Introduction
As business organisations use the Internet for B2B activities, we are seeing ever-increasing amounts of data that is accessed and shared across networks spanning multiple administrative domains and organisational boundaries. Such collaborative environments pose several security concerns – for instance, risks to data confidentiality and data privacy, and the threat of improper data usage – leading to increased demands to address these concerns. Various authors (Biennier & Favrel, 2005; Hadaya & Pellerin, 2008) describe the issues that arise when organisations share sensitive information with others in a business setting. Here collaboration is essential, but privacy of data is also critical. Hence the shift toward the distributed application paradigm has required a fundamental re-evaluation of information security and, in particular, of access control.
Of particular interest is the loss-of-control issue. When data is released into another administrative domain, the data owner relinquishes all control over it: it can be downloaded, copied, disseminated and redistributed (Miklau & Suciu, 2003). A mechanism is needed that allows interested parties to maintain control over their data as it flows from one domain to another.
Consider a document that is edited and transferred amongst multiple contributors. The owner of the document might impose different restrictions on each contributor which could depend on the history of the contributions. Thus the owner wishes to impose different access control requirements to the document. Maintaining control over the document’s content, its structure and its flow path as it circulates through networks spanning multiple administrative domains is a non-trivial issue.
The key question we address here is how to allow the owner of a set of logically related data items (which we call a document) to retain control over the data after the document has been passed on to another recipient (perhaps by the owner or by some other recipient). The recipient must be allowed to perform only the operations authorised by the owner. Furthermore, the system must be able to detect whether the recipient has performed any disallowed operation. Thus we need a history-sensitive (or context-sensitive) access control scheme.
The principal issue of owner-controlled security in a distributed environment leads us to the following questions:
- What information should be contained in the document?
- What aspects of the history are stored, and where?
- What operations on the document do we support?
- How can integrity checks be performed?
- What is the role of the owner?
- How can the desired system be engineered?
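To make the questions above concrete, the following Python model is an added illustration written for this edit; it is not the architecture developed in the article. It assumes a document that carries its content, the owner's policy evaluation and a chained, keyed history (one HMAC tag per entry), with each contributor sharing a secret with the owner. Contributors named alice and bob, the operations "edit" and "approve", the keys and the policy are all constructed sample data. A history-dependent rule (approval requires a prior edit by someone else) shows how the owner can detect, after the fact, a disallowed operation, a forged history entry, or content changed without a recorded operation.

```python
import hashlib
import hmac
import json

# Constructed sample data: each contributor shares a secret with the owner
# (a stand-in for per-contributor signing keys in a real deployment).
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}

# Constructed owner policy: which operations each contributor may perform.
# "approve" is additionally history-dependent, see is_allowed().
POLICY = {"alice": {"edit"}, "bob": {"edit", "approve"}}


def digest(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


def tag(key: bytes, entry: dict, prev_tag: str) -> str:
    """Keyed tag over one history entry, chained to the previous entry's tag."""
    msg = (prev_tag + json.dumps(entry, sort_keys=True)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def new_document(content: str) -> dict:
    # The document carries its content, the hash of the owner's original
    # content (the chain's starting point) and the history of (entry, tag) pairs.
    return {"content": content, "origin": digest(content), "history": []}


def is_allowed(actor: str, op: str, history: list) -> bool:
    """The owner's policy, evaluated against the history seen so far."""
    if op not in POLICY.get(actor, set()):
        return False
    if op == "approve":
        # History-sensitive rule: approval needs a prior edit by someone else.
        return any(e["actor"] != actor and e["op"] == "edit" for e, _ in history)
    return True


def record(doc: dict, actor: str, op: str, key: bytes) -> None:
    """Append a history entry tagged with the recording party's key."""
    prev = doc["history"][-1][1] if doc["history"] else doc["origin"]
    entry = {"actor": actor, "op": op, "content": digest(doc["content"])}
    doc["history"].append((entry, tag(key, entry, prev)))


def apply_operation(doc: dict, actor: str, op: str, key: bytes, new_content=None) -> None:
    """What a well-behaved recipient does: check the policy, act, then record."""
    if not is_allowed(actor, op, doc["history"]):
        raise PermissionError(f"{actor} may not {op}")
    if op == "edit":
        doc["content"] = new_content
    record(doc, actor, op, key)


def owner_check(doc: dict) -> tuple:
    """Owner-side verification when the document returns: (ok, reason)."""
    prev = doc["origin"]
    for i, (entry, t) in enumerate(doc["history"]):
        actor = entry["actor"]
        # Recompute the tag with the key the owner holds for the claimed actor.
        expected = tag(KEYS[actor], entry, prev) if actor in KEYS else ""
        if not hmac.compare_digest(t, expected):
            return False, f"entry {i}: bad tag"
        # Replay the policy against the history as it stood before this entry.
        if not is_allowed(actor, entry["op"], doc["history"][:i]):
            return False, f"entry {i}: {actor} performed disallowed {entry['op']}"
        prev = t
    # The final recorded content hash must match what actually came back.
    last = doc["history"][-1][0]["content"] if doc["history"] else doc["origin"]
    if digest(doc["content"]) != last:
        return False, "content changed without a recorded operation"
    return True, "ok"


if __name__ == "__main__":
    doc = new_document("draft v1")
    apply_operation(doc, "alice", "edit", KEYS["alice"], "draft v2")
    apply_operation(doc, "bob", "approve", KEYS["bob"])
    print("honest flow:", owner_check(doc))          # (True, 'ok')

    rogue = new_document("draft v1")
    record(rogue, "bob", "approve", KEYS["bob"])       # bob skips the local check
    print("early approve:", owner_check(rogue))        # disallowed operation detected
```

The point the model makes is that the local check in apply_operation is advisory once the document has left the owner's domain; what the owner can rely on is owner_check, which replays the policy over a history that no single recipient can silently rewrite without the right key, and which ties the last recorded state to the content actually returned.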
This article develops an architecture model for enforcing access and change control requirements in inter-organisational collaborative environments. The architecture is flexible by design to allow for ease of integration within existing technology landscapes. It is developed in two phases: first as an abstract model, and then as a specific design of that abstract model. This design is then refined into an implementation model, leading to a prototype implementation and later a pilot implementation. The use of off-the-shelf tools is a principal requirement in the implementation of our model.
Abstract Model
Before we describe the implementation details, we present a more precise description of the problem and solution.