
Data Centered and Usage-Based Security Service

Abstract

Protecting Information Systems (IS) traditionally relies on security risk analysis methods. Designed for environments with a well-defined perimeter, these methods rely on a systematic identification of threats and vulnerabilities to identify efficient control-centered protection countermeasures. Unfortunately, this does not fit the security challenges raised by the open and agile organizations enabled by the Social, Mobile, big data Analytics, Cloud and Internet of Things (SMACIT) environment. Due to their inherently collaborative and distributed organization, such multi-tenancy systems require the integration of contextual vulnerabilities, which depend on the a priori unknown way data is used, stored and exchanged in an open cloud environment. Moreover, as data can be associated with multiple copies, different protection requirements can be set for each of these copies, which may lead the initial data owner to lose control over the data protection. This involves (1) turning the traditional control-centered security vision into a dynamic data-centered protection and even (2) considering that the way data is used can be a potential threat that may corrupt data protection efficiency. To meet these challenges, we propose a Data-centric Usage-based Protection service (DUP). This service is based on an information system meta-model, used to formally identify data assets and store the processes using copies of these assets. To define a usage-centered protection, we extend the Usage Based Access Control model, which is mostly focused on managing CRUD operations, to more complex operations fitting the SMACIT context. These usage rules are used to generate smart contracts, storing usage consents and managing usage control for cloud services.