Publication


Featured research published by Laurent Bussard.


IEEE International Symposium on Policies for Distributed Systems and Networks | 2010

Downstream Usage Control

Laurent Bussard; Gregory Neven; Franz-Stefan Preiss

Whereas access control describes the conditions that have to be fulfilled before data is released, usage control describes how the data has to be treated after it is released. Usage control can be applied to digital rights management, where the data are usually copyright-protected media, as well as in privacy, in which case the data are privacy-sensitive personal information. An important aspect of usage control for privacy, especially in light of the current trend towards composed web services (so-called mash-ups), is downstream usage, i.e., with whom and under which usage control restrictions data can be shared. In this work, we present a two-sided XML-based policy language: on the one hand, it allows users to express in their preferences in a fine-grained way the exact paths that their data is allowed to follow, and the usage restrictions that apply at each hop in the path. On the other hand, it allows data consumers to express in their policies how they intend to treat the data, with whom they intend to share it, and how the downstream consumers intend to treat the data.


Lecture Notes in Computer Science | 2008

An Approach to Identity Management for Service Centric Systems

Laurent Bussard; Elisabetta Di Nitto; Anna Nano; Olivier Nano; Gianluca Ripa

Today users consume applications composed by services from different providers across trust domains. By experience we know that security requirements and user identity management make services composition difficult. We believe that delegation of access rights across trust domains will become an essential mechanism in services composition scenarios. Users care about security but cannot deal with the variety of existing solutions for access control. A unified interface of access control and delegation is essential for multi-domain composite services. This paper addresses the problem of identity management for service-centric systems and proposes a novel approach based on an abstract delegation framework supporting different access control mechanisms. We show how the abstract delegation framework is designed to give control and clarity to the user consuming applications based on service composition. Besides the theoretical aspects, the paper shares experiences based on scenarios from the automotive industry.


International Conference on Mobile and Ubiquitous Systems: Networking and Services | 2006

Context-Aware Access Control; Making Access Control Decisions Based on Context Information

Sven Lachmund; Thomas Walter; Laurent Bussard; L. Gomez; E. Olk

In ubiquitous computing environments access control decisions have to be adaptable to changes of the situation or state of an entity, in order to properly adjust to these changes without the need of manual interaction. A solution to this challenge is context-aware access control, where the mentioned changes are influencing access control decisions. In this paper we present a security framework for mobile business applications that is capable of performing context-aware access control on message level. There are several components in the framework that together (1) ensure that security requirements defined in policies are enforced in the framework, (2) provide context information and apply plausibility checks to increase the confidence that context information represents the actual situation or state (context) of an entity, and (3) perform the access-control decisions based on a combination of classic access control schemes and context information. In addition, a scenario is described where the introduced features of the framework are applied.


European Symposium on Research in Computer Security | 2009

Obligation language and framework to enable privacy-aware SOA

Muhammad Ali; Laurent Bussard; Ulrich Pinsdorf

Privacy policies define rights and obligations on data (e.g. personally identifiable information) collected by services. Tackling privacy policies in a service oriented architecture spanning multiple trust domains is difficult because it requires a common specification and distributed enforcement. This paper focuses on the specification and enforcement of obligations. We describe the requirements, the resulting language, and its implementation. Finally, we compare our results with obligation support in the state of the art. The key contribution of this work is to bridge the gap between specific mechanisms to enforce obligations and underspecified support for obligations in today's access control and data handling policy languages.


iNetSec'11 Proceedings of the 2011 IFIP WG 11.4 international conference on Open Problems in Network Security | 2011

Abstract privacy policy framework: addressing privacy problems in SOA

Laurent Bussard; Ulrich Pinsdorf

This paper argues that privacy policies in SOA need a lifecycle model. We formalize the lifecycle of personal data and associated privacy policies in Service Oriented Architectures (SOA), thus generalizing privacy-friendly data handling in cross-domain service compositions. First, we summarize our learning in two research projects (PrimeLife and SecPAL for Privacy) by proposing generic patterns to enable privacy policies in SOA. Second, we map existing privacy policy technologies and ongoing research work to the proposed abstraction. This highlights advantages and shortcomings of existing privacy policy technologies when applied to SOA.


Privacy and Identity Management for Life | 2011

Matching Privacy Policies and Preferences: Access Control, Obligations, Authorisations, and Downstream Usage

Laurent Bussard; Gregory Neven; Franz-Stefan Preiss

This chapter describes how users’ privacy preferences and services’ privacy policies are matched in order to decide whether personal data can be shared with services. Matching has to take into account data handling, i.e. do services handle collected data in a suitable way according to user expectations, and access control, i.e. does the service that will be granted access to the data comply with user expectations. Whereas access control describes the conditions that have to be fulfilled before data is released, data handling describes how the data has to be treated after it is released. Data handling is specified as obligations that must be fulfilled by the service and authorisations that may be used by the service. An important aspect of authorisation, especially in light of the current trend towards composed web services (so-called mash-ups), is downstream usage, i.e., with whom and under which data handling restrictions data can be shared.


International Workshop on Security | 2006

An Infrastructure for Gaining Trust in Context Information

Frank Fransen; Sven Lachmund; Eddy Olk; Laurent Bussard

In order to use context information for security decisions it is desired to have confidence that context information really represents the actual context of an entity. Existing context-aware architectures that are able to acquire context information upon request by an application are not capable of gaining this confidence. We propose a new context-aware architecture that embeds a trust evaluation infrastructure to establish a trust relationship to the source of context information and to analyze and assess context information for its plausibility. The trust evaluation infrastructure is generic in the sense that it can be applied to various fields of application since the trust evaluation methods that are tailored to a specific field of application can be added and removed dynamically.


Privacy and Identity Management for Life | 2011

Privacy for Service Oriented Architectures

Ulrich Pinsdorf; Laurent Bussard; Sebastian Meissner; Jan Schallaböck; Stuart Short

This chapter describes requirements for privacy in service-oriented architectures. It collects 39 legal and technical requirements, grouped in five categories. These requirements are the starting point for a technical framework that brings privacy-enhanced data handling to multi-layered, multi-domain service compositions. We describe an abstract framework that is technology agnostic and allows for late adoption also in already existing SOA applications. We describe the general building blocks that are necessary on a PII provider’s side and on a PII consumer’s side. Finally, we look at the technical implementation of a very common, yet complicated aspect: the composition of policies when composing information artifacts. We describe how the composition of data influences the composition of policies.


W3C Workshop on Access Control Application Scenarios | 2010

PrimeLife Policy Language

Claudio Agostino Ardagna; Laurent Bussard; Sabrina De Capitani di Vimercati; Gregory Neven; Stefano Paraboschi; Eros Pedrini; Franz-Stefan Preiss; Dave Raggett; Pierangela Samarati; Slim Trabelsi; Mario Verdicchio


Archive | 2009

Data handling preferences and policies within security policy assertion language

Laurent Bussard; Moritz Y. Becker
