ISBN: (Print) 9781605585376
In the last few years, a number of spatial and spatio-temporal access control models have been developed, especially in the framework of pervasive computing and location-aware applications. Yet, how useful and effective those models are in real applications is still to be proved. The goal of this panel is to discuss access control requirements in mobile applications, trying to link research to real business problems.
We address some fundamental questions, which were raised by Atluri and Ferraiolo at SACMAT'08, on the prospects for and benefits of a meta-model of access control. We demonstrate that a meta-model for access control can be defined and that multiple access control models can be derived as special cases. An anticipated consequence of the contribution that we describe is to encourage researchers to adopt a meta-model view of access control rather than developing the next 700 particular instances of access control models.
This panel discusses specific challenges in the usability of access control technologies and new opportunities for research. The questions vary from "Why nobody, even experts, uses access control lists (ACLs)?" to "Shall access controls (and corresponding languages) be totally embedded and invisible and never, ever seen by the users?" to "What should be the user-study methodology for access control systems?".
Access control models are usually static, i.e., permissions are granted based on a policy that only changes seldom. Especially for scenarios in health care and disaster management, a more flexible support of access control, i.e., the underlying policy, is needed. Break-glass is one approach for such a flexible support of policies which helps to prevent system stagnation that could harm lives or otherwise result in losses. Today, break-glass techniques are usually added on top of standard access control solutions in an ad-hoc manner and, therefore, lack an integration into the underlying access control paradigm and the systems' access control enforcement architecture. We present an approach for integrating, in a fine-grained manner, break-glass strategies into standard access control models and their accompanying enforcement architecture. This integration provides means for specifying break-glass policies precisely and supporting model-driven development techniques based on such policies.
Role-based provisioning has been adopted as a standard component in leading Identity Management products due to its low administration cost. However, the cost of adjusting existing roles to entitlements from newly deployed applications is usually very high. In this paper, a learning-based approach to automate the provisioning process is proposed and its effectiveness is verified by real provisioning data. Specific learning issues related to provisioning are identified and relevant solutions are presented.
We address the distributed setting for enforcement of a centralized Role-Based Access Control (RBAC) protection state. We present a new approach for time- and space-efficient access enforcement. Underlying our approach is a data structure that we call a cascade Bloom filter. We describe our approach, provide details about the cascade Bloom filter, its associated algorithms, soundness and completeness properties for those algorithms, and provide an empirical validation for distributed access enforcement of RBAC. We demonstrate that even in low-capability devices such as WiFi network access points, we can perform thousands of access checks in a second.
The existence of on-line social networks that include person-specific information creates interesting opportunities for various applications ranging from marketing to community organization. On the other hand, security and privacy concerns need to be addressed for creating such applications. Improving social network access control systems appears as the first step toward addressing the existing security and privacy concerns related to on-line social networks. To address some of the current limitations, we propose an extensible fine-grained access control model based on semantic web tools. In addition, we propose authorization, admin and filtering policies that depend on trust relationships among various users, and are modeled using OWL and SWRL. Besides describing the model, we present the architecture of the framework in its support.
Collaborative and distributed applications, such as dynamic coalitions and virtualized grid computing, often require integrating access control policies of collaborating parties. Such an integration must be able to support complex authorization specifications and the fine-grained integration requirements that the various parties may have. In this paper, we introduce an algebra for fine-grained integration of sophisticated policies. The algebra, which consists of three binary and two unary operations, is able to support the specification of a large variety of integration constraints. To assess the expressive power of our algebra, we introduce a notion of completeness and prove that our algebra is complete with respect to this notion. We then propose a framework that uses the algebra for the fine-grained integration of policies expressed in XACML. We also present a methodology for generating the actual integrated XACML policy, based on the notion of Multi-Terminal Binary Decision Diagrams.
Publish-subscribe (pub-sub) systems are useful for many applications, including pervasive environments. In the latter context, however, great care must be taken to preserve the privacy of sensitive information, such as users' location and activities. Traditional access control schemes provide at best a partial solution, since they do not capture potential inference regarding sensitive data that a subscriber may make. We propose a logic-based pub-sub system, where inference rules are used to both derive high-level events for use in applications as well as specify potentially harmful inferences that could be made regarding data. We provide a formal definition of safety in such a system that captures the possibility of indirect information flows. We show that the safety problem is co-NP-complete; however, problems of realistic size can be reduced to a satisfiability problem that can be efficiently decided by a SAT solver.