This chapter advocates the convergence between Access Control (AC) models, which focus on the granularity of sharing, and Digital Rights Management (DRM) models, which focus on conditional authorizations and obligations. The convergence is also expected in terms of control enforcement, considering that both AC and DRM models must be equally protected against any form of tampering and piracy. We capitalize on the democratization of powerful secure chip platforms (e.g., smart cards, secure USB dongles), which can be plugged into a variety of client devices (PC, PDA, cell phones, consumer electronics), to design a new architecture for a trusted access and usage control system. The benefits of the proposed architecture are exemplified in two different contexts: a fair DRM scenario and a healthcare scenario.
In computer systems, access control models are used to express who is granted the privilege to execute which actions on which set of resources. Much work has been done on access control management in the database context, trying to provide the finest granularity of sharing. In relational database systems, privileges can be granted on virtual objects, called views, dynamically built by an SQL query (Melton et al., 1993). In XML databases, XPath expressions are usually used to delineate the objects or document parts targeted by an access control rule (Bertino et al., 2001; Gabillon et al., 2001; Damiani et al., 2002). The reason for this concern with granularity is that databases often contain sensitive information (e.g., personal, commercial, administrative, military data) shared by a large number of users playing different roles with different privileges. Digital Rights Management (DRM) models are also used to regulate access to resources. DRM models primarily target the protection of digital assets (e.g., videos and sounds). The granularity of the access control is of lesser concern here, but the conditions (e.g., to pay a fee) and obligations (e.g., to increment a counter at each copy) attached to how a privilege can be exercised become central (XrML; ODRL). Hence DRM models complement access control with usage control. Another major concern of DRM systems is the enforcement of the access and usage control rules, to fight the large-scale piracy threatening the global multimedia content industry (IFPI).
As the information distributed to customers becomes more complex and structured (e.g., encyclopaedias, cultural collections, stock exchange databases), the need for finer-granularity rules arises in the DRM context. Conversely, as database applications show an increasing concern for regulating the usage made of legally accessed information, the need for access control rules integrating contextual conditions and obligations arises. This is particularly true for databases containing personal data (Agrawal et al., 2002). The management of Electronic Health Records illustrates this well. For example, permissive access control rules should apply to a medical folder in specific contexts such as an emergency situation. Obligations like recording every access to a medical folder in a log are also required to allow auditing of the system.
In this chapter, we advocate the convergence between the access control and DRM worlds, encompassing the expression of fine-grained access control and accurate usage control. This convergence is also expected in terms of control enforcement. In database environments, access control is usually enforced by the database server, under the assumption that the server is trusted. Unfortunately, even the most defended servers (including those of the Pentagon, the FBI and NASA) have been successfully attacked, and database systems are identified as the primary target of computer criminality (Computer Security Institute, 2007). This motivated the design of new architectures where the server role amounts to delivering raw content to smart clients that implement the access control (Bouganim et al., 2004; Hacigumus et al., 2002). The question then becomes how to enforce access and usage control on the client side. This question is not new in the DRM context, though no satisfactory solutions have been proposed yet. Indeed, today's DRM methods are so coercive that they do nothing but exasperate consumers and legitimize piracy (Champeau, 2004). The question is newer in the database world, as people slowly become aware of the value of personal data and start to consider that protecting privacy is at least as important as protecting digital assets.
Key Terms in this Chapter
Data Spoofing: an attacker deletes or modifies (even randomly) some data, thereby potentially corrupting the evaluation of access and usage rules and/or query evaluation.
MAC: The Mandatory Access Control model (MAC) attaches a security level to objects and a clearance level to users in a centralized way.
Secure Operating Environment: A combination of hardware and software modules providing a tamper-resistant storage and execution environment protecting against any form of snooping and tampering attacks.
RBAC: The Role-Based Access Control model (RBAC) introduces the concepts of Roles and Teams to improve the administration of access control policies for a large population of cooperating users.
Insider: a person properly identified by the database server (i.e., a registered user) who tries to get information exceeding her own privileges. The privileges she holds give her more ability than the intruder to tamper with the system and to deduce valuable unauthorized content.
Intruder: a person with no database privilege, who infiltrates a computer system and tries to extract valuable information from the database footprint on disk.
DAC: The Discretionary Access Control model (DAC) gives the creator of an object the privilege to define the policy regulating access to this object, and granted privileges can be transmitted between users.
Administrator: a person who has enough (usually all) privileges to administer a computer system (System Administrator) or a DBMS (Database Administrator or DBA). These privileges give her the opportunity to access the database files and to spy on the DBMS behavior (e.g., main memory monitoring).
Data Splicing: an attacker replaces a valid data item with another valid data item. This attack may lead to the disclosure of unauthorized data or corrupt the evaluation of access and usage rules.
Data Replaying: an attacker replaces a valid data item with one of its older versions. For instance, replaying old access rules may lead to the disclosure of unauthorized data.
Access Control Policy: Set of rules regulating the use of the resources of a system, each rule granting or revoking the right to access some data or perform some action in that system.
Usage Control: complements access control with contextual predicates, conditioning the activation of a given privilege, and obligations, i.e., mandatory actions associated with the exercise of a privilege.
Data Snooping: an attacker examines the (potentially encrypted) data, on disk, in the memory or on the communication links and deduces unauthorized information.
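The three tampering attacks defined above (spoofing, splicing, replaying) are distinguishable only if the integrity check binds each stored item to its content, its location and its version. The following Python example, added here and not taken from the chapter, shows such a check from the verifier's side: a keyed tag computed by the trusted component (the secure chip in this architecture) over address, version and payload, with the latest version per address assumed to be kept in trusted storage. The key, slot numbers and payloads are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    addr: int       # storage slot the record belongs to
    version: int    # write counter for that slot, kept in trusted storage
    payload: bytes  # (encrypted) content; opaque to the integrity check
    tag: bytes      # HMAC over addr || version || payload


def _mac(key: bytes, addr: int, version: int, payload: bytes) -> bytes:
    # Binding addr and version into the tag is what makes splicing and
    # replaying detectable; a tag over the payload alone would not.
    msg = addr.to_bytes(4, "big") + version.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key: bytes, addr: int, version: int, payload: bytes) -> Record:
    return Record(addr, version, payload, _mac(key, addr, version, payload))


def check(key: bytes, expected_addr: int, expected_version: int, rec: Record) -> str:
    """Classify a record read back from untrusted storage."""
    if not hmac.compare_digest(rec.tag, _mac(key, rec.addr, rec.version, rec.payload)):
        return "spoofing"   # content or tag altered: no valid tag exists
    if rec.addr != expected_addr:
        return "splicing"   # genuine record, but moved from another slot
    if rec.version < expected_version:
        return "replaying"  # genuine record for this slot, but stale
    return "ok"


KEY = b"constructed-demo-key"  # constructed; in practice held by the secure chip


def demo() -> dict:
    # Constructed scenario: slot 7 currently holds version 2.
    current = seal(KEY, 7, 2, b"ct:role=nurse")
    other_slot = seal(KEY, 9, 1, b"ct:role=doctor")
    stale = seal(KEY, 7, 1, b"ct:role=admin")
    tampered = Record(current.addr, current.version, b"ct:role=admin", current.tag)
    return {
        "intact": check(KEY, 7, 2, current),
        "spoofing": check(KEY, 7, 2, tampered),
        "splicing": check(KEY, 7, 2, other_slot),
        "replaying": check(KEY, 7, 2, stale),
    }
```

Snooping is not covered by this check: a tag proves integrity, not confidentiality, which is why the payload is assumed to be encrypted before sealing.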