can implement AC

policies limited only by the computational

language and the richness of the available

attributes, making it ideal for many distributed

or rapidly changing environments.

r2sec.indd 85 1/22/15 5:25 PMAuthorized licensed use limited to: University of Canberra. Downloaded on September 03,2021 at 10:50:52 UTC from IEEE Xplore. Restrictions apply.

86 C O M P U T E R W W W . C O M P U T E R . O R G / C O M P U T E R

SECURITY

all Nurse Practitioners in the Cardiol- ogy Department can View the Medical Records of Heart Patients.

Under ABAC, access decisions can change between requests simply by altering attribute values, without re- quiring changes to the subject/object relationships defining the underly- ing rule sets. This provides a more dynamic AC management capability and limits long-term maintenance re- quirements of object protections.

Further, ABAC enables object own- ers or administrators to apply AC policy without prior knowledge of the specific subject and for an unlimited number of subjects that might require access. As new subjects join the organization, rules and objects need not be modified, and as long as the subject is assigned the attributes necessary for access to the required objects—for example, all

Nurse Practitioners in the Cardiology Department are assigned those attri- butes—no modifications to existing rules or object attributes are required. This accommodation of the external (unanticipated) user is one of the pri- mary benefits of employing ABAC.1,2

As a result of this flexibility, ABAC has attracted interest across indus- try and government, and is the fast- est-growing AC model today.3 It has been integrated with other approaches, such as the International Committee for Information Technology Stan- dards (INCITS) standard for role-based access control,4 and has become the basis for an increasing range of prod- ucts. But beyond the basic scheme of associating attributes with subjects, objects, and environments, there has been little consistency among ABAC implementations.

IMPLEMENTING ABAC IN THE ENTERPRISE ENVIRONMENT Due to a lack of consensus on ABAC features, users can’t accurately assess the benefits and challenges associ- ated with the model. To help address this problem, the National Institute of Standards and Technology (NIST) released Special Publication (SP) 800- 162, Guide to Attribute Based Access Control (ABAC) Definition and Consid- erations.1 This document serves a two- fold purpose. First, it provides federal agencies with a definition of ABAC and a description of its functional components. Second, it describes planning, design, implementation, and operational considerations for employing ABAC within an enter- prise to improve information sharing while maintaining control of that in- formation. The guide focuses on the

Credential issuance

Enterprise policy manager

Enterprise identity/ credential manager

Subject attribute issuance

Subject

Enterprise subject attribute

administration point

Enterprise object attribute manager

Local object attribute administration point

Optional enterprise object attribute binding and validation service

Enterprise access control policy

repository

Enterprise access

control policy administration point

Af�liation

Etc. Clearance

Name Owner

Etc. Classi�cation TypeEnterprise subject

attribute sharing

Local subject attribute administration point

Hierarchical policy pushed to

subordinate organizations

Local subject attribute repository

Local subject attribute repository

Object attribute repository

Local access control policy repository

Object

Owner

Etc. Classi�cation Type

Af�liation

Etc. Clearance

Name

GroupRole

Rules

Decision Enforce

ABAC access control

mechanism

Environmental conditions Local access control policy

administration point

Set of available attributes for policy

development

Optional enterprise policy decision service

Figure 1. Attribute-based access control (ABAC) example. Adapted from V.C. Hu et al., Guide to Attribute Based Access Control (ABAC) Definition and Considerations, NIST Special Publication 800-162, Nat’l Institute of Standards and Technology, Jan. 2014.

r2sec.indd 86 1/22/15 5:53 PMAuthorized licensed use limited to: University of Canberra. Downloaded on September 03,2021 at 10:50:52 UTC from IEEE Xplore. Restrictions apply.

F E B R U A R Y 2 0 1 5 87

challenges of implementing ABAC rather than on balancing the cost and effectiveness of other capabilities ver- sus ABAC.

When deployed across an enter- prise to increase information shar- ing among diverse organizations, ABAC implementations can become complex, requiring an attribute man- agement infrastructure, machine- enforceable policies, and an array of functions that support access deci- sions and policy enforcement. As Fig- ure 1 shows, in addition to the basic policy, attribute, and AC mechanism requirements, the enterprise must support management functions for enterprise policy development and distribution, enterprise identity and subject attributes, subject attribute sharing, enterprise object attributes, authentication, and AC mechanism deployment and distribution.

Enabling these capabilities re- quires careful consideration of nu- merous factors that will influence the design, security, and interoperability of an enterprise ABAC solution. These

factors can be summarized around a set of activities:

› establish the business case for ABAC implementation;

› understand the operational requirements and overall ABAC enterprise architecture;

› establish or refine business pro- cesses to support ABAC;

› develop and acquire an interop- erable set of ABAC capabilities; and

› operate with efficient ABAC processing.

NIST SP 800-162 helps ABAC sys- tem planners, architects, managers, and implementers carry out these ac- tivities in four phases. The initiation phase includes building the business case for deploying ABAC capabilities; scalability, feasibility, and perfor- mance requirements; and developing operational requirements and archi- tecture. The acquisition/development phase includes business process gen- eration and deployment preparation,

system development and solution acquisition considerations, and other enterprise ABAC capabilities. The implementation/assessment phase in- cludes attribute caching, attribute source minimization, and ABAC in- terface specifications. Finally, the op- erations/maintenance phase includes availability of quality ABAC data.

ATTRIBUTE ASSURANCE The metadata of ABAC attributes communicate aspects that are im- portant for attribute standardiza- tion. By coupling a common set of mandatory and optional metadata with attribute assertions, ABAC sys- tems can query attribute information to make their own risk-based deci- sions, especially when delivered via a broker connected to many systems.

In general, attribute metadata fall into three categories:

› Accuracy establishes the policy and technical underpinnings for semantically and syntactically correct use of these attributes

TABLE 1. Level of attribute assurance (LOAA) mappings example.

LOAA Accuracy Integrity Availability

1 Attributes are properly verified for veracity through provision and management.

Secure attribute repository.

Secure communication between attribute providers (APs) and relying parties (RPs).

Attribute refresh frequency meets the system performance requirement.

2 Includes level 1.

Documented rule or standards for attribute value assignment and definition (syntax and semantic rule).

Includes level 1.

Dedicated attribute repositories.

Includes level 1.

Attribute caching during runtime meets the system performance requirement.

3 Includes level 2.

Attributes cover all of the organization’s protection policy requirements (semantically complete).

Includes level 2.

Encrypted attribute values and communications between APs and RPs.

Includes level 2.

Failover or backup attributes support.

4 Includes Level 3.

Attributes under federated or unified governance.

Includes level 3.

Formal rules or policy (or standards) for create, update, modify, and delete attributes.

Includes level 3.

Log for attribute changes and access.

r2sec.indd 87 1/22/15 5:25 PMAuthorized licensed use limited to: University of Canberra. Downloaded on September 03,2021 at 10:50:52 UTC from IEEE Xplore. Restrictions apply.

88 C O M P U T E R W W W . C O M P U T E R . O R G / C O M P U T E R

SECURITY

and environmental conditions, and ensures that the reported attributes are trustworthy, based on the trust established in the measurement and reporting processes.

› Integrity considers different standards and protocols used for secure sharing of attributes be- tween systems in order to avoid compromising the integrity and confidentiality of the attributes or exposing vulnerabilities in at- tribute provider (AP) or relying party (RP) systems or entities.

› Availability ensures that the up- date and retrieval of attributes support the RP. In addition, attribute repositories’ failover and backup capability must be considered. Note that some attri- butes might change regularly or over time.

An AP is any person or system that provides subject, object (or resource), or environmental condition attributes regardless of transmission method. The AP could be the original authori- tative source or receiving information from an authoritative source for re- packing and storing-and-forwarding to the ABAC system. Attribute values can be human generated (for example, an employee database) or derived from formulas (for example, a credit score). Regardless of the attribute source, the system should ensure that the attri- bute value received from an AP is ac- curately associated with the subject,

object, or environmental condition to which it applies.2 Table 1 illustrates example levels of attribute assurance (LOAA) based on the accuracy, integ- rity, and availability properties.

A ttribute-based access control is a flexible approach that can implement AC policies limited

only by the computational language and the richness of the available at- tributes. This flexibility enables the greatest breadth of subjects to ac- cess the greatest breadth of objects without specifying individual rela- tionships between each subject and each object, making ABAC ideal for many distributed or rapidly changing environments.

ABAC has the potential to dramat- ically improve AC in modern appli- cations such as e-commerce and the Internet of Things. In the meantime, a consensus definition of ABAC is needed, and work remains to be done in assuring attribute accuracy and re- liability. For more information on on- going efforts, see http://csrc.nist.gov /projects/abac/index.html.

