Combining Pretty Good Privacy and Role-Based Access Control Technologies for Access Protection to Confidential Data
DOI: https://doi.org/10.20535/2786-8729.4.2024.305130
Keywords: PGP, RBAC, data encryption, information security, access management
Abstract
This article presents a granular access-protection model for confidential information that combines PGP (Pretty Good Privacy) and RBAC (Role-Based Access Control). The aim of the research is to develop and justify a model that provides a high level of security through efficient data encryption combined with flexible role-based access management. The objects of the research are modern information systems that process confidential data; its subject is the encryption and access control methods applied in such systems.
To achieve this goal, modern approaches to data encryption and access management were analysed, their advantages and disadvantages were examined, and current issues of data security at rest were identified. A protection model combining PGP and RBAC was developed, implemented in a real environment, and tested to evaluate its efficiency and usability. PGP protects the data both at rest and in transit, while RBAC allows user access rights to be configured flexibly.
The results show that the proposed model provides a high level of security, flexible access management, and improved system performance. Encrypting the symmetric data key with the recipient's public key, so that only the holder of the corresponding private key can recover it, adds a further barrier against unauthorised data access. Defining roles and privileges for each user ensures that only authorised users reach confidential information, minimising the risk of accidental or malicious access. Despite the complexity of the encryption and key-management processes, the system showed high performance, optimised encryption and decryption, and effective management of user roles and privileges. The proposed model thus proved effective in ensuring a high level of security and flexible access management for confidential data.
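The architecture the abstract describes (a random symmetric data key protects each record, a public-key layer protects that data key, and a role table decides who may read) can be shown end to end. The Go program below is an added example written for this page, not code from the article or its authors. It substitutes RSA-OAEP and AES-256-GCM from Go's standard library for the PGP implementation the article used, keeps every user's private key inside the System struct only so that the program is self-contained, and the users, roles and record content are constructed. The names NewSystem, Grant, Revoke, Encrypt and Decrypt are this example's own; users must be created through NewSystem before roles are granted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is one protected record: data sealed under a random AES-256-GCM data
// key, plus that key wrapped (RSA-OAEP) to each user who held Role when sealed.
type Envelope struct {
	Role       string            // role required to read the record
	Nonce      []byte
	Ciphertext []byte
	WrappedKey map[string][]byte // user -> RSA-OAEP(dataKey)
}

// System holds the RBAC tables and each user's key pair. RSA-OAEP stands in for
// the PGP public-key layer (assumption: the abstract names no key formats).
type System struct {
	userKeys  map[string]*rsa.PrivateKey // server-side only to keep the example self-contained
	userRoles map[string]map[string]bool // user -> set of roles
}

// NewSystem generates a key pair for every listed user.
func NewSystem(users ...string) (*System, error) {
	s := &System{userKeys: map[string]*rsa.PrivateKey{}, userRoles: map[string]map[string]bool{}}
	for _, u := range users {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil { return nil, err }
		s.userKeys[u], s.userRoles[u] = k, map[string]bool{}
	}
	return s, nil
}

func (s *System) Grant(user, role string)  { s.userRoles[user][role] = true }
func (s *System) Revoke(user, role string) { delete(s.userRoles[user], role) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for everyone currently holding role. A user without the
// role gets no wrapped copy of the data key, so the ciphertext alone is useless.
func (s *System) Encrypt(plaintext []byte, role string) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh 256-bit data key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil { return nil, err }
	dataKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dataKey)
	if err != nil { return nil, err }
	env := &Envelope{Role: role, Nonce: nonce, WrappedKey: map[string][]byte{},
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for user, roles := range s.userRoles {
		if !roles[role] {
			continue
		}
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &s.userKeys[user].PublicKey, dataKey, nil)
		if err != nil { return nil, err }
		env.WrappedKey[user] = w
	}
	if len(env.WrappedKey) == 0 {
		return nil, fmt.Errorf("no user holds role %q; record would be unreadable", role)
	}
	return env, nil
}

// Decrypt runs the RBAC check first (user must hold the record's role now), then
// the cryptographic one (a copy of the data key must have been wrapped to the user).
func (s *System) Decrypt(user string, env *Envelope) ([]byte, error) {
	if !s.userRoles[user][env.Role] {
		return nil, errors.New("access denied: " + user + " does not hold role " + env.Role)
	}
	w, ok := env.WrappedKey[user]
	if !ok {
		return nil, errors.New("no data key wrapped for " + user + "; record must be re-sealed")
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.userKeys[user], w, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(dataKey)
	if err != nil { return nil, err }
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	s, err := NewSystem("alice", "bob")
	if err != nil { panic(err) }
	s.Grant("alice", "analyst")
	env, _ := s.Encrypt([]byte("constructed sample: Q3 payroll export"), "analyst") // constructed input
	pt, err := s.Decrypt("alice", env)
	fmt.Println("alice:", string(pt), err)
}
```

Two properties of this layout are worth noting when reading the article's claims. First, the policy check and the cryptographic check fail independently: revoking a role denies access immediately at the policy layer, but the user's wrapped copy of the data key still exists, so records a departed user could already have copied should be re-sealed under a fresh data key rather than relying on the role table alone. Second, granting a role after a record was sealed does not make it readable; someone who can still decrypt must re-wrap the data key for the new holder, which is the operational cost of putting the enforcement into the ciphertext instead of only into an access-control list.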