Protecting Data on Service Providers

Abstract

Due to the rapid development of web service based service-oriented architecture (SOA), more and more users are using the services provided by third party service providers. Many users collaborate with each other to carry out complex tasks by invoking the operations of the service providers and by sharing the data stored on the service providers. Traditionally, each service provider specifies an access control policy to control the access to the data stored on the service provider. As a service provider might host data belonging to many users and different users might have different access control policies for their data, maintaining a single access control policy for all users' data become difficult and inflexible. Enforcing the access control policy requires the programmers' careful consideration when implementing the system. The oversights of the programmers might leave security holes in the system. This thesis proposed a User-Centric Data-level Access Control Scheme in which the access control policy of a data item is stored together with the data item. The scheme allows the owners of data to specify the access policies for the data. That is, instead of having a single access control policy for all the data in the system, each data item is given its own access control policy. The scheme also provides a program transformer that can be used by the service providers to insert code at relevant places in the source program for carrying out access control and for tracking the data flow amongst the statements in the system. Compared with other existing schemes, the proposed scheme is more flexible in managing data protection and relieves the programmer from manually enforcing access control and data flow control in their applications. A prototype of the scheme has been implemented and the overhead of the system has been measured.