REFERENCES 1. V.C. Hu et al., Guide to Attribute Based

Access Control (ABAC) Definition and Considerations, NIST Special Pub- lication 800-162, Nat’l Institute of Standards and Technology, Jan. 2014; http://nvlpubs.nist.gov/nistpubs /specialpublications/NIST.sp.800 -162.pdf.

2. V.C. Hu, D.F. Ferraiolo, and D.R. Kuhn, Assessment of Access Control Systems, NIST Interagency Report 7316, Nat’l Institute of Standards and Technol- ogy, Mar. 2006; http://csrc.nist.gov /publications/nistir/7316/NISTIR -7316.pdf.

3. Avatier Corp., “Leveraging Today’s Megatrends to Drive the Future of Identity Management,” video presen- tation, Gartner Identity and Access Management (IAM) Summit, 2012; www.avatier.com/products /identity-management/resources /gartner-iam-2020-predictions.

4. D.R. Kuhn, E.J. Coyne, and T.R. Weil, “Adding Attributes to Role Based Access Control,” Computer, vol. 43, no. 6, 2010, pp. 79–81.

VINCENT C. HU is a computer scien- tist in the Computer Security Division at the National Institute of Standards and Technology. Contact him at vhu@ nist.gov.

D. RICHARD KUHN is a project leader and computer scientist in the Computer Security Division at the National Institute of Standards and Technology. Contact him at kuhn@ nist.gov.

DAVID F. FERRAIOLO is a computer scientist and manages the Secure Systems and Applications Group in the Computer Security Division at the National Institute of Standards and Technology. Contact him at dferraiolo@nist.gov.

IEEE Internet Computing reports emerging tools, technologies, and applications implemented through the Internet to support a worldwide computing environment.

For submission information and author guidelines, please visit www.computer.org/internet/author.htm

Engineering and Applying the Internet

r2sec.indd 88 1/22/15 5:25 PMAuthorized licensed use limited to: University of Canberra. Downloaded on September 03,2021 at 10:50:52 UTC from IEEE Xplore. Restrictions apply.

Readings/Best Practices, Procedures and Methods for Access Control Management.pdf

Best Practices, Procedures and Methods for Access Control Management

Michael Haythorn

July 13, 2013

1

Table of Contents

Abstract ........................................................................................................................................................ 2

What is Access? ................................................................................................................................. 3

Access Control .................................................................................................................................. 3

Identification .................................................................................................................................... 3

Authentication ................................................................................................................................. 4

Authorization ................................................................................................................................ 4-5

Accountability .................................................................................................................................. 5

Put it All Together ......................................................................................................................... 5-6

Industry Standards and Best Practices ................................................................................................ 7

ISO/IEC 27002 .................................................................................................................................. 7

Requirements for Access Control .................................................................................................... 7

NIST 800-53(A) ................................................................................................................................. 7

Access Control Models ....................................................................................................................... 8

Least Privilege .................................................................................................................................. 8

Separation of Duties ........................................................................................................................ 8

Job Rotation ..................................................................................................................................... 9

Mandatory Access Control ............................................................................................................... 9

Discretionary Access Control ...................................................................................................... 9-10

Role Based Access Control ............................................................................................................. 10

Rule Based Access Control ............................................................................................................. 11

Integrated Approach ...................................................................................................................... 11

Case Studies .................................................................................................................................... 12

Case Study 1: Government/Military .............................................................................................. 12

Case Study 2: Large Financial Company .................................................................................... 12-13

Case Study 3: Small Internet Sales Company ................................................................................. 13

Closing ............................................................................................................................................. 14

References ....................................................................................................................................... 15

2

Abstract Controlling access to information and information systems is a fundamental responsibility of information security professionals. The basic need to consume data creates a requirement to provide control over the access necessary to use that data. It is this subject-object interaction that introduces risk that must be mitigated through methodological policy creation and enforcement. Access controls are managed through the provision of rules to grant/deny subjects who intend to access certain objects. These rules can be defined and enforced through a number of means to create a manageable layered control process. The overarching goal of access control is to facilitate the mitigation of risk to the object. In order to access data, multiple layers must be passed through including identification, authentication, and authorization. Actions of subjects must be monitored, creating accountability. Depending on the requirement for policy enforcement and level of sensitivity of the data to be protected, there are multiple methods that can be implemented to control access. The principle of least privilege, separation of duties, job rotation, mandatory access control, discretionary access control, role based access control and rule based access controls are most commonly used. In addition, industry standards have been established both by government and private entities to identify best practices. ISO/IEC 27002 standard outlines the management of access control policy and enforcement. The government created standard NIST 800-53 and 800-53(A) identifies methods to control access by utilizing various models depending on the circumstances of the need.

3

1 What is Access? The necessity of control is created by the need for access. Access is essentially the ability of the subject and the object to interact. In the terms for this paper, all access is logical, meaning that it exists on a system and is typically a file, folder, program, system or process. The request for access is initiated by the subject and is necessary in all information systems circumstances. 1.1 Access Control Access control is essential where there is sensitive data to protect or privileged actions to be performed. In order to control the use of these functions, there must be a way to limit access. Without this control there would be no ability to prevent unauthorized access to privileged data inside a system. Imagine if any employee working for a soft drink company were able to see the secret formula or if all employees working for large private financial company were able to see the salary of their coworkers. These situations would cause company collapse or employee mutiny because not all data is intended for everyone. Thankfully there is access control in place to prevent the situations above. By using the proper means to control who accesses data, along with when and where it is accessible this data can be protected in order to maintain a competitive advantage, or establish a level of division required for an entity to survive. 1.2 Identification Identification describes a method of ensuring that the subject is in fact who they claim to be. An identity can be assigned to a user a user, program, or process and is used by the system to associate the subject with the identity stored on the system. An example of identification is a user name for a user who is accessing a desktop through a log in screen. In this case the user name is unique to that user and is required for access to be granted. For the purpose of accessing a system or process, the identifier does not need to be unique to a user, but can be generic. The only requirement is that this identity be linked to the process or program on the system so that it can be identified. Diagram 1.1 shows a typical identification request where the system is asking the subject to provide a user name that it will use to associate with a profile stored on the system:

4

1.3 Authentication Identification is half of the typical login process. The next step is authentication where a user, program or process must provide some type of password, passphrase, token, biometric, or key that is matched to the user name and matched to the credential stored on the system or on the network that is being accessed. Once authentication is passed, access is granted or denied to the system based on the information provided. For example, a UNIX user provides a user name and password to log into a UNIX system. The user is only authenticated at this stage yet still does not have access to perform and functions on the system. Diagram 1.2 shows a typical authentication request on a UNIX System where once the user name “root” is provided the system requests the password that is associated with the identifier:

1.4 Authorization The next piece is the authorization of access that is granted to that user, program or process. This control either allows or denies action based on rules that are defined inside the system pertaining to that subject. Rules are defined in many ways and can be based on request, time, location, group, etc. An example of authorization is a subject requesting access to a network shared drive. In this example the subject has successfully identified themselves and authenticated to the system. Their attempt to connect to the shared drive must also be authorized by some control that will grant them this additional access. If the user is granted the access they will be able to connect to the shared drive. If the user does not have the necessary authorization to connect they will be denied access. Authorization is where access control is established and can be implemented at both the macro and micro level depending on the sensitivity of the data and the policy being enforced.

5

Diagram 1.2 displays the process of identification, authentication and authorization through the use of a flow chart that can grant or deny access based on the information given and the rules it has been supplied:

1.5 Accountability Finally in order to enforce the misuse of policy once access has been granted, or prevent repeated malicious access attempts there must be some form of accountability. Accountability can use various methods to record or capture events for additional review. This event log can include every access request, both positive and negative, subject login times and locations, subject actions upon login, etc. This information is stored and can be used for investigative purposes or for reporting of usage statistics for audit. Accountability is essential to be able to provide proof of action and without this piece it would much more difficult to reduce risk associated with the access that has been granted in the earlier stages. 1.6 Put it All Together Requiring the subject to provide Identification, authentication and authorization as well as holding them accountable for their actions allows the integrity of the object to be maintained at a much higher level of confidence. As we have seen in the examples above, identity, authentication and authorization are required in conjunction before an object can be accessed. There are cases where a user may be able to identify themselves, authenticate but may not be authorized to perform an action beyond that. On the other hand a user may be authorized to access a resource, but is unable to identify themselves with a

6

proper user name. The same is true for a password credential, a user may have proper identification information but is unable to authenticate because the password the have supplied is either wrong or expired. In order for the subject to access the object each of these pieces must be present and accessible.

