João Moura edited this page Nov 5, 2015 · 3 revisions

# Overview

Our objective is to create an authorization system for a medical records database. The system will be able to change the authorization hierarchy dynamically, so that it stays flexible while still offering secure and reliable authorization.

# Motivation

In every system that records sensitive data, privacy and access security should be a concern. Medical records are no exception and should be properly managed in order to assure the patient, the medical staff and the hospitals that the data is not misused and does not reach the wrong hands. This kind of system is especially interesting in the scope of this course because it is a real-world instance of the security issues discussed during the lectures. Building a good, robust and secure system of this kind will require applying the knowledge acquired during the course, but also learning new methods for this common problem, which arises in many areas and applications.

# Goals

  • Create the record access system without an authorization policy
  • Add a static authorization policy
  • Change the authorization policy to be dynamic
  • Enforce other security measures, such as:
    • Ensure confidentiality of the records
    • Prevent SQL injection
    • Ensure integrity of the records

# Proposed solution

In this solution the system has a database which stores the records, the hierarchy of the roles and their permissions. It also has an application that acts as an access layer for these records: depending on the user's role, access to a record is granted or denied. This access layer must ensure that the communication between the database and the users is secure, preventing security issues and attacks such as:

  • Identity spoofing
  • Man-in-the-middle attacks that record confidential data, tamper with it, or prevent it from reaching its original destination
  • SQL injection

So that the roles can be managed dynamically, there must always be an Administrator user profile that can add, remove or change the other profiles.
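One way the access layer could enforce the dynamic role policy and keep record lookups safe from SQL injection, shown here as an added illustration rather than code from the project. The schema, the role names and the `manage_roles` action reserved for the Administrator are assumptions; the data is a constructed sample.

```python
import sqlite3


def setup_db():
    # Constructed in-memory sample: the records plus a role/permission table
    # that the Administrator changes at run time (the "dynamic" policy).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE records(id INTEGER PRIMARY KEY, patient TEXT, note TEXT);
        CREATE TABLE role_permissions(role TEXT, action TEXT, PRIMARY KEY(role, action));
        INSERT INTO records VALUES (1, 'Alice', 'constructed sample note');
        INSERT INTO role_permissions VALUES ('doctor', 'read'), ('doctor', 'write'),
                                            ('nurse', 'read'), ('admin', 'manage_roles');
    """)
    return db


def is_allowed(db, role, action):
    # The policy is read from the database on every check, so a change made by
    # the Administrator takes effect without redeploying the access layer.
    row = db.execute("SELECT 1 FROM role_permissions WHERE role = ? AND action = ?",
                     (role, action)).fetchone()
    return row is not None


def read_record(db, role, record_id):
    if not is_allowed(db, role, "read"):
        raise PermissionError(f"role {role!r} may not read records")
    # Parameterised query: record_id is bound as a value, never spliced into
    # the SQL text, so input such as "1 OR 1=1" simply matches no row.
    return db.execute("SELECT patient, note FROM records WHERE id = ?",
                      (record_id,)).fetchone()


def grant(db, actor_role, role, action):
    # Only a role holding manage_roles (the Administrator) may change the hierarchy.
    if not is_allowed(db, actor_role, "manage_roles"):
        raise PermissionError("only the Administrator may change roles")
    db.execute("INSERT OR IGNORE INTO role_permissions VALUES (?, ?)", (role, action))
    db.commit()


def revoke(db, actor_role, role, action):
    if not is_allowed(db, actor_role, "manage_roles"):
        raise PermissionError("only the Administrator may change roles")
    db.execute("DELETE FROM role_permissions WHERE role = ? AND action = ?", (role, action))
    db.commit()
```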

# Work plan

| Date   | David                                         | Ricardo                                       | João                                          |
|--------|-----------------------------------------------|-----------------------------------------------|-----------------------------------------------|
| 2 Nov  | Project proposal                              | Project proposal                              | Project proposal                              |
| 9 Nov  | Record access system without authorization policy | Record access system without authorization policy | Record access system without authorization policy |
| 16 Nov | Add static authorization policy               | Add static authorization policy               | Add static authorization policy               |
| 23 Nov | Change authorization policy to be dynamic     | Change authorization policy to be dynamic     | Change authorization policy to be dynamic     |
| 30 Nov | Ensure record confidentiality                 | Ensure record integrity                       | Prevent SQL injection                         |

# Tool references (libraries, etc. that will be used in the project)
