
SUNRISE Scientific Publication

RiBAC: Strengthening Access Control Systems for Pandemic Risk Reduction while Preserving Privacy

SUNRISE partners AIT and IMA published a paper in the proceedings of the 18th International Conference on Availability, Reliability and Security (ARES 2023), titled ‘RiBAC: Strengthening Access Control Systems for Pandemic Risk Reduction while Preserving Privacy’.

Abstract

Traditional (physical) access control systems are well-established mechanisms, allowing organizations to determine who should be able to access which physical space. This can either be a facility such as a critical infrastructure with a well-defined set of individuals, e.g., employees, or public spaces where everyone can be subject to access control. During the Covid-19 pandemic, additional features to reduce the risks of individuals when entering spaces became popular or even mandatory, including automatic scanning for protective wear (e.g., whether an individual wears a mask), body temperature checks, or digital health certificates, certifying that one has been negatively tested for, or vaccinated against, Covid-19. We refer to this as risk-based access control (RiBAC).

In the Covid-19 pandemic, largely due to the time pressure for implementing these measures, many such RiBAC extensions to classical AC systems required manual intervention. This, besides posing health risks for the individuals performing these checks, yields a solution which is not scalable. Now that the Covid-19 pandemic no longer constitutes a public health emergency of international concern by the World Health Organization (WHO), it is time to reconsider RiBAC systems. Our main focus in this work is to investigate requirements for such systems and to discuss possible generic architectures for RiBAC systems. In order to be prepared for a future pandemic, the goal should be to implement such systems in a way such that they are scalable and risk-minimizing. We will specifically focus on privacy of the individuals subject to access control in RiBAC, while preserving the functionality of the system. Moreover, our focus is on the European setting where digital health certificates were considered as a central risk-reducing mechanism. In this context, we discuss the use of privacy-preserving cryptography in order to be able to have RiBAC systems that are privacy-preserving already in place for any potential future pandemic.
