Preventative Directions For Insider Threat Mitigation Via Access Control

  • Chapter
Insider Attack and Cyber Security

Part of the book series: Advances in Information Security ((ADIS,volume 39))

Abstract

Much research on mitigating the threat posed by insiders focuses on detection. In this chapter, we consider the prevention of attacks using access control. While recent work and development in this space are promising, our studies of technologists in financial, health care, and other enterprise environments reveal a disconnect between what "real world" practