Two convincing paradigms have emerged for achieving scalability in widely distributed systems: publish/subscribe communication and role-based, policy-driven control of access to the system by applications. A strength of publish/subscribe is its many-to-many communication paradigm and loose coupling of components, so that publishers need not know the recipients of their data and subscribers need not know the number and location of publishers. But some data is sensitive, and its visibility must be controlled carefully for personal and legal reasons. We describe the requirements of several application domains where the event-based paradigm is appropriate yet where security is an issue. Typical are the large-scale systems required by government and public bodies for domains such as healthcare, police, transport and environmental monitoring.
We discuss how a publish/subscribe service can be secured: first by specifying and enforcing access control policy at the service API, and second by enforcing the security and privacy aspects of these policies within the service network itself. Finally, we describe an alternative to whole-message encryption, appropriate for highly sensitive and long-lived data destined for specific domains with varied requirements. We outline our investigations and findings from several research projects in these areas.
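The two controls the abstract names (role-based policy enforced at the publish/subscribe API, and attribute-level rather than whole-message protection of sensitive data) can be made concrete with a small broker model. The following is an added example written for this page, not the paper's own scheme or code: the roles, topics, event attributes, the "clinical" domain and its key distribution, and the toy HMAC-based cipher are all constructed assumptions. Routing attributes such as `ward` stay in the clear so the broker can filter on them, while `patient_id` and `diagnosis` are sealed under a domain key that only members of that domain hold.

```python
"""Added illustration (not the paper's own code) of two controls: role-based
policy enforced at a publish/subscribe API, and attribute-level encryption so a
broker routes on plaintext attributes while sensitive fields stay readable only
by a domain that holds the key. Roles, topics, domains and the toy cipher are
constructed for this example."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy tables: which roles may subscribe to / publish on a topic.
SUBSCRIBE_POLICY: Dict[str, Set[str]] = {"ward/telemetry": {"nurse", "doctor", "facilities"}}
PUBLISH_POLICY: Dict[str, Set[str]] = {"ward/telemetry": {"monitor-device"}}
# Constructed attribute policy: sensitive attributes and the domain whose key protects
# them; attributes not listed stay in the clear so brokers can filter on them.
ATTRIBUTE_DOMAIN: Dict[str, str] = {"patient_id": "clinical", "diagnosis": "clinical"}


class PolicyError(PermissionError):
    """Raised when a principal's roles do not satisfy the policy for an API call."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream; a stand-in for a real AEAD cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: str) -> Dict[str, str]:
    """Encrypt one attribute value and authenticate it (encrypt-then-MAC)."""
    nonce = os.urandom(12)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, blob: Dict[str, str]) -> str:
    """Verify the tag, then decrypt; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("attribute authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class Broker:
    """Enforces role policy at the API and seals sensitive attributes before routing."""

    def __init__(self, domain_keys: Dict[str, bytes]):
        self.domain_keys = domain_keys
        self.subscriptions: List[Tuple[str, str, Dict[str, str]]] = []
        self.delivered: Dict[str, List[dict]] = {}

    def subscribe(self, principal: str, roles: Set[str], topic: str,
                  where: Optional[Dict[str, str]] = None) -> None:
        if not roles & SUBSCRIBE_POLICY.get(topic, set()):
            raise PolicyError(f"{principal} may not subscribe to {topic}")
        self.subscriptions.append((principal, topic, where or {}))

    def publish(self, principal: str, roles: Set[str], topic: str, event: Dict[str, str]) -> int:
        if not roles & PUBLISH_POLICY.get(topic, set()):
            raise PolicyError(f"{principal} may not publish on {topic}")
        sealed = {k: seal(self.domain_keys[ATTRIBUTE_DOMAIN[k]], v) if k in ATTRIBUTE_DOMAIN else v
                  for k, v in event.items()}
        count = 0
        for sub, sub_topic, where in self.subscriptions:
            # Filters can only match plaintext attributes; sealed ones are opaque to the broker.
            if sub_topic == topic and all(sealed.get(k) == v for k, v in where.items()):
                self.delivered.setdefault(sub, []).append(sealed)
                count += 1
        return count


def reveal(event: dict, keys_held: Dict[str, bytes]) -> Dict[str, str]:
    """Subscriber view: decrypt attributes whose domain key it holds; mark the rest."""
    view = {}
    for k, v in event.items():
        if k in ATTRIBUTE_DOMAIN:
            key = keys_held.get(ATTRIBUTE_DOMAIN[k])
            view[k] = unseal(key, v) if key else "<sealed:" + ATTRIBUTE_DOMAIN[k] + ">"
        else:
            view[k] = v
    return view


def demo() -> dict:
    """Constructed scenario: two ward subscribers plus a facilities subscriber without the key."""
    keys = {"clinical": os.urandom(32)}  # constructed domain key, issued only to clinical roles
    broker = Broker(keys)
    broker.subscribe("nurse-7", {"nurse"}, "ward/telemetry", where={"ward": "C4"})
    broker.subscribe("nurse-9", {"nurse"}, "ward/telemetry", where={"ward": "B2"})
    broker.subscribe("estates-1", {"facilities"}, "ward/telemetry")
    delivered = broker.publish("monitor-device-42", {"monitor-device"}, "ward/telemetry",
                               {"ward": "C4", "bed": "3", "patient_id": "P-0001",
                                "diagnosis": "constructed-sample"})
    return {"deliveries": delivered,
            "nurse-7": reveal(broker.delivered["nurse-7"][0], keys),  # holds the clinical key
            "estates-1": reveal(broker.delivered["estates-1"][0], {})}  # no clinical key


if __name__ == "__main__":
    print(demo())
```

The broker never needs the clinical key to route, which is the point of sealing attributes individually rather than the whole message: a filter on `ward` still matches, the facilities subscriber receives the event but sees `patient_id` and `diagnosis` only as opaque blobs, and the API refuses subscriptions and publications whose roles the policy tables do not permit. The HMAC counter-mode construction is a placeholder to keep the example dependency-free; a deployment would use a standard AEAD with the same per-attribute, per-domain key structure.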