
4. Results

4.2. Shortcomings of current access control models regarding grid computing

4.2.1. Why current authorization models are not sufficient

In traditional access control, enforcement has been based primarily on the identities and attributes of already known users [21, 26]. In a dynamic, distributed grid computing environment, digital information is used and stored at multiple sites. The information has to be protected regardless of the user's location, the information source and the storage locations. An open, network-connected system also requires controlling access by previously unknown users.

Both problems have been partially solved by public key infrastructure (PKI) and digital rights management (DRM).

Despite the adoption of RBAC through HL7 for access control to medical documents, healthcare continues to pose significant challenges for traditional access control, especially with the introduction of new technologies such as Body Area Networks [259-261] or the building of new data banks for biomaterial data [262].

The HL7 vision of RBAC, with its addition of structural and functional roles, is meant to be applied within one domain, i.e. mainly inside the hospital. This approach fails in a dynamic distributed environment, where the sharing of sensitive patient data goes beyond the hospital walls. In such scenarios, methods for maintaining privacy and property rights, for trust establishment and for disclosure risk control are of great importance.

The different authorization systems developed or modified for grid computing are mostly driven by traditional access control methods. These can indeed solve the access control problem of a particular application, i.e. a vertical application. However, such a solution does not handle the grid authorization problem itself. Authorization policies that govern the interactions between VO members are currently expressed in terms of the identities of the individuals and resources [110]. They should also consider the entities' roles in the VO as well as other complex state such as accounting and billing information, i.e. other attributes of the entities. Simple access control lists (ACLs) are not expressive enough for these complex authorization policies [32]. The different attempts to extend and/or redesign the existing access control systems exemplify how current grid access control methods do not suffice [124, 127, 164, 229, 231, 263].

Granularity of access is a practical problem with all current flavors of access control systems. This is because operating systems work with files, which are usually the smallest objects that current access control mechanisms can deal with. For example, application-level mechanisms are needed to ensure that a researcher sees only the information inside a structured document (normally stored as one file) to which she has access permission [1]. Databank software is an example of such an application-level mechanism. Nevertheless, new fine-granularity problems appear when using databanks on the grid [240, 264].
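To make the granularity problem concrete, the following added example (constructed for this text, not code from the thesis or from any databank product) contrasts the all-or-nothing file-level decision with an application-level, path-based filter over a structured patient record. The record, the roles and the field policy are assumed sample values.

```python
"""Field-level filtering of a structured document (constructed illustration).
A file-system ACL grants or denies the whole file; the filter below applies
a per-role, path-based policy inside the document instead."""
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# Constructed patient record that would be stored as a single file.
RECORD: Dict[str, Any] = {
    "patient": {"id": "P-0001", "name": "Jane Doe", "dob": "1970-01-01"},
    "diagnosis": {"icd10": "E11.9", "free_text": "Type 2 diabetes, well controlled"},
    "lab": {"hba1c": 7.1, "ldl": 130},
}

# Constructed policy: role -> dotted field paths (fnmatch wildcards) it may read.
FIELD_POLICY: Dict[str, List[str]] = {
    "physician": ["*"],
    "researcher": ["diagnosis.icd10", "lab.*"],   # no identifying fields
    "billing": ["patient.id", "diagnosis.icd10"],
}


def filter_document(doc: Dict[str, Any], allowed: List[str], prefix: str = "") -> Dict[str, Any]:
    """Return a copy of doc holding only the leaves whose dotted path matches allowed."""
    out: Dict[str, Any] = {}
    for key, value in doc.items():
        path = prefix + key
        if isinstance(value, dict):
            sub = filter_document(value, allowed, path + ".")
            if sub:                      # drop sections that end up empty
                out[key] = sub
        elif any(fnmatchcase(path, pattern) for pattern in allowed):
            out[key] = value
    return out


def view_for(role: str, doc: Dict[str, Any] = RECORD) -> Dict[str, Any]:
    """Deny by default: a role absent from the policy sees nothing."""
    return filter_document(doc, FIELD_POLICY.get(role, []))


def leaf_paths(doc: Dict[str, Any], prefix: str = "") -> List[str]:
    """Dotted paths of all leaves, useful for auditing what a role can see."""
    paths: List[str] = []
    for key, value in doc.items():
        path = prefix + key
        paths += leaf_paths(value, path + ".") if isinstance(value, dict) else [path]
    return paths


if __name__ == "__main__":
    for role in ("physician", "researcher", "billing", "student"):
        print(role, "->", leaf_paths(view_for(role)))
```

The researcher view contains the coded diagnosis and the lab values but none of the identifying fields, which is exactly the decision a file-level ACL cannot express: at the file level the researcher either gets the whole record or nothing.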

Several researchers agree that classical access control needs extension, or even a redesign, to be adequate for modern applications. In the Chinese Wall authorization model, the history of access is considered in current and future authorization decisions [77]. In provisional authorization, the authorization is completed only when the subject carries out some action to make it effective [160, 265]. Task-based authorization treats a right as a one- or n-time permission (consumable rights) [83]. In attribute-based access control, the authorization is based on user and object attributes. The existence of these attributes allows more flexible (fine-grained) access control, rather than relying on the subject identity alone. In the authorization model of XACML (an attribute-based access control standard from OASIS), the authorization policy administration is federated but the decision is centralized. In the Usage Control authorization model, the status of access to resources can change over time according to some policy, i.e. authorization is an ongoing process [25].

Referring to the latter approach, Park and Sandhu redefined the authorization problem in 2002 and introduced the Usage Control model (UCON) [23, 25, 146, 266]. One of the main advantages of the UCON model is that it handles authorization as an ongoing process, where the status of access to subjects (resources) can change over time according to some policy. Moreover, it adds extensions to model obligations, which must be fulfilled by the user and/or the system before, during or after gaining access, and to model conditions, which must hold to gain access. A distinguishing property of UCON beyond traditional access control models is the mutability of subject attributes and object attributes. Although mutability has its origins in traditional access control models, history-based access control policies can be expressed very well using UCON, where mutability is well defined [25, 144, 146].

Park and Sandhu argued that UCON is a conceptual framework which provides a general-purpose, unified framework for protecting digital resources, and that "it encompasses traditional access control, trust management, and DRM and goes beyond in its scope" [25]. A detailed look at the UCON model indeed shows the superiority of this model. The different examples presented by Park and Sandhu demonstrate how UCON can model situations which cannot be captured using traditional access control. According to its inventors, the UCON model captures nearly all aspects of modern IT systems. The designers also provided examples of how UCON can be reduced to each of the other known access control models; RBAC, DAC or MAC systems can all be modelled using UCON. Figure 24 shows the coverage of the UCON model [25, 144, 145]. In this context, analyzing UCON means that all other known access control models are also considered.

Figure 24: The coverage of the Usage Control (UCON) authorization model. UCON encompasses traditional access control, trust management, and DRM [25].
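The preceding paragraphs describe UCON's continuity of decision and mutability of attributes in prose, together with the models it subsumes (RBAC as an attribute check, Chinese Wall as a history-based policy, consumable rights, obligations and conditions). The following added example is a minimal decision engine in that spirit; it is constructed for this text and is not code from the thesis or from Park and Sandhu. The policy names, attribute keys and the sample subjects and objects are all assumptions. It goes slightly beyond the text by showing all of these policy types evaluated by one engine.

```python
"""Toy Usage Control (UCON_ABC) decision engine (constructed illustration).
Authorizations, obligations and conditions are predicates over mutable
subject/object attributes; attribute updates run before and after a usage,
and ongoing predicates are re-evaluated while the usage lasts."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Entity:
    """Subject or object; attrs is mutable, which is what UCON relies on."""
    name: str
    attrs: Dict[str, object] = field(default_factory=dict)


Check = Callable[[Entity, Entity], bool]   # (subject, object) -> allowed?
Update = Callable[[Entity, Entity], None]  # mutates a subject/object attribute


@dataclass
class Policy:
    right: str
    pre: List[Check] = field(default_factory=list)       # preA / preB / preC
    ongoing: List[Check] = field(default_factory=list)   # onA / onB / onC
    pre_update: List[Update] = field(default_factory=list)
    post_update: List[Update] = field(default_factory=list)


@dataclass
class Usage:
    subject: Entity
    obj: Entity
    right: str
    active: bool = True


class UconEngine:
    def __init__(self, policies: List[Policy]):
        self.policies = {p.right: p for p in policies}

    def try_access(self, s: Entity, o: Entity, right: str) -> Optional[Usage]:
        """Pre-decision: every pre predicate must hold, then pre-updates fire."""
        p = self.policies[right]
        if not all(check(s, o) for check in p.pre):
            return None
        for upd in p.pre_update:
            upd(s, o)
        return Usage(s, o, right)

    def recheck(self, usage: Usage) -> bool:
        """Ongoing decision: an attribute change can revoke a running usage."""
        p = self.policies[usage.right]
        if usage.active and not all(c(usage.subject, usage.obj) for c in p.ongoing):
            self.end_access(usage)
        return usage.active

    def end_access(self, usage: Usage) -> None:
        if usage.active:
            usage.active = False
            for upd in self.policies[usage.right].post_update:
                upd(usage.subject, usage.obj)


# Constructed policy building blocks; attribute keys are assumptions.
def has_analyst_role(s, o):            # RBAC reduced to an attribute check
    return "analyst" in s.attrs["roles"]

def accepted_terms(s, o):              # pre-obligation the subject must have fulfilled
    return s.attrs.get("accepted_terms", False)

def no_chinese_wall_conflict(s, o):    # history-based: past accesses decide future ones
    seen = s.attrs.get("history", {})  # conflict class -> company already accessed
    return seen.get(o.attrs["conflict_class"], o.attrs["company"]) == o.attrs["company"]

def credits_left(s, o):                # consumable (n-time) right on the object
    return o.attrs["credits"] > 0

def session_valid(s, o):               # ongoing condition, re-evaluated during usage
    return s.attrs["session_valid"]

def record_history(s, o):              # pre-update: mutate the subject attribute
    s.attrs.setdefault("history", {})[o.attrs["conflict_class"]] = o.attrs["company"]

def consume_credit(s, o):              # pre-update: mutate the object attribute
    o.attrs["credits"] -= 1

def count_completed(s, o):             # post-update once the usage has ended
    o.attrs["completed"] = o.attrs.get("completed", 0) + 1


def demo() -> Dict[str, bool]:
    """Run the constructed scenario; every value is True when the engine behaves as intended."""
    engine = UconEngine([Policy("read",
        pre=[has_analyst_role, accepted_terms, no_chinese_wall_conflict, credits_left],
        ongoing=[session_valid], pre_update=[record_history, consume_credit],
        post_update=[count_completed])])
    alice = Entity("alice", {"roles": ["analyst"], "accepted_terms": True, "session_valid": True})
    bob = Entity("bob", {"roles": ["clerk"], "accepted_terms": True, "session_valid": True})
    bank_a = Entity("BankA-report", {"company": "BankA", "conflict_class": "banks", "credits": 2})
    bank_b = Entity("BankB-report", {"company": "BankB", "conflict_class": "banks", "credits": 2})
    oil_c = Entity("OilC-report", {"company": "OilC", "conflict_class": "oil", "credits": 1})
    first = engine.try_access(alice, bank_a, "read")
    result = {
        "first_bank_granted": first is not None,
        "competing_bank_denied": engine.try_access(alice, bank_b, "read") is None,   # Chinese Wall
        "other_class_granted": engine.try_access(alice, oil_c, "read") is not None,
        "exhausted_credit_denied": engine.try_access(alice, oil_c, "read") is None,  # 1-time right
        "wrong_role_denied": engine.try_access(bob, bank_b, "read") is None,
    }
    alice.attrs["session_valid"] = False                        # attribute mutates mid-usage...
    result["revoked_while_running"] = not engine.recheck(first)  # ...and the usage is cut off
    result["post_update_ran"] = bank_a.attrs.get("completed") == 1
    return result


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The second and sixth decisions are the ones an ACL cannot express: the denial of BankB follows from what alice accessed earlier (a mutated subject attribute), and the revocation of the running usage follows from a later attribute change, not from a new access request.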

Although UCON provides a more complete authorization system than other models, which indeed makes it more adequate for grid computing, it has shortcomings regarding its application in a grid computing environment. In the following subsection (4.2.2), critiques of and shortcomings of the UCON model regarding the grid computing authorization problem are discussed.