Provenance-Based Analytics Services for Access Control Policies

Successful collaborations require information and resource sharing and thus adequate access control policy management systems that control sharing among the collaborating entities. Such management systems need to be flexible in order to adapt to different environments and thus be able to support access control policy evolution. However, when dealing with large sets of evolving policies it is critical that policies meet certain "policy quality requirements". Specifically, policies of interest must be up-to-date, complete, free of inconsistencies, relevant. In this paper, we propose an approach to analyze policies in order to determine whether policies meet such requirements. Our approach is based on the use of provenance techniques that collect comprehensive data about actions executed by users in the context of workflows, that is, sets of tasks executed according to some ordering by users. Provenance data are used by services that support various types of analysis to determine whether the policies of interest verify the quality requirements.

[1]  Jorge Lobo,et al.  Privacy-Aware Role-Based Access Control , 2007, IEEE Security & Privacy.

[2]  Elisa Bertino,et al.  Access Control for Databases: Concepts and Systems , 2011, Found. Trends Databases.

[3]  Elisa Bertino,et al.  QL-SimP: Query Language for Secure Interoperable Multi-Granular Provenance Framework , 2016, 2016 IEEE 2nd International Conference on Collaboration and Internet Computing (CIC).

[4]  Morris Sloman,et al.  Policy Conflict Analysis in Distributed System Management , 1994 .

[5]  Kathi Fisler,et al.  Verification and change-impact analysis of access-control policies , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[6]  Elisa Bertino,et al.  A Cognitive Policy Framework for Next-Generation Distributed Federated Systems: Concepts and Research Directions , 2017, 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS).

[7]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[8]  Elisa Bertino,et al.  SimP: Secure interoperable multi-granular provenance framework , 2016, 2016 IEEE 12th International Conference on e-Science (e-Science).

[9]  Kamel Adi,et al.  Detecting incompleteness in access control policies using data classification schemes , 2010, 2010 Fifth International Conference on Digital Information Management (ICDIM).

[10]  Luigi Logrippo,et al.  Access Control Policies: Modeling and Validation , 2005 .

[11]  Jorge Lobo,et al.  EXAM: a comprehensive environment for the analysis of access control policies , 2010, International Journal of Information Security.

[12]  Elisa Bertino,et al.  Distributed Intelligence: Trends in the Management of Complex Systems , 2017, SACMAT.

[13]  Elisa Bertino,et al.  CRIS — Computational research infrastructure for science , 2013, 2013 IEEE 14th International Conference on Information Reuse & Integration (IRI).

[14]  Elisa Bertino,et al.  GEO-RBAC: a spatially aware RBAC , 2005, SACMAT '05.

[15]  Jorge Lobo,et al.  Privacy-aware role-based access control , 2010 .

[16]  BertinoElisa,et al.  Privacy-aware role-based access control , 2010 .

[17]  Elisa Bertino,et al.  Framework for behavioral analytics in anomaly identification , 2017, Defense + Security.

[18]  Elisa Bertino,et al.  A model of authorization for next-generation database systems , 1991, TODS.

[19]  Kamel Adi,et al.  Inconsistency detection method for access control policies , 2010, 2010 Sixth International Conference on Information Assurance and Security.

[20]  Jorge Lobo,et al.  Toward a Formal Characterization of Policy Specification & Analysis , 2007 .

[21]  Luc Moreau,et al.  The Open Provenance Model , 2007 .

[22]  Elisa Bertino,et al.  TRBAC: a temporal role-based access control model , 2000, RBAC '00.

[23]  Luigi V. Mancini,et al.  On the specification and evolution of access control policies , 2001, SACMAT '01.

[24]  D. Richard Kuhn,et al.  Role-Based Access Controls , 2009, ArXiv.