METAPOLICIES AND CONTEXT-BASED ACCESS CONTROL
Ronda R. Henning
2005
Abstract
An access control policy mediates access between authorized users of a computer system and system resources. Access control policies are defined at a given level of abstraction, such as the file, directory, system, or network, and can be instantiated in layers of increasing (or decreasing) abstraction. In this paper, the concept of a metapolicy, or policy that governs execution of subordinate security policies, is introduced. The metapolicy provides a method to communicate updated higher level policy information to all components of a system; it minimizes the overhead associated with access control decisions by making access decisions at the highest level possible in the policy hierarchy. This paper discusses how metapolicies are defined and how they relate to other access control mechanisms.The rationale for revisiting metapolicies as an access control option for federated enterprise architectures is presented, and a framework for further research in metapolicy use as a context based access control representation is described.
References
- Abadi, M. B., et al (1993). A calculus for access control in distributed systems. ACM Transactions on Programming Languages and Systems, Vol. 15(No. 4), 706-734.
- Baskerville, R., and Siponen, Milo. (2002). An information security meta-policy for emergent organizations. Logistics Information Management, Vol. 15(No. 5/6), 337-346.
- Bell, D. E. (1994, February 1994). Modeling the "multipolicy machine". Paper presented at the New Security Paradigms Workshop, Little Compton, RI, US.
- Bertino, E. C., et al (2001, 3-4 May, 2001). A logical framework for reasoning about access control models. Paper presented at the SACMAT'01, Chantilly, VA, USA.
- Brézillon, P., and Mostéfaoui, Ghita Kouadri. (2004). Context-based security policies: A new modeling approach. Paper presented at the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops (PERCOMW'04).
- Ferraiolo, D. and. Kuhn., D.M. (1995, October 1999). Role-based access controls. Paper presented at the Fifteenth Annual National Computer Security Conference (NCSC), Baltimore, MD.
- Gligor, V. (1995). Characteristics of role-based access control. Paper presented at the Proceedings of the first ACM Workshop on Role-based access control, Gaithersburg, MD, USA.
- Government, U.S. (2001) Defense Authorization Act, Government Information Security Reform Act (GISRA), U.S. Congress, 106 Sess.(2001).
- Government, U. S. (2003). The 9/11 commission report, final report of the National commission on terrorist attacks upon the United States. New York, NY: W.W. Norton & Company Inc.
- Hafmann, U.; and Kuhnhauser, Winfried. (1999). Embedding security policies into a distributed computing environment. SIGOPS Operating System Review, Vol. 33(No. 2), pp. 51-64.
- Han, Y. F., Liu; Hong, Zhang. (2000). An object-oriented model of access control based on role. ACM SIGSOFT Software Engineering Notes, Vol. 25(No.2), 64-68.
- Hosmer, H. H. (1991, 3 December 1991). Metapolicies I. Paper presented at the ACM SIGSAC Special Workshop on Data Management Security and Privacy Standards, San Antonio, TX.
- Hosmer, H. H. (1993). The multipolicy paradigm for trusted systems. Paper presented at the New Security Paradigms Workshop, Little Compton, RI, US.
- Jaeger Trent, et al (2003). Policy management using access control spaces. ACM Transactions on Information and System Security (TISSEC), Vol. 6(No. 3), 327-364.
- Jaeger, Trent. Treadwell., Jonathon. (2001). Practical safety in flexible access control models. ACM Transactions on Information and System Security, Vol. 4(No. 2), pp. 158-190.
- International Committee for IT Standards/ANSI. (2004). Information technology -- role based access control: ANSI/INCITS.
- Park, J. S.; et al (2004, 2-4 June). A composite RBAC approach for large, complex organizations. Paper presented at the SACMAT'04, Yorktown Heights, NY, U.S.
- Press, Microsoft. (2004). Microsoft Encarta dictionary for Office 2003, Windows XP edition.
- Sandhu, R. (2004). A logical specification for usage control. Paper presented at the Proceedings of the ninth ACM symposium on Access control models and technologies, Yorktown Heights, New York, USA.
- Sandhu, R. et al (1996). Role-based access control models. IEEE Computer, Vol. 29(No. 2), pp. 38-47.
- Sandhu, R.;et al (2000, 26-27 July 2000). The NISTt model for role-based access control: Towards a united standard. Paper presented at the Fifth ACM Workshop on Role-based Access Control, Berlin, Germany.
- Schell, R. R. (1979). Computer security -- the Achilles' heel of the electronic air force. Air University Review, Vol. XXX(No. 2), pp. 16-33.
- Strembeck, M. &. N., Gustaf. (2004). An integrated approach to engineer and enforce context constraints in RBAC environments. ACM Transactions on Information and System Security, Vol. 7(No. 3), 392- 427.
- U.S. Government, National Institute of Standards and Technology. (2005). NIST special publication 800-73, interfaces for personal identity verification (Draft Standard), 31 January 2005 Washington, DC: Department of Commerce.
- Wang, H. J.,et al (2004). Security policy reconciliation in distributed computing environments. Paper presented at the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (Policy'04).
Paper Citation
in Harvard Style
R. Henning R. (2005). METAPOLICIES AND CONTEXT-BASED ACCESS CONTROL . In Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 3: ICEIS, ISBN 972-8865-19-8, pages 355-359. DOI: 10.5220/0002579203550359
in Bibtex Style
@conference{iceis05,
author={Ronda R. Henning},
title={METAPOLICIES AND CONTEXT-BASED ACCESS CONTROL},
booktitle={Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 3: ICEIS,},
year={2005},
pages={355-359},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002579203550359},
isbn={972-8865-19-8},
}
in EndNote Style
TY - CONF
JO - Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 3: ICEIS,
TI - METAPOLICIES AND CONTEXT-BASED ACCESS CONTROL
SN - 972-8865-19-8
AU - R. Henning R.
PY - 2005
SP - 355
EP - 359
DO - 10.5220/0002579203550359