Analyzing Quality Criteria in Role-based Identity and Access Management

Michael Kunz, Ludwig Fuchs, Michael Netter, Günther Pernul

Abstract

Roles have turned into the de facto standard for access control in enterprise identity management systems. However, as roles evolve over time, companies struggle to develop and maintain a consistent role model. Up to now, the core challenge of measuring the current quality of a role model and selecting criteria for its optimization remains unsolved. In this paper, we conduct a survey of existing role mining techniques and identify quality criteria inherently used by these approaches. This guides organizations during the selection of a role mining technique that matches their company-specific quality preferences. Moreover, our analysis aims to stimulate the research community to integrate quality metrics in future role mining approaches.
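The abstract speaks of measuring the quality of a role model without saying how such criteria are evaluated in practice. The following Python sketch, an added example that is not code from the paper or its authors, makes two of the criteria commonly used in role-mining work concrete: structural size (number of roles, total user-role plus role-permission assignments, compared against direct assignment) and correctness (whether the role model reproduces the user-permission assignment exactly, counting over- and under-provisioned permissions). The user-permission data, the naive mining step (one role per distinct permission set) and the deliberately coarse single-role model are all constructed here for illustration and are assumptions, not the paper's method.

```python
"""Quality checks for a candidate RBAC role model (added illustration).

Assumptions: the user-permission assignment (UPA) is a dict user -> set of
permission strings; a role model is a pair (UA, PA) with UA: user -> set of
role names and PA: role name -> set of permissions.
"""

# Constructed sample UPA: three ledger clerks, two HR staff, one read-only user.
UPA = {
    "alice": {"ledger:read", "ledger:write"},
    "bob":   {"ledger:read", "ledger:write"},
    "erin":  {"ledger:read", "ledger:write"},
    "carol": {"ledger:read", "hr:read", "hr:write"},
    "frank": {"ledger:read", "hr:read", "hr:write"},
    "dave":  {"ledger:read"},
}


def mine_unique_permission_sets(upa):
    """Baseline role mining: one role per distinct permission set in UPA.

    This always reproduces UPA exactly, so it scores perfectly on
    correctness; whether it also reduces administrative size depends on
    how many users share a permission set.
    """
    seen, ua, pa = {}, {}, {}
    for user, perms in sorted(upa.items()):
        key = frozenset(perms)
        if key not in seen:
            seen[key] = "R%d" % (len(seen) + 1)
            pa[seen[key]] = set(perms)
        ua[user] = {seen[key]}
    return ua, pa


def coarse_model(upa):
    """Constructed 'one role for everybody' model: minimal number of roles,
    but it grants every user every permission (over-provisioning)."""
    all_perms = set().union(*upa.values())
    return {u: {"R_all"} for u in upa}, {"R_all": all_perms}


def effective_permissions(ua, pa):
    """Permissions each user actually holds through the roles in UA."""
    return {u: set().union(*(pa[r] for r in roles)) for u, roles in ua.items()}


def role_model_quality(upa, ua, pa):
    """Evaluate a role model against UPA on size and correctness criteria."""
    eff = effective_permissions(ua, pa)
    users = set(upa) | set(ua)
    # Over-assignments grant access UPA never authorised (a security risk);
    # under-assignments withhold access a user needs (an availability risk).
    over = sum(len(eff.get(u, set()) - upa.get(u, set())) for u in users)
    under = sum(len(upa.get(u, set()) - eff.get(u, set())) for u in users)
    ua_size = sum(len(r) for r in ua.values())
    pa_size = sum(len(p) for p in pa.values())
    direct = sum(len(p) for p in upa.values())
    return {
        "roles": len(pa),
        "ua_plus_pa": ua_size + pa_size,      # administrative size of the model
        "direct_assignments": direct,         # size of UPA without any roles
        "over_assignments": over,
        "under_assignments": under,
        "exact": over == 0 and under == 0,    # model reproduces UPA exactly
    }


if __name__ == "__main__":
    for name, model in (("unique-sets", mine_unique_permission_sets(UPA)),
                        ("coarse", coarse_model(UPA))):
        print(name, role_model_quality(UPA, *model))
```

On the constructed data the unique-set model uses 3 roles and 12 assignments against 13 direct assignments, and is exact; the coarse model is smaller still (1 role, 10 assignments) but over-provisions 11 user-permission pairs. That is the trade-off the survey is about: a technique that optimises only for a minimal number of roles will happily produce the coarse model, so an organisation has to choose a mining technique whose built-in criteria match the ones it actually cares about.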



Paper Citation


in Harvard Style

Kunz M., Fuchs L., Netter M. and Pernul G. (2015). Analyzing Quality Criteria in Role-based Identity and Access Management. In Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-081-9, pages 64-72. DOI: 10.5220/0005232100640072


in Bibtex Style

@conference{icissp15,
author={Michael Kunz and Ludwig Fuchs and Michael Netter and Günther Pernul},
title={Analyzing Quality Criteria in Role-based Identity and Access Management},
booktitle={Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2015},
pages={64-72},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005232100640072},
isbn={978-989-758-081-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Analyzing Quality Criteria in Role-based Identity and Access Management
SN - 978-989-758-081-9
AU - Kunz M.
AU - Fuchs L.
AU - Netter M.
AU - Pernul G.
PY - 2015
SP - 64
EP - 72
DO - 10.5220/0005232100640072