Active access control (AAC) with fine-granularity and scalability

Strong access control mechanisms become most critical when we need security services in large-scale computing environments of sensitive organizations. Furthermore, if users join or leave such computing environment frequently, requiring different access control decisions based on their current job responsibilities and contexts, the need for advanced access control is pressing. Although the currently available access control approaches have a great potential for providing reliable service, there are still critical obstacles to be solved, especially in large-scale, dynamic computing environments. In this paper we introduce an advanced access control mechanism, Active Access Control (AAC), which accounts for the ability to make dynamic access control decisions based not only on pre-defined privileges, but also on the current situation of the user. The framework of the proposed AAC approach provides fine-grained access control, by considering a variety of attributes about the user and the current computing environment, especially, when the users contexts are frequently changed. Although the outputs of the AAC approach can be integrated with any other existing access control mechanisms and improve the overall fine-granularity, as a full demonstration of our approach for fine-granularity as well as scalability, in this particular paper we focus on large-scale computing environments and integrate the AAC results with the role-based approach. Finally, in order to prove the feasibility of our proposed idea we implement the AAC approach with roles and discuss the evaluation results with existing approaches. Copyright © 2010 John Wiley & Sons, Ltd.

[1]  Jeffrey D. Ullman,et al.  Protection in operating systems , 1976, CACM.

[2]  Naftaly H. Minsky Selective and locally controlled transport of privileges , 1984, TOPL.

[3]  Peter J. Denning,et al.  Protection: principles and practice , 1972, AFIPS '72 (Spring).

[4]  Indrajit Ray,et al.  TrustBAC: integrating trust relationships into the RBAC model for access control in open systems , 2006, SACMAT '06.

[5]  Sushil Jajodia,et al.  A logical language for expressing authorizations , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[6]  Rajeev Motwani,et al.  On the decidability of accessibility problems (extended abstract) , 2000, STOC '00.

[7]  Joon S. Park,et al.  Trusted P2P computing environments with role-based access control , 2007, IET Inf. Secur..

[8]  Joon S. Park,et al.  Composite Role-Based Monitoring (CRBM) for Countering Insider Threats , 2004, ISI.

[9]  Elisa Bertino,et al.  X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control , 2005, TSEC.

[10]  Manish Parashar,et al.  Dynamic context-aware access control for grid applications , 2003, Proceedings. First Latin American Web Congress.

[11]  Robert H. Anderson Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Misuse of Critical Defense Information Systems. , 1999 .

[12]  Michael Hayden The Insider Threat to U.S. Government Information Systems , 1999 .

[13]  Ninghui Li,et al.  Administration in role-based access control , 2007, ASIACCS '07.

[14]  Joon S. Park,et al.  Access Control Requirements for Preventing Insider Threats , 2006, ISI.

[15]  Jaideep Vaidya,et al.  RoleMiner: mining roles using subset enumeration , 2006, CCS '06.

[16]  Robert H. Anderson,et al.  Understanding the Insider Threat , 2004 .

[17]  Mikhail J. Atallah,et al.  Provable bounds for portable and flexible privacy-preserving access , 2005, SACMAT '05.

[18]  Elisa Bertino,et al.  A flexible authorization mechanism for relational data management systems , 1999, TOIS.

[19]  Sandra Kay Miller Facing the Challenge of Wireless Security , 2001, Computer.

[20]  Joon S. Park,et al.  WLAN Security: Current and Future , 2003, IEEE Internet Comput..

[21]  Jianping Fan,et al.  Access control, confidentiality and privacy for video surveillance databases , 2006, SACMAT '06.

[22]  Ravi S. Sandhu,et al.  Binding identities and attributes using digitally signed certificates , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[23]  Gregory D. Abowd,et al.  Securing context-aware applications using environment roles , 2001, SACMAT '01.

[24]  Ninghui Li,et al.  Design of a role-based trust-management framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[25]  Ninghui Li,et al.  Beyond proof-of-compliance: safety and availability analysis in trust management , 2003, 2003 Symposium on Security and Privacy, 2003..

[26]  Ravi S. Sandhu,et al.  The Extended Schematic Protection Model , 1992, J. Comput. Secur..

[27]  Ravi S. Sandhu,et al.  Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management , 1997, DBSec.

[28]  Gail-Joon Ahn,et al.  Role-based authorization constraints specification , 2000, TSEC.

[29]  Jean Bacon,et al.  A model of OASIS role-based access control and its support for active security , 2002, ACM Trans. Inf. Syst. Secur..

[30]  Axel Kern,et al.  Rule support for role-based access control , 2005, SACMAT '05.

[31]  Ravi S. Sandhu,et al.  Secure Cookies on the Web , 2000, IEEE Internet Comput..

[32]  Ravi S. Sandhu,et al.  A model for attribute-based user-role assignment , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[33]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[34]  Ravi S. Sandhu The typed access matrix model , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[35]  D. E. Bell,et al.  Secure Computer Systems : Mathematical Foundations , 2022 .

[36]  Mustaque Ahamad,et al.  A context-aware security architecture for emerging applications , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[37]  Alfons H. Salden,et al.  Context sensitive access control , 2005, SACMAT '05.

[38]  Atul Prakash,et al.  Methods and limitations of security policy reconciliation , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[39]  Trent Jaeger,et al.  Policy management using access control spaces , 2003, TSEC.

[40]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[41]  Joon S. Park,et al.  A composite rbac approach for large, complex organizations , 2004, SACMAT '04.

[42]  Carrie Gates,et al.  Defining the insider threat , 2008, CSIIRW '08.

[43]  He Wang,et al.  Delegation in the role graph model , 2006, SACMAT '06.

[44]  Elisa Bertino,et al.  Fine-grained role-based delegation in presence of the hybrid role hierarchy , 2006, SACMAT '06.

[45]  Elisa Bertino,et al.  A unified framework for enforcing multiple access control policies , 1997, SIGMOD '97.

[46]  Gail-Joon Ahn,et al.  Role-based access control on the web , 2001, TSEC.

[47]  Angelos D. Keromytis,et al.  Requirements for scalable access control and security management architectures , 2007, TOIT.

[48]  Ravi S. Sandhu,et al.  Safety analysis for the extended schematic protection model , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.