Obstruction-free Authorization Enforcement: Aligning Security and Business Objectives
Research Area: | Uncategorized | Year: | 2011 |
---|---|---|---|
Type of Publication: | In Proceedings | ||
Authors: |
|
||
Book title: | 24th Computer Security Foundations Symposium (CSF 2011) | ||
Pages: | 99-113 | ||
Address: | Cernay-la-Ville, France | ||
Month: | 06 | ||
ISBN: | 978-0-7695-4365-9 | ||
BibTex: |
|||
Note: | partner: ETH; projects: NESSoS; TIER: A; CITE (09/04/14): 12 |
||
Abstract: | Abstract—Access control is fundamental in protecting
information systems but it also poses an obstacle to
achieving business objectives. We analyze this tradeoff and
its avoidance in the context of systems modeled as
workflows restricted by authorization constraints including
those specifying Separation of Duty (SoD) and Binding of
Duty (BoD).To begin with, we present a novel approach to
scoping authorization constraints within workflows with
loops and conditional execution. Afterwards, we consider
enforcement’s effects on business objectives. We identify
the notion of obstruction, which generalizes deadlock
within a system where access control is enforced, and we
formulate the existence of an obstruction-free enforcement
mechanism as a decision problem. We present lower and upper
bounds for the complexity of this problem and also give an
approximation algorithm that performs well when
authorizations are equally distributed among users. |
||
[Bibtex] |