ABSTRACT
Policy override is gaining traction in the research community as a way to improve the efficiency and usability of authorization mechanisms. Such mechanisms turn conventional privileges into a soft boundary that users may override in exceptional situations. The challenge for practical deployment of policy override is often deciding whether override is adequate at all and, if so, to what extent. In this paper we propose a calculus to support this decision-making process. The calculus is based on proven risk assessment practices and derives a qualitative result on the adequacy of override for specific roles and override extents. We also developed a tool to support the policy override risk assessment. The calculus and the tool are briefly evaluated in two distinct contexts.
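The "soft boundary" the abstract describes is easiest to see in code: a request is first checked against conventional (hard) privileges, and only if that fails does an override path apply, bounded per role by an override extent and recorded for audit. The following is an added illustration for this page, not the paper's calculus or tool; the roles, resources, the `Extent` scale, the 1..3 sensitivity scale and the `Authorizer` class are all assumptions chosen for the example.

```python
"""Minimal policy-override ("break-glass") authorization check.

Added illustration for this page; it is not the paper's calculus or tool.
The roles, resources, extents and sensitivity scale are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
from typing import Optional


class Extent(IntEnum):
    """How far a role's soft boundary may be stretched (assumed scale)."""
    NONE = 0        # hard boundary: no override for this role
    SAME_UNIT = 1   # override only for resources of the user's own unit
    ANY = 2         # override for any resource


@dataclass(frozen=True)
class User:
    name: str
    role: str
    unit: str


@dataclass(frozen=True)
class Resource:
    name: str
    unit: str
    sensitivity: int   # 1 (low) .. 3 (high), assumed scale


@dataclass(frozen=True)
class Decision:
    allowed: bool
    via_override: bool
    reason: str


# Conventional (hard) privileges: (role, resource name, action). Constructed sample data.
PRIVILEGES = {
    ("physician", "patient-record", "read"),
    ("physician", "patient-record", "write"),
    ("nurse", "care-plan", "read"),
}

# Override extent granted to each role; roles not listed get none.
OVERRIDE_EXTENT = {
    "physician": Extent.ANY,
    "nurse": Extent.SAME_UNIT,
    "clerk": Extent.NONE,
}

# Highest sensitivity an override of a given extent may reach.
MAX_OVERRIDE_SENSITIVITY = {Extent.NONE: 0, Extent.SAME_UNIT: 2, Extent.ANY: 3}


class Authorizer:
    """Checks hard privileges first, then the override path; every
    successful override is appended to an audit log for later review."""

    def __init__(self) -> None:
        self.audit = []   # list of dicts, one per accepted override

    def authorize(self, user: User, res: Resource, action: str,
                  justification: Optional[str] = None) -> Decision:
        if (user.role, res.name, action) in PRIVILEGES:
            return Decision(True, False, "granted by conventional privilege")

        extent = OVERRIDE_EXTENT.get(user.role, Extent.NONE)
        if extent == Extent.NONE:
            return Decision(False, False, "role has no override extent")
        if not justification or not justification.strip():
            return Decision(False, False, "override requires a justification")
        if extent == Extent.SAME_UNIT and res.unit != user.unit:
            return Decision(False, False, "override limited to own unit")
        if res.sensitivity > MAX_OVERRIDE_SENSITIVITY[extent]:
            return Decision(False, False, "resource too sensitive for override")

        # Override accepted: record it so auditors can review the exception.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.name, "role": user.role,
            "resource": res.name, "unit": res.unit, "action": action,
            "justification": justification.strip(),
        })
        return Decision(True, True, "granted by policy override")
```

The per-role `OVERRIDE_EXTENT` table is the knob the abstract's "override extent" question is about: widening it (e.g. moving nurses from `SAME_UNIT` to `ANY`) shortens emergency response but also widens the window for misuse, and the audit log is what makes the soft boundary accountable after the fact.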
A calculus for the qualitative risk assessment of policy override authorization