Chapter 2. Related Works

2.1 Related works of CWSM

Many access control techniques have been proposed. Traditional access control models, such as the static access control of the ACM, are insufficient for WfMSs [14].

Olivier et al. proposed an approach for dynamically granting access rights to subjects during the execution of a workflow [43]. Knorr reported dynamic access control matrices for WfMSs, using a Petri net to model the WfMS so that access rights change with the marking of the Petri net [44].

Thomas and Sandhu proposed modeling access controls from a task-oriented rather than a subject-object perspective [45]. Their approach constantly monitors access permissions, which are activated and deactivated in accordance with the emerging context associated with progressing tasks. The approach applies task-based access control (TBAC) to WfMSs and enables the granting and revoking of permissions to be automated and coordinated with the progression of activities in a WfMS. Dong et al. also proposed an access control model based on TBAC that took two basic dynamic factors into account: the state of the authorization processes and the state of the process instances [46].

Multilevel security (MLS) has posed a challenge to the computer security community since the 1960s [47]. In MLS, security levels are assigned to subjects and objects. Higher-level subjects must have access permission to lower-level objects, and higher-level objects must not leak to lower-level subjects or objects. Kang et al. worked on implementing the MLS model in a WfMS [48,49]. Wietrzyk et al. proposed an approach to securing a distributed workflow database management system based on MLS [50].

RBAC has been employed to implement access control mechanisms in WfMSs. Atluri and Huang proposed a workflow authorization model that allows subjects to gain access to required objects during the execution of a specific task [51]. The authorization can be synchronized with the execution of the workflow process. Bertino et al. presented a language for defining constraints on role assignment and user assignment to tasks in a workflow, allowing separation of duties to be specified in a WfMS [16]. The many studies that have addressed workflow security issues have generally focused on access control and separation-of-duty issues. Park et al. addressed the security services for a secure workflow system to support dynamic collaboration for interorganizational enterprises [52]. Payne et al. proposed a solution that incorporates Napoleon – a multilayered RBAC modeling environment for distributed computing systems [53] – in a WfMS [17]. Huang and Atluri introduced a Web-enabled WfMS called SecureFlow [54]; their work showed that security specification and enforcement could be placed on top of an existing WfMS to provide security using RBAC. Park and Sandhu described how to use role information on the Web using smart certificates [55]. Their work showed that role information can be used to authorize Web-based transactions between a client and a Web server. Ahn et al. defined a simplified RBAC model to describe the security architecture to be applied to an existing Web-based WfMS [18].

Basin et al. combined the unified modeling language (UML) and RBAC to protect process components [56]. They showed how to integrate their security modeling language SecureUML with UML process models. SecureUML is a UML-based language for modeling access control requirements that generalizes RBAC. Park and Hwang proposed an approach that supports RBAC services for collaborative enterprises in peer-to-peer computing environments, where the access control information is interpreted by a middleware among peers [57]. Chou et al. proposed an access control model for WfMSs named WfACL [19]. They focused on dynamically specifying role-subject and role-permission bindings; in their paper they used the terms “dynamic role change” and “role association change”. WfACL is embedded in a workflow to control access while a workflow instance is executing.

Some researchers have studied the use of cryptography to secure WfMSs. The Meteor workflow system utilizes encryption algorithms, digital signatures, and access control, in which workflows are statically prepartitioned in the central server in a distributed CORBA-based system [58,59]. Hwang et al. proposed a WfMS that operates in a purely distributed manner without needing a centralized workflow engine [60]. It is an XML-based document-routing system that implements major required security features such as authentication, confidentiality, data integrity, and nonrepudiation based on cryptographic algorithms in distributed or large-scale network environments.

Previous work that has introduced the ACM, MLS, TBAC, RBAC, or cryptography to secure WfMSs has not addressed the goal of the CWSM, that is, the avoidance of COI.

Another proposed access control model is attribute-based access control (ABAC), whose central idea is that access can be determined based on various attributes presented by a subject [61]. UCON is a kind of ABAC model in which authorizations are predicates defined on subject and object attributes, while conditions are environmental restrictions represented by system attributes such as time, location, and load [62]. Authorizations and conditions are enforced not only when a subject generates an access request, but also during the whole ongoing stage of the usage session. As a side-effect of the usage, subject and object attributes can be updated; this is referred to as attribute mutability in UCON. Kuhn et al. summarized access control schemes that employ attributes to determine access permissions into several models, including ABAC-basic, ABAC-RBAC hybrid, ABAC-ID, RBAC-A (dynamic roles), RBAC-A (attribute-centric), and RBAC-A (role-centric) [63]. Yao et al. proposed the RCBAC model, which extends RBAC with context constraints [64]. The RCBAC mechanisms dynamically grant and adapt permissions to users based on a set of contextual information collected from the grid environment. Strembeck and Neumann presented an approach that uses special-purpose RBAC constraints to base certain access control decisions on context information [65]. A context constraint is defined as a dynamic RBAC constraint that checks the actual values of one or more contextual attributes against predefined conditions. ABAC and context-based RBAC thus provide dynamic characteristics. To implement the CWSM in ABAC or context-based RBAC, the run-time history of data accesses and the company information would have to be represented as attributes or context in the access control system, and the access control system would have to be able to encode the BN read and write rules.
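The last point above, representing the run-time access history as a subject attribute and encoding the BN rules in the access control system, is shown below as an added example in Python; it is not code from the thesis. It assumes the BN write rule is checked against the subject's recorded history of unsanitized reads (one common reading of the BN *-property), and all subject, object and company names are constructed.

```python
# Added example (not the thesis author's code): Brewer-Nash (Chinese Wall) read
# and write rules in ABAC style. Object attributes: company dataset, its
# conflict-of-interest (COI) class, sanitized flag. Subject attribute: the
# run-time history of unsanitized reads, mutated as a side-effect of usage.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Obj:
    name: str
    company: str             # company dataset the object belongs to
    coi: str                 # COI class containing that company
    sanitized: bool = False  # sanitized data lies outside the wall

@dataclass
class Subject:
    name: str
    history: set = field(default_factory=set)  # (coi, company) pairs read

def can_read(s: Subject, o: Obj) -> bool:
    """BN simple security rule: sanitized data is always readable; otherwise
    o's company must be in the history, or o's COI class must be untouched."""
    if o.sanitized or (o.coi, o.company) in s.history:
        return True
    return all(coi != o.coi for coi, _ in s.history)

def can_write(s: Subject, o: Obj) -> bool:
    """BN *-property against recorded history: s must be able to read o, and
    every unsanitized dataset s has read must be o's own company."""
    return can_read(s, o) and all(c == o.company for _, c in s.history)

def read(s: Subject, o: Obj) -> bool:
    """Enforce the read rule and, on success, mutate the history attribute."""
    if not can_read(s, o):
        return False
    if not o.sanitized:
        s.history.add((o.coi, o.company))
    return True

def demo() -> list:
    # Constructed data: one COI class with two banks, plus an oil company.
    bank_a = Obj("a_ledger", "BankA", "Banks")
    bank_b = Obj("b_ledger", "BankB", "Banks")
    oil_x = Obj("x_report", "OilX", "Oil")
    oil_pub = Obj("x_press", "OilX", "Oil", sanitized=True)
    alice = Subject("alice")
    return [read(alice, bank_a),       # True: Banks class untouched so far
            read(alice, bank_b),       # False: BankB conflicts with BankA
            read(alice, oil_pub),      # True: sanitized, no history change
            can_write(alice, bank_a),  # True: history holds only BankA
            read(alice, oil_x),        # True: Oil is a different COI class
            can_write(alice, bank_a)]  # False: OilX data could flow into it
```

Because the history attribute is mutated by `read`, the same `can_write` query returns different answers before and after the OilX read, which is exactly the attribute-mutability behaviour the CWSM needs from an ABAC or UCON system.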

There has been little work on implementing the CWSM in WfMSs. Sandhu proposed employing the lattice model to implement the CWSM [66]. Lattice labels, which are in fact access arrays used to record the access history, need to be associated with all subjects and objects. He considered the BN model too restrictive and did not discuss how to enforce the BN write rule in the lattice model; nor did he discuss how to apply the CWSM in a WfMS. Atluri et al. extended the CWSM for decentralized workflow execution [67]. They impose access restrictions on sensitive data by restrictive partitioning, which ensures that no two task agents of the same COI class are in one partition. However, their partitioning scheme requires the binding of subjects to companies to be static. The preliminary result of this research is published in [68]. We extended it in this paper, including related work, more examples and discussion, and a general access control model.