7

2 Industry Standards and Best Practices In order to identify industry best practices and standardize access control principles there must be an entity or entities who are responsible for this role. In the case of access control standards, there are two main groups focused on these best practices. 2.1 ISO/IEC 27002 ISO/IEC 27002 is an information security standard that is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This standard specifically defines access control and how access should be managed by information security personnel. Access control is included as a section within this standard to define the best practices to suitably control logical access to network resources, applications, functions and data. “The control objectives and controls in ISO/IEC 27002:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 27002:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.” [1] 2.1 Requirements for Access Control Key highlights of this standard include the business requirements for access control, user access management, responsibilities and definitions and best practices of the different types of access. The standard includes multiple detailed sections aimed at outlining access control for organizations so that they can implement these best practices in the most effective manner. 2.2 NIST 800-53(A) After the Federal Information Security Management Act (FISMA) was passed in 2002 a statutory provision to ensure that agencies comply with mandatory processing standards. The National Institute of Standards (NIST) is the technology measurement and standards department was asked to develop standards and guidelines for the federal government. The NIST handbook is similar in information covered to the ISO/IEC 27002 but since it is tied to the governmental practices is goes into significantly more detail related to security controls and assessing the adequacy of the controls. NIST 800-53 addresses multiples aspects of access, including management, technical and operational roles. [2]

8

3 Access Control Models The standards and best practices from above can be used in a practical means through several different methods and models that are deemed appropriate depending on what type of security a company wants to maintain. There are many models available to use as a template for access control, but the most commonly referenced methods include least privilege, separation of duties, job rotation, mandatory access control, discretionary access control, role based access control and rule based access control. In this section we will go into greater detail about these models and their usage. 3.1 Least Privilege The principle of least privilege is simple, no user should have any access above what is required to perform their tasks at any given time. This approach, when put into practice in its simplest form is both difficult to experience from an end user perspective and difficult to manage from an administrative perspective. In many cases users do not know what access they would need to perform their tasks and without extensive knowledge of the environment, the team provisioning the access may not know what access they need either. This method of access control does not scale well and can be prohibitively expensive and difficult to implement and maintain. Because of that, generally when this principle is used, it is used in conjunction with another approach. 3.2 Separation of Duties The method of separation of duties states that no one person be able to handle a transaction from beginning to end. This method addresses fault or fraud by preventing someone from maliciously or accidentally initiating and completing a transaction without an additional layer of input. This method reduces the likelihood of fraud by introducing multiple variables into the process. A line of segregation is established by creating different layers of responsibility and ability to perform these transactions. This method is much like an assembly line where no single worker completely builds the finished product from start to finish. Instead each worker has their assigned task that contributes to the final product but does not create it. Diagram 3.1 displays this method using the assembly line example to show that no one user can complete a transaction from beginning to end:

9

3.3 Job Rotation The concept of job rotation is similar to separation of duties where no one person has the ability to complete a transaction, except in this case a time limit is introduced. Job rotation requires that individuals change their roles and thus the functions they can perform at regular intervals. This rotation is to prevent exploiting a process or situation for an extended period of time. This method of access control is not typically used without the addition of another method. This method is frequently employed and has introduced several possible benefits including an increased diversity of skill and experience as well an increased job satisfaction through job change. 3.4 Mandatory Access Control Mandatory access control or MAC is based on subject and object access level and is frequently employed in federal government and military instances. The basic principle of mandatory access control involves a central authority identifying subject’s and object’s appropriate access level. Subjects inherit the access to the objects at their same level. There is no access granted above their level. In some cases this method is also applied to prevent access below a subject’s level as well. This method of access control is a high security and requires a great detail of management overhead because each object must be assigned a label which will then allow or deny access to subjects depending on the level assigned. It is important to note that mandatory access control is a non-discretionary method, meaning that a user is not able to change the permissions on any object, including objects they own. Permission assignments must be performed by the central authority that is responsible for maintenance of the access control system. [3] Diagram 3.2 displays the concept of mandatory access control where there is a distinct division between levels of access:

3.5 Discretionary Access Control Discretionary access control or DAC uses the discretion of the subject to control access. DAC uses the permissions assigned by the owners of the objects to grant or deny access. This model distributes the load of access control to the subjects which removes the need for a central authority. This method is less secure than a non-discretionary access control method due to the lack of centralized authority. Decisions of access appropriateness are made by the subjects themselves and can frequently introduce risk. This method is common in small to medium sized organizations due to the reduction in overhead thus reducing cost and time necessary to implement access controls.

10

Diagram 3.3 displays a user granting access to an object that they own based on their own discretion:

3.6 Role Based Access Control Role based access control or RBAC requires a central authority to determine the access that will be granted to the role. Access is grouped by role across an organization and users can be in multiple groups depending on their role. No access is provided outside of access that is granted inside of the role. This practice frequently leads to providing more access than is required to complete necessary tasks. Typically, role based access control is part of a multi-level access system, like in the case of a commercial entity where there are distinct levels between necessary job roles. Role based access control is similar to discretionary access control in that the privileges are associated with the role of the subject and not controlled by a central authority. Once a role is achieved all access is automatically granted to that user for that role. Diagram 3.4 displays how roles can be divided in an organization to allow users of the same title to access the same resources:

3.7 Rule Based Access Control

11

Rule based access control (also known as RBAC) uses a set of rules provisioned to subjects defined by a central authority. This method of access control is non-discretionary and can be extremely granular depending on the sensitivity of the data. Rules can be defined inside of access control lists for user access to each object. Since all permissions are controlled by a single authority, the overhead can be similar to mandatory access control. Rule based access control can also be used to permit access during a certain period of time, or could require a subject to invoke access each time they intend to use it. Diagram 3.5 shows how a central authority can define rules for subject access to objects:

3.8 Integrated Approach Although one method identified above can be used as an access control solution, this is not typically the case. Most organizations will choose to use a combination of these methods as they are needed based on the requirement of the organization. Using an integrated approach allows companies to base access control on their own standards and needs. For example, a company might use role based access control for anyone with the title of database administrator, but may also use rule based access control to grant exception access beyond what is granted through the role. Additionally, a company may use a combination of rule based access control and least privilege access, where users are granted access to the objects they require only for the period of time they require them. Once access is invoked the ability to access the object only lasts for a period of time until it is automatically removed to prevent improper use.

12

4 Case Studies In order to understand how these access control methods are applied it is best to relate real world scenarios that can be applied to the concepts introduced in a best practice. The following section will exemplify three cases where a combination of methods are used to create a security policy that is suited for the situation. 4.1 Case Study 1: Government/Military In this example we will use the United States Military as the organization, but these principles can be applied broadly across governmental entities due to the relation of privilege groups. Military organizations have a defined range of classification levels that a central authority is responsible for assigning. This non-discretionary access method is the most demanding, but is necessary given the sensitivity of the data. These classifications include top secret, secret, confidential, restricted and unclassified. Starting at the bottom, unclassified data has been made available to the public, and top secret data is only available to the subjects who have the proper clearance, or access. This military access control method follows the mandatory access control model, which prevents subjects and objects from reading above and in some cases writing below the access level granted. An engineer with a confidential level clearance is not able to read data above the confidential classification and a subject with a restricted level clearance is not able to write data that is unclassified. The objective of this mandatory access control is to first identify what type of data or object you have and then allow subjects with that equal access to use it. This type of access control requires a central authority to make the decisions about the classification of the subjects as well as classification of the objects. There is no discretion given to the subjects because they may not make the right decision about the access level, even with data they create. This type of access control method is extremely time consuming, expensive and has a high level of overhead to maintain, but it is necessary in order to keep the most sensitive data secure from individuals who should not have access to it. 4.2 Case Study 2: Large Financial Company In this example, we introduce a large financial company with extremely sensitive personal customer data to protect. This company does not have the same security levels defined as the military organization from the example above. Instead of the use of mandatory access control, the financial company will use an integrated approach combining methods based on the type of access and the user that will access it. The most common approach will be based on the role of the subject. Multiple rules will be defined for a single role, and a user is only allowed to be in one role at a time. On top of this access, subjects will be granted exception or rule based access to objects that are required beyond their role. This type of access is necessary to prevent subjects from gaining unnecessary access from a role and maintains this exception access through a central authority. In order to be added to a role and then given rule exception access subjects must be granted this approval by the custodians or owners of the role and applications inside of rules. This prevents users from granting access to themselves and provides an audit trail that access was approved based on a defined business justification for each user.

