Multi-Stakeholder Access Control in Data Ecosystems
Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering, Embedded Internet Systems Lab. ORCID iD: 0009-0009-9695-2308
2026 (English). Licentiate thesis, comprehensive summary (Other academic)
Abstract [en]

In multi-stakeholder data ecosystems, digital resources (e.g. shared datasets) are often co-owned by independent organizations, making access governance a collaborative challenge. Each stakeholder brings its own security and business constraints, so agreeing on concrete access rules across organizational boundaries is hard. For example, in an industrial IoT supply chain, machine data can be valuable to the factory operator, the equipment supplier, and a maintenance provider, and each must consent to who can access what. Manual agreement is slow and contentious, motivating an automated negotiation mechanism to help stakeholders efficiently converge on a shared set of acceptable rules.

Consensus is only half the problem: once access rules are agreed upon, they must be enforced reliably in a distributed system with no single authority to push updates. Nodes go offline, networks partition, and rule updates arrive out of order. Without careful design, different parts of the system will enforce different decisions. Ensuring that all parties can consistently uphold the agreed rules under stated assumptions requires robust, fault-tolerant mechanisms. This licentiate thesis tackles both agreement and enforcement, providing methods to reach common ground on access rules and to apply them securely despite distributed-systems challenges.

The thesis makes three contributions. First, it introduces a utility-based negotiation method that lets multiple stakeholders collaboratively arrive at a common access-rule set by quantifying preferences and using optimization to automate consensus, supporting more structured and reproducible agreement compared to informal negotiation. Second, it develops a formal verification toolchain for cloud-native infrastructures (shown on Kubernetes) to prevent misconfiguration and privilege escalation; RBAC and admission rules are translated into logical constraints, an SMT solver checks for unsafe conditions, and only verified rules are deployed; an integrated deny-overrides enforcement path then applies them consistently at runtime. Third, it outlines EQuack (to be detailed in forthcoming work), an offline-capable access control model for distributed ecosystems where continuous connectivity cannot be assumed. It ensures that even if nodes diverge while offline, they eventually converge to the same authorized state via deterministic deny-wins replay over update logs and tamper-evident audit trails, without relying on blockchains or other heavy consensus mechanisms.
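The convergence property described for EQuack, as an added illustration (my code, not the thesis's; EQuack's actual merge rules are to be detailed in forthcoming work, so the semantics here are assumptions: a higher sequence number supersedes a lower one, deny wins among concurrent updates, and a missing rule means deny):

```python
import hashlib
import json
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Update:
    """One access-rule update as it appears in a node's update log."""
    seq: int        # logical timestamp assigned by the issuing stakeholder
    subject: str
    resource: str
    effect: str     # "allow" or "deny"

def canonical(log):
    """Total order used for replay: duplicates dropped, ties broken deterministically."""
    return sorted(set(log), key=lambda u: (u.seq, u.subject, u.resource, u.effect))

def replay(log):
    """Fold a log into (state, audit_head).

    Assumed merge rule: a higher seq supersedes a lower one for the same
    (subject, resource); among updates with equal seq, deny wins. The hash
    chain is built over the canonical order, so any two nodes holding the
    same set of updates end with the same chain head, whatever order they
    received the updates in.
    """
    state = {}
    head = hashlib.sha256(b"genesis").hexdigest()
    for u in canonical(log):
        key = (u.subject, u.resource)
        prev = state.get(key)
        if prev is None or u.seq > prev.seq or (u.seq == prev.seq and u.effect == "deny"):
            state[key] = u
        entry = json.dumps(asdict(u), sort_keys=True).encode()
        head = hashlib.sha256(head.encode() + entry).hexdigest()
    return {k: v.effect for k, v in state.items()}, head

def is_authorized(state, subject, resource):
    """Default-deny lookup: no rule for the pair means denied."""
    return state.get((subject, resource)) == "allow"

# Constructed sample: four updates reach node A and node B in different orders;
# node B also sees one of them twice (gossip redelivery after a partition heals).
LOG_A = [Update(1, "alice", "dataset", "allow"),
         Update(1, "bob", "dataset", "deny"),
         Update(2, "bob", "dataset", "allow"),   # supplier re-grants bob ...
         Update(2, "bob", "dataset", "deny")]    # ... while the operator concurrently denies
LOG_B = [LOG_A[3], LOG_A[2], LOG_A[2], LOG_A[0], LOG_A[1]]
```

Both nodes replay to the same state and the same audit head; a node whose log is missing or altered produces a different head, which is what makes the trail tamper-evident.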

Taken together, the results suggest a path toward more secure collaboration by supporting structured agreement over access rules and providing enforcement mechanisms that can remain consistent in distributed settings, within the limits of the evaluated scenarios and stated assumptions.

Place, publisher, year, edition, pages
Luleå tekniska universitet, 2026.
Series
Licentiate thesis / Luleå University of Technology, ISSN 1402-1757
Keywords [en]
Multi-stakeholder, Access Control, Federated data ecosystems, Formal verification, Offline / edge enforcement, Verifiable credentials, Decentralized and Distributed
National Category
Computer Systems
Research subject
Cyber-Physical Systems
Identifiers
URN: urn:nbn:se:ltu:diva-115769
ISBN: 978-91-8048-966-9 (print)
ISBN: 978-91-8048-967-6 (electronic)
OAI: oai:DiVA.org:ltu-115769
DiVA, id: diva2:2020653
Presentation
2026-02-26, A109, Luleå University of Technology, Luleå, 09:00 (English)
Opponent
Supervisors
Available from: 2025-12-11. Created: 2025-12-11. Last updated: 2026-02-05. Bibliographically approved.
List of papers
1. Objective- and Utility-Based Negotiation for Access Control
2025 (English). In: Proceedings of the 11th International Conference on Information Systems Security and Privacy / [ed] Roberto Di Pietro; Karen Renaud; Paolo Mori, Science and Technology Publications, Lda, 2025, Vol. 2, p. 493-501. Conference paper, Published paper (Refereed)
Abstract [en]

Access control in modern digital ecosystems is challenging due to dynamic resources and diverse stakeholders. Traditional mechanisms struggle to adapt, causing inefficiencies and inequities. We propose a novel algorithm that automates access control policy negotiation via objective optimization and utility-based methods. It enables stakeholders to jointly select policies aligned with their preferences, provided a suitable policy exists. Suggested criteria guide the evaluation of predefined policies, and a mathematical formulation quantifies stakeholder preferences with utility functions, using optimization to achieve consensus. The algorithm’s multilinear scalability is demonstrated through time and space complexity analysis. An evaluation tool supports practical testing, and the approach enhances efficiency and trust by ensuring equitable data access within digital ecosystems.

Place, publisher, year, edition, pages
Science and Technology Publications, Lda, 2025
Series
ICISSP, ISSN 2184-4356
Keywords
Negotiation, Access Control, Automation, Digital Ecosystems, Stakeholder Collaboration, Interoperability
National Category
Electrical Engineering, Electronic Engineering, Information Engineering Computer and Information Sciences
Research subject
Cyber-Physical Systems
Identifiers
urn:nbn:se:ltu:diva-112436 (URN)
10.5220/0013130000003899 (DOI)
2-s2.0-105001734630 (Scopus ID)
Conference
11th International Conference on Information Systems Security and Privacy, Porto, Portugal, February 20-22, 2025
Funder
European Regional Development Fund (ERDF); Norrbotten County Council; Luleå University of Technology
Note

Funder: Skellefteå Municipality; Digitala Stambanan IndTech;

ISBN for host publication: 978-989-758-735-1;

Full text license: CC BY-NC-ND

Available from: 2025-04-16. Created: 2025-04-16. Last updated: 2025-12-11. Bibliographically approved.
2. Formal Verification for Preventing Misconfigured Access Policies in Kubernetes Clusters
2025 (English). In: IEEE Access, E-ISSN 2169-3536, Vol. 13, p. 141798-141813. Article in journal (Refereed). Published
Abstract [en]

Kubernetes clusters now underpin the bulk of modern production workloads (recent 2024 Cloud Native Computing Foundation surveys report >96% enterprise adoption), stretching from 5G edge nodes and AI/ML pipelines to heavily regulated fintech and healthcare back-ends. Every action in those environments funnels through the API server, so a single access-control slip can jeopardise an entire fleet. Yet most deployments still rely on a patchwork of Role-Based Access Control (RBAC) rules and policy-as-code admission controllers such as OPA Gatekeeper or Kyverno. In practice these controls are brittle: minor syntactic oversights, wildcard privileges, or conflicting rules can silently create privilege-escalation paths that elude linters and manual review. This paper presents a framework that models both RBAC and admission policies as first-order logic and uses an SMT solver to exhaustively search for counter-examples to stated security invariants before policies reach the cluster. The approach detects policy conflicts, unreachable denies, and unintended permissions. Three real-world case studies are presented to illustrate how the framework reveals latent misconfigurations and validates the soundness of the corrected rules. These case studies include a supply-chain image bypass, an RBAC “shadow-admin” escalation, and a multi-tenant namespace breach. To aid replication and further study, we release a fully scripted GitHub testbed: a Minikube cluster, AuthzForce PDP, admission-webhook adapter, and Z3-backed CLI that recreates each scenario and verifies policies end-to-end. While the framework does not address runtime threats, it closes a critical verification gap and substantially raises the bar for attackers targeting the most widely deployed orchestration platform.
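An added example (my code, not the paper's released testbed, which uses Z3) of the counter-example search the abstract describes: brute-force enumeration over a small constructed RBAC domain stands in for the solver, and the role, binding, subject and invariant names are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    verbs: frozenset
    resources: frozenset

@dataclass(frozen=True)
class Binding:
    subject: str
    role: str
    namespace: str   # "*" models a ClusterRoleBinding (cluster-wide scope)

def matches(patterns, value):
    """Kubernetes-style wildcard match: '*' matches any value."""
    return "*" in patterns or value in patterns

def permitted(roles, bindings, subject, verb, resource, namespace):
    """RBAC is allow-only: a request is permitted iff some binding grants it."""
    for b in bindings:
        if b.subject != subject or not matches({b.namespace}, namespace):
            continue
        if any(matches(r.verbs, verb) and matches(r.resources, resource)
               for r in roles[b.role]):
            return True
    return False

def counterexamples(roles, bindings, domain, invariant):
    """Enumerate every (subject, verb, resource, namespace) in the finite domain
    and return the permitted requests that violate the invariant. The paper's
    framework hands this search to an SMT solver; here it is brute force."""
    return [req for req in product(*domain)
            if permitted(roles, bindings, *req) and not invariant(*req)]

ADMINS = {"cluster-admin-user"}
def no_secret_access_outside_admins(subject, verb, resource, namespace):
    """Constructed invariant: only admins may touch Secrets in kube-system."""
    return subject in ADMINS or not (resource == "secrets" and namespace == "kube-system")

# Constructed sample policy: the wildcard role is bound cluster-wide by mistake.
ROLES = {
    "ci-reader": [Rule(frozenset({"get", "list"}), frozenset({"pods", "configmaps"}))],
    "ci-deployer": [Rule(frozenset({"*"}), frozenset({"*"}))],
    "cluster-admin": [Rule(frozenset({"*"}), frozenset({"*"}))],
}
DOMAIN = (["ci-bot", "cluster-admin-user"], ["get", "create"], ["pods", "secrets"], ["ci", "kube-system"])
BAD_BINDINGS = [Binding("ci-bot", "ci-reader", "ci"), Binding("ci-bot", "ci-deployer", "*"),
                Binding("cluster-admin-user", "cluster-admin", "*")]
```

Re-scoping the `ci-deployer` binding to the `ci` namespace makes the search return no counter-examples, which is the "only verified rules are deployed" gate the thesis describes.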

Place, publisher, year, edition, pages
IEEE, 2025
Keywords
Attribute-based access control, cloud-native security, formal verification, kubernetes, policy-as-code, role-based access control, SMT solvers
National Category
Computer Sciences
Research subject
Cyber-Physical Systems; Pervasive Mobile Computing
Identifiers
urn:nbn:se:ltu:diva-114384 (URN)
10.1109/access.2025.3597504 (DOI)
001551612200016 ()
2-s2.0-105013194144 (Scopus ID)
Projects
Green Transition North (GTN); Digitala Stambanan IndTech; RemaNet
Funder
EU, Horizon Europe, 101138627; European Regional Development Fund (ERDF); Norrbotten County Council; Luleå University of Technology; Vinnova, 2024-02510
Note

Validated; 2025; Level 2; 2025-11-04 (u4);

Funder: Skellefteå Municipality;

Full text license: CC BY

Available from: 2025-08-21. Created: 2025-08-21. Last updated: 2025-12-11. Bibliographically approved.

Open Access in DiVA

fulltext (841 kB), 34 downloads
File information
File name: FULLTEXT01.pdf
File size: 841 kB
Checksum SHA-512: dbb3a0e7d7d3885a02610b1b01fd8cc4a8b49a29476f4914892396e8a44f91996e67a41a6fabdc05c29cf2623522dbad8eaddcd5b8d512d53bd1d0770e1871dd
Type: fulltext
Mimetype: application/pdf
The full text will be freely available from 2027-08-05 12:00

Authority records

Sissodiya, Aditya
