Contents
Mobile Forensic 3
Introduction 3
What It Is 3
How It's Used 3
Steps in Mobile forensics 4
Seizure 4
Airplane mode 4
Phone jammer 4
Faraday bag 4
Acquisition 5
Examination and analysis 6
Invasive methods 6
Chip-off 6
Micro read 7
Case study 7
CSI wife killers case Ireland 7
Phone evidence settled the conviction of a liar and a wife-killer 7
Mobile records checking 8
Conclusion 9
References 10
Mobile Forensic
Introduction
Mobile forensics is obtaining information on a mobile device such as a smartphone or tablet. The technology has grown in sophistication, and it can be used to uncover hidden content on devices, including text messages, apps and wifi connections. Mobile forensics goes beyond mere wireless security breaches. Today's mobile forensic tools can uncover true digital evidence and unlock devices with few endpoints or no recovery partitions to access."
The importance of mobile forensics is rising in the connected world of today. Discover further regarding mobile forensics, its applications, and the significance and procedures of a mobile investigation with a strong forensic foundation in this course.What It Is
Mobile forensics is a digital forensics subfield that focuses well on data extraction from electronic origin. Recovery of evidence from portable digital devices such as tablets, smartwatches, and smartphones is the focus of mobile forensics. Mobile devices are used by numerous people these days, so it seems reasonable that they would hold a large quantity of evidence that might be helpful to investigators. These gadgets search for data and collect and transmit data (Moreb, 2022).
Mobile devices can reveal numerous important pieces of information, such as messages, GPS data, call logs, and internet search activity that discloses the owner's probable whereabouts anywhere at any given moment.How It's Used
The secret to gathering digital evidence is following forensically sound procedures, regardless of who utilizes mobile forensics or how it is applied. According to Duke University's Electronic Discovery Reference Model, the word "forensically sound" refers to "procedures employed for gathering electronic information in a way that assures it is "as originally discovered" and is dependable enough to be allowed into evidence."
This implies that mobile evidence is treated so that it will be admissible in court and that it is not compromised during the forensic procedure. The idea of being forensically sound is based on the fundamental idea that transportable evidence should be kept in the same condition as when it was first discovered.
A defined procedure that helps to guarantee law enforcement or anyone collecting the data follows best practices for doing so lies behind forensically sound mobile evidence collection. Let's examine those actions (
Kumar, 2021,p.102).
Steps in Mobile forensics
Seizure
The cornerstone of digital forensics is the principle that evid.
ContentsMobile Forensic3Introduction3What It Is3How I.docx
1. Contents
Mobile Forensic 3
Introduction 3
What It Is 3
How It's Used 3
Steps in Mobile forensics 4
Seizure 4
Airplane mode 4
Phone jammer 4
Faraday bag 4
Acquisition 5
Examination and analysis 6
Invasive methods 6
Chip-off 6
Micro read 7
Case study 7
CSI wife killers case Ireland 7
Phone evidence settled the conviction of a liar and a wife-killer
7
Mobile records checking 8
Conclusion 9
References 10
Mobile Forensic
Introduction
Mobile forensics is obtaining information on a mobile device
such as a smartphone or tablet. The technology has grown in
sophistication, and it can be used to uncover hidden content on
devices, including text messages, apps and wifi connections.
Mobile forensics goes beyond mere wireless security breaches.
2. Today's mobile forensic tools can uncover true digital evidence
and unlock devices with few endpoints or no recovery partitions
to access."
The importance of mobile forensics is rising in the connected
world of today. Discover further regarding mobile forensics, its
applications, and the significance and procedures of a mobile
investigation with a strong forensic foundation in this
course.What It Is
Mobile forensics is a digital forensics subfield that focuses well
on data extraction from electronic origin. Recovery of evidence
from portable digital devices such as tablets, smartwatches, and
smartphones is the focus of mobile forensics. Mobile devices
are used by numerous people these days, so it seems reasonable
that they would hold a large quantity of evidence that might be
helpful to investigators. These gadgets search for data and
collect and transmit data (Moreb, 2022).
Mobile devices can reveal numerous important pieces of
information, such as messages, GPS data, call logs, and internet
search activity that discloses the owner's probable whereabouts
anywhere at any given moment.How It's Used
The secret to gathering digital evidence is following
forensically sound procedures, regardless of who utilizes mobile
forensics or how it is applied. According to Duke University's
Electronic Discovery Reference Model, the word "forensically
sound" refers to "procedures employed for gathering electronic
information in a way that assures it is "as originally discovered"
and is dependable enough to be allowed into evidence."
This implies that mobile evidence is treated so that it will be
admissible in court and that it is not compromised during the
forensic procedure. The idea of being forensically sound is
based on the fundamental idea that transportable evidence
should be kept in the same condition as when it was first
discovered.
A defined procedure that helps to guarantee law enforcement or
3. anyone collecting the data follows best practices for doing so
lies behind forensically sound mobile evidence collection. Let's
examine those actions (
Kumar, 2021,p.102).
Steps in Mobile forensics
Seizure
The cornerstone of digital forensics is the principle that
evidence should always be correctly handled, preserved, and
acceptable in court. Just a few legal issues are related to seizing
a mobile device.
The two major risks involved with this step of a mobile forensic
method are the cellular connection and the lock activation (by
operator, suspect, or inadvertent related parties). Isolating a
network is usually a great idea, and you have two different ways
to accomplish it: either 1) deactivate wifi and hotspots on the
phone and set it in aeroplane mode, or 2) duplicate the SIM card
from your smartphone.Airplane mode
The best approach to transport mobile devices is to attempt to
keep devices powered on to prevent a shutdown that could
inevitably alter files. This is because maintaining evidence is
the purpose of their seizure (Kaushik, 2022, p46).Phone
jammer
A Faraday box/backpack plus an external power supply are
typical pieces of gear for forensics. The former is a box
specifically designed to separate mobile phones from
communication networks whilst still helping with the safe
handling of evidence in a lab, in contrast to the latter, which is
a source of power installed on the inside of the Faraday box.
Upon placing the device in the Faraday box, disconnect the
device from the network, disable all connectivity (GPS, wifi,
etc.), and turn on flight mode to secure the information's
integrity.Faraday bag
A Faraday bag is a device that isolates electronic devices from
electromagnetic interference (
Kumar, 2021,p.102). The main benefit of a Faraday bag
is that it prevents signals on a phone or computer: phone calls,
4. messages and data transfers. In the legal environment in
particular, not only must investigators/lawyers protect their cell
phones but also all related devices like laptops and tablets."
Acquisition
The goal of this phase is to remove data from the mobile gadget.
A locked screen could be opened with the correct credentials,
PIN, passwords, pattern, biometrics or trend. According to the
Virginia Circuit Court, passwords are secured, but fingerprints
aren't. Furthermore, comparable lock capabilities may be
present in programs, images, Sms messages, and messengers.
On the other hand, encryption provides security that is often
difficult to breach at quite a hardware, program, or even both
level.
Since the data is movable, managing it on smartphones is
difficult. Once documents or texts are sent via a smartphone,
management is lost. Even though a wide range of gadgets can
store much information, the information may be elsewhere. For
instance, data synchronization between programs and devices
can occur locally and via the cloud. It is possible to obtain data
from mobile device owners who regularly utilize services,
including Apple's iCloud or Microsoft's One Onedrive
(Kaushik, 2022, p45).
Software and hardware may close any data gap since data is
constantly being synchronized. Consider Uber as an illustration;
it contains both an application and a working website. All the
information obtained through the Uber app on a smartphone can
be viewed on the Uber website and through Uber's software
suite, downloaded onto a computer and installed.
Irrespective of the phone model, finding the data may be more
challenging due to the dispersion of operating systems and item
specifications. The open-source Android operating system has
numerous releases, and even Apple's iOS may vary from one
release to the next. Another challenge for forensic specialists is
mobile applications' abundance and ongoing innovation. Make
an exhaustive list of all installed programs. Some programs
5. archive and back up their data.
Once the data sources have been determined, the next step is to
collect the data properly. There are specific challenges to
collecting data in the setting of mobile technologies. Many
smartphones could undergo a process known as data acquisition
rather than being obtained through image generation. There are
numerous methods for collecting data from portable devices
because some design constraints might only allow for a specific
type of acquisition. To create a replica of a SIM Card's data, the
forensic investigator should use a technique known as SIM Card
imagining. Like past replicas, the underlying evidence would be
kept safe while employing the duplicate image for assessment.
All image files must be hashed to ensure the information is
accurate and undamaged.Examination and analysis
The forensic expert must first determine the type of mobile
device(s) involved in any digital investigation involving a
mobile device or devices, such as a tablet, smartphone, GPS,
etc. There are GSM, CDMA, and TDMA networks accessible.
Provider of carrier services (Reverse Lookup)
The investigator may require various forensic tools to get and
analyze data saved on the machine. Due to the variety of mobile
devices, there is currently no collection of mobile forensic tools
that is universally applicable. Therefore, it is advised to use
various equipment when performing an assessment. EnCase,
Sleuthkit, and AccessData are well-known forensic software
programs with analytical capabilities. The optimal tool or tools
are chosen based on the type and brand of the device. A
timeline plus link assessment, available in so many mobile
forensic systems, can link all of the significant events from the
viewpoint of a forensic investigator.Invasive methods
Usually, they are longer and more intricate. It is possible that
manually removing and imaging the phone's flash memory cards
may be the only way to retrieve data from a gadget when it has
become completely non-functional due to serious damage.