13

The most privileged access in this large financial company is write access on a trading platform, so this access is managed through a special type of rule based access control that uses the concept of least privilege. Users must invoke their access to these functions only when they need them. Once the access is invoked, the functions are available to them, but they have a limited of time (usually less than 24 hours) to perform their required actions before the access is lost. Financial companies have a wide range of subjects and objects which is why a centrally managed administration authority is essential to enforcing the policy and mitigating risk to the firm. Users in this instance also play a key role because they are the most knowledgeable about what they need to perform their duties, and any access above this function must be removed. 4.3 Case Study 3: Small Internet Sales Company The final case study involves less sensitive data and is a typical scenario for most small businesses like an internet sales company. For this example the company has a sales and marketing department, human resources, and a technology department. Each department has data that should not be available to the other groups, but the company lacks the time and money required to centralize the authority of access to this data. Discretionary access allows the subjects to assign the privileges to the objects they own and maintain. A human resources analyst who holds the salary information of all employees will make this document only available to those in her department because of the sensitivity of the data. This is done using a Windows access control rule that allows only a certain number of employees to access this data. Similarly the sales manager who has access to company sales statistics and records does not share this data with anyone but those who are authorized to see it. In some cases, data can move between groups especially in the example of a technology engineer who owns a database that houses the employee directory. This data is accessible to everyone because it is something everyone needs. DAC has very low overhead in this situation and the responsibility is on the subjects to maintain access control. The risk is higher in this type of example for that reason, but small companies take this type of risk because is necessary to avoid the cost of another more involved solution.

14

5 Closing Managing access control can be approached in different ways. But in the end, in order for the system to function effectively at its most basic level, a subject must have access to an object in order to perform its required task. Controlling this access based on a predefined rule is essential to mitigate risk of the object being unprotected. In order to achieve this function, the subject must first properly identify itself, adequately authenticate to the system and then be appropriately authorized to perform the action it is requesting. In most cases this is done though an integrated process created based on the need of the entity responsible for the objects. Without the methods, there would be no reason to control access because there would be no system at all.

15

6 References

[1] Disterer. (2013). Iso/iec 27000, 27001 and 27002 for information security management. Journal of

Information Security, 4(92-100)

[2] Locke. (2009). Recommended security controls for federal information systems and organizations.

3(800-53)

[3] Osborn. (n.d.). Mandatory access control and role-based access control revisited. 31-40.

Ballad, B. (2010). Access control, authentication, and public key infrastructure. (pp. 238-264). Sudbury,

MA: Jones & Bartlett Learning.

Cascarino, R. (2012). Auditor's guide to it auditing, second edition. Hoboken, NJ: John Wiley & Sons Inc.

Dubrawsky, I. (2009). Eleventh hour security. (pp. 92-101). Burlington, MA: Elsevier Inc.

Ferraiolo, D., Cugini, J., & Kuhn, R. (n.d.). Retrieved from

http://csrc.nist.gov/groups/SNS/rbac/documents/ferraiolo-cugini-kuhn-95.pdf

NIST. (n.d.). Retrieved from website: http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf

Seidl, D. (2013). Comptia security training kit. (pp. 380-386). Sebastopo, CAl: O'Reilly Media, Inc.

Techotopia.com. (n.d.). Retrieved from

http://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Cont

rol

Readings/understanding ABCA-heathcare.pdf

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/339209000

Understanding Attribute-Based Access Control for Modelling and Analysing

Healthcare Professionals' Security Practices

Article  in  International Journal of Advanced Computer Science and Applications · March 2020

DOI: 10.14569/IJACSA.2020.0110286

CITATIONS

3 READS

471

4 authors:

Some of the authors of this publication are also working on these related projects:

INTRICATE-SEC 2017 (https://a9cd724a8d9a1a45152060b49dda0b28a41e78bd.googledrive.com/host/0Bz5sP2wYmG3HZTRsbndvWjJlN1k/public_html/index.html) View

project

Formal Methods for Modelling Cyber-Physical Systems and Other Approaches for Enhancing Critical Infrastructure Protection View project

Livinus Obiora Nweke

Norwegian University of Science and Technology

22 PUBLICATIONS   47 CITATIONS   

SEE PROFILE

Prosper Yeng

Norwegian University of Science and Technology

29 PUBLICATIONS   47 CITATIONS   

SEE PROFILE

Stephen Wolthusen

Royal Holloway, University of London

214 PUBLICATIONS   1,766 CITATIONS   

SEE PROFILE

Bian Yang

Norwegian University of Science and Technology

115 PUBLICATIONS   1,676 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Livinus Obiora Nweke on 20 February 2020.

The user has requested enhancement of the downloaded file.

(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 2, February 2020

Understanding Attribute-Based Access Control for Modelling and Analysing Healthcare Professionals’

Security Practices

Livinus Obiora Nweke Information Security and Communication Technology

Norwegian University of Science and Technology (NTNU) Gjøvik, Norway

Prosper Yeng Information Security and Communication Technology

Norwegian University of Science and Technology (NTNU) Gjøvik, Norway

Stephen D. Wolthusen School of Mathematics and Information Security

Royal Holloway, University of London Egham, United Kingdom

Information Security and Communication and Technology Norwegain University of Science and Technology (NTNU)

Gjøvik, Norway

Bian Yang Information Security and Communication Technology

Norwegian University of Science and Technology (NTNU) Gjøvik, Norway

Abstract—In recent years, there has been an increase in the application of attribute-based access control (ABAC) in electronic health (e-health) systems. E-health systems are used to store a patient’s electronic version of medical records. These records are usually classified according to their usage i.e., electronic health record (EHR) and personal health record (PHR). EHRs are electronic medical records held by the healthcare providers, while PHRs are electronic medical records held by the patients themselves. Both EHRs and PHRs are critical assets that require access control mechanism to regulate the manner in which they are accessed. ABAC has demonstrated to be an efficient and effective approach for providing fine grained access control to these critical assets. In this paper, we conduct a survey of the existing literature on the application of ABAC in e-health systems to understand the suitability of ABAC for e-health systems and the possibility of using ABAC access logs for observing, modelling and analysing security practices of healthcare professionals. We categorize the existing works according to the application of ABAC in PHR and EHR. We then present a discussion on the lessons learned and outline future challenges. This can serve as a basis for selecting and further advancing the use of ABAC in e-health systems.

Keywords—Attribute-Based Access Control (ABAC); E-health Systems; Personal Health Record (PHR); Electronic Health Record (EHR)

I. INTRODUCTION

There has been a growing interest in the application of ABAC in e-health systems. This is evident by the increasing number of publications and on-going research activities in that direction. According to Gartner report [1] it is predicted that 70% of enterprises will adopt ABAC mechanism as the most dominant access control mechanism for the protection of critical assets. In the healthcare industry, e-health systems interact with critical assets like electronic medical records, and ABAC has been shown to offer a promising approach to securing these critical assets.

Traditionally, medical records are paper-based but tremen- dous progresses in information and communication technology have led to a shift from paper-based medical records to electronic version of the medical records. Like the traditional paper-based medical record, electronic version of the medical record is a collection of medical history of an individual. However, unlike the traditional paper-based medical records, the electronic version is stored in electronic format following the required standards.

The electronic version of medical records is usually clas- sified according to their usage i.e., electronic health record (EHR) and personal health record (PHR). Whilst EHRs are electronic medical records of an individual held by the health- care providers; PHRs are referred to as electronic medical records of an individual held by the individual themselves. Although EHRs can be shared across different healthcare providers, PHRs have shown to be an effective approach for individuals to share their electronic medical records with different healthcare providers, family and friends.

Sharing of electronic medical records raises security and privacy concerns for both EHR and PHR. For EHR, healthcare providers are required by regulatory bodies to ensure that the security and privacy of the electronic medical records are maintained. In the case of PHR, an individual would want to ensure that only authorized entities have access to their electronic medical records. Several approaches have been proposed to address the security and privacy concerns raised by EHR and PHR. The approach that have received wide-spread acceptance is ABAC.

ABAC aims to provide fine-grained access to a resource or an object based on the attributes of the subject and that of the object; in addition to the environmental conditions. A subject refers to an entity such as a person, process or device that wishes to access a resource or an object. A resource or an

www.ijacsa.thesai.org 1 | P a g e

(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 2, February 2020

object is a system-related entity containing information such as records, that a subject desires to access. The environmental conditions are the operational contexts such as the time and location of access. Hence, in ABAC, the attributes of the subject and the requested object as well as the environmental condition determines the set of operations that can be executed on the requested object.

A wide range of applications of ABAC in e-health systems have been proposed in the literature and examined in individual studies. However, a comprehensive survey of these techniques that can serve as a basis for selecting and further advancing the use of ABAC in e-health systems is still missing in the literature. Abbbas and Khan in [2] presented a review on the state of the art in privacy preserving techniques for e-health cloud based systems. The authors in [3], [4] provided a survey on the security and privacy issues in e-health cloud based systems. To the best of our knowledge, there is no survey on the application of ABAC in e-health systems.

