The future of access control: Attributes, automation and adaptation

Access control has been and will always be one of the centerpieces of cyber security. This talk will focus on three necessary characteristics of access control in future systems: attributes, automation and adaptation. Future access control policies will be built around attributes, which are properties of relevant entities, so they can apply to large numbers of entities while being fine-grained at the same time. This transition to attribute-based access control has been in process for about two decades and is approaching a major inflection point. Automation and adaptation, however, are newer concepts. Automation seeks to break away from requiring human users to configure access control policies, by delegating more of the routine tasks to smart software. Adaptation recognizes that access control must adjust as circumstances change. This talk will speculate on a future built around these three synergistic elements, and on the research and technology challenges in making this vision a reality.

Biography: Ravi Sandhu is Executive Director of the Institute for Cyber Security at the University of Texas at San Antonio, where he holds the Lutcher Brown Endowed Chair in Cyber Security. Previously he was on the faculty at George Mason University (1989-2007) and Ohio State University (1982-1989). He holds BTech and MTech degrees from IIT Bombay and Delhi, and MS and PhD degrees from Rutgers University. He is a Fellow of IEEE, ACM and AAAS, and has received awards from IEEE, ACM, NSA and NIST. A prolific and highly cited author, his research has been funded by NSF, NSA, NIST, DARPA, AFOSR, ONR, AFRL and private industry. His seminal papers on role-based access control established it as the dominant form of access control in practical systems. His numerous other models and mechanisms have also had considerable real-world impact.
He is Editor-in-Chief of the IEEE Transactions on Dependable and Secure Computing, and founding General Chair of the ACM Conference on Data and Application Security and Privacy. He previously served as founding Editor-in-Chief of ACM Transactions on Information and System Security and on the editorial board for IEEE Internet Computing. He was Chairman of ACM SIGSAC, and founded the ACM Conference on Computer and Communications Security and the ACM Symposium on Access Control Models and Technologies and chaired their Steering Committees for many years. He has served as General Chair, Program Chair and Committee Member for numerous security conferences. He has consulted for leading industry and government organizations, and has