6. Regardless of whether the apparatus or item is in good
condition, the forensic expert may still be required to acquire
the details of the chip manually.Chip-off
A process that outlines extracting data directly from the mobile
device's memory chip. Data from the gadget under investigation
is recovered using a chip reader or perhaps a different phone
after the chip has been taken from the gadget in a manner
appropriate for this level. It should be acknowledged that the
sheer variety of chip varieties in the phone industry makes this
process technically challenging. To de-solder and burn the
microchip during the chip-off method, the investigator must
purchase specialized apparatus, undergo training, and incur
additional costs. Uncoded and uninterpreted, bits and bytes of
unprocessed metadata continue to be retrieved from the storage.
There are five steps in all in the process:
Identify the device's memory chip type;
physical removal of a chip (by, for instance, unwelding it);
Utilizing software for reading/programming the chip to
interface;
reading and sending information from the microchip to a
computer;
reverse engineering is used for data interpretation;Micro read
With this method, the entire microchip is manually viewed
through the lenses of an electron microscope to examine the
data visible therein, particularly the physical circuits on the
microchip. Micro reading is a costly, drawn-out process that
needs the maximum expertise and is only employed in dire
national security situations.Case study
CSI wife killers case Ireland
The most famous wife killers in Ireland are the "CSI wife
killers," guys whose murder cases captivated the country and
whose heinous acts sent shivers down the public's bones.
Joe O'Reilly, Eamonn Lillis, and Brian Kearney are currently
being physically assaulted in jail for the murder of the women
they spent their days with.
Kearney and O'Reilly are presently on life sentences for
7. homicide, while Lillis was finally judged responsible for the
murder of his spouse. Senior gardai built complex cases against
all these three criminals, but despite their disparate offences,
they had many things in common.
Although to solve these crimes, police had to rely heavily on
advances in forensic technology and scientific research. There
is little uncertainty that obtaining convictions in such cases just
20 years ago could have been practically impossible for the
gardai. Gardai nowadays are adequately equipped to investigate
significant crimes thanks to advancements in forensics,
Surveillance, and the ability to get evidence from smartphones
and email.Phone evidence settled the conviction of a liar and a
wife-killer
Detectives were aware that their investigation into Joe O'Reilly
would shed light on a branch of forensic science that could aid
criminals in eluding the law. The prosecution considered expert
testimony on the locations and times O'Reilly used his cell
phone to be crucial to convincing the jury of his guilt (Harkin,
2012).
In a prosecution primarily based on corroborating evidence, the
wife-phone murderer could show that he could not be in two
locations at once, and it would ultimately be his downfall.
O'Reilly's narrative of his actions on the day of the murder
conflicted with the whereabouts of his smartphone, according to
communications specialists who testified in court.
According to a garda source, professional criminals will never
consider using cell devices linked to them or their colleagues.
Joe O'Reilly wasn't a convicted felon, and it's obvious that he
was unaware that his phone might be used to monitor and locate
him near the crime site when he purported to be elsewhere
(Harkin, 2012). The trial had, I think, served as a reminder that
this kind of tech is available to us. It's not even necessary to
utilize a smartphone to indicate where anything is. For instance,
a person's phone will register to the nearby mast as they move
around a metropolis. Although it cannot pinpoint a specific
8. place, it can disprove a fake alibi.Mobile records checking
"Checking mobile records is now standard protocol in so many
cases, particularly those involving missing persons and
homicide. Joe O'Reilly didn't appear to be aware of it."
The use of cell phone evidence, frequently referred to as the
"new fingerprint"—by gardai in high-profile litigation is not
new. Probably the most well-known incident is the 1998
explosion of Omagh by the Real IRA, which claimed 29 lives.
Colm Murphy, a father of four, was convicted of planning the
crime in January 2002 by the Central Criminal Court. During
his 25-day trial, he alleged that he had given the terrorists two
phones under credit. At the time of the incident, RUC and
gardai followed the travels of the cellphones first from Republic
to Omagh, then back with the assistance of cellphone
specialists. According to the prosecution's argument, Murphy
gave the attackers the phones, knowing they might be misused.
Later, Murphy was successful in their appeal. A trial has indeed
been scheduled after his conviction was overturned. His
attorneys are currently making the case-dropping argument that
he is too unwell to stand trial again. However, the case
established a new benchmark for garda investigation.Conclusion
Among Britain's most renowned killers, cellphone evidence
helped to accept responsibility for their crimes. Ian Huntley
abducted and killed Holly Wells and Jessica Chapman, both 10-
year-old school children from the English village of Soham, in
August 2002. According to the investigators, Jessica's cell
phone was off when it was within or near Huntley's house.
O'Reilly's cell phone could also cause his death because it
showed he had lied to his lover, Nikki Pelley. Investigators
discovered that 18 talks and SMS were sent between his phone
and Ms Pelley's cellphones on the same day he murdered his
wife, despite stating the connection had ended in his report to
garda authorities (Kaushik, 2022, p45).
References
9. Appendix A Mapping to Cybersecurity Framework - NIST SP
1800-27 documentation. (n.d.). Retrieved October 17, 2022,
from
https://www.nccoe.nist.gov/publication/1800-
27/VolB/vol-b-appendix.html
Kaushik, K. (2022). Investigation on Mobile Forensics Tools to
Decode Cyber Crime. In
Security Analytics (pp. 45-56). Chapman and Hall/CRC.
https://www.taylorfrancis.com/chapters/edit/10.1201/978100320
6088-4/investigation-mobile-forensics-tools-decode-cyber-
crime-keshav-kaushik
Kumar, M. (2021). Mobile Forensics: Tools, Techniques and
Approach. In Crime Science and Digital Forensics (pp. 102-
116). CRC Press.
https://www.taylorfrancis.com/chapters/edit/10.1201/978042932
2877-8/mobile-forensics-manish-kumar
CSI wife Killers Ireland. independent. (n.d.). Retrieved October
17, 2022, from
https://www.independent.ie/regionals/herald/news/csi-
wife-killers-ireland-28850927.html
Harkin, G. (2012, November 25).
Phone evidence clinched conviction of lying wife-killer.
independent. Retrieved October 17, 2022, from
https://www.independent.ie/irish-news/phone-evidence-
clinched-conviction-of-lying-wife-killer-26306506.html
Moreb, M. (2022). Introduction to Mobile Forensic Analysis. In
Practical Forensic Analysis of Artifacts on iOS and
Android Devices (pp. 1-36). Apress, Berkeley, CA.
https://link.springer.com/chapter/10.1007/978-1-4842-
8026-3_1
2
11. controls access to objects by eval-
uating rules against the attributes
of entities (subject and object), op-
erations, and the environment rel-
evant to a request. ABAC enables
more precise AC by allowing for a
higher number of discrete inputs
into an AC decision and thereby providing a larger set
of possible combinations of those variables to reflect a
larger and more definitive set of possible rules to express
policies, which are limited only by the computational
language and the richness of the available attributes.
This flexibility enables creation of access rules with-
out specifying individual relationships between each
subject and each object. For example, a subject is as-
signed a set of subject attributes upon employment, such
as Nancy Smith is a Nurse Practitioner in the Cardiology
Department. An object is assigned its object attributes
upon creation, such as a folder with Medical Records of
Heart Patients. Objects may receive their attributes ei-
ther directly from the creator or as a result of automated
scanning tools. The administrator or owner of an object
creates an AC rule using attributes of subjects and objects
to govern the set of allowable capabilities—for example,
Attribute-Based
Access Control
Vincent C. Hu, D. Richard Kuhn, and David F. Ferraiolo,
National Institute of Standards and Technology
Attribute-based access control (ABAC) is a
flexible approach that can implement AC
12. policies limited only by the computational
language and the richness of the available
attributes, making it ideal for many distributed
or rapidly changing environments.
r2sec.indd 85 1/22/15 5:25 PMAuthorized licensed use
limited to: University of Canberra. Downloaded on September
03,2021 at 10:50:52 UTC from IEEE Xplore. Restrictions
apply.
86 C O M P U T E R W W W . C O M P U T E R . O R G / C
O M P U T E R
SECURITY
all Nurse Practitioners in the Cardiol-
ogy Department can View the Medical
Records of Heart Patients.
Under ABAC, access decisions can
change between requests simply by
altering attribute values, without re-
quiring changes to the subject/object
relationships defining the underly-
ing rule sets. This provides a more
dynamic AC management capability
and limits long-term maintenance re-
quirements of object protections.
Further, ABAC enables object own-
ers or administrators to apply AC policy
13. without prior knowledge of the specific
subject and for an unlimited number
of subjects that might require access.
As new subjects join the organization,
rules and objects need not be modified,
and as long as the subject is assigned
the attributes necessary for access to
the required objects—for example, all
Nurse Practitioners in the Cardiology
Department are assigned those attri-
butes—no modifications to existing
rules or object attributes are required.
This accommodation of the external
(unanticipated) user is one of the pri-
mary benefits of employing ABAC.1,2
As a result of this flexibility, ABAC
has attracted interest across indus-
try and government, and is the fast-
est-growing AC model today.3 It has
been integrated with other approaches,
such as the International Committee
for Information Technology Stan-
dards (INCITS) standard for role-based
access control,4 and has become the
basis for an increasing range of prod-
ucts. But beyond the basic scheme of
associating attributes with subjects,
objects, and environments, there has
been little consistency among ABAC
implementations.