In this paper, we present a survey on the application of ABAC in e-health systems. We categorize the different applications of ABAC in e-health systems according to those use in PHR and those apply in EHR. We present a comparison of the different approaches employ in the existing works. Then, using some of the key features of the existing approaches, we present a discussion on their differences. Also, we describe the lessons learned from the survey and outline future challenge. Lastly, the concept of modelling and analysing healthcare professionals’ security practices is discussed.

The rest of this paper is organised as follows. Section II presents an overview of the security and privacy require- ments for e-health systems. Also, the dominant access control mechanisms deploy in e-health systems are explored, and the justification for wide-spread acceptance of ABAC in e-health systems is described. Section III presents a literature survey of the existing works on the application of ABAC in e-health systems. Section IV discusses the lessons learned from the survey and outline future challenge. In addition a discussion on modelling and analysing healthcare professionals’ security practices is presented. Section V concludes the paper.

II. BACKGROUND

In this section, we provide an overview of the security and privacy requirements for e-health systems. We also examine the commonly used access control measures for e-health sys- tems and why ABAC mechanism is the most preferred access control mechanism for e-health systems.

A. Requirements of E-Health Systems

Several standards and laws have been proposed to specify the security and privacy requirements for e-health systems. The most popular of these standards and laws is the American standard health insurance portability and accountability act (HIPAA) [5]. HIPAA is mainly concern about the privacy and security of patient health information (PHI). With the migra- tion of PHI from paper-based to electronic format, HIPAA was upgraded to health information technology for economic and clinical health (HITECH) to address privacy and security concerns posed by such migration.

HIPAA is applicable to all types of Covered Entity or Busi- ness Associate that processes PHI. Covered Entity is a health care provider, a health plan or a health care clearing house who, in its normal activities, creates, maintains or transmits PHI [5]. Business Associate is a person or business that provide a service - or performs certain function or activity for - a covered entity when that service, function or activity involves the business associate having access to PHI maintained by the covered entity [5]. Usually, a business associate is required to sign business associate agreement with the Covered Entity stating what PHI they can access, how it would be used and that it will be returned or destroyed once the task it is needed for is completed [5]. Also, while the PHI is in the custody of the business associate, the business associate has the same HIPAA compliance obligations as a Covered Entity.

The two types of rules specified by HIPAA are the privacy rule and security rule. The privacy rule protects all PHI held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral [5]. Under the security rule, covered entities are required to evaluate risks and vulnerabilities in their environments and to implement security controls to address those risks and vulnerabilities [6]. There are three parts to the security rule: administrative safeguards, which is in the form of policies and procedures that brings the privacy rule and security rule together; technical safeguards refer to the technology that is used to protect PHI and provide access to the data; and physical safeguards, which has to do with physical access to PHI regardless of its location [6].

An international standard that defines the requirements for e-health systems is the ISO/IEC 27799 [7]. The ISO/IEC 27799 provides special recommendations on security needs in the healthcare sector, taking into account the unique nature of its operating environment. It applies ISO/IEC 27002 to the healthcare domain with appropriate security controls towards enhancing the protection of PHI. The development of ISO/IEC 27799 took into consideration, personal data protection leg- islations, privacy and security best practices, individual and organizational accountability, meeting the security needs iden- tified in common healthcare situations, and operating electronic health information systems in an adequately secured healthcare environment. Also, ISO/IEC 27799 aims to protect information such as PHI, pseudonymized data derived from PHI, clinical or medical knowledge related or not related to any patient, data on health professionals, staff and volunteers, audit trail data produced by health information systems, including access control data and other security related system configuration data, for health information systems.

Other important standards for e-health systems include OpenEHR [8], the health level 7 clinical document architecture (CDA) [9], and the continuity of care document (CCD) [9]. The OpenEHR is an open standard that specifies the man- agement and storage, retrieval and exchange of health data in EHRs. Also, openEHR defines specifications for clinical information models, EHR Extracts, demographics, data types and various kinds of service interfaces [8]. The HL7 CDA is a document markup standard that specifies the structure and semantics of clinical documents for the purpose of fa- cilitating exchange between healthcare providers and patients [9]. A clinical document is defined by HL7 CDA as having the following features: persistence, stewardship, potential for

www.ijacsa.thesai.org 2 | P a g e

(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 2, February 2020

authentication, context, wholeness, and human readability [9]. And CCD is a joint effort of HL7 International and American society for testing and materials (ASTM) to enable interop- erability of clinical data [9]. It allows physicians to send electronic medical information to other providers without loss of meaning and as such, improves the overall patient care.

In general, the requirements that are of interest to this survey are the recommended technical safeguards for e-health systems. These technical safeguards aim to provide secure, reliable, access to PHR or EHR; where and when it is requested. The requirements include the following [5]:

• Implement a means of access control

• Introduce a mechanism to authenticate PHR and EHR

• Implement tools for encryption and decryption

• Introduce activity logs and audit controls

B. Access Control Mechanisms

One of the security controls necessary to meet the security and privacy requirements for e-health systems is the imple- mentation of access control mechanisms. These are measures that can be used to regulate access to a given resource. Earlier implementation of access control mechanisms in e- health systems employ role-based access control (RBAC) [2]. RBAC restricts access to a resource based on the user’s role. The use of a role based access control suffers some drawbacks as the definition of roles is static and it lacks flexibility and responsiveness. Every user needs to be enrolled in advance in the system. For example, in an emergency situation where the patient is outside the local domain where the patient health information held, a doctor not registered within the local domain of the patient will not be able to access the patient’s health information. Therefore, the efficacy of role-based access control is limited because it cannot handle situations where unregistered personnel requires access to the system as in the case of emergency that we described.

Emergency access such as self-authorization and break the glass (BTG) are basic requirements in healthcare systems. Self- authorization is a provision in the access control mechanism that allows healthcare professionals to access the minimum and necessary healthcare records for therapeutic purposes during emergency situations. Similarly, BTG mechanism is used when conventional access control mechanisms are inadequate to access minimum and necessary healthcare information for ther- apeutic measures [10], [11]. Considering that RBAC policies rely on permissions that does not often change [12], installing emergency access mechanisms on static roles may pose a high security threat. For instance, an adversary who might have unlawfully acquired health professionals’ credentials under RBAC, could easily compromise healthcare records by using the emergency access control windows since there are no other control variables to authentic the accesses of the malicious user.

A flexible access control mechanism that provides fine grained access control to a resource is ABAC. Like RBAC, ABAC employs a policy driven approach. However, in ABAC, access to a resource is granted based on the attributes of the subjects and the objects together with the environmental

attributes. This eliminates the need of having to register a user into the system before providing access; instead, access is granted based on the attributes of the user and that of the requested resource. Thus, ABAC mechanisms would provide appropriate level of access to healthcare records even for any extraordinary actions that need to be taken during emergency situations.

For emergency situations, ABAC ensures that the authenti- cation mechanism of emergency accesses can be configured to include more control variables such as attributes of the user, environment and resources to reduce risk of privacy and security breaches. For instance, the resource and environmental attributes such as the patient status and location could indicate emergency care or intensive-care services. Hence, any accesses other than the specified attributes would be restricted, to reduce the risk of exploitation. Therefore, ABAC policies enables flexible configurations for users to override their conventional access restrictions in a controlled and justifiable manner in emergency access scenarios.

ABAC have shown to be an effective and efficient mech- anism for providing fine-grained access to PHRs and EHRs given the dynamic nature of today’s e-health environment. Also, it can be combined with different cryptographic schemes to provide secure and anonymous sharing of PHRs and EHRs among healthcare providers and patients. So many research efforts are on-going in developing appropriate ABAC model for e-health systems. The next section provides a survey of some of these efforts to further support the assertion that ABAC is a much better access control mechanism for e-health systems.

III. LITERATURE SURVEY

In this section, we present a survey of the existing liter- ature on the application of ABAC in e-health systems. We categorize the existing work according to the type of patient’s electronic version of medical records considered. Already we have observed that the electronic version of a patient health record is usually classified according to those held by the patient themselves (PHR) and those held by the healthcare providers (EHR). We use this understanding to present the different applications of ABAC in e-health systems.

A. Application of ABAC in Personal Health Record (PHR)

PHR offers a flexible and convenient way for storing and sharing a patient’s electronic version of medical records. It empowers the patients by giving them control over their medical record and deciding with whom to share those records. However, the current trend in the storage of PHR has shown that cloud platforms are very popular way of storing PHR. This raises questions of security and privacy of PHR as there have been wide spread concerns that PHR stored in the cloud may be exposed to unauthorized parties. Several approaches that use ABAC in PHR have been proposed in the literature to address these concerns.

