Semantic Access Control for Cloud Computing Based on E-Healthcare

8/11/2019 Semantic Access Control for Cloud Computing Based on E-Healthcare

1/7

Proceedings of the 2012 IEEE 16th Inteational Conference on Computer Supported Cooperative Work in Design

Semantic access control for cloud computing based

on e-Healthcare

L u, Ru

Centre for Systems BiologyUniversity of Southern Queensland

Toowoomba, Australia

J Y Gux u

{sun, wang}@usq.edu.au

School of Information SystemsUniversity of Southern Queensland

Toowoomba, [email protected]

School of Computer Science andEngineering & Key Laborator for

Computer Network and InformationIntegration, Southeast Univeristy

[email protected]

bstrat- With the increased development of cloud computing,access control policies have become an important issue in the

security led of cloud computing. Semantic web is the extensionof current Web which aims at automation, integration and reuse

of data among different web applications such as cloudingcomputing. However, Semantic web applications pose some newrequirements for security mechanisms especially in the accesscontrol models. In this paper, we analyse existing access controlmethods and present a semantic based access control modelwhich considers semantic relations among different entities in

cloud computing environment. We have enriched the research forsemantic web technology with role-based access control that isable to be applied in the eld of medical information system or e

Healthcare system. This work demonstrates how the semantic

web technology provides ecient solutions for the management

of complex and distributed data in heterogeneous systems, and itcan be used in the medical information systems as well.

Kywords manti wb ass ontro Hathar od

omting

I. INTRODUCTION

With the development of Inteet and computer sowaretecnology, cloud computing become a new variation oftraditional distributed computing and grid computing [9, 27].Cloud computing allows users to put all data and services intocloud and gets all kinds of services om cloud. The term"cloud computing denotes the use of cloud or Inteet-basedcomputers for a variety of services. That makes remotecollaboration easier. Applications and storage of informationwill be signicant changed in cloud computing environment.

However, the development of cloud computing is stillfacing enormous challenges. Cloud computing, with a greatexibility and ease of use, makes the safety of data andapplications becoming one of the biggest problems [9]. In fact,applications and information using of cloud hosting have the

risk of loss of data or illegal access. Therefore, it needs to haveappropriate permissions when users to access the applicationsor data. At present, there are already many securitspecication and tecnologies [5]. However, access control isa critical component in many enviroments, such as cloudcomputing. Cloud computing cannot apply the traditionalaccess control models to achieve access control because of its

978-1-4673-1212-712/$31.00 2012 IEEE

512

characters. Traditional access control methods cannot providethe semantic interoperabilit for many soware networkenvironments since in the distributed environment, accesscontrol policies are used among various computers and servers

in various places. In the cloud computing enviroment, oneorganization seeking to share information with authorized

personel om other organizations has to deal with semanticheterogeneity across the information sources in theseorganizations [14, 21, 25]. An example is a medical centrewhere a patient is under the treating of a medical centre doctor.Assume the doctor needs to consult an expert who works in ahospital, since some abnormality detected in the capturedpatient's physiological parameters such as temperature,hearbeat, blood oxygen, blood pressure, etc. The consultingexpert receives physiological data trough his laptop or P. Asignicant challenge in this situation is to control who can see

the data and what conditions. Due to the ability of remotelyaccessing the patients vital signs it is important that this

information not be remotely accessible at all times the patientin the hospital, but perhaps only under particular situationslike the expert worked more than ve years. There is ascenario is shown in Figure 1. In this scenario, a patient, Jen,is at a medical centre with a doctor, Harrison. There is a webservice attached to Jen in order for Haison to monitor

physiological data. Harrison requires rther assistant om anexpert Joan. Joan can access the web service via his browser to

receive and analyse patient's physiological data and give someadvices to doctor Harrison. The target is to permit the sharingof resources among the participants, whether or not they are at

the same site. For a conventional access control model, thiscan be easily done within the same site, such as only a doctorin medical centre. Also the differences in the vocabulary used

by the hospitals have to be resolved before patientsinformation can be shared meaninglly among the different

hospitals. To overcome these challenges, there is a need forsemantic aware access control systems consistent with thesemantic data models under the semantic web in the cloudcomputing environment.

E-healthcare informatics is growing need for healthcareproviders to have effective healthcare services to consumers


2/7


3/7

the terms they all use, then researchers can extract andaggregate information om these different sites. The

researchers can use this aggregated information to answer userqueries or as input data to other applications. Ontologies are

used for modeling the entities along with their semanticinterrelations in four domains of access control, namelysubject domain, object domain, action domain and attributesdomain [14]. In this paper, we use the semantic scopes ofsubject, objects, actions, and attributes to dene the relations

used in ontologies. We present a semantic based access controlmodel that authenticates users based on ontologies with eHealthcare system.

The remainder of this paper is organized as follows:Section 2 provides a brief overview semantic web and accesscontrol ontology system in e-Healthcare services. In Section 3and 4 presents semantic access control policy and semanticaccess control model in cloud computing. Section 5 illustratesaccess control architecture. Section 6 reviews the differences

between the work in this paper and others related works.Finally, Section 7 concludes the paper.

II. SEMANTIC WEB AND ACCESS CONTROL

ONTOLOGY SYSTEM

R and Semantic Web Technologies

BAC model [18] includes set of tree basic elementsusers, roles and permissions. BAC involves individual usersbeing associated with roles as well as roles being associatedwith permissions (each permission is a pair of objects andoperations). As such, a role is used to associate users and

permissions. A user in this model is a human being. A role is ajob nction or job title within the organization associated withauthority and responsibility. Permission is an approval of a

particular operation to be performed on one or more objects.Access control policies speci user's permissions to specicsystem resources trough relationships between user's roles

and permissions.The relationships between users and roles,and between roles and permissions are many-to-many (i.e. apermission can be associated with one or more roles, and arole can be associated with one or more permissions).

Semantic web is the extension of current web which givesinformation a well-dened meaning, better enablingcomputers and people to work in co-operation [23]. Thesemantic web provides a amework for dynamic, distributedand extensible structured knowledge founded on formal logic[16]. Semantic web tecniques, particularly ontologies,facilitate web services with machine understandable semantics.Ontologies providing new features namely automaticcomposition, simulation and discovery of web services [10].Ontologies are essential for semantic interoperabilit andadvanced information processing as web services allowcomputation over the web. Usng ontologies to describe

relationships between data is increasingly used in informationand knowledge management. Ontology is capable ofdescribing concepts that exist in certain domain and

relationships among them. Figure 2 shows a part of E-healthservice ontology. The ovals show subjects and objects(concepts and individuals) and labels on the directed arcsshows actions.

514

Figure 2: A part of Health-Service ontology

B Semantic access control

Semantic access control (SAC) in this paper is based uponBAC. In this paper, we use ontologies for the BAC security

model and implement access control system in semantic webenvironment. Our goal is to request and extend the BACmodel using semantic web technologies. BAC involvesadditional effort om the host organizations in deciding which

roles or users om remote organizations should have access towhich object. Based on BAC, a semantic authorization rule

has the following denition [14]

There is a triple role bjct ct where, role is therole of the user who issues the request; object is the objectdened in onto to which the user requests to access; act is theaction to be executed on the object; onto is the ontology towhich the authorization associates.

Figure 3 shows the graph of the semantic access control

model based on BAC. Role acts an intermediary forassigning permissions (objects and operations) to users whichgreatly simplies authorization administration. Action is a

partial, or class that represents an action that can be performedby a user on a resource. Resource is a dened class,representing the authorization objects. We can identi all theobjects that have been treated like a resource in the domainontology. For example, triple r read indicates thatusers assign to role r can read information form object dened in ontology onto.

In this article, access control ontology system is designedto provide the common understandable semantic basis foraccess control in cloud computing environments. In SAC, the

subjects and objects possess a set of attributes and accesscontrol to resources is based on the specication of a set ofattributes. Like most of the other access control systems,access control ontology system makes its decisions on fourdomains Subject, Object, Action and Attributes. By modelling

the access control domains using ontologies, SAC provides a


4/7

Action

Figure 3: Semantic access control model

set of ontologies SubjectsOntology (SO), ObjectsOntology00) ActionsOntology (AO), and Attributes-Ontology (AtO)[22]. SO is subject ontology where subjects require access toobject. 00 is object ontology where objects are accessed andor modied. Figure 2 shows subject-ontology and objectontology which is based on e-Healthcare system. Actions

depend on the tpe of the actions that subjects aim to executeon an object. Each action tpe is a concept in the ontology andactions are individuals of the concept deed in AO [22].Figure 4 shows an example of action ontology. AtO is theattribute ontology which can be used to the attribute of thesubjects, objects and actions. For example, an authorizationrule in an access control ontology with the form of (s, 0 a) inwhich is an entity in SO, is an entit dened in 00 and ais an action dened in AO. In the other words, a access rledetermines whether a subject which presents a subject can

have the access right a on object or not.

The role in subject ontology may be used as a subjectattribute, depending by the attributes provided a user is

assigned to a certain role policy set [7]. Other attributes canalso be associated with the subject in order to achieve negrained access control. If a subject is assigned to a role, itcanot access the resources directly. Meanwhile, the roles areorganized in a hierarchy. If a role r1 inherits om role r2 in

the hierarchy, a user with r2 has all the access rights of r1.

III. SEMANTIC ACCESS CONTROL POLICY INCLOUD COMPUTING

In the distributed computing environment, the accesscontrol method has changed om the centralized managementinto a distributed management approach. There has been

policy markup language, such as XACML, to supportdescription and management of distributed policies. In cloudcomputing environment, as the development of distributedcomputing, the same access control policy may be deployedand implanted in many points of the whole or a part of thesecurity domain [14]. SAC has been implemented on the basisof a language to speci the access control criteria and thesemantic integration of exteal authorization entities [10]. In

515

Write

prescriptionRefer patients to do

X-ray text

Figure 4: A part of executable actions on the Clinic-services ontology

an ontology-based semantic access control policy language,we may use subjects, objects, actions and attributes variablesas the basic semantic element and some syntax elements suchas purposes, conditions, rights and priorit are added.

Policies are usually written in the form of rules. In thesemantic access control, each policy must be associated withdomain knowledge. Therefore, it is necessary to apply thedomain knowledge to obtain the semantic elements for thesemantic access control policy. The following gure depicts

the relationships among an access control policy, policy rules,and access control ontology.

Semantic-based access controlpolicy

Access control ontology

Figure 5: Construction of a semantic access control policy

Semantic Policy Language (SPL) is based on the semanticproperties about the resources to be accessed and about theattributes. The language can be applied to access control ofcloud computing environments and the semantic accesscontrol is realized. An SPL policy is composed of a set ofaccess rule elements. In SAC, the user poses a set of attributes,and the access control to resources is based on thespecication of a set of attributes that the user has to present toaccess them [24]. Ever access rule denes a particularcombination of attributes required to gain access, associatedwith an optional set of actions (such as online permission) to

be performed before access is granted. Figure 6 shows anexample of a SPL policy requiring attributes for an authorizeddoctor. This policy includes one access rle indicating thataccess should be granted to all doctors authorized by the

hospital administration authority. Any attributes that is provedequivalent to this one will be accepted because the equivalenceattribute of the spl attribute tag is set to "e=Enable.Furhermore, no information regarding the reason why the

request is denied will be given to users that do not meet theaccess criteria because this access rule is not public (the publicattribute of the spl access_Rule tag is set to "false). This


5/7

feature is used by access control administrator to avoidunauthorized users learning about the existing access policies.


6/7

I

Policies

- " .

, Semantic access XACML\ Jcontrol

' -

-

Web server

Semticknowledge(SPL)

Figure 8: Access control system architecture

The message sequence works as follows1. The web client presents an HTTP request to the web server.2. At web server there is a semantic access control model withincoming requests to the server. The access control model

performs queries to the semantic knowledge base in order tond attributes associated with subjects and objects.3. Web server receives the attributes and translates the request

to the XACML format.4. The XACML evaluates the request against an access control

policy (SPL).5. A response decision is sent back to the web server.6. The web server has a check if the response is "permit; theactual HTTP request is forwarded to the web server.

Otherwise, an appropriate HTTP response is sent to the webclient with an error message.

VI. ELATED WOKS

Our work is related to many areas of privacy preservingaccess control, especially private data management in eHealthcare system. We also exploit the tremendous workcarried out for semantic access control which mainly focuseson secure management of data in e-Healthcare.

Role-based access control is commonly accepted as themost appropriate paradigm for the implementation of accesscontrol in complex scenarios. Reid et al. [17] presented that

BAC has received considerable attention in the context ofhealth care, particularly in the hospital environment. Withthese models, the roles are organized hierarchically and thespecialized roles iherit the privileges of the more general

roles. If certain privilege is assigned to an employee role,possession of any of the superior roles enables the sameprivilege. However, the structure of groups in BAC isusually assumed static; it is not exible enough to cope withthe requirements of more dynamic systems. On the other hand,BAC is that the mechanisms are built on tree components

517

"user, "role and "group. Roles and groups can facilitatemanagement in corporate infoation systems. In most caseswe need new resources which are incorporated to the systemcontinuously and each resource may possibly need a differentgroup structure and access control policy. Other traditionalaccess control schemes such as Mandatory Access Control(MAC), Discretionary Access Control (DAC) are notappropriate for the system with a very large number ofregistered users. By considering attributes and access controlontology system to the basis of the access control model, theSemantic access control (SAC) model [23, 28] provides anappropriate solution for large environments such as cloudcomputing. The SAC model has been implemented on the

basis of the Semantic Policy Language (SPL) to speci theaccess control criteria, and the semantic integration of anexteal authorization entity. Our approach has more powerland suitable to implement mutual understanding and semanticinteroperability of distributed policy in cloud computingenvironments.

Extensible Access Control Markup Language (XACML)[13] is a standard access control policy description language.XACML can be applied to represent the nctionalities of

most policy representation mechanisms and express accesscontrol statements [13]. Damiani et al. [6] extended theXACML by adding the capabilit to designate subjects andobjects via generic DF statements. Priebe et al. [16] extend

the XACML architecture with an ontology-based inferencefacilit for attributes management and mapping. Because theseapproaches rther complicate the access control process ofXACML and XACML has some features provided by thoselanguages are not appropriate in WS scenarios.

VII. CONCLUSIONS AND FUTUE WOK

In this article we have proposed the semantic approach of

SAC is the foundation to achieve access control in cloudcomputing environment. The SAC model is scalable,applicable to different environment and covers other accesscontrol models. SAC extends BAC by considering thesemantics of objects and associates permission with conceptsinstead of objects. Ontology is used for cloud computingenvironment with highly heterogeneous and structuredvocabularies. Considering the limitations of traditional accesscontrol method in the cloud computing, this paper introduces

the semantic web technologies to the distributed role-basedaccess control method and an ontology-based semantic accesscontrol in e-Healthcare system. In the SAC, we use somesyntax elements, such as subjects, objects based on attributesand action; and we add more elements purposes, conditions,

rights and priority in the SAC model. This approach caneasier solve the problem of access in heterogeneous,distributed and large enviroments and ideal for doing thecross organizational work in cloud computing environment.We are also working on the implement of this approach in eHealthcare applications.

ACKNOWLEDGEMENT

This paper is partially supported by the Open Research Fundom the Key Laboratory for Computer Network and


7/7

Infoation Integration (Southeast University), Ministry ofEducation, P. R. China.

EFEENCES

[] nderson, J., " Security of the distributed electronic patient record: acase-based approach to identiing policy issues, International Joualof Medical Informatics, vol. 60, no. 2 ,pages 11-118, 2000.

[2] Australian Charter of Healthcare Rights.hp://www.health.gov.auinternetsafety/publishing.nsContentPriorit

Program-O

[3] Byun, J.-W., Bertino, E. and Li, N., "Purpose based access control ofcomplex data for privacy protection, 'SACMA05 Proceedings of

tenth ACM symposium on Access control models and technologies,ACM. New York, NY,USA, pp.102-110,2005.

[4] Cheng, V. S. Y., Hung, P. C. K., "Health insurance portability andaccountability act (HIPAA) compliant access control model for webservices, International Journal of Healthcare information systems andInformatics, Vol , Issue , pp. 22-39,2005

[5] Cirio, L., Cruz, T. F., and Tamassia, R., "A role and attribute basedaccess control system using semantic web technologies,Lecture Notesin Computer ScienceVolume 4806/2007,pp. 1256-1266,2007.

[6] Damiani, E., De Capitani di Vimercati, S., Fugazza, C. and Samarati, P.,"Extending po licy languages to the semantic web, In Processings of the

4 International Conference on Web Engineering, Munich, Germany, pp.330-343,2004.

[7] Ferrini, R. d Bertino, E., "Supporting BAC with XACML+WL,SACMAT09,2009.

