CASSANDRA : flexible trust management and its application to electronic health records

The emergence of distributed applications operating on large-scale, heterogeneous and decentralised networks poses new and challenging problems of concern to society as a whole, in particular for data security, privacy and confidentiality. Trust management and authorisation policy languages have been proposed to address access control and authorisation in this context. Still, many key problems have remained unsolved. Existing systems are often not expressive enough, or are so expressive that access control becomes undecidable; their semantics is not formally specified; and they have not been shown to meet the requirements set by actual real-world applications. This dissertation addresses these problems. We present CASSANDRA, a role-based language and system for expressing authorisation policy, and the results of a substantial case study, a policy for a national electronic health record (EHR) system, based on the requirements of the UK National Health Service's National Programme for Information Technology (NPfIT). CASSANDRA policies are expressed in a language derived from Datalog with constraints. CASSANDRA supports credential-based authorisation (e.g. between administrative domains), and rules can refer to remote policies (for credential retrieval and trust negotiation). The expressiveness of the language (and its computational complexity) can be tuned by choosing an appropriate constraint domain. The language is small and has a formal semantics for both query evaluation and the access control engine. There has been a lack of real-world examples of complex security policies: our NPfIT case study fills this gap. The resulting CASSANDRA policy (with 375 rules) demonstrates that the policy language is expressive enough for a real-world application. We thus demonstrate that a general-purpose trust management system can be designed to be highly flexible, expressive, formally founded and meet the complex requirements of real-world applications.

Bibliographic Details
Main Author: Becker, M. Y. W.-Y.
Published: University of Cambridge 2005
Subjects:
Online Access:http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.596509