Preventative Directions For Insider Threat Mitigation Via Access Control

Much research on mitigating the threat posed by insiders focuses on detection. In this chapter, we consider the prevention of attacks using access control. While recent work and development in this space are promising, our studies of technologists in financial, health care, and other enterprise environments reveal a disconnect between what "real world" practitioners desire and what the research and vendor communities can offer. Basing our arguments on this ethnographic research (which targets both the technology and the human business systems that drive and constrain it), we present the theoretical underpinnings of modern access control, discuss the requirements of successful solutions for corporate environments today, and offer a survey of current technology that addresses these requirements. The paper concludes by exploring areas of future development in access control that offer particular promise in the struggle to prevent insider attack.
