Policy extension for data access control

Abstract

In this paper, we propose a security framework, looking at different policies for data access control in the mobile environments. We have started with extending the Platform for Privacy Preferences (P3P) policy for controlling the data access. The aim is to modify the P3P policy and to use it in the security capsule of a mobile handset. The service provider can publish the P3P policy in the WebServices and request the mobile client for the user preferences. With the introduction of P3P policy into the mobile device the access to the data is controlled including user preferences and identity mapping. Service provider data will always be encrypted and successful decryption will be a big challenge. Further we looked at the extensible Access Control Markup Language (XACML) policy as it is the way forward for the mobile environment and XACML is the latest policy that is operational smoothly in the mobile environment. Though XACML is a rich framework, it intentionally does not address how to preserve the privacy of authorization entities. For this, we require well-defined trust relationships between the participants, but first time business partners may not have pre-existing relationships. Therefore, a mechanism for gradual building of trust is needed and the security capsule that is presented in this work will provide this. This paper identifies the steps involved in performing transactions with the service provider through the retrieval of policy information and hence proposes an architecture that verifies the data access control.