Managing Data Security in E-Markets through Relationship Driven Access Control

Authors

  • Harry J. Wang
  • J. Leon Zhao
  • Guoqing Chen
Abstract

Data security in e-markets is vital to maintaining trust among trading partners. In an e-market, companies must share information to improve operational efficiency in their supply chains, while at the same time, access to sensitive information by rival companies should be prevented. In today’s highly dynamic business environment, the relationships among companies in e-markets are constantly changing while these relationships determine how company information should be shared with other companies. In this paper, the authors show that existing access control models are not designed for managing data security in e-markets with dynamic company relationships and propose a Relationship Driven Access Control (RDAC) model to provide a better solution. In particular, the authors design a rule-based approach for managing dynamic company relationships and a secure query processing mechanism to filter shared information based on company relationships. A prototype system is developed to demonstrate and validate the authors’ RDAC model.

DOI: 10.4018/jdm.2012040101

Journal of Database Management, 23(2), 1-21, April-June 2012. Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

delivery of services over the web (Beneventano & Magnani, 2004; Yen & Kong, 2002). The growth of business-to-business e-commerce has highlighted the importance of maintaining inter-organizational trust in developing and maintaining business-to-business relationships. Furthermore, access control in e-commerce transactions has been identified as an important means for maintaining trust between trading partners (Lee, 2008; Li, Du, & Wong, 2007; Ratnasingham & Kumar, 2000; Wang, Cheng, & Zhao, 2004; Wang, Zhao, & Cheng, 2007). That is, managing data security in e-markets is a critical issue as the data owners have varying relationships with the e-marketplace and between one another (Kuller, 2005).
Consequently, development of new techniques for managing data security in e-markets is an important research area. One such research area focuses on advanced access control mechanisms that support security management in Web and e-commerce applications (Joshi, Aref, Ghafoor, & Spafford, 2001; Lee, 2008; Thuraisingham, Clifton, Gupta, Bertino, & Ferrari, 2001). In supply chain management, companies typically form alliances for the purposes of information sharing and strategic cooperation (Seidmann & Sundararajan, 1997; Thomas & Griffin, 1996). This requires more advanced access control mechanisms that ensure the sharing of information aligns properly with the complex and dynamic relationships among the companies to maintain trust and confidentiality (Chakraborty & Ray, 2006; Kang, Park, & Froscher, 2001; Zhao, Wang, & Huang, 2008). Existing access control models are mostly concerned with data and application security within a uniform organization where the relationships between companies are of little concern. The main focus of those access control models, such as role-based access control (RBAC), task-based access control (TBAC), coalition-based access control (CBAC), and workflow-based access control (WBAC), is on how to efficiently map users to their access authorizations. As will be discussed in detail in later sections, the TBAC, CBAC, and WBAC models are extensions of RBAC that include tasks, coalitions, and workflows in the mapping between users and roles. We will demonstrate that in an e-market, company relationships are a new dimension that has not been emphasized in previous access control models, and e-market data security must take into account company relationships. In this study, we propose a novel model that enables efficient data security management in e-markets.
Our model is unique in that it is driven by the complex, dynamic relationships among the companies participating in the e-market, and our access control model is therefore referred to as the Relationship Driven Access Control (RDAC) model. We demonstrate in this paper how the RDAC model can be used to control access in the context of integrated e-catalogs where multiple companies share information with suppliers, buyers, and partners while at the same time preventing sensitive information from going to their rival companies. The main contributions of this paper are as follows: First, we propose a new access control model named Relationship Driven Access Control (RDAC), which adds company relationship as a new dimension to existing access control methods. Second, we develop a rule-based approach for managing dynamic company relationships and a secure query processing mechanism to filter shared information based on company relationships. These innovative techniques enable element-level data protection for e-catalogs in e-markets based on dynamic company relationships. Third, we develop a prototype system based on a rule engine and a database system to demonstrate and validate the RDAC model, which provides practical insights into projects on advanced e-market security management. The remainder of the paper is organized as follows. Next, we first give an overview of prior research results that motivate and guide our study. After that, we discuss the information sharing dilemma, dynamic company relationships in e-markets, and the need for secure data filtering. Then, the basic concepts and the key techniques of the RDAC are presented.
After that, advanced issues in the design and

19 more pages are available in the full version of this document.


Similar resources

Web Services Enabled E-Market Access Control Model

With the dramatic expansion of global e-markets, companies collaborate more and more in order to streamline their supply chains. Companies often form coalitions to reach the critical mass required to bid on a large volume or wide ranges of products. Meanwhile, they also compete with one another for market shares. Because of the complex relationships among companies, controlling the access to sha...

An Architecture for Security and Protection of Big Data

The issue of online privacy and security is a challenging subject, as it concerns the privacy of data that are increasingly more accessible via the internet. In other words, people who intend to access the private information of other users can do so more efficiently over the internet. This study is an attempt to address the privacy issue of distributed big data in the context of cloud computin...

A combination of semantic and attribute-based access control model for virtual organizations

A Virtual Organization (VO) consists of some real organizations with common interests, which aims to provide inter organizational associations to reach some common goals by sharing their resources with each other. Providing security mechanisms, and especially a suitable access control mechanism, which enforces the defined security policy is a necessary requirement in VOs. Since VO is a complex ...

ShareEnabler: Policy-Driven Access Management for Ad-Hoc Collaborative Sharing

The rise of the Internet has introduced dramatic changes in managing and sharing digital resources among widely dispersed groups. This paper presents a policy-driven access management approach for ad-hoc collaboration to enable secure information sharing in heterogeneous network environments. In particular, we attempt to incorporate the features of distributed role-based access control, delegat...

The Relationship between Information Literacy and Access to Facilities with Attitudes toward E-learning among students of Urmia University of Medical Sciences

Introduction: E-learning is considered as one of the most important elements of higher education in the information era. The present study aimed to investigate the relationship between information literacy and access to facilities with attitudes toward e-learning among students of Urmia University of Medical Sciences. Methods: This descriptive study was performed on 190 senior students of Urmi...


Journal title:
  • J. Database Manag.

Volume 23  Issue 

Pages  -

Publication date 2012