Risk-Based Access Control for Personal Data Services

In the context of ubiquitous computing, small mobile devices are used as a platform for consuming various services. Specifically, personal data and information of a person (called data owner) are distributed over many third party organizations (data/service provider), and are being made available as Web services, such as monthly financial statements, personal medical data services (e.g., X-ray results), etc. Very often, the personal information Web services are not just used by the data owner, but by third party data consumers who work on the cases on behalf of the data owner, such as financial advisers or doctors. In this environment, the data consumers often are not the same as the data owner. Access control is enforced to prevent confidential personal information from falling into the hands of "unauthorized" users. However, in many critical situations, such as emergencies, relevant information may need to be released even if users are not explicitly authorized. In this paper, we present the notion of situational role and propose a risk-based access control model that makes the decisions by assessing the risk in releasing data in the situation at hand. Specifically, it employs the "access first and verify later" strategy so that needed personal information is released without delaying access for a decision making third-party, and yet providing an adequate mechanism for appropriate release of personal information by a third party provider. Our approach employs the notion of situation role and uses semantics in building situation role hierarchies. It computes the semantic distance between the credential attributes required by the situational role and the actual role of a user requesting access, which essentially is used in assessing the risk.