The Challenge of Access Control Policies Quality

Bertino, Elisa; Jabal, Amani Abu; Calo, Seraphin; Verma, Dinesh; Williams, Christopher

doi:10.1145/3209668

Cited by 17 publications

(10 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, accessibility and acquisition (security) are present in Wang and Strong [75] and Ge et al [36]. The use of digital technologies in the construction industry has increased the speed of work, improved communication, allowed for faster access [8] to common data and a decrease in the number of mistakes in documentation [62]. Moreover, the advent of BIM in the construction industry has leveraged the use of digital information which implies improved information flows [51] and decision-making in the design process [65].…”

Section: Incentivesmentioning

confidence: 99%

The Information Resilience Framework

Blay

Yeomans²,

Demian

et al. 2020

J. Data and Information Quality

View full text Add to dashboard Cite

The quality of information is crucial to the success of asset delivery, management, and performance in the Digitised Architecture, Engineering, Construction, and Operations (DAECO) sector. The exposure and sensitivity of information to threats during its lifecycle leaves it vulnerable, affecting the intrinsic, relational, and security dimensions of information quality. A resilient information lifecycle perspective that identifies capabilities and requirements is therefore needed to assure information quality amid threats. This research develops and presents an information resilience (IR) framework by drawing on the theories of resilience, information quality, and vulnerability. In developing the framework, the critical incident technique was employed in interviewing 30 professionals (average of 40 minutes) in addition to reviewing seven project-documents across three digitally-driven infrastructure projects (making up 324 pages of data). The validated capabilities and requirements identified from this study have been collated into the framework and this highlights the need for cognitive-driven capabilities and process-driven requirements in DAECO.

show abstract

Section: Incentivesmentioning

confidence: 99%

The Information Resilience Framework

Blay

Yeomans²,

Demian

et al. 2020

J. Data and Information Quality

View full text Add to dashboard Cite

show abstract

“…2) Quality Assessment and Validation of Policies: The goal of the PCP component of the framework is to check the quality and validity of the generated policies received internally, or of external policies shared by other AMSs in a collaborative environment. Quality of policies can be checked by the Quality component inside the PCP by considering different policy metrics and policy quality requirements such as consistency, completeness, relevance, and minimality [14].…”

Section: A Key Components Of Agenpmentioning

confidence: 99%

“…"Low quality" examples include inconsistent responses to similar requests and requests associated with irrelevant responses which do not reflect appropriate decisions of a policies (i.e., 'not applicable' decision for XACML policies). Formal definitions of "low quality" examples can be adapted from the definitions of "low quality" policies by Bertino et al [14], [31]. These formal definitions enable analyzing policies [31], [32].…”

Section: Access Control Policiesmentioning

confidence: 99%

See 1 more Smart Citation

Generative Policies for Coalition Systems - A Symbolic Learning Framework

Bertino

White²,

Lobo

et al. 2019

2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS)

Self Cite

View full text Add to dashboard Cite

Policy systems are critical for managing missions and collaborative activities carried out by coalitions involving different organizations. Conventional policy-based management approaches are not suitable for next-generation coalitions that will involve not only humans, but also autonomous computing devices and systems. It is critical that those parties be able to generate and customize policies based on contexts and activities. This paper introduces a novel approach for the autonomic generation of policies by autonomous parties. The framework combines context free grammars, answer set programs, and inductionbased learning. It allows a party to generate its own policies, based on a grammar and some semantic constraints, by learning from examples. The paper also outlines initial experiments in the use of such a symbolic approach and outlines relevant research challenges, ranging from explainability to quality assessment of policies.

show abstract

“…All the combined attacks build an attack path that can be used to retrace the attack. Additionally, the specification of dynamic access control policies, such as attribute-based access control (ABAC) [5], is complicated [6] because of the range of possible values, and it is hard to estimate the impact of access control policies on the confidentiality of the system [7]. This holds especially for more subtle consequences like enabling a malicious user to propagate easier through the system.…”

Section: Introductionmentioning

confidence: 99%

Architectural Attack Propagation Analysis for Identifying Confidentiality Issues

Walter

Heinrich

Reussner

2022

2022 IEEE 19th International Conference on Software Architecture (ICSA)

View full text Add to dashboard Cite

Exchanging data between different systems enables us to build new smart services and digitise various areas of our daily life. This digitalisation leads to more efficient usage of resources, and an increased monetary value. However, the connection of different systems also increases the number of potential vulnerabilities. The vulnerabilities on their own might be harmless, but attackers could build attack paths based on the combination of different vulnerabilities. Additionally, attackers might exploit existing access control policies to further propagate through the system. For analysing this dependency between vulnerabilities and access control policies, we extended an architecture description language (ADL) to model access control policies and specify vulnerabilities. We developed an attack propagation analysis operating on the extended ADL, which can help to determine confidentiality violations in a system. We evaluated our approach by analysing the accuracy and the effort compared to a manual analysis using different scenarios in three case studies. The results indicate that our analysis is capable of identifying attack paths and reducing the effort compared to manual detection.

show abstract

The Challenge of Access Control Policies Quality

Cited by 17 publications

References 15 publications

The Information Resilience Framework

The Information Resilience Framework

Generative Policies for Coalition Systems - A Symbolic Learning Framework

Architectural Attack Propagation Analysis for Identifying Confidentiality Issues

Contact Info

Product

Resources

About