
These are permitted access, denied access and permitted access with overriding. Permitted access and denied access were explained in the previous chapter.

• Permitted Access with Overriding: A user does not have an access privilege to access the resources, but his or her restricted access request will be granted if he or she overrides the access policy within some constraints, such as location and time. For example, a nurse tries to override the access policy, based on the contextual information, for emergency access to the medical record of a patient from another department.

5.4 Access Control Policy

In a medical scenario, data availability is important in both defined and emergency situations. A loss of data availability can result in a further decline in patients’ conditions or can possibly lead to death. To address the data availability issue in emergency and unanticipated situations, permitted access with overriding is explained here with example policies. The details of the medical scenario can be seen in the previous chapter. ob1 is for a patient from the “Heart” department and ob2 is for a patient from the “Cancer” department. The policies identified to evaluate the adaptive access control model are shown in Table 5.1.

Policy  Role    Department  Time              Operation     Object
1       Doctor  Heart       Any               read          ob1
2       Doctor  Heart       Any               read          ob2
3       Nurse   Heart       Any               read          ob1
4       Nurse   Cancer      Any               read          ob2
5       Nurse   Cancer      9am < and < 17pm  overrideread  ob1
6       Nurse   Heart       9am < and < 17pm  overrideread  ob2

Table 5.1 Example of Defined Policy

Policies 1 to 4 are the same as in the previous model. Policies 5 and 6, which have similar properties, are related to the overriding policy. Normally, a nurse from one department does not have permission to access the medical records of patients from departments other than his or hers. In policy 5, the nurse from the “Cancer” department can override the access policy to access the medical record of a patient from the “Heart” department when it is needed in emergency situations. This means that he or she can override the access policy, based on contextual information such as time and department, for emergency data access. The same concept is applied in policy 6 for the nurse from the “Heart” department. The constraints we consider in this model are that the department of the user has to be the same as the one he or she works for, and that the access is within the working schedule. Otherwise, the restricted access request will be rejected.

Fig. 5.2 Interface and Decision Outcomes for a Doctor

5.5 Experimental Results

Detailed information on how the proposed adaptive access control model is evaluated, by developing a medical scenario in Ponder2 with the above policies, is presented with screenshots. Although policies 1 to 4 are the same as in the previous model, the user interface is more advanced and more information is required, for simulation purposes, to access the medical records of patients.


Fig. 5.3 Interface and Decision Outcomes for a Nurse

Figure 5.2 shows a user interface and decision outcomes for a doctor, “Oliver”. The patient’s path and contextual information are required for the purpose of simulation. In the proposed adaptive access control model, the doctor needs to provide contextual information such as department and time for data access. Based on the decision outcomes, the doctor has the right to access the medical records of patients from both the “Heart” and “Cancer” departments. This means that policies 1 and 2 are achieved in the proposed model.

Figure 5.3 shows how the overriding process can be done in the proposed adaptive access control model. Based on the decision outcomes from Figure 5.3, the nurse (Maw) from the “Heart” department can access medical records of patients from his department according to policy 3. In the second case, his restricted access has been denied because he did not meet the time criteria of the overriding policy. In the last case, he tried to override the policy in order to access the medical record of a patient from another department, “Cancer”. To override an access policy successfully and for access to be granted, the user needs to satisfy the defined thresholds such as role, department and time. Therefore, the final result shows that the nurse can access the medical record from another department by overriding the denial of access based on policy 5. Policy 6 has the same properties as policy 5 but is aimed at nurses in the “Cancer” department. Figure 5.4 shows the user interface of the nurse (Aung) from the “Cancer” department; the expressions are the same as in Figure 5.3.

Therefore, data availability is provided in some situations in the proposed model. The decision outcomes in the adaptive access control model are checked for consistency, and the overriding policy is verified and tested through the different user interfaces.
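Table 5.1 and the three decision outcomes for the nurse in Figure 5.3 can be reproduced with a small policy evaluator. The following is an added example in Python, not the Ponder2 application of the thesis; the function decide(), the representation of time as hours of the day, and the use of the table's operation name "overrideread" as an identifier are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PERMITTED = "permitted access"
DENIED = "denied access"
OVERRIDE = "permitted access with overriding"

@dataclass(frozen=True)
class Policy:
    pid: int                                # row number in Table 5.1
    role: str
    department: str
    window: Optional[Tuple[float, float]]   # working hours; None means "Any"
    operation: str                          # "read" or "overrideread"
    obj: str

WORK = (9.0, 17.0)  # "9am < and < 17pm" in Table 5.1, as hours of the day

# Table 5.1: ob1 is the "Heart" patient's record, ob2 the "Cancer" patient's
POLICIES = [
    Policy(1, "Doctor", "Heart", None, "read", "ob1"),
    Policy(2, "Doctor", "Heart", None, "read", "ob2"),
    Policy(3, "Nurse", "Heart", None, "read", "ob1"),
    Policy(4, "Nurse", "Cancer", None, "read", "ob2"),
    Policy(5, "Nurse", "Cancer", WORK, "overrideread", "ob1"),
    Policy(6, "Nurse", "Heart", WORK, "overrideread", "ob2"),
]

def in_window(p: Policy, hour: float) -> bool:
    return p.window is None or p.window[0] < hour < p.window[1]

def decide(role, home_dept, ctx_dept, hour, obj, override=False):
    """Evaluate a read request; returns (outcome, id of the policy applied)."""
    # Constraint from the text: the department given as context must be the
    # one the user works in, otherwise the restricted request is rejected.
    if ctx_dept != home_dept:
        return DENIED, None
    rows = [p for p in POLICIES
            if p.role == role and p.department == ctx_dept and p.obj == obj]
    # Normal read: a matching "read" row grants permitted access.
    for p in rows:
        if p.operation == "read" and in_window(p, hour):
            return PERMITTED, p.pid
    # Override: only when requested, and only inside the working schedule.
    if override:
        for p in rows:
            if p.operation == "overrideread" and in_window(p, hour):
                return OVERRIDE, p.pid
    return DENIED, None
```

The three calls for a "Heart" nurse requesting ob1, ob2 out of hours with override, and ob2 in hours with override give the permitted, denied and permitted-with-overriding outcomes of Figure 5.3.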

5.6 Conclusion and Next Step

In this section, detailed information on the proposed adaptive access control model is presented with user interfaces and decision outcomes. The advantage of the adaptive access control model over the simple access control model is that it introduces the overriding policy to provide a data availability service in emergency and unanticipated situations. One of the weaknesses of the proposed adaptive access control model is that there is no facility or mechanism to detect security policy violations such as unauthorised information release and unnecessary overriding processes. Therefore, data privacy is lost in security policy violations initiated by a malicious or unfaithful user. The questions that now arise are how the system can handle this kind of situation and what the courses of action are for restricted access in WSNs. Based on the above weakness in the adaptive access control model, an improved version of the model with a prevention and detection mechanism will be proposed in the next chapter.

Chapter 6

Adaptive Access Control Model with a Prevention and Detection Mechanism

6.1 Introduction

In this chapter, the framework of the previous adaptive access control model is extended with a prevention and detection mechanism to address how security policy violations are handled and detected in Wireless Sensor Networks (WSNs). The overriding policy introduced in the previous model can provide data availability in emergency and unanticipated situations, but applying it has a weakness: a user may always try to override the access policy whenever he or she desires data access. If there is no security mechanism to detect security policy violations, security breaches can occur at any time. There is no prevention or detection mechanism in current WSN access control models for auditing purposes to detect security policy violations. Sandhu and Samarati [118] mention that the role of auditing is to produce an analysis of data to discover or diagnose security violations. Therefore, the previous adaptive access control model is extended with a prevention and detection mechanism to detect security policy violations and misuse of the overriding facility by both authorised and unauthorised users. Additionally, an obligation policy is introduced to identify the courses of action when a restricted access is granted or denied in emergency and unanticipated situations.

The structure of this chapter is as follows: Firstly, the adaptive access control model with a prevention and detection mechanism is presented. Additionally, a medical application is developed under Ponder2 to evaluate and check whether the proposed adaptive access control model with the prevention and detection mechanism has achieved its objectives. Finally, this chapter concludes with suggestions for the next step.

6.2 Adaptive Access Control model with a Prevention and