A typical use case scenario of the application of ABAC in PHR is shown in Figure 1. Li et al [13] describe a unified fine-grained access control for PHR in cloud computing. In this system, the patient utilizes the cloud storage platform for storing the encrypted version their PHRs. The policy manager

www.ijacsa.thesai.org 3 | P a g e

(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 2, February 2020

facilitates the encryption of the patient’s PHRs. Also, the medical staff is able to download the encrypted PHRs from the cloud and use their private keys to decrypt the PHRs. A trusted attribute authority is used for all patients and medical staff to authenticate and verify their attributes.

Fig. 1. Use Case Scenario of ABAC in PHR [13]

One of the earliest approaches in the use of ABAC to provide security and privacy for PHR stored in the cloud is presented in [14]. The authors used a variant of attribute- based encryption (ABE) referred to as broadcast ciphertext policy ABE (bABE) which extends the functionality of ABE to include user revocation. An ABE uses a public key encryption system, where each user’s key is labelled with a set of attributes, and the ciphertext is linked with an access policy. The private key of the user can decrypt the ciphertext only if the attribute set of the user’s key matches the access policy associated with the ciphertext. Furthermore, the approach presented assumes trusted cloud provider and the use of a trusted authority to issue the relevant private keys.

Li et al in [15] propose a patient-centric framework and approach which exploits ABE techniques to provide fine- grained access control to PHR in cloud environment. In the proposed model, the system is divided into several security domains according to the different users’ data access require- ments. ABE is deployed to cryptographically enforce patient centric PHR access. In additional, the PHR is assumed to be stored on a semi-trusted service provider and the proposed framework supports access revocation. Another patient-centric cloud-based secured PHR system is presented in [16]. The proposed system enables secure storage of PHR data on a semi-trusted cloud service provider and allows the patient to selectively share their PHR data with wide range of users. The authors reduced key management complexity for both owners and users by dividing the users into two security domains, namely: public domain and personal domain. Also, they show that PHR owners can encrypt PHR data for the public domain using ciphertext-policy ABE scheme, while the PHR data for the personal domain can be encrypted using anonymous multi- receiver identity encryption scheme.

A fine-grained access of interactive, PHR, that extends a secure composite document format i.e., Publicly Posted Composite Documents (PPCD) is described in [17]. PPCD is a SQLite-based serialization which is developed for busi- ness workflows and is able to contain multiple documents of different sensitivity and formatting. The method proposed

in this work includes both the original PPCD-type and an additional new entry table to provide for password-based and private key access. The authors employ Password Key Derivation function as the privacy preserving technique and the method also supports access revocation. Ray et al in [18] apply attribute based access control for preserving the privacy of PHR. The authors show how the privacy of PHR can be expressed and enforced through the use of an attribute based access control supported by extensible access control markup language (XACML). In this paper, the XACML is used to model the different types of policies and expressing the patient’s privacy preference for subsequent enforcement by the attribute based access policies.

There are constraints imposed on cloud based PHR schemes that use ABE. An approach to address these con- straints is proposed in [19]. The method adopted in this work involves the use of multi-authority system architecture, unlike existing methods that utilize single trusted authority. In addition, a proxy re-encryption scheme is deployed to ensure that only authorized users are able to decrypt the required PHR files. A more recent work by Li et al [13] present a unified fine-grained access control for PHR in cloud environment. The proposed approach is able to store PHR for multiple patients. It consists of ABE layer and symmetric layer. Whilst the ABE layer facilitates a multi-privilege access control for PHR from multiple patients; in the symmetric layer, symmetric keys that match medical workers’ access privileges and the keys with higher privilege can override keys with lower privilege but not the other way around. Also, the authors use ciphertext policy ABE as the privacy preserving technique for the proposed method.

B. Application of ABAC in Electronic Health Record (EHR)

EHR is handled by healthcare providers and also, it pro- vides them with the opportunity of sharing those records among different healthcare providers. EHR is usually stored on-premise under the administrative control of the healthcare provider but recent trends have shown a gradual shift from on- premise storage of EHR to cloud. This further increases the risk of exposing EHR to unauthorized parties. However, ABAC has demonstrated to be a promising approach to mitigating the risk of exposing EHR to unauthorized parties. Different methods that employ ABAC in EHR have been discussed in existing works.

The system architecture as shown in Figure 2, depicts a use case scenario of the application of ABAC in EHR. Joshi et al [20] in this work provide users access to the system using Access Broker Unit. The Access Broker Unit consists of the organizational Knowledge Base, the Rule Based Engine and the Policy Unit. The Organization Knowledge Base stores all the details of the users in the form of an ontology - the EHR Ontology. The Policy Unit stores all the access policies. And the Rule Based Engine uses the user and document attributes from the ontology for implementing the access control policies. The authors use ABE for encryption, and the Key Generation Unit generates the private keys required for the ABE. Then, the encrypted data are stored in the cloud, which hosts, the EHR Ontology.

Pussewalage and Oleshchuk in [21] propose an ABAC scheme for secure sharing of EHR. The scheme uses selective

www.ijacsa.thesai.org 4 | P a g e

(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 2, February 2020

Fig. 2. Use Case Scenario of ABAC in EHR [20]

disclosure that meets the security requirement of EHR. An access requester supplies a valid set of attributes that satisfies the underlying policy of the requested object using attribute and private key commitments. The proposed approach is said to be collision resistant; such that it is impossible to collude attributes of more than one user to gain access to EHR. This is achieved by giving a unique identifier to every user and including it to every attribute key owned by the respective users. In addition, the proposed method supports on demand user revocation and it is applicable to on-premise storage platform.

Several standards have been developed to facilitate inter- operability of EHR. The most recent effort in that direction is the Fast Health Interoperability Resources (FHIR) [22], which specifies requirements for fast and efficient storage/retrieval of EHR. The authors in [23] exploit ABAC to create owner- centric methodology for granting access to EHR. They fo- cussed on FHIR and suggested ways to allow incremental and batch release of EHR stored using FHIR to any requesting party, based on access policies defined by the resource-owners.

Cloud based storage are currently being adopted by health- care providers for storing EHR. Joshi et al. in [20] develop an ABAC mechanism for cloud-based EHR that uses ABE to securely store EHR at field level. The developed system extracts the user and EHR filed attribute from a HIPAA complaint knowledge graph which facilitates easy querying and faster data access operation. Also, in [24] the authors propose ABAC which uses Hidden Vector Encryption system to encrypt EHR in cloud environment. The approach presented is able to protect EHR from insider attacks as EHR can only be view by those that are able to supply the appropriate attributes. Seol et al in [25] present a cloud-based EHR model that performs ABAC using XACML. The combination of XML encryption and XML digital signatures are used as security and privacy preserving technique.

There are situations where EHR is shared among different providers. It is possible for an adversary to infer the health condition of a patient by observing the frequency in which the EHR is accessed by a particular healthcare provider. This type of situation violates the privacy of the patient. The authors in [26] propose an efficient multi-show unlinkable access for collaborative e-health environment that exploits attribute- based credential scheme. They utilize anonymous attribute

credentials which ensure that users can anonymously prove the ownership of a set of attributes to a verifier and by so doing, obtain access to the protected resources. The method involves randomization of the users credential along with its signature before being disclosed to a verifier. Similarly, Micha- las and Weingarten in [27] describe the use of HealthShare, a secure approach for sharing EHR between multiple organiza- tions hosting patient’s data in different cloud environments. In the proposed method, a revocable key-policy ABE is used to ensure that access by a malicious or compromised user/organization can easily be revoked without generating new encryption keys.

IV. DISCUSSION

In this section, we present a comparison of the different approaches used in the existing works. We then use some of the key features of the existing approaches to present a discussion on their differences. Also, we describe the lessons learned from the survey and outline future challenge. Lastly, the concept of modelling and analysing healthcare professionals’ security practices is discussed.

A. Comparison of the Different Approaches

A detailed summary of the existing works on the applica- tion of ABAC in e-health systems that we have presented in this work is shown in Table I. Some of the key features of the existing approaches are employed to discuss the differences in the approaches. Also, we describe the lessons learned from the survey and outline future challenge.

1) Privacy Preserving Techniques: refer to approaches that may be exploited to provide confidentiality of PHR and EHR. It involves the encryption of the health data to be stored using cryptographic methodologies such that only an individual that possess the decryption key can have access to the health data. It can be observed from Table I that whilst the existing works employ different privacy preserving techniques, ABE and its variants appears to be the most popular approach.

ABE is a type of public key encryption where the private key and the ciphertext are related with a set of attributes or an access policy over the attributes of the users. There are two main variants of ABE, and they are: ciphertext-policy ABE [28] and key-policy ABE [29]. A combination of ciphertext with access policy specifying the attributes of legitimate users is employ in ciphertext-policy ABE, while key-policy ABE uses a set of attributes and private keys associated with the access policy to specify which ciphertexts the key holder can access. Li et al. in [13] argue that ciphertext-policy ABE is more flexible and appropriate for PHR than key-policy ABE in practice. This is evident from the summary in Table I as most application of ABAC in PHR use ciphertext-policy ABE for privacy protection.