IMPLEMENTING ABAC IN THE
ENTERPRISE ENVIRONMENT
Due to a lack of consensus on ABAC
14. features, users can’t accurately assess
the benefits and challenges associ-
ated with the model. To help address
this problem, the National Institute
of Standards and Technology (NIST)
released Special Publication (SP) 800-
162, Guide to Attribute Based Access
Control (ABAC) Definition and Consid-
erations.1 This document serves a two-
fold purpose. First, it provides federal
agencies with a definition of ABAC
and a description of its functional
components. Second, it describes
planning, design, implementation,
and operational considerations for
employing ABAC within an enter-
prise to improve information sharing
while maintaining control of that in-
formation. The guide focuses on the
Credential
issuance
Enterprise policy manager
Enterprise identity/
credential manager
Subject
attribute
issuance
Subject
Enterprise subject
attribute
15. administration
point
Enterprise object
attribute manager
Local object attribute
administration point
Optional enterprise
object attribute binding
and validation service
Enterprise access
control policy
repository
Enterprise
access
control policy
administration point
Af�liation
Etc.
Clearance
Name
Owner
Etc. Classi�cation
TypeEnterprise subject
16. attribute sharing
Local subject attribute
administration point
Hierarchical policy
pushed to
subordinate
organizations
Local subject
attribute repository
Local subject
attribute repository
Object attribute
repository
Local access control
policy repository
Object
Owner
Etc. Classi�cation
Type
Af�liation
Etc.
Clearance
Name
17. GroupRole
Rules
Decision Enforce
ABAC
access control
mechanism
Environmental
conditions Local access control policy
administration point
Set of available
attributes
for policy
development
Optional enterprise
policy decision service
Figure 1. Attribute-based access control (ABAC) example.
Adapted from V.C. Hu et al., Guide to Attribute Based Access
Control (ABAC)
Definition and Considerations, NIST Special Publication 800-
162, Nat’l Institute of Standards and Technology, Jan. 2014.
r2sec.indd 86 1/22/15 5:53 PMAuthorized licensed use
limited to: University of Canberra. Downloaded on September
03,2021 at 10:50:52 UTC from IEEE Xplore. Restrictions
apply.
18. F E B R U A R Y 2 0 1 5 87
challenges of implementing ABAC
rather than on balancing the cost and
effectiveness of other capabilities ver-
sus ABAC.
When deployed across an enter-
prise to increase information shar-
ing among diverse organizations,
ABAC implementations can become
complex, requiring an attribute man-
agement infrastructure, machine-
enforceable policies, and an array of
functions that support access deci-
sions and policy enforcement. As Fig-
ure 1 shows, in addition to the basic
policy, attribute, and AC mechanism
requirements, the enterprise must
support management functions for
enterprise policy development and
distribution, enterprise identity and
subject attributes, subject attribute
sharing, enterprise object attributes,
authentication, and AC mechanism
deployment and distribution.
Enabling these capabilities re-
quires careful consideration of nu-
merous factors that will influence the
design, security, and interoperability
of an enterprise ABAC solution. These
19. factors can be summarized around a
set of activities:
› establish the business case for
ABAC implementation;
› understand the operational
requirements and overall ABAC
enterprise architecture;
› establish or refine business pro-
cesses to support ABAC;
› develop and acquire an interop-
erable set of ABAC capabilities;
and
› operate with efficient ABAC
processing.
NIST SP 800-162 helps ABAC sys-
tem planners, architects, managers,
and implementers carry out these ac-
tivities in four phases. The initiation
phase includes building the business
case for deploying ABAC capabilities;
scalability, feasibility, and perfor-
mance requirements; and developing
operational requirements and archi-
tecture. The acquisition/development
phase includes business process gen-
eration and deployment preparation,
system development and solution
acquisition considerations, and other
enterprise ABAC capabilities. The
20. implementation/assessment phase in-
cludes attribute caching, attribute
source minimization, and ABAC in-
terface specifications. Finally, the op-
erations/maintenance phase includes
availability of quality ABAC data.
ATTRIBUTE ASSURANCE
The metadata of ABAC attributes
communicate aspects that are im-
portant for attribute standardiza-
tion. By coupling a common set of
mandatory and optional metadata
with attribute assertions, ABAC sys-
tems can query attribute information
to make their own risk-based deci-
sions, especially when delivered via
a broker connected to many systems.
In general, attribute metadata fall
into three categories:
› Accuracy establishes the policy
and technical underpinnings for
semantically and syntactically
correct use of these attributes
TABLE 1. Level of attribute assurance (LOAA) mappings
example.
LOAA Accuracy Integrity Availability
1 Attributes are properly verified
for veracity through provision
and management.
21. Secure attribute repository.
Secure communication between
attribute providers (APs) and
relying parties (RPs).
Attribute refresh frequency
meets the system performance
requirement.
2 Includes level 1.
Documented rule or standards for
attribute value assignment and
definition (syntax and semantic
rule).
Includes level 1.
Dedicated attribute repositories.
Includes level 1.
Attribute caching during
runtime meets the system
performance requirement.
3 Includes level 2.
Attributes cover all of the
organization’s protection policy
requirements (semantically
complete).
Includes level 2.
22. Encrypted attribute values and
communications between APs
and RPs.
Includes level 2.
Failover or backup attributes
support.
4 Includes Level 3.
Attributes under federated or
unified governance.
Includes level 3.
Formal rules or policy (or
standards) for create, update,
modify, and delete attributes.
Includes level 3.
Log for attribute changes and
access.
r2sec.indd 87 1/22/15 5:25 PMAuthorized licensed use
limited to: University of Canberra. Downloaded on September
03,2021 at 10:50:52 UTC from IEEE Xplore. Restrictions
apply.
88 C O M P U T E R W W W . C O M P U T E R . O R G / C
O M P U T E R
SECURITY
23. and environmental conditions,
and ensures that the reported
attributes are trustworthy,
based on the trust established in
the measurement and reporting
processes.
› Integrity considers different
standards and protocols used for
secure sharing of attributes be-
tween systems in order to avoid
compromising the integrity and
confidentiality of the attributes
or exposing vulnerabilities in at-
tribute provider (AP) or relying
party (RP) systems or entities.
› Availability ensures that the up-
date and retrieval of attributes
support the RP. In addition,
attribute repositories’ failover
and backup capability must be
considered. Note that some attri-
butes might change regularly or
over time.
An AP is any person or system that
provides subject, object (or resource),
or environmental condition attributes
regardless of transmission method.
The AP could be the original authori-
tative source or receiving information
from an authoritative source for re-
packing and storing-and-forwarding
to the ABAC system. Attribute values
24. can be human generated (for example,
an employee database) or derived from
formulas (for example, a credit score).
Regardless of the attribute source, the
system should ensure that the attri-
bute value received from an AP is ac-
curately associated with the subject,
object, or environmental condition to
which it applies.2 Table 1 illustrates
example levels of attribute assurance
(LOAA) based on the accuracy, integ-
rity, and availability properties.
A ttribute-based access control
is a flexible approach that can
implement AC policies limited
only by the computational language
and the richness of the available at-
tributes. This flexibility enables the
greatest breadth of subjects to ac-
cess the greatest breadth of objects
without specifying individual rela-
tionships between each subject and
each object, making ABAC ideal for
many distributed or rapidly changing
environments.
ABAC has the potential to dramat-
ically improve AC in modern appli-
cations such as e-commerce and the
Internet of Things. In the meantime,
a consensus definition of ABAC is
needed, and work remains to be done
in assuring attribute accuracy and re-
25. liability. For more information on on-
going efforts, see http://csrc.nist.gov
/projects/abac/index.html.
REFERENCES
1. V.C. Hu et al., Guide to Attribute Based
Access Control (ABAC) Definition and
Considerations, NIST Special Pub-
lication 800-162, Nat’l Institute of
Standards and Technology, Jan. 2014;
http://nvlpubs.nist.gov/nistpubs
/specialpublications/NIST.sp.800
-162.pdf.
2. V.C. Hu, D.F. Ferraiolo, and D.R. Kuhn,
Assessment of Access Control Systems,
NIST Interagency Report 7316, Nat’l
Institute of Standards and Technol-
ogy, Mar. 2006; http://csrc.nist.gov
/publications/nistir/7316/NISTIR
-7316.pdf.
3. Avatier Corp., “Leveraging Today’s
Megatrends to Drive the Future of
Identity Management,” video presen-
tation, Gartner Identity and Access
Management (IAM) Summit, 2012;
www.avatier.com/products
/identity-management/resources
/gartner-iam-2020-predictions.
4. D.R. Kuhn, E.J. Coyne, and T.R. Weil,
“Adding Attributes to Role Based
Access Control,” Computer, vol. 43,
no. 6, 2010, pp. 79–81.
26. VINCENT C. HU is a computer scien-
tist in the Computer Security Division
at the National Institute of Standards
and Technology. Contact him at [email protected]
nist.gov.
D. RICHARD KUHN is a project
leader and computer scientist in the
Computer Security Division at the
National Institute of Standards and
Technology. Contact him at [email protected]
nist.gov.
