With the rise of elaborate supply chains and the growing need for collaboration among companies, organizations that have invested heavily in their security infrastructures are now being asked to open them up. Yet, they also need to keep sensitive operations secure from competitors and malicious hackers.
Arif Ghafoor, professor of electrical and computer engineering, has an answer for this dilemma in the form of new security models for federated cyber-based systems. His research enables more flexible multi-domain, federated collaboration policies for supporting large-scale business processes that do not expose critical data to unauthorized individuals.
Ghafoor has been a pioneer in multimedia databases and multimedia networking, and he continues as the director of Purdue’s Distributed Multimedia Systems Laboratory. Yet over the last decade, his research has focused on information authorization and security.
There are common themes to both research lines, including context-driven modeling and developing system architecture. In his multimedia research, for example, Ghafoor is known for his multimedia composition model and motion-based modeling and indexing of video data using video semantic directed graphs that track video objects over time. In his federated security research, he’s making authorization and access control decisions more granular by adding factors such as where and when information is being requested in addition to who is making the request.
Smartening Up Access Policies With GTRBAC
With his research in access policy protocols and authorizations for inter-organizational collaboration, Ghafoor started by improving upon the Role Based Access Control (RBAC) scheme developed at the National Institute of Standards and Technology (NIST). “The original RBAC model was fairly simple in that access was based on different roles and there was no consideration about time, context and space,” says Ghafoor. “We have developed a variation called Generalized Temporal RBAC (GTRBAC), which offers a spatial extension that takes these variables into account. For example, in order to safeguard privacy in a hospital environment, the model might give doctors access to patient data when they’re in their offices, but not when they’re sitting in the lobby.”
With GTRBAC, a role can be in one of three states at any time: disabled, enabled or active. GTRBAC supports the fine-grained specification of various types of constraints, including temporal and periodicity constraints on role enabling, activation and assignment. It also considers triggers and run-time events, as well as Separation of Duties (SoD) constraints for preventing fraud.
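As an added illustration (not Ghafoor's code or the iPM tool), the following Python model walks a role through the three states with a periodicity constraint, the spatial extension from the hospital example above, and a dynamic SoD check; the roles, users and locations are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample GTRBAC-style policy (illustrative, not Ghafoor's implementation).
# Each role carries a periodicity constraint (weekdays, hour range) that decides whether
# it is enabled, and a spatial constraint listing the locations from which it may be activated.
@dataclass
class Role:
    name: str
    weekdays: frozenset      # 0=Monday .. 6=Sunday
    hours: tuple             # (start_hour, end_hour), end exclusive
    locations: frozenset     # allowed activation locations (spatial extension)

ROLES = {
    "doctor": Role("doctor", frozenset(range(5)), (8, 18), frozenset({"office", "ward"})),
    "auditor": Role("auditor", frozenset(range(5)), (9, 17), frozenset({"office"})),
}
ASSIGNMENTS = {"alice": {"doctor", "auditor"}, "bob": {"doctor"}}
# Dynamic separation of duties: these role pairs must never be active together in one session.
DSOD = {frozenset({"doctor", "auditor"})}

def role_state(role: Role, now: datetime) -> str:
    """DISABLED outside the role's periodicity window, otherwise ENABLED."""
    if now.weekday() in role.weekdays and role.hours[0] <= now.hour < role.hours[1]:
        return "ENABLED"
    return "DISABLED"

@dataclass
class Session:
    user: str
    active: set = field(default_factory=set)

def activate(session: Session, role_name: str, now: datetime, location: str) -> str:
    """Try to move a role to ACTIVE for this session; return the decision and its reason."""
    role = ROLES.get(role_name)
    if role is None or role_name not in ASSIGNMENTS.get(session.user, set()):
        return "DENY: role not assigned"
    if role_state(role, now) != "ENABLED":
        return "DENY: role disabled by temporal constraint"
    if location not in role.locations:
        return "DENY: location not permitted by spatial constraint"
    for other in session.active:
        if frozenset({other, role_name}) in DSOD:
            return f"DENY: dynamic SoD conflict with active role {other}"
    session.active.add(role_name)
    return "ACTIVE"
```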
Typically, organizations opt for a loosely coupled collaborative arrangement. Each institution maintains its own access policies, but shares data via a service level agreement, says Ghafoor. “A loosely coupled approach enables each enterprise to be more autonomous,” he explains. “The challenge is that it relies on somebody asking permission for access, and then someone else considering the request and approving it on the fly. It’s not obvious to a user whether access will be granted or how long it might take.”
To establish more effective and timely collaboration, organizations are increasingly seeking more tightly coupled relationships with automated processes and integrated federation policies. “The advantage of tightly coupled collaboration is that you can give your users fast access to data via an integrated global policy with centralized control,” says Ghafoor.
“Yet because all policies must be considered together, integration and interoperation of multiple policies is a more complex problem. You need to perform conflict resolution and devise a single meta policy model, and maintaining autonomy of an individual policy becomes more challenging.”
While GTRBAC modeling can be used for both loosely and tightly coupled arrangements, it plays a greater role in more automated, tightly coupled collaborations. Among other benefits, the technology makes it easier to ferret out potential security gaps and conflicts.
“In federated systems, policy conflicts can occur from inconsistent role mappings, whether they’re generated automatically or administratively defined,” says Ghafoor. Conflicts tend to appear more in organizations that have hierarchical structures. Here, the biggest security threat is not accidental exposure of sensitive data to people in the collaborating organization, but exposure to malicious insiders within one’s own organization.
“The most critical security issue is the insider threat,” says Ghafoor. “If you offer access to another enterprise’s systems, there is a risk that you can have cross accesses that cross-link back to your own organization and provide access that the users could not acquire within their own organizations.”
In a tightly coupled hierarchical environment, Ghafoor’s approach “can translate a RBAC policy integration problem into an optimization model that lets you express policy constraints and analyze the violations more easily,” he says. “The solution lies in either meeting the constraints while achieving an optimal process to maximize access, or else adapting certain constraints. With GTRBAC modeling, we can help organizations identify these loopholes through analysis of the policies. Once you identify conflicts, you can determine how to resolve them.”
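An added example, not Ghafoor's optimization model or tooling: a Python check over a constructed two-domain federation that reports the home-domain roles a user gains only by crossing into the partner domain and back (the cross-link Ghafoor describes above), together with any static SoD pairs the mappings break. Domain names, roles and mappings are all made up for the example.

```python
# Constructed two-domain federation (illustrative; not Ghafoor's model).
# Roles are "domain.role". HIERARCHY maps a senior role to the junior roles it inherits.
# MAPPINGS are cross-domain role mappings agreed in the federation policy:
# holding the key role grants the mapped role in the partner domain.
HIERARCHY = {
    "A.manager": {"A.analyst"},
    "A.analyst": set(),
    "A.finance": set(),
    "B.lead": {"B.engineer"},
    "B.engineer": set(),
}
MAPPINGS = {
    "A.analyst": {"B.engineer"},   # A's analysts may act as B engineers
    "B.engineer": {"A.finance"},   # B's engineers may read A's finance data
}
# Static SoD inside domain A: nobody should hold both of these roles.
SOD = {frozenset({"A.analyst", "A.finance"})}

def reachable(start, edges):
    """Roles acquirable from start by following the given edge function."""
    seen, stack = set(), [start]
    while stack:
        role = stack.pop()
        for nxt in edges(role):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def local_only(role):
    """Edges available within the home domain: the role hierarchy alone."""
    return HIERARCHY.get(role, set())

def federated(role):
    """Edges once the federation is active: hierarchy plus cross-domain mappings."""
    return HIERARCHY.get(role, set()) | MAPPINGS.get(role, set())

def find_conflicts(role):
    """Home-domain roles gained only via the partner domain, plus SoD pairs now co-held."""
    domain = role.split(".")[0]
    home = reachable(role, local_only) | {role}
    fed = reachable(role, federated) | {role}
    cross_back = {r for r in fed - home if r.startswith(domain + ".")}
    sod_breaks = {pair for pair in SOD if pair <= fed}
    return sorted(cross_back), sod_breaks
```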
In a recent presentation recorded on YouTube that covers Ghafoor’s multimedia research in addition to his authorizations work, he offers an example of using GTRBAC concepts for information sharing between county offices. A county clerk’s office dealing with sales tax and redemption issues and a county treasurer’s office that handles tax billing and collection need to share data, but it’s also essential that certain data be kept separate. To identify and resolve conflicts, the GTRBAC model considers “optimality” measures, such as maximum data share, maximum role mapping, maximum prioritized accesses and minimum policy representation overhead.
Privacy and Authorization Issues in Electronic Health Records
A related project uses GTRBAC concepts to develop a scheme that ensures user privacy. The research is aimed primarily at creating private electronic medical records, but it could also be used for other applications, such as cloud-based shared services.
“We are looking into the concept of anonymization by generalization,” says Ghafoor. “With anonymization, you group data together to provide a more abstract representation of data to preserve privacy. Yet in doing so, you often lose the utility of the data from the user perspective. We are also working on an access control model that involves the controlled sharing of information to preserve privacy.”
Ghafoor has initially implemented this scheme in an Intelligent Privacy Manager (iPM) tool that lets users control privileges and share information with colleagues and friends. “We are looking into using the iPM tool for electronic health records, so patients can have online access to health records, including scans, medical reports and prescriptions,” he explains. “There are multiple stakeholders: physicians can provide information about patients and hospitals, and users (patients) can choose who can access information on a particular need basis. Access rules can dictate where and what time the information is accessed.”
He concludes, “As cyber threats are growing in both volume and complexity, robust models and architectures are needed for developing information protection technologies.”