Another privacy preserving technique that is used in the existing works is XACL. XAMCL defines a declarative fine- grained, ABAC control policy language which describes how to evaluate access requests according to rules stated in access policies [30]. The authors in [18] use XAMCL to show how a patient’s privacy preferences could be expressed and enforced in PHR. XAMCL is deploy in [23] as the privacy preserving technique for EHR. The authors utilize XAMCL for providing

www.ijacsa.thesai.org 5 | P a g e

(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 2, February 2020

TABLE I. SUMMARY OF EXISTING WORKS ON APPLICATION OF ABAC IN E-HEALTH SYSTEMS

Work Type of Health Record Considered

Privacy Preserving Technique

Access Revocation Storage Platform Used

Adversarial Model Assumption

[15] PHR ABE Supported Cloud Semi-trusted Service Provider

[16] PHR Ciphertext-Policy ABE

Not Specified Not Specified Semi-trusted Service Provider

[18] PHR XACML Not Specified Not Specified Not Specified [20] EHR Ciphertext-Policy

ABE Not Specified Cloud Not Specified

[27] EHR Key-Policy ABE Supported Cloud Trusted Service Provider

[25] EHR XACML with XML Encryption and XML Digital Signatures

Not Specified Cloud Not Specified

[13] PHR Ciphertext-Policy ABE

Not Specified Cloud Semi-trusted Service Provider

[17] PHR Password Key Derivation Function

Supported Cloud Not Specified

[26] EHR U-Prove Not Specified On-Premise Trusted Service Provider

[21] EHR Not Specified Supported On-Premise Trusted Service Provider

[24] EHR Hidden Vector En- cryption

Not Specified Cloud Not Specified

[19] PHR Proxy Re- encryption

Supported Cloud Semi-trusted Service Provider

[14] PHR Ciphertext-Policy ABE

Supported Cloud Trusted Service Provider

[23] EHR XACML Not Specified On-Premise Trusted Service Provider

fine-grained authorization and access to FHIR resources. Seol et al in [25] employ XACML with XML encryption and XML digital signatures as additional measure for ensuring that the privacy and security of EHR are preserved.

Other privacy preserving techniques used in the existing works surveyed include: the use of password key derivation function, U-Prove, hidden vector encryption and proxy re- encryption. Balinsky and Mohammad [17] use password key function to provide end-to-end encryption and show that it ensures no central authority is needed when accessing plaintext data or decryption keys. Authors in [26] argue that enforcing anonymously as well as multi-session unlinkable access for users in e-health is very pertinent. They use the standard U- prove credential scheme and formally prove its multi-show unlinkability property. The paper in [24] use hidden vector encryption to encrypt and embed access control policies within the encrypted data. This approach completely removes the need for two separate security controls. Also Pussewalage and Oleshchuk [19] apply a proxy re-encryption scheme to ensure that only authorized users are able to decrypt PHR files.

2) Access Revocation: is another important feature of the existing works surveyed. Although not all the works specified the presence of access revocation, it is an essential charac- teristic of ABAC in e-health as it enables the disabling of a user’s access to PHR or EHR. Several methods have been adopted in order to provide efficient access revocation. The authors in [15] implement access revocation by re-encrypting the ciphertexts and updating the users’ private keys. For the papers in [19], [21], the attribute authority is responsible for the access revocation process.

The remaining papers surveyed in this work adopted direct access revocation. The authors in [17] present direct access revocation where the owner of PHR can revoke access by re- encrypting and signing the PHR with a set of newly generated

keys. For the paper in [14], each user has a user-index which facilitates direct revocation of user access to an encrypted data. This eliminates the need for re-encrypting the data or refresh- ing the system parameters to implement access revocation. Also, Michalas and Weingarten [27] present an algorithm that EHR owner can use to revoke access for the unique key that is generated for a particular user. Like the approach in [14], the EHR owner does not have to decrypt and then re-encrypt file with a fresh key.

3) Storage Platform Used: refers to method used in storing the PHRs or EHRs. The traditional approach for EHRs has been on-premise, but recent trends have shown a gradual shift to cloud environment. This is due to flexibility and cost- effectiveness that cloud storage environment offers. In the case of PHRs, cloud storage has been the prevalent methodology for storage because it is infeasible for a single individual to bear the cost of setting up storage resources for storing PHRs. Hence, patients that would like to be responsible for their medical health records rely of cloud storage platforms for storing their health information.

4) Adversarial Model Assumption: has to do with the assumptions made by the different models about the nature of the storage platform used in storing PHRs and EHRs. These assumptions are necessary when developing formal proof that the proposed approach is feasible and meets all the legal and ethical requirements for storing PHRs and EHRs. The adver- sarial model assumption considered in most of the existing papers surveyed either assumes trusted service provider or semi-trusted provider. Although these are reasonable assump- tions, it would also be insightful to consider untrusted service providers. This would guarantee that the stringent privacy and security requirements for PHR and EHR are met.

5) Lessons Learned and Future Challenge: Indeed, e- health systems require a flexible and fine-grained access con-

www.ijacsa.thesai.org 6 | P a g e

(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 2, February 2020

trol mechanism for secured access to PHRs and EHRs. ABAC has shown to be an efficient and effective approach to meeting the security and privacy requirements of e-health systems. We have presented a survey of the different applications of ABAC in e-health systems. By classifying the existing works according to the types of health records considered, we are able to investigate what have been done so far in the literature.

We observe that there has been an increasing adoption of PHR for storing patient health records. This gives the patient greater control of their health record, allowing them to share it with different healthcare providers, family and friends. Also, we notice that ciphertext-policy ABE is the predominant privacy preserving technique used for PHR as it enables the patient to revoke access easily to any user they no longer want to have access to their PHR. In addition, cloud storage platform is used in all the surveyed works for storing PHR.

The storing of EHR as observed in this survey is shifting from the traditional on-premise to cloud environment. This can be attributed to the flexibility and cost-effectiveness of the cloud storage platform. Further, there is an increasing collaboration between different healthcare providers which have led to different approaches proposed for facilitating such collaborations without compromising the privacy of the patient.

All the survey works either assumes that the service provider is trusted or semi-trusted. In the future, approaches that consider untrusted service provides needs to be examined. Recent data breaches involving cloud providers and insider threats further buttress the need to investigate ABAC mech- anism for e-health systems that assumes untrusted service providers. Such stringent assumption would ensure that in the case that the third party providers are compromised, the privacy of the patient is still preserved.

B. Towards Modelling and Analysing Healthcare Profession- als’ Security Practices

Logging of healthcare professionals’ accesses is required in the code of conduct for healthcare and care service of Norway [31] and in most international standards for healthcare service. The purpose of logging and protecting the logs includes non- repudiation and investigations [32], [33]. Access logs can be analysed to improve data quality and integrity by detecting healthcare information errors and inconsistencies [32], [33]. For this reason, the Healthcare Security Practice Analysis, Modelling and Incentivization (HSPAMI) project was initiated to determine the metrics of healthcare professional’s security practices towards improving upon their conscious care be- haviour [34]. One of the major tasks of HSPAMI is to analyse healthcare professionals’ access logs towards improving their security behaviour [34].

Analysing RBAC logs may require a lot effort and re- sources to design the algorithm, for such analysis to be efficient and effective. This is because RBAC mechanisms emphasize only on the role attribute as a control variable for implementing the required protection mechanisms. Without considerable efforts and resources, a higher rate of outliers, false positives and false negative rates are likely to be recorded during the analysis. It is desirable to design the algorithm for the log analysis taking into consideration the environment attributes, the resource attributes and the attributes of the

objects in emergency access scenarios. For instance, the log analysis algorithm should be able to determine if the patient status was classified under emergency within the given period. Also, the location of the patient such as the type of hospital ward could support in decision making. Thus, if the patient was admitted in the intensive-care unit (ICU) or emergency ward, the environmental attributes could provide such knowledge. Since RBAC does not include these control variables, more resources may have to be invested in designing such algorithms for efficient log analysis.

In the case of ABAC logs, analysing the logs would likely require less resource to design the algorithm for such analysis to be efficient and effective. ABAC mechanism as we already observed, contain more control variables and as such the logs of ABAC would also contain those variables. These control variables in ABAC logs are desirable variables for the design of an efficient algorithm for log analysis, unlike RBAC that uses the role attribute as the main control variable. Therefore, given that ABAC logs include the control variables needed for the design of an efficient algorithm for the analysis of access logs, fewer resources are likely to be deployed in the design such algorithms.

