Attribute-Based Access Control Frameworks for Granular Data Access in Cloud-Based Insurance Systems
Keywords:
Attribute-Based Access Control (ABAC), granular data access
Abstract
The rapid adoption of cloud-based infrastructure in the insurance sector has intensified the need for robust access control mechanisms to manage sensitive datasets securely. Traditional access control models, such as Role-Based Access Control (RBAC) and Mandatory Access Control (MAC), exhibit limitations in addressing the dynamic and granular access requirements of modern insurance platforms. Attribute-Based Access Control (ABAC), characterized by its reliance on attributes—user, object, environmental, and contextual—emerges as a highly adaptable framework for managing access to sensitive information while adhering to stringent regulatory standards such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).
This paper investigates the integration of ABAC frameworks into cloud-based insurance systems to enable fine-grained, dynamic, and policy-driven access management. The study begins by delineating the key challenges faced by insurance providers in securing sensitive datasets, particularly in a multi-tenant cloud environment. These challenges include mitigating insider threats, ensuring compliance with complex regulatory requirements, and providing scalable access mechanisms without compromising system performance.
The core contribution of this research is a detailed analysis of ABAC's operational principles and its application in insurance platforms. The ABAC model evaluates access requests based on multi-dimensional attributes, providing unparalleled granularity in defining and enforcing access policies. For instance, policies can be formulated to grant access to medical records only to licensed professionals during working hours or to restrict sensitive customer information based on geographical regulations. Such capabilities surpass the rigidity of RBAC, which depends solely on predefined roles.
The paper also explores the role of advanced technologies, such as machine learning and natural language processing, in enhancing ABAC frameworks. These technologies are pivotal in automating policy management, detecting anomalies, and adapting to evolving security threats. A case study involving a simulated insurance platform demonstrates how an ABAC-based system can enforce real-time, attribute-driven policies to manage access to claims data while maintaining regulatory compliance. This implementation showcases the potential of ABAC in reducing unauthorized access, improving operational efficiency, and mitigating risks associated with data breaches.
To address implementation challenges, the paper provides a comprehensive discussion on the technical requirements and considerations for deploying ABAC in cloud-based environments. Key aspects include attribute classification and management, policy creation and lifecycle management, and performance optimization in high-traffic scenarios. The scalability of ABAC systems is evaluated, highlighting their capacity to handle large datasets and diverse user bases, which are intrinsic to insurance platforms.
The research further evaluates the compatibility of ABAC with privacy-preserving technologies, such as homomorphic encryption and secure multi-party computation, to strengthen data protection in compliance with GDPR and HIPAA mandates. Additionally, the paper identifies potential barriers, such as the complexity of attribute definition, policy conflicts, and the computational overhead associated with dynamic policy enforcement. Solutions and best practices are proposed to mitigate these challenges, including the adoption of standardized policy languages like XACML and the integration of policy simulation tools to validate and optimize access policies before deployment.
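The two policies sketched in the abstract (medical records only for licensed professionals during working hours; sensitive customer data restricted by geography) and the policy-conflict problem noted above, shown as an added example that is not code from the paper: a minimal policy decision point using deny-overrides combining with default deny. The attribute names, the 09:00 to 17:00 window and the fail-closed handling of missing attributes are assumptions made for illustration.

```python
from datetime import time

# Each rule: (effect, condition). A condition returns True when the rule
# applies and raises KeyError when an attribute it needs is absent.
def clinician_in_hours(subj, res, env):
    # Assumed working hours: 09:00 to 17:00 local time.
    return (res["type"] == "medical_record"
            and subj["licensed"] is True
            and time(9, 0) <= env["local_time"] < time(17, 0))

def cross_region_pii(subj, res, env):
    # Geographic restriction: PII stays within its data region.
    return res["sensitivity"] == "pii" and subj["region"] != res["data_region"]

POLICIES = [("permit", clinician_in_hours), ("deny", cross_region_pii)]

def decide(subj, res, env, policies=POLICIES):
    """Deny-overrides with default deny; missing attributes fail closed."""
    permitted = False
    for effect, condition in policies:
        try:
            applies = condition(subj, res, env)
        except KeyError as missing:
            return "deny", f"missing attribute {missing}"
        if applies and effect == "deny":
            return "deny", condition.__name__  # a deny always wins
        permitted = permitted or applies
    return ("permit", "matched") if permitted else ("deny", "no applicable permit")

if __name__ == "__main__":
    # Constructed sample request, not data from the paper.
    record = {"type": "medical_record", "sensitivity": "pii", "data_region": "EU"}
    nurse = {"licensed": True, "region": "EU"}
    for hhmm in (time(10, 30), time(22, 0)):
        print(hhmm, decide(nurse, record, {"local_time": hhmm}))
    print(decide({"licensed": True, "region": "US"}, record, {"local_time": time(10, 30)}))
    print(decide({"region": "EU"}, record, {"local_time": time(10, 30)}))
```

The third request matches both rules, so it shows the conflict being resolved in favour of the deny; the fourth shows a request with an undefined attribute being refused rather than silently skipped.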
Future directions for research are explored, emphasizing the need for adaptive ABAC systems that leverage artificial intelligence to dynamically adjust policies based on contextual and behavioral analytics. The importance of interoperability among ABAC systems and other access control mechanisms is also underscored to ensure seamless integration across heterogeneous cloud environments. Furthermore, the study highlights the necessity of establishing a regulatory framework that explicitly acknowledges the role of ABAC in safeguarding sensitive data within the insurance sector.
License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
License Terms
Ownership and Licensing:
Authors of this research paper submitted to the journal owned and operated by The Science Brigade Group retain the copyright of their work while granting the journal certain rights. Authors maintain ownership of the copyright and have granted the journal a right of first publication. Simultaneously, authors agreed to license their research papers under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) License.
License Permissions:
Under the CC BY-NC-SA 4.0 License, others are permitted to share and adapt the work, as long as proper attribution is given to the authors and acknowledgement is made of the initial publication in the Journal. This license allows for the broad dissemination and utilization of research papers.
Additional Distribution Arrangements:
Authors are free to enter into separate contractual arrangements for the non-exclusive distribution of the journal's published version of the work. This may include posting the work to institutional repositories, publishing it in journals or books, or other forms of dissemination. In such cases, authors are requested to acknowledge the initial publication of the work in this Journal.
Online Posting:
Authors are encouraged to share their work online, including in institutional repositories, disciplinary repositories, or on their personal websites. This permission applies both prior to and during the submission process to the Journal. Online sharing enhances the visibility and accessibility of the research papers.
Responsibility and Liability:
Authors are responsible for ensuring that their research papers do not infringe upon the copyright, privacy, or other rights of any third party. The Science Brigade Publishers disclaim any liability or responsibility for any copyright infringement or violation of third-party rights in the research papers.