Adapting usage control as a deterrent to address the inadequacies of access controls

Access controls are difficult to implement and evidently deficient under certain conditions. Traditional controls offer no protection for unclassified information, such as an employee telephone list that is unrestricted within the company yet meant to be available only to its members. At the opposite end of the continuum, organizations such as hospitals that manage highly sensitive information require stricter access control measures. Yet traditional access control may well have unintended consequences in such a context: often, in unpredictable circumstances, users who were denied access could have prevented a calamity had they been allowed access. It has been proposed that controls such as auditing and accountability policies be enforced to deter rather than prevent unauthorized usage. In dynamic environments, preconfigured access control policies may change dramatically depending on the context. Moreover, the cost of implementing and maintaining complex preconfigured access control policies sometimes far outweighs the benefits. This paper considers an adaptation of usage control as a proactive means of deterrence control to protect information that cannot be adequately or reasonably protected by access control.