V. CONCLUSION

In summary, we have presented a survey of the existing works on the application of ABAC in e-health systems. We classified the existing works according to the application of ABAC in PHR and EHR. Our survey showed that cloud based storage of PHR and EHR is very popular and that ciphertext- policy ABE is the commonly used for providing security and privacy guarantees in the storage of PHR in the cloud environment. Moreover, we presented a comparison of the different approaches employed in the existing works and used some key characteristics of the existing approaches to present a discussion on their differences. The lessons learned from the survey are described and future challenge that needs to be investigated is outlined. Lastly, a discussion on modelling and analysing healthcare professionals’ security practices is presented.

REFERENCES

[1] Gartner, “Market trends: Cloud-based security services market, worldwide, 2014,” 2014. [Online]. Available: https://www.gartner.com/doc/2607617

[2] A. Abbas and S. U. Khan, “A review on the state-of-the-art privacy- preserving approaches in the e-health clouds,” vol. 18, pp. 1431–1441, 2014.

[3] Y. Al-Issa, M. A. Ottom, and A. Tamrawi, “ehealth cloud security challenges: A survey,” Journal of Healthcare Engineering, vol. 2019, pp. 1–15, 2019.

[4] N. A. Azeez and C. V. der Vyver, “Security and privacy issues in e-health cloud-based system: A comprehensive content analysis,” Egyptian Informatics Journal, vol. 20, pp. 97–108, 2019.

[5] HIPAA-Journal, “Hipaa explained.” [Online]. Available: https://www.hipaajournal.com/hipaa-explained/

[6] M. Scholl, K. Stine, J. Hash, P. Bowen, A. Johnson, C. D. Smith, and D. I. Steinberg, “Nist special publication 800-66 revision 1: An introductory resource guide for implementing the health insurance portability and accountability act (hipaa) security rule,” 2008.

[7] ISO, “Iso/iec 27799:2016 health informatics - information security management in health using iso/iec 27002,” 2016. [Online]. Available: https://www.iso.org/standard/62777.html

www.ijacsa.thesai.org 7 | P a g e

(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 2, February 2020

[8] openEHR, “openehr – a semantically -enabled health computing plat- form,” 2016.

[9] HL7-International, “Clinical document architcture (cda).” [10] A. Ferreira, D. Chadwick, P. Farinha, R. Correia, G. Zao, R. Chilro,

and L. Antunes, “How to securely break into rbac: The btg-rbac model,” in Proc. Annual Computer Security Applications Conf, Dec. 2009, pp. 23–31.

[11] HIPAA, “Break glass procedure: Granting emergency access to critical ephi systems,” 2004.

[12] A. D. Brucker and H. Petritsch, “Extending access control models with break-glass,” in Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, ser. SACMAT ’09. New York, NY, USA: ACM, 2009, pp. 197–206. [Online]. Available: http://doi.acm.org/10.1145/1542207.1542239

[13] W. Li, B. M. Liu, D. Liu, R. P. Liu, P. Wang, S. Luo, and W. Ni, “Unified fine-grained access control for personal health records in cloud computing,” IEEE Journal of Biomedical and Health Informatics, vol. 23, no. 3, pp. 1278–1289, May 2019.

[14] S. Narayan, M. Gagné, and R. Safavi-Naini, “Privacy preserving ehr system using attribute-based infrastructure,” in Proceedings of the 2010 ACM Workshop on Cloud Computing Security Workshop, ser. CCSW ’10. New York, NY, USA: ACM, 2010, pp. 47–52. [Online]. Available: http://doi.acm.org/10.1145/1866835.1866845

[15] M. Li, S. Yu, Y. Zheng, K. Ren, and W. Lou, “Scalable and secure sharing of personal health records in cloud computing using attribute- based encryption,” IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 1, pp. 131–143, Jan. 2013.

[16] C. Wang, X. Xu, D. Shi, and W. Lin, “An efficient cloud-based personal health records system using attribute-based encryption and anonymous multi-receiver identity-based encryption,” in Proc. Cloud and Internet Computing 2014 Ninth Int. Conf. P2P, Parallel, Grid, Nov. 2014, pp. 74–81.

[17] H. Y. Balinsky and N. Mohammad, “Fine grained access of interactive personal health records,” in Proceedings of the 2015 ACM Symposium on Document Engineering, ser. DocEng ’15. New York, NY, USA: ACM, 2015, pp. 207–210. [Online]. Available: http://doi.acm.org/10.1145/2682571.2797098

[18] I. Ray, T. C. Ong, I. Ray, and M. G. Kahn, “Applying attribute based access control for privacy preserving health data disclosure,” in Proc. IEEE-EMBS Int. Conf. Biomedical and Health Informatics (BHI), Feb. 2016, pp. 1–4.

[19] H. S. G. Pussewalage and V. Oleshchuk, “A patient-centric attribute based access control scheme for secure sharing of personal health records using cloud computing,” in Proc. IEEE 2nd Int. Conf. Col- laboration and Internet Computing (CIC), Nov. 2016, pp. 46–53.

[20] M. Joshi, K. Joshi, and T. Finin, “Attribute based encryption for secure access to cloud based ehr systems,” in Proc. IEEE 11th Int. Conf. Cloud Computing (CLOUD), Jul. 2018, pp. 932–935.

[21] H. S. G. Pussewalage and V. A. Oleshchuk, “An attribute based access control scheme for secure sharing of electronic health records,” in Proc. Applications and Services (Healthcom) 2016 IEEE 18th Int. Conf. e- Health Networking, Sep. 2016, pp. 1–6.

[22] HL7-International, “Fhir overview,” 2019. [Online]. Available: https://www.hl7.org/fhir/overview.html

[23] S. Mukherjee, I. Ray, I. Ray, H. Shirazi, T. Ong, and M. G. Kahn, “Attribute based access control for healthcare resources,” in Proceedings of the 2Nd ACM Workshop on Attribute-Based Access Control, ser. ABAC ’17. New York, NY, USA: ACM, 2017, pp. 29–40. [Online]. Available: http://doi.acm.org/10.1145/3041048.3041055

[24] E. Mrema and V. Kumar, “Fine grained attribute based access control of healthcare data,” 2018.

[25] K. Seol, Y. Kim, E. Lee, Y. Seo, and D. Baik, “Privacy-preserving attribute-based access control model for XML-based electronic health record system,” IEEE Access, vol. 6, pp. 9114–9128, 2018.

[26] H. S. G. Pussewalage and V. A. Oleshchuk, “An efficient multi-show unlinkable attribute based credential scheme for a collaborative e-health environment,” in Proc. IEEE 3rd Int. Conf. Collaboration and Internet Computing (CIC), Oct. 2017, pp. 421–428.

[27] A. Michalas and N. Weingarten, “Healthshare: Using attribute-based encryption for secure data sharing between multiple clouds,” in Proc.

IEEE 30th Int. Symp. Computer-Based Medical Systems (CBMS), Jun. 2017, pp. 811–815.

[28] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute- based encryption,” in Proc. IEEE Symp. Security and Privacy (SP ’07), May 2007, pp. 321–334.

[29] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute- based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security, ser. CCS ’06. New York, NY, USA: ACM, 2006, pp. 89–98. [Online]. Available: http://doi.acm.org/10.1145/1180405.1180418

[30] O. Standard, “extensible access control markup language (xacml) version 3.0,” Jan. 2013. [Online]. Available: http://docs.oasis- open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

[31] D. ehelse, “Code of conduct for information security and data protection in the healthcare and care services sector,” 2018. [Online]. Available: https://ehelse.no/normen/documents-in-english

[32] A. Ferreira, R. Cruz-Correia, and L. Antunes, “Usability of authentica- tion and access control: A case study in healthcare,” in Proc. Carnahan Conf. Security Technology, Oct. 2011, pp. 1–7.

[33] A. Ferreira, P. Farinha, C. Santos-Pereira, R. J. C. Correia, P. P. Rodrigues, A. da Costa Pereira, and V. Orvalho, “Log analysis of human computer interactions regarding break the glass accesses to genetic reports,” in ICEIS 2013 - Proceedings of the 15th International Conference on Enterprise Information Systems, Volume 3, Angers, France, 4-7 July, 2013, S. Hammoudi, L. A. Maciaszek, J. Cordeiro, and J. L. G. Dietz, Eds. SciTePress, 2013, pp. 46–53.

[34] P. Yeng, B. Yang, and E. Snekkenes, “Observational measures for effective profiling of healthcare staffs’ security practices,” in Proc. IEEE 43rd Annual Computer Software and Applications Conf. (COMPSAC), vol. 2, Jul. 2019, pp. 397–404.

www.ijacsa.thesai.org 8 | P a g e

View publication statsView publication stats