Integration and Verification of Privacy Policies Using DSML's Structural Semantics in a SOA-Based Workflow Environment

Integration and Verification of Privacy Policy Models Using a DSML Structural Approach in an SOA-Based Workflow Environment

  • Published: 2009.08.30

Abstract

In order to verify that the many legal requirements and regulations are correctly translated into software, this paper provides a solution for formal and computable representations of the rules and requirements in data protection legislation using a DSML (Domain Specific Modeling Language). All policies are formally specified in Prolog and then integrated with the DSML. Depending on when a policy is verified, this solution distinguishes two kinds of policies: static policies and dynamic policies.

In order to verify that the requirements and rules of data protection regulations are correctly expressed in software, this paper presents a solution for the formal and computable representation of policies using a domain-specific language, DSML (Domain Specific Modeling Language). All policies are formally expressed in the Prolog language and then integrated with the DSML; depending on when compliance with the requirements must be evaluated, policy verification takes two forms: static policy verification and dynamic policy verification.