DAVID F. FERRAIOLO is a computer
scientist and manages the Secure
Systems and Applications Group in
the Computer Security Division at
the National Institute of Standards
and Technology. Contact him at
[email protected]
IEEE Internet Computing reports emerging tools,
technologies, and applications implemented through the
Internet to support a worldwide computing environment.
For submission information and author guidelines,
please visit www.computer.org/internet/author.htm
Engineering and Applying the Internet
r2sec.indd 88 1/22/15 5:25 PMAuthorized licensed use
limited to: University of Canberra. Downloaded on September
03,2021 at 10:50:52 UTC from IEEE Xplore. Restrictions
apply.
27. Readings/Best Practices, Procedures and Methods for Access
Control Management.pdf
Best Practices, Procedures and Methods for
Access Control Management
Michael Haythorn
July 13, 2013
1
Table of Contents
Abstract
...............................................................................................
......................................................... 2
What is Access?
...............................................................................................
.................................. 3
Access Control
...............................................................................................
29. .................................. 7
Access Control Models
...............................................................................................
........................ 8
Least Privilege
...............................................................................................
................................... 8
Separation of Duties
...............................................................................................
......................... 8
Job Rotation
...............................................................................................
...................................... 9
Mandatory Access Control
................................................................................ ...............
................ 9
Discretionary Access Control
...............................................................................................
....... 9-10
Role Based Access Control
...............................................................................................
.............. 10
Rule Based Access Control
...............................................................................................
.............. 11
Integrated Approach
...............................................................................................
30. ....................... 11
Case Studies
...............................................................................................
..................................... 12
Case Study 1: Government/Military
..............................................................................................
12
Case Study 2: Large Financial Company
.................................................................................... 12 -13
Case Study 3: Small Internet Sales Company
................................................................................. 13
Closing
...............................................................................................
.............................................. 14
References
...............................................................................................
........................................ 15
2
Abstract
Controlling access to information and information systems is a
fundamental responsibility of information
security professionals. The basic need to consume data creates a
31. requirement to provide control over
the access necessary to use that data. It is this subject-object
interaction that introduces risk that must
be mitigated through methodological policy creation and
enforcement. Access controls are managed
through the provision of rules to grant/deny subjects who intend
to access certain objects. These rules
can be defined and enforced through a number of means to
create a manageable layered control
process. The overarching goal of access control is to facilitate
the mitigation of risk to the object.
In order to access data, multiple layers must be passed through
including identification, authentication,
and authorization. Actions of subjects must be monitored,
creating accountability. Depending on the
requirement for policy enforcement and level of sensitivity of
the data to be protected, there are
multiple methods that can be implemented to control access.
The principle of least privilege, separation
of duties, job rotation, mandatory access control, discretionary
access control, role based access control
and rule based access controls are most commonly used.
In addition, industry standards have been established both by
government and private entities to
identify best practices. ISO/IEC 27002 standard outlines the
management of access control policy and
enforcement. The government created standard NIST 800-53
and 800-53(A) identifies methods to
control access by utilizing various models depending on the
circumstances of the need.
32. 3
1 What is Access?
The necessity of control is created by the need for access.
Access is essentially the ability of the subject
and the object to interact. In the terms for this paper, all access
is logical, meaning that it exists on a
system and is typically a file, folder, program, system or
process. The request for access is initiated by
33. the subject and is necessary in all information systems
circumstances.
1.1 Access Control
Access control is essential where there is sensitive data to
protect or privileged actions to be performed.
In order to control the use of these functions, there must be a
way to limit access. Without this control
there would be no ability to prevent unauthorized access to
privileged data inside a system. Imagine if
any employee working for a soft drink company were able to
see the secret formula or if all employees
working for large private financial company were able to see
the salary of their coworkers. These
situations would cause company collapse or employee mutiny
because not all data is intended for
everyone.
Thankfully there is access control in place to prevent the
situations above. By using the proper means to
control who accesses data, along with when and where it is
accessible this data can be protected in
order to maintain a competitive advantage, or establish a level
of division required for an entity to
survive.
1.2 Identification
Identification describes a method of ensuring that the subject is
in fact who they claim to be. An identity
can be assigned to a user a user, program, or process and is used
by the system to associate the subject
with the identity stored on the system. An example of
identification is a user name for a user who is
accessing a desktop through a log in screen. In this case the user
name is unique to that user and is
required for access to be granted. For the purpose of accessing a
34. system or process, the identifier does
not need to be unique to a user, but can be generic. The only
requirement is that this identity be linked
to the process or program on the system so that it can be
identified.
Diagram 1.1 shows a typical identification request where the
system is asking the subject to provide a
user name that it will use to associate with a profile stored on
the system:
4
1.3 Authentication
Identification is half of the typical login process. The next step
is authentication where a user, program
or process must provide some type of password, passphrase,
token, biometric, or key that is matched to
the user name and matched to the credential stored on the
system or on the network that is being
accessed. Once authentication is passed, access is granted or
denied to the system based on the
information provided. For example, a UNIX user provides a
user name and password to log into a UNIX
system. The user is only authenticated at this stage yet still does
not have access to perform and
functions on the system.
Diagram 1.2 shows a typical authentication request on a UNIX
35. System where once the user name “root”
is provided the system requests the password that is associated
with the identifier:
1.4 Authorization
The next piece is the authorization of access that is granted to
that user, program or process. This
control either allows or denies action based on rules that are
defined inside the system pertaining to
that subject. Rules are defined in many ways and can be based
on request, time, location, group, etc. An
example of authorization is a subject requesting access to a
network shared drive. In this example the
subject has successfully identified themselves and authenticated
to the system. Their attempt to
connect to the shared drive must also be authorized by some
control that will grant them this additional
access. If the user is granted the access they will be able to
connect to the shared drive. If the user does
not have the necessary authorization to connect they will be
denied access. Authorization is where
access control is established and can be implemented at both the
macro and micro level depending on
the sensitivity of the data and the policy being enforced.
5
Diagram 1.2 displays the process of identification,
authentication and authorization through the use of a
36. flow chart that can grant or deny access based on the
information given and the rules it has been
supplied:
1.5 Accountability
Finally in order to enforce the misuse of policy once access has
been granted, or prevent repeated
malicious access attempts there must be some form of
accountability. Accountability can use various
methods to record or capture events for additional review. This
event log can include every access
request, both positive and negative, subject login times and
locations, subject actions upon login, etc.
This information is stored and can be used for investigative
purposes or for reporting of usage statistics
for audit. Accountability is essential to be able to provide proof
of action and without this piece it would
much more difficult to reduce risk associated with the access
that has been granted in the earlier stages.
1.6 Put it All Together
Requiring the subject to provide Identification, authentication
and authorization as well as holding them
accountable for their actions allows the integrity of the object to
be maintained at a much higher level
of confidence. As we have seen in the examples above, identity,
authentication and authorization are
required in conjunction before an object can be accessed. There
are cases where a user may be able to
identify themselves, authenticate but may not be authorized to
perform an action beyond that. On the
other hand a user may be authorized to access a resource, but is
37. unable to identify themselves with a
6
proper user name. The same is true for a password credential, a
user may have proper identification
information but is unable to authenticate because the password
the have supplied is either wrong or
expired. In order for the subject to access the object each of
these pieces must be present and
accessible.
38. 7
2 Industry Standards and Best Practices
In order to identify industry best practices and standardize
access control principles there must be an
entity or entities who are responsible for this role. In the case of
access control standards, there are two
main groups focused on these best practices.
2.1 ISO/IEC 27002
39. ISO/IEC 27002 is an information security standard that is
published by the International Organization for
Standardization (ISO) and the International Electrotechnical
Commission (IEC). This standard specifically
defines access control and how access should be managed by
information security personnel. Access
control is included as a section within this standard to define
the best practices to suitably control logical
access to network resources, applications, functions and data.
“The control objectives and controls in ISO/IEC 27002:2005 are
intended to be implemented to meet the
requirements identified by a risk assessment. ISO/IEC
27002:2005 is intended as a common basis and
practical guideline for developing organizational security
standards and effective security management
practices, and to help build confidence in inter-organizational
activities.” [1]
2.1 Requirements for Access Control
Key highlights of this standard include the business
requirements for access control, user access
management, responsibilities and definitions and best practices
of the different types of access. The
standard includes multiple detailed sections aimed at outlining
access control for organizations so that
they can implement these best practices in the most effective
manner.
2.2 NIST 800-53(A)
After the Federal Information Security Management Act
(FISMA) was passed in 2002 a statutory
provision to ensure that agencies comply with mandatory
processing standards. The National Institute
of Standards (NIST) is the technology measurement and
standards department was asked to develop
40. standards and guidelines for the federal government. The NIST
handbook is similar in information
covered to the ISO/IEC 27002 but since it is tied to the
governmental practices is goes into significantly
more detail related to security controls and assessing the
adequacy of the controls.
NIST 800-53 addresses multiples aspects of access, including
management, technical and operational
roles. [2]
8
3 Access Control Models
The standards and best practices from above can be used in a
practical means through several different
methods and models that are deemed appropriate depending on
what type of security a company
wants to maintain. There are many models available to use as a
41. template for access control, but the
most commonly referenced methods include least privilege,
separation of duties, job rotation,
mandatory access control, discretionary access control, role
based access control and rule based access
control. In this section we will go into greater detail about these
models and their usage.
