Privacy Preserving Access Control in Service-Oriented Architecture

Service-oriented Architecture (SOA) comprises a number of loosely-coupled independent services, which collaborate, interact and share data to accomplish incoming requests. A service invocation can involve multiple services, where each service accesses, processes and shares the client's data. These interactions may share data with unauthorized services and violate client's privacy. The client has no means of identifying if a violation occurred because it has no control over the service invocations beyond its trust domain. Such interactions introduce new security challenges which are not present in traditional systems. This paper proposes a data-centric approach for privacy preserving access control in SOA. Benefits of the proposed approach include the ability to dynamically define access polices by the clients and control data access at the time of each service interaction. A realistic healthcare scenario is used to evaluate the implementation of the proposed solution which validates its viability.