[8] Hung, P. C. K., 'owards a privacy access control model for eHealthcare services, In Proce edings of the third annual conference onprivacy, security and trust. ctober,2005, pp. 12-14.

[9] Hu, L. K., Ying, S., Jia, X. Y. and Zhao, K., "Towards an approach ofsemantic access control for clouding Computing, Proceedings of the 1stInternational Conference on Cloud Computing,pp. 145-156,2009.

[10] Kagal, L., Finin, T. and Joshi, A., "A policy based approach to securityfor the semantic Web, 2nd International semantic web conference,ISWC03,Springer-Verlag, 2003.

[] Li, M., Sun, X., Wang, H., Zhang, Y., d Zhang, J., "Privacy-awareaccess control with trust management in web service, World Wid e Web,14 (4). pp. 407-430. ISSN 1386-45X.

[12] Natalya F. Noy and Deborah L. McGuinness, "ntology Development

101: A Guide to Creating Your First ntology, Stanford KnowledgeSystems Laboratory Technical Report KSL-O-05 and Stanford MedicalInformatics Technical Report,SM-2001-0880,March 200.

[13] ASIS, Extensible access control markup languagec(XACML) Version2.0

hp://docs.oasis-open.orxacmI2.0/access control-xacml-2.0-coresoec-os.pdf 2005.

[14] Pan, C. c Mitra, P. d Liu, P., "Semtic access control forinformation interoperation, Proceedings of the eleventh ACMsymposium o n Access control models and technologies, June 2006, pp.7-9.

[15] Park, J., Sandhu, R., Schifalacqua, J., "Security archite ctures forcontrolled digital information dissemination, In Proceedings of 16

nnual Computer Securi Application Conference, December 2003.

[16] Priebe T., Dobmeier W. and Kamprath N., "Supporting Attribute-basedAccess Control in Authorization and Authentication Infrastructures withntologies,Journal of Soware, 2(1), pp. 27-38,2007.

[17] Reid, F., Cheong,1, Henricksen, M. P. and Smith, "A novel use ofRBAC to protect privacy in distributed health care information systems,In: 8th Australasian Conference on Information Security and Privacy(ACISP 2003),July 9-11,2003,Wollongong.

[18] Sandhu, R. S., Coyne, E. F einstein, H. L. and Younman, C. E.,"Role-based access control models, IEEE Compter, Vol. 29 No. 2, pp.38-47, 1996.

[19] Sun, L. and Wang, H., "A purpose based access control in native XMLdatabases, Concurrency and Computation: Practice d Experience,DOl: II2/pe77

518

[20] Sun, L. and Wang, H., "A Purpose Based Usage Access Control Model,International Joual of Computer d Information Engineering, 4: 12010,44-51.

[21] Sun, L. and Wang, H., "Access control and authorization for protectingdisseminative information in E-earning workow, Concurrency andComputation: Practice and Experience, Vo.23, pp.20342042, DOl:2/pe748

[22] Javanmardi, S., mini, M., Jalili, R. and Ganjisaffar, Y., "SBAC: Asemtic based access control model, In Proceedings of the th Nordic

Workshop on Secure IT -Systems Conference ordSec06), pp. 157-168,

2006.[23] W3C Semantic Web

http.www.w3.org2001/sw/Activity/Activity Statement,

[24] Wang, H., Cao, and Zhang, Y., "Access control management forubiquitous computing Future Generation Computer Systems journal.870-878(24),2008.

[25] Wang, H., Zhang, Y. and Cao, J., "Eective collaboration withinformation sharing in virtual universities, IEEE Transactions onKnowledge and Data Engineering, Vol. 21,No. 6, pages: 840-853, June,2009.

[26] Wang, H., Cao, J., and Zhang, Y., "A exible payment scheme and itsrole based access control, IEEE Transactions on Knowledge an d DataEngineering (TKDE), Vol. 17 ,No. 3, pages:425-436, March,2005.

[27] Wang, H., Cao, and Zhg, Y.,"Delegating revocations andauthorizations in collaborative business environments, InformationSystems Frontiers,(3): 293-305,2009.

[28] Yague, M. 1, Mana, A. and Lopez,J., "A metadata-based access controlmodel for web services, Internet research, Vol. 15 No. , pp. 99-116,2005.

Documents

Semantic Access Control for Cloud Computing Based on E-Healthcare