Authors:
- Peter Mell, National Institute of Standards and Technology, Gaithersburg, MD, USA
- James M. Shook, National Institute of Standards and Technology, Gaithersburg, MD, USA
- Serban Gavrila, National Institute of Standards and Technology, Gaithersburg, MD, USA
MIST '16: Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, October 2016, Pages 13–22. https://doi.org/10.1145/2995959.2995961
Restricting Insider Access Through Efficient Implementation of Multi-Policy Access Control Systems
ABSTRACT
The American National Standards Institute (ANSI) has standardized an access control approach, Next Generation Access Control (NGAC), that enables simultaneous instantiation of multiple access control policies. For large, complex enterprises this is critical to limiting the authorized access of insiders. However, the specifications describe the required access control capabilities but not the related algorithms. While appropriate, this leaves open the important question of whether or not NGAC is scalable. Existing reference implementations, which have cubic complexity, suggest that it is not. For example, the primary NGAC reference implementation took several minutes simply to display the set of files accessible to a user on a moderately sized system. To solve this problem we provide an efficient access control decision algorithm, reducing the overall complexity from cubic to linear. Our other major contribution is a novel mechanism for administrators and users to review allowed access rights. We provide an interface that appears to be a simple file directory hierarchy but is in reality an automatically generated structure abstracted from the underlying access control graph, and it works with any set of simultaneously instantiated access control policies. Our work thus provides the first efficient implementation of NGAC while enabling user privilege review through a novel visualization approach. These capabilities help limit insider access to information (and thereby limit information leakage) by enabling the efficient simultaneous instantiation of multiple access control policies.
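The abstract does not give the decision algorithm itself, so the following is an added illustration, not code from the paper or from the NIST Policy Machine. It shows the NGAC semantics the scalability question turns on: users, objects and attributes form a containment graph, associations grant operations between attributes, and an operation on an object is permitted only if every policy class containing that object grants it. Two policy classes are instantiated at once, so the per-class results are intersected. The decision is done with upward traversals that touch each edge a bounded number of times. The node names, operations and sample graph are constructed here for the example.

```python
"""Toy NGAC-style access decision over a graph with two policy classes.

Added example, not the paper's algorithm or the Policy Machine's code.
Names, operations and the graph are constructed for illustration.
"""
from collections import defaultdict, deque


class PolicyGraph:
    def __init__(self):
        self.parents = defaultdict(set)        # node -> attributes it is assigned to
        self.associations = defaultdict(list)  # user attribute -> [(ops, target attribute)]
        self.policy_classes = set()
        self.objects = set()
        self._pc_memo = {}

    def add_policy_class(self, pc):
        self.policy_classes.add(pc)

    def add_object(self, obj, *attrs):
        self.objects.add(obj)
        for a in attrs:
            self.assign(obj, a)

    def assign(self, child, parent):
        """Containment edge: child is assigned to attribute parent."""
        self.parents[child].add(parent)
        self._pc_memo.clear()

    def associate(self, user_attr, ops, target_attr):
        """Association: members of user_attr may perform ops on what target_attr contains."""
        self.associations[user_attr].append((frozenset(ops), target_attr))

    def ancestors(self, node):
        """Every attribute reachable upward from node (inclusive); one BFS, each edge once."""
        seen, queue = {node}, deque([node])
        while queue:
            for p in self.parents[queue.popleft()]:
                if p not in seen:
                    seen.add(p)
                    queue.append(p)
        return seen

    def policy_classes_of(self, node):
        """Policy classes containing node; memoized so repeated calls cost O(V+E) overall.
        Assumes the assignment graph is acyclic, as NGAC requires."""
        if node in self._pc_memo:
            return self._pc_memo[node]
        pcs = {node} if node in self.policy_classes else set()
        for p in self.parents[node]:
            pcs |= self.policy_classes_of(p)
        self._pc_memo[node] = frozenset(pcs)
        return self._pc_memo[node]

    def permitted_ops(self, user, obj):
        """Operations user may perform on obj with all policy classes active at once."""
        # Pass 1: walk up from the user, collecting ops granted at each target attribute.
        grants = defaultdict(set)
        for ua in self.ancestors(user):
            for ops, target in self.associations.get(ua, ()):
                grants[target] |= ops
        # Pass 2: walk up from the object; credit each grant to the policy classes above it.
        per_pc = {pc: set() for pc in self.policy_classes_of(obj)}
        if not per_pc:
            return set()  # an object outside every policy class is never accessible
        for node in self.ancestors(obj):
            if node in grants:
                for pc in self.policy_classes_of(node) & set(per_pc):
                    per_pc[pc] |= grants[node]
        # Every policy class containing the object must agree.
        return set.intersection(*per_pc.values())

    def accessible_objects(self, user):
        """Privilege review: which objects the user can reach, and with which ops."""
        result = {}
        for obj in sorted(self.objects):
            ops = self.permitted_ops(user, obj)
            if ops:
                result[obj] = ops
        return result


def build_example_graph():
    """Constructed sample: an RBAC-style and an MLS-style policy class, both active."""
    g = PolicyGraph()
    g.add_policy_class("RBAC")
    g.add_policy_class("MLS")
    g.assign("alice", "doctor")
    g.assign("bob", "nurse")
    g.assign("doctor", "RBAC")
    g.assign("nurse", "RBAC")
    for u in ("alice", "bob"):
        g.assign(u, "secret_clearance")
    g.assign("secret_clearance", "MLS")
    for oa, pc in (("patient_records", "RBAC"), ("public", "RBAC"),
                   ("secret", "MLS"), ("top_secret", "MLS")):
        g.assign(oa, pc)
    g.add_object("chart1", "patient_records", "secret")
    g.add_object("chart2", "patient_records", "top_secret")
    g.add_object("memo", "public")
    g.associate("doctor", {"read", "write"}, "patient_records")
    g.associate("nurse", {"read"}, "patient_records")
    g.associate("doctor", {"read"}, "public")
    g.associate("secret_clearance", {"read"}, "secret")
    return g


if __name__ == "__main__":
    g = build_example_graph()
    for user in ("alice", "bob"):
        print(user, g.accessible_objects(user))
```

In the sample, alice's RBAC role grants read and write on chart1, but the MLS policy class grants only read at her clearance, so the intersection leaves read; chart2 sits under top_secret, which no association reaches for either user, so the MLS class grants nothing and access is denied even though RBAC alone would allow it. That is the multi-policy behaviour the abstract describes, and accessible_objects is the "what can this user reach" review that the reference implementation computed slowly.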
Index Terms
Security and privacy > Security services > Access control
Published in
MIST '16: Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats
October 2016
126 pages
ISBN:9781450345712
DOI:10.1145/2995959
General Chairs:
- Ilsun You, Soonchunhyang University, Republic of Korea
- Elisa Bertino, Purdue University, USA
Copyright © 2016 Public Domain
This paper is authored by an employee(s) of the United States Government and is in the public domain. Non-exclusive copying or redistribution is allowed, provided that the article citation is given and the authors and agency are clearly identified as its source.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 28 October 2016
Author Tags
- ABAC
- NGAC
- NIST
- XACML
- access control
- algorithms
- complexity
- computer security
- graph theory
- insider
- policy machine
- simultaneous instantiation
Qualifiers
- research-article
Conference Acceptance Rates
MIST '16 paper acceptance rate: 8 of 22 submissions (36%). Overall acceptance rate: 21 of 54 submissions (39%).