3.1 Least Privilege
The principle of least privilege is simple, no user should have
any access above what is required to
perform their tasks at any given time. This approach, when put
into practice in its simplest form is both
difficult to experience from an end user perspective and
difficult to manage from an administrative
perspective. In many cases users do not know what access they
would need to perform their tasks and
without extensive knowledge of the environment, the team
provisioning the access may not know what
access they need either. This method of access control does not
scale well and can be prohibitively
expensive and difficult to implement and maintain. Because of
that, generally when this principle is
used, it is used in conjunction with another approach.
3.2 Separation of Duties
The method of separation of duties states that no one person be
able to handle a transaction from
beginning to end. This method addresses fault or fraud by
preventing someone from maliciously or
accidentally initiating and completing a transaction without an
additional layer of input. This method
reduces the likelihood of fraud by introducing multiple
variables into the process. A line of segregation is
established by creating different layers of responsibility and
ability to perform these transactions. This
42. method is much like an assembly line where no single worker
completely builds the finished product
from start to finish. Instead each worker has their assigned task
that contributes to the final product but
does not create it.
Diagram 3.1 displays this method using the assembly line
example to show that no one user can
complete a transaction from beginning to end:
9
3.3 Job Rotation
The concept of job rotation is similar to separation of duties
where no one person has the ability to
complete a transaction, except in this case a time limit is
introduced. Job rotation requires that
individuals change their roles and thus the functions they can
perform at regular intervals. This rotation
is to prevent exploiting a process or situation for an extended
period of time. This method of access
control is not typically used without the addition of another
method. This method is frequently
employed and has introduced several possible benefits including
an increased diversity of skill and
experience as well an increased job satisfaction through job
change.
3.4 Mandatory Access Control
Mandatory access control or MAC is based on subject and
43. object access level and is frequently
employed in federal government and military instances. The
basic principle of mandatory access control
involves a central authority identifying subject’s and object’s
appropriate access level. Subjects inherit
the access to the objects at their same level. There is no access
granted above their level. In some cases
this method is also applied to prevent access below a subject’s
level as well. This method of access
control is a high security and requires a great detail of
management overhead because each object must
be assigned a label which will then allow or deny access to
subjects depending on the level assigned.
It is important to note that mandatory access control is a non-
discretionary method, meaning that a user
is not able to change the permissions on any object, including
objects they own. Permission assignments
must be performed by the central authority that is responsible
for maintenance of the access control
system. [3]
Diagram 3.2 displays the concept of mandatory access control
where there is a distinct division between
levels of access:
3.5 Discretionary Access Control
Discretionary access control or DAC uses the discretion of the
subject to control access. DAC uses the
permissions assigned by the owners of the objects to grant or
deny access. This model distributes the
load of access control to the subjects which removes the need
for a central authority. This method is
44. less secure than a non-discretionary access control method due
to the lack of centralized authority.
Decisions of access appropriateness are made by the subjects
themselves and can frequently introduce
risk. This method is common in small to medium sized
organizations due to the reduction in overhead
thus reducing cost and time necessary to implement access
controls.
10
Diagram 3.3 displays a user granting access to an object that
they own based on their own discretion:
3.6 Role Based Access Control
Role based access control or RBAC requires a central authority
to determine the access that will be
granted to the role. Access is grouped by role across an
organization and users can be in multiple groups
depending on their role. No access is provided outside of access
that is granted inside of the role. This
practice frequently leads to providing more access than is
required to complete necessary tasks.
Typically, role based access control is part of a multi-level
access system, like in the case of a commercial
entity where there are distinct levels between necessary job
roles.
Role based access control is similar to discretionary access
45. control in that the privileges are associated
with the role of the subject and not controlled by a central
authority. Once a role is achieved all access is
automatically granted to that user for that role.
Diagram 3.4 displays how roles can be divided in an
organization to allow users of the same title to
access the same resources:
3.7 Rule Based Access Control
11
Rule based access control (also known as RBAC) uses a set of
rules provisioned to subjects defined by a
central authority. This method of access control is non-
discretionary and can be extremely granular
depending on the sensitivity of the data. Rules can be defined
inside of access control lists for user
access to each object. Since all permissions are controlled by a
single authority, the overhead can be
similar to mandatory access control. Rule based access control
can also be used to permit access during
a certain period of time, or could require a subject to invoke
access each time they intend to use it.
Diagram 3.5 shows how a central authority can define rules for
subject access to objects:
46. 3.8 Integrated Approach
Although one method identified above can be used as an access
control solution, this is not typically the
case. Most organizations will choose to use a combination of
these methods as they are needed based
on the requirement of the organization. Using an integrated
approach allows companies to base access
control on their own standards and needs.
For example, a company might use role based access control for
anyone with the title of database
administrator, but may also use rule based access control to
grant exception access beyond what is
granted through the role. Additionally, a company may use a
combination of rule based access control
and least privilege access, where users are granted access to the
objects they require only for the period
of time they require them. Once access is invoked the ability to
access the object only lasts for a period
of time until it is automatically removed to prevent improper
use.
47. 12
4 Case Studies
In order to understand how these access control methods are
applied it is best to relate real world
scenarios that can be applied to the concepts introduced in a
best practice. The following section will
exemplify three cases where a combination of methods are used
to create a security policy that is suited
for the situation.
4.1 Case Study 1: Government/Military
In this example we will use the United States Military as the
organization, but these principles can be
applied broadly across governmental entities due to the relation
of privilege groups. Military
organizations have a defined range of classification levels that a
central authority is responsible for
assigning. This non-discretionary access method is the most
demanding, but is necessary given the
sensitivity of the data. These classifications include top secret,
secret, confidential, restricted and
unclassified. Starting at the bottom, unclassified data has been
made available to the public, and top
secret data is only available to the subjects who have the proper
clearance, or access.
This military access control method follows the mandatory
access control model, which prevents
subjects and objects from reading above and in some cases
writing below the access level granted. An
48. engineer with a confidential level clearance is not able to read
data above the confidential classification
and a subject with a restricted level clearance is not able to
write data that is unclassified.
The objective of this mandatory access control is to first
identify what type of data or object you have
and then allow subjects with that equal access to use it. This
type of access control requires a central
authority to make the decisions about the classification of the
subjects as well as classification of the
objects. There is no discretion given to the subjects because
they may not make the right decision about
the access level, even with data they create.
This type of access control method is extremely time
consuming, expensive and has a high level of
overhead to maintain, but it is necessary in order to keep the
most sensitive data secure from
individuals who should not have access to it.
4.2 Case Study 2: Large Financial Company
In this example, we introduce a large financial company with
extremely sensitive personal customer
data to protect. This company does not have the same security
levels defined as the military
organization from the example above. Instead of the use of
mandatory access control, the financial
company will use an integrated approach combining methods
based on the type of access and the user
that will access it. The most common approach will be based on
the role of the subject. Multiple rules
will be defined for a single role, and a user is only allowed to
be in one role at a time. On top of this
access, subjects will be granted exception or rule based access
to objects that are required beyond their
49. role. This type of access is necessary to prevent subjects from
gaining unnecessary access from a role
and maintains this exception access through a central authority.
In order to be added to a role and then given rule exception
access subjects must be granted this
approval by the custodians or owners of the role and
applications inside of rules. This prevents users
from granting access to themselves and provides an audit trail
that access was approved based on a
defined business justification for each user.
13
The most privileged access in this large financial company is
write access on a trading platform, so this
access is managed through a special type of rule based access
control that uses the concept of least
privilege. Users must invoke their access to these functions only
when they need them. Once the access
is invoked, the functions are available to them, but they have a
limited of time (usually less than 24
hours) to perform their required actions before the access is
lost.
Financial companies have a wide range of subjects and objects
which is why a centrally managed
administration authority is essential to enforcing the policy and
mitigating risk to the firm. Users in this
instance also play a key role because they are the most
knowledgeable about what they need to
perform their duties, and any access above this function must be
50. removed.
4.3 Case Study 3: Small Internet Sales Company
The final case study involves less sensitive data and is a typical
scenario for most small businesses like an
internet sales company. For this example the company has a
sales and marketing department, human
resources, and a technology department. Each department has
data that should not be available to the
other groups, but the company lacks the time and money
required to centralize the authority of access
to this data.
Discretionary access allows the subjects to assign the privileges
to the objects they own and maintain. A
human resources analyst who holds the salary information of all
employees will make this document
only available to those in her department because of the
sensitivity of the data. This is done using a
Windows access control rule that allows only a certain number
of employees to access this data.
Similarly the sales manager who has access to company sales
statistics and records does not share this
data with anyone but those who are authorized to see it. In some
cases, data can move between groups
especially in the example of a technology engineer who owns a
database that houses the employee
directory. This data is accessible to everyone because it is
something everyone needs.
DAC has very low overhead in this situation and the
responsibility is on the subjects to maintain access
control. The risk is higher in this type of example for that
reason, but small companies take this type of
risk because is necessary to avoid the cost of another more
51. involved solution.
14
5 Closing
Managing access control can be approached in different ways.
But in the end, in order for the system to
function effectively at its most basic level, a subject must have
access to an object in order to perform
its required task. Controlling this access based on a predefined
rule is essential to mitigate risk of the
object being unprotected.
In order to achieve this function, the subject must first properly
identify itself, adequately authenticate
52. to the system and then be appropriately authorized to perform
the action it is requesting. In most cases
this is done though an integrated process created based on the
need of the entity responsible for the
objects. Without the methods, there would be no reason to
control access because there would be no
system at all.
53. 15
6 References
[1] Disterer. (2013). Iso/iec 27000, 27001 and 27002 for
information security management. Journal of
Information Security, 4(92-100)
[2] Locke. (2009). Recommended security controls for federal
information systems and organizations.
3(800-53)
[3] Osborn. (n.d.). Mandatory access control and role-based
access control revisited. 31-40.
Ballad, B. (2010). Access control, authentication, and public
key infrastructure. (pp. 238-264). Sudbury,
MA: Jones & Bartlett Learning.
Cascarino, R. (2012). Auditor's guide to it auditing, second
edition. Hoboken, NJ: John Wiley & Sons Inc.
54. Dubrawsky, I. (2009). Eleventh hour security. (pp. 92-101).
Burlington, MA: Elsevier Inc.
Ferraiolo, D., Cugini, J., & Kuhn, R. (n.d.). Retrieved from
http://csrc.nist.gov/groups/SNS/rbac/documents/ferraiolo-
cugini-kuhn-95.pdf
NIST. (n.d.). Retrieved from website:
http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf
Seidl, D. (2013). Comptia security training kit. (pp. 380-386).
Sebastopo, CAl: O'Reilly Media, Inc.
Techotopia.com. (n.d.). Retrieved from
http://www.techotopia.com/index.php/Mandatory,_Discretionary
,_Role_and_Rule_Based_Access_Cont
rol
Readings/understanding ABCA-heathcare.pdf
See discussions, stats, and author profiles for this publication
at: https://www.researchgate.net/publication/339209000
Understanding Attribute-Based Access Control for Modelling
and Analysing
Healthcare Professionals' Security Practices
Article in International Journal of Advanced Computer Science
and Applications · March 2020
55. DOI: 10.14569/IJACSA.2020.0110286
CITATIONS
3
READS
471
4 authors:
Some of the authors of this publication are also working on
these related projects:
INTRICATE-SEC 2017
(https://a9cd724a8d9a1a45152060b49dda0b28a41e78bd.googled
rive.com/host/0Bz5sP2wYmG3HZTRsbndvWjJlN1k/public_html
/index.html) View
project
Formal Methods for Modelling Cyber-Physical Systems and
Other Approaches for Enhancing Critical Infrastructure
Protection View project
Livinus Obiora Nweke
Norwegian University of Science and Technology
22 PUBLICATIONS 47 CITATIONS
SEE PROFILE
Prosper Yeng
Norwegian University of Science and Technology
56. 29 PUBLICATIONS 47 CITATIONS
SEE PROFILE
Stephen Wolthusen
Royal Holloway, University of London
214 PUBLICATIONS 1,766 CITATIONS
SEE PROFILE
Bian Yang
Norwegian University of Science and Technology
115 PUBLICATIONS 1,676 CITATIONS
SEE PROFILE
All content following this page was uploaded by Livinus Obiora
Nweke on 20 February 2020.
The user has requested enhancement of the downloaded file.
https://www.researchgate.net/publication/339209000_Understan
ding_Attribute-
Based_Access_Control_for_Modelling_and_Analysing_Healthca
re_Professionals%27_Security_Practices?enrichId=rgreq-
2b03c66e610d54b6a24a2428b2f89d5e-
XXX&enrichSource=Y292ZXJQYWdlOzMzOTIwOTAwMDtBU
zo4NjA3MzIzMjExNjk0MDlAMTU4MjIyNTk4NTc2OQ%3D%3
D&el=1_x_2&_esc=publicationCoverPdf
https://www.researchgate.net/publication/339209000_Understan
ding_Attribute-
61. Royal Holloway, University of London
Egham, United Kingdom
Information Security and Communication and Technology
Norwegain University of Science and Technology (NTNU)
Gjøvik, Norway
Bian Yang
Information Security and Communication Technology
Norwegian University of Science and Technology (NTNU)
Gjøvik, Norway
Abstract—In recent years, there has been an increase in the
application of attribute-based access control (ABAC) in
electronic
health (e-health) systems. E-health systems are used to store a
patient’s electronic version of medical records. These records
are usually classified according to their usage i.e., electronic
health record (EHR) and personal health record (PHR). EHRs
are electronic medical records held by the healthcare providers,
while PHRs are electronic medical records held by the patients
themselves. Both EHRs and PHRs are critical assets that require
access control mechanism to regulate the manner in which they
are accessed. ABAC has demonstrated to be an efficient and
effective approach for providing fine grained access control to
these critical assets. In this paper, we conduct a survey of the
existing literature on the application of ABAC in e-health
systems
to understand the suitability of ABAC for e-health systems and
the possibility of using ABAC access logs for observing,
modelling
and analysing security practices of healthcare professionals. We
categorize the existing works according to the application of
62. ABAC in PHR and EHR. We then present a discussion on the
lessons learned and outline future challenges. This can serve as
a basis for selecting and further advancing the use of ABAC in
e-health systems.
Keywords—Attribute-Based Access Control (ABAC); E-health
Systems; Personal Health Record (PHR); Electronic Health
Record
(EHR)
I. INTRODUCTION
There has been a growing interest in the application of
ABAC in e-health systems. This is evident by the increasing
number of publications and on-going research activities in
that direction. According to Gartner report [1] it is predicted
that 70% of enterprises will adopt ABAC mechanism as the
most dominant access control mechanism for the protection
of critical assets. In the healthcare industry, e-health systems
interact with critical assets like electronic medical records,
and ABAC has been shown to offer a promising approach to
securing these critical assets.
Traditionally, medical records are paper-based but tremen-
dous progresses in information and communication technology
have led to a shift from paper-based medical records to
electronic version of the medical records. Like the traditional
paper-based medical record, electronic version of the medical
record is a collection of medical history of an individual.
However, unlike the traditional paper-based medical records,
the electronic version is stored in electronic format following
the required standards.
The electronic version of medical records is usually clas-
sified according to their usage i.e., electronic health record
(EHR) and personal health record (PHR). Whilst EHRs are
63. electronic medical records of an individual held by the health-
care providers; PHRs are referred to as electronic medical
records of an individual held by the individual themselves.
Although EHRs can be shared across different healthcare
providers, PHRs have shown to be an effective approach
for individuals to share their electronic medical records with
different healthcare providers, family and friends.
Sharing of electronic medical records raises security and
privacy concerns for both EHR and PHR. For EHR, healthcare
providers are required by regulatory bodies to ensure that
the security and privacy of the electronic medical records
are maintained. In the case of PHR, an individual would
want to ensure that only authorized entities have access to
their electronic medical records. Several approaches have been
proposed to address the security and privacy concerns raised by
EHR and PHR. The approach that have received wide-spread
acceptance is ABAC.
ABAC aims to provide fine-grained access to a resource
or an object based on the attributes of the subject and that
of the object; in addition to the environmental conditions. A
subject refers to an entity such as a person, process or device
that wishes to access a resource or an object. A resource or an
www.ijacsa.thesai.org 1 | P a g e
(IJACSA) International Journal of Advanced Computer Science
and Applications,
Vol. 11, No. 2, February 2020
object is a system-related entity containing information such
as records, that a subject desires to access. The environmental
conditions are the operational contexts such as the time and
64. location of access. Hence, in ABAC, the attributes of the
subject and the requested object as well as the environmental
condition determines the set of operations that can be executed
on the requested object.
A wide range of applications of ABAC in e-health systems
have been proposed in the literature and examined in individual
studies. However, a comprehensive survey of these techniques
that can serve as a basis for selecting and further advancing
the use of ABAC in e-health systems is still missing in the
literature. Abbbas and Khan in [2] presented a review on the
state of the art in privacy preserving techniques for e-health
cloud based systems. The authors in [3], [4] provided a survey
on the security and privacy issues in e-health cloud based
systems. To the best of our knowledge, there is no survey
on the application of ABAC in e-health systems.
In this paper, we present a survey on the application
of ABAC in e-health systems. We categorize the different
applications of ABAC in e-health systems according to those
use in PHR and those apply in EHR. We present a comparison
of the different approaches employ in the existing works. Then,
using some of the key features of the existing approaches, we
present a discussion on their differences. Also, we describe the
lessons learned from the survey and outline future challenge.
Lastly, the concept of modelling and analysing healthcare
professionals’ security practices is discussed.
The rest of this paper is organised as follows. Section
II presents an overview of the security and privacy require-
ments for e-health systems. Also, the dominant access control
mechanisms deploy in e-health systems are explored, and the
justification for wide-spread acceptance of ABAC in e-health
systems is described. Section III presents a literature survey
of the existing works on the application of ABAC in e-health
systems. Section IV discusses the lessons learned from the
65. survey and outline future challenge. In addition a discussion
on modelling and analysing healthcare professionals’ security
practices is presented. Section V concludes the paper.
II. BACKGROUND
In this section, we provide an overview of the security and
privacy requirements for e-health systems. We also examine
the commonly used access control measures for e-health sys-
tems and why ABAC mechanism is the most preferred access
control mechanism for e-health systems.
A. Requirements of E-Health Systems
Several standards and laws have been proposed to specify
the security and privacy requirements for e-health systems. The
most popular of these standards and laws is the American
standard health insurance portability and accountability act
(HIPAA) [5]. HIPAA is mainly concern about the privacy and
security of patient health information (PHI). With the migra-
tion of PHI from paper-based to electronic format, HIPAA
was upgraded to health information technology for economic
and clinical health (HITECH) to address privacy and security
concerns posed by such migration.
HIPAA is applicable to all types of Covered Entity or Busi-
ness Associate that processes PHI. Covered Entity is a health
care provider, a health plan or a health care clearing house who,
in its normal activities, creates, maintains or transmits PHI
[5]. Business Associate is a person or business that provide
a service - or performs certain function or activity for - a
covered entity when that service, function or activity involves
the business associate having access to PHI maintained by the
covered entity [5]. Usually, a business associate is required
to sign business associate agreement with the Covered Entity
stating what PHI they can access, how it would be used and
66. that it will be returned or destroyed once the task it is needed
for is completed [5]. Also, while the PHI is in the custody
of the business associate, the business associate has the same
HIPAA compliance obligations as a Covered Entity.
The two types of rules specified by HIPAA are the privacy
rule and security rule. The privacy rule protects all PHI held or
transmitted by a covered entity or its business associate, in any
form or media, whether electronic, paper or oral [5]. Under the
security rule, covered entities are required to evaluate risks and
vulnerabilities in their environments and to implement security
controls to address those risks and vulnerabilities [6]. There
are three parts to the security rule: administrative safeguards,
which is in the form of policies and procedures that brings the
privacy rule and security rule together; technical safeguards
refer to the technology that is used to protect PHI and provide
access to the data; and physical safeguards, which has to do
with physical access to PHI regardless of its location [6].
An international standard that defines the requirements for
e-health systems is the ISO/IEC 27799 [7]. The ISO/IEC
27799 provides special recommendations on security needs in
the healthcare sector, taking into account the unique nature
of its operating environment. It applies ISO/IEC 27002 to the
healthcare domain with appropriate security controls towards
enhancing the protection of PHI. The development of ISO/IEC
27799 took into consideration, personal data protection leg-
islations, privacy and security best practices, individual and
organizational accountability, meeting the security needs iden-
tified in common healthcare situations, and operating electronic
health information systems in an adequately secured healthcare
environment. Also, ISO/IEC 27799 aims to protect information
such as PHI, pseudonymized data derived from PHI, clinical
or medical knowledge related or not related to any patient,
data on health professionals, staff and volunteers, audit trail
data produced by health information systems, including access
67. control data and other security related system configuration
data, for health information systems.
Other important standards for e-health systems include
OpenEHR [8], the health level 7 clinical document architecture
(CDA) [9], and the continuity of care document (CCD) [9].
The OpenEHR is an open standard that specifies the man-
agement and storage, retrieval and exchange of health data
in EHRs. Also, openEHR defines specifications for clinical
information models, EHR Extracts, demographics, data types
and various kinds of service interfaces [8]. The HL7 CDA
is a document markup standard that specifies the structure
and semantics of clinical documents for the purpose of fa-
cilitating exchange between healthcare providers and patients
[9]. A clinical document is defined by HL7 CDA as having
the following features: persistence, stewardship, potential for
www.ijacsa.thesai.org 2 | P a g e
(IJACSA) International Journal of Advanced Computer Science
and Applications,
Vol. 11, No. 2, February 2020
authentication, context, wholeness, and human readability [9].
And CCD is a joint effort of HL7 International and American
society for testing and materials (ASTM) to enable interop-
erability of clinical data [9]. It allows physicians to send
electronic medical information to other providers without loss
of meaning and as such, improves the overall patient care.
In general, the requirements that are of interest to this
survey are the recommended technical safeguards for e-health
systems. These technical safeguards aim to provide secure,
reliable, access to PHR or EHR; where and when it is
68. requested. The requirements include the following [5]:
• Implement a means of access control
• Introduce a mechanism to authenticate PHR and EHR
• Implement tools for encryption and decryption
• Introduce activity logs and audit controls
B. Access Control Mechanisms
One of the security controls necessary to meet the security
and privacy requirements for e-health systems is the imple-
mentation of access control mechanisms. These are measures
that can be used to regulate access to a given resource.
Earlier implementation of access control mechanisms in e-
health systems employ role-based access control (RBAC) [2].
RBAC restricts access to a resource based on the user’s role.
The use of a role based access control suffers some drawbacks
as the definition of roles is static and it lacks flexibility and
responsiveness. Every user needs to be enrolled in advance in
the system. For example, in an emergency situation where the
patient is outside the local domain where the patient health
information held, a doctor not registered within the local
domain of the patient will not be able to access the patient’s
health information. Therefore, the efficacy of role-based access
control is limited because it cannot handle situations where
unregistered personnel requires access to the system as in the
case of emergency that we described.
Emergency access such as self-authorization and break the
glass (BTG) are basic requirements in healthcare systems. Self-
authorization is a provision in the access control mechanism
that allows healthcare professionals to access the minimum and
necessary healthcare records for therapeutic purposes during
69. emergency situations. Similarly, BTG mechanism is used when
conventional access control mechanisms are inadequate to
access minimum and necessary healthcare information for ther-
apeutic measures [10], [11]. Considering that RBAC policies
rely on permissions that does not often change [12], installing
emergency access mechanisms on static roles may pose a high
security threat. For instance, an adversary who might have
unlawfully acquired health professionals’ credentials under
RBAC, could easily compromise healthcare records by using
the emergency access control windows since there are no other
control variables to authentic the accesses of the malicious
user.
A flexible access control mechanism that provides fine
grained access control to a resource is ABAC. Like RBAC,
ABAC employs a policy driven approach. However, in ABAC,
access to a resource is granted based on the attributes of
the subjects and the objects together with the environmental
attributes. This eliminates the need of having to register a
user into the system before providing access; instead, access
is granted based on the attributes of the user and that of the
requested resource. Thus, ABAC mechanisms would provide
appropriate level of access to healthcare records even for any
extraordinary actions that need to be taken during emergency
situations.
For emergency situations, ABAC ensures that the authenti-
cation mechanism of emergency accesses can be configured
to include more control variables such as attributes of the
user, environment and resources to reduce risk of privacy and
security breaches. For instance, the resource and environmental
attributes such as the patient status and location could indicate
emergency care or intensive-care services. Hence, any accesses
other than the specified attributes would be restricted, to reduce
the risk of exploitation. Therefore, ABAC policies enables
70. flexible configurations for users to override their conventional
access restrictions in a controlled and justifiable manner in
emergency access scenarios.
ABAC have shown to be an effective and efficient mech-
anism for providing fine-grained access to PHRs and EHRs
given the dynamic nature of today’s e-health environment.
Also, it can be combined with different cryptographic schemes
to provide secure and anonymous sharing of PHRs and EHRs
among healthcare providers and patients. So many research
efforts are on-going in developing appropriate ABAC model
for e-health systems. The next section provides a survey of
some of these efforts to further support the assertion that
ABAC is a much better access control mechanism for e-health
systems.
III. LITERATURE SURVEY
In this section, we present a survey of the existing liter-
ature on the application of ABAC in e-health systems. We
categorize the existing work according to the type of patient’s
electronic version of medical records considered. Already we
have observed that the electronic version of a patient health
record is usually classified according to those held by the
patient themselves (PHR) and those held by the healthcare
providers (EHR). We use this understanding to present the
different applications of ABAC in e-health systems.
A. Application of ABAC in Personal Health Record (PHR)
PHR offers a flexible and convenient way for storing
and sharing a patient’s electronic version of medical records.
It empowers the patients by giving them control over their
medical record and deciding with whom to share those records.
However, the current trend in the storage of PHR has shown
that cloud platforms are very popular way of storing PHR.
71. This raises questions of security and privacy of PHR as there
have been wide spread concerns that PHR stored in the cloud
may be exposed to unauthorized parties. Several approaches
that use ABAC in PHR have been proposed in the literature
to address these concerns.
A typical use case scenario of the application of ABAC
in PHR is shown in Figure 1. Li et al [13] describe a unified
fine-grained access control for PHR in cloud computing. In
this system, the patient utilizes the cloud storage platform for
storing the encrypted version their PHRs. The policy manager
www.ijacsa.thesai.org 3 | P a g e
(IJACSA) International Journal of Advanced Computer Science
and Applications,
Vol. 11, No. 2, February 2020
facilitates the encryption of the patient’s PHRs. Also, the
medical staff is able to download the encrypted PHRs from
the cloud and use their private keys to decrypt the PHRs. A
trusted attribute authority is used for all patients and medical
staff to authenticate and verify their attributes.
Fig. 1. Use Case Scenario of ABAC in PHR
[13]
One of the earliest approaches in the use of ABAC to
provide security and privacy for PHR stored in the cloud is
presented in [14]. The authors used a variant of attribute-
based encryption (ABE) referred to as broadcast ciphertext
policy ABE (bABE) which extends the functionality of ABE to
include user revocation. An ABE uses a public key encryption
system, where each user’s key is labelled with a set of
72. attributes, and the ciphertext is linked with an access policy.
The private key of the user can decrypt the ciphertext only if
the attribute set of the user’s key matches the access policy
associated with the ciphertext. Furthermore, the approach
presented assumes trusted cloud provider and the use of a
trusted authority to issue the relevant private keys.
Li et al in [15] propose a patient-centric framework and
approach which exploits ABE techniques to provide fine-
grained access control to PHR in cloud environment. In the
proposed model, the system is divided into several security
domains according to the different users’ data access require-
ments. ABE is deployed to cryptographically enforce patient
centric PHR access. In additional, the PHR is assumed to be
stored on a semi-trusted service provider and the proposed
framework supports access revocation. Another patient-centric
cloud-based secured PHR system is presented in [16]. The
proposed system enables secure storage of PHR data on a
semi-trusted cloud service provider and allows the patient to
selectively share their PHR data with wide range of users. The
authors reduced key management complexity for both owners
and users by dividing the users into two security domains,
namely: public domain and personal domain. Also, they show
that PHR owners can encrypt PHR data for the public domain
using ciphertext-policy ABE scheme, while the PHR data for
the personal domain can be encrypted using anonymous multi-
receiver identity encryption scheme.
A fine-grained access of interactive, PHR, that extends
a secure composite document format i.e., Publicly Posted
Composite Documents (PPCD) is described in [17]. PPCD
is a SQLite-based serialization which is developed for busi-
ness workflows and is able to contain multiple documents
of different sensitivity and formatting. The method proposed
in this work includes both the original PPCD-type and an
73. additional new entry table to provide for password-based
and private key access. The authors employ Password Key
Derivation function as the privacy preserving technique and
the method also supports access revocation. Ray et al in [18]
apply attribute based access control for preserving the privacy
of PHR. The authors show how the privacy of PHR can
be expressed and enforced through the use of an attribute
based access control supported by extensible access control
markup language (XACML). In this paper, the XACML is
used to model the different types of policies and expressing
the patient’s privacy preference for subsequent enforcement by
the attribute based access policies.
There are constraints imposed on cloud based PHR
schemes that use ABE. An approach to address these con-
straints is proposed in [19]. The method adopted in this
work involves the use of multi-authority system architecture,
unlike existing methods that utilize single trusted authority. In
addition, a proxy re-encryption scheme is deployed to ensure
that only authorized users are able to decrypt the required PHR
files. A more recent work by Li et al [13] present a unified
fine-grained access control for PHR in cloud environment. The
proposed approach is able to store PHR for multiple patients.
It consists of ABE layer and symmetric layer. Whilst the ABE
layer facilitates a multi-privilege access control for PHR from
multiple patients; in the symmetric layer, symmetric keys that
match medical workers’ access privileges and the keys with
higher privilege can override keys with lower privilege but not
the other way around. Also, the authors use ciphertext policy
ABE as the privacy preserving technique for the proposed
method.
B. Application of ABAC in Electronic Health Record (EHR)
EHR is handled by healthcare providers and also, it pro-
vides them with the opportunity of sharing those records
74. among different healthcare providers. EHR is usually stored
on-premise under the administrative control of the healthcare
provider but recent trends have shown a gradual shift from on-
premise storage of EHR to cloud. This further increases the
risk of exposing EHR to unauthorized parties. However, ABAC
has demonstrated to be a promising approach to mitigating
the risk of exposing EHR to unauthorized parties. Different
methods that employ ABAC in EHR have been discussed in
existing works.
The system architecture as shown in Figure 2, depicts a
use case scenario of the application of ABAC in EHR. Joshi
et al [20] in this work provide users access to the system using
Access Broker Unit. The Access Broker Unit consists of the
organizational Knowledge Base, the Rule Based Engine and
the Policy Unit. The Organization Knowledge Base stores all
the details of the users in the form of an ontology - the EHR
Ontology. The Policy Unit stores all the access policies. And
the Rule Based Engine uses the user and document attributes
from the ontology for implementing the access control policies.
The authors use ABE for encryption, and the Key Generation
Unit generates the private keys required for the ABE. Then,
the encrypted data are stored in the cloud, which hosts, the
EHR Ontology.
Pussewalage and Oleshchuk in [21] propose an ABAC
scheme for secure sharing of EHR. The scheme uses selective
www.ijacsa.thesai.org 4 | P a g e
(IJACSA) International Journal of Advanced Computer Science
and Applications,
Vol. 11, No. 2, February 2020
75. Fig. 2. Use Case Scenario of ABAC in EHR
[20]
disclosure that meets the security requirement of EHR. An
access requester supplies a valid set of attributes that satisfies
the underlying policy of the requested object using attribute
and private key commitments. The proposed approach is said
to be collision resistant; such that it is impossible to collude
attributes of more than one user to gain access to EHR. This
is achieved by giving a unique identifier to every user and
including it to every attribute key owned by the respective
users. In addition, the proposed method supports on demand
user revocation and it is applicable to on-premise storage
platform.
Several standards have been developed to facilitate inter-
operability of EHR. The most recent effort in that direction is
the Fast Health Interoperability Resources (FHIR) [22], which
specifies requirements for fast and efficient storage/retrieval
of EHR. The authors in [23] exploit ABAC to create owner-
centric methodology for granting access to EHR. They fo-
cussed on FHIR and suggested ways to allow incremental and
batch release of EHR stored using FHIR to any requesting
party, based on access policies defined by the resource-owners.
Cloud based storage are currently being adopted by health-
care providers for storing EHR. Joshi et al. in [20] develop
an ABAC mechanism for cloud-based EHR that uses ABE
to securely store EHR at field level. The developed system
extracts the user and EHR filed attribute from a HIPAA
complaint knowledge graph which facilitates easy querying
and faster data access operation. Also, in [24] the authors
propose ABAC which uses Hidden Vector Encryption system
to encrypt EHR in cloud environment. The approach presented
is able to protect EHR from insider attacks as EHR can only be
view by those that are able to supply the appropriate attributes.
76. Seol et al in [25] present a cloud-based EHR model that
performs ABAC using XACML. The combination of XML
encryption and XML digital signatures are used as security
and privacy preserving technique.
There are situations where EHR is shared among different
providers. It is possible for an adversary to infer the health
condition of a patient by observing the frequency in which the
EHR is accessed by a particular healthcare provider. This type
of situation violates the privacy of the patient. The authors
in [26] propose an efficient multi-show unlinkable access
for collaborative e-health environment that exploits attribute-
based credential scheme. They utilize anonymous attribute
credentials which ensure that users can anonymously prove
the ownership of a set of attributes to a verifier and by so
doing, obtain access to the protected resources. The method
involves randomization of the users credential along with its
signature before being disclosed to a verifier. Similarly, Micha-
las and Weingarten in [27] describe the use of HealthShare, a
secure approach for sharing EHR between multiple organiza-
tions hosting patient’s data in different cloud environments.
In the proposed method, a revocable key-policy ABE is
used to ensure that access by a malicious or compromised
user/organization can easily be revoked without generating new
encryption keys.
IV. DISCUSSION
In this section, we present a comparison of the different
approaches used in the existing works. We then use some of the
key features of the existing approaches to present a discussion
on their differences. Also, we describe the lessons learned from
the survey and outline future challenge. Lastly, the concept
of modelling and analysing healthcare professionals’ security
practices is discussed.
77. A. Comparison of the Different Approaches
A detailed summary of the existing works on the applica-
tion of ABAC in e-health systems that we have presented in
this work is shown in Table I. Some of the key features of the
existing approaches are employed to discuss the differences in
the approaches. Also, we describe the lessons learned from the
survey and outline future challenge.
1) Privacy Preserving Techniques: refer to approaches that
may be exploited to provide confidentiality of PHR and EHR.
It involves the encryption of the health data to be stored using
cryptographic methodologies such that only an individual that
possess the decryption key can have access to the health data.
It can be observed from Table I that whilst the existing works
employ different privacy preserving techniques, ABE and its
variants appears to be the most popular approach.
ABE is a type of public key encryption where the private
key and the ciphertext are related with a set of attributes or an
access policy over the attributes of the users. There are two
main variants of ABE, and they are: ciphertext-policy ABE
[28] and key-policy ABE [29]. A combination of ciphertext
with access policy specifying the attributes of legitimate users
is employ in ciphertext-policy ABE, while key-policy ABE
uses a set of attributes and private keys associated with the
access policy to specify which ciphertexts the key holder can
access. Li et al. in [13] argue that ciphertext-policy ABE is
more flexible and appropriate for PHR than key-policy ABE
in practice. This is evident from the summary in Table I as
most application of ABAC in PHR use ciphertext-policy ABE
for privacy protection.
Another privacy preserving technique that is used in the
existing works is XACL. XAMCL defines a declarative fine-
78. grained, ABAC control policy language which describes how
to evaluate access requests according to rules stated in access
policies [30]. The authors in [18] use XAMCL to show how a
patient’s privacy preferences could be expressed and enforced
in PHR. XAMCL is deploy in [23] as the privacy preserving
technique for EHR. The authors utilize XAMCL for providing
www.ijacsa.thesai.org 5 | P a g e
(IJACSA) International Journal of Advanced Computer Science
and Applications,
Vol. 11, No. 2, February 2020
TABLE I. SUMMARY OF EXISTING WORKS ON
APPLICATION OF ABAC IN E-HEALTH SYSTEMS
Work Type of Health
Record Considered
Privacy Preserving
Technique
Access Revocation Storage Platform
Used
Adversarial Model
Assumption
[15] PHR ABE Supported Cloud Semi-trusted
Service Provider
[16] PHR Ciphertext-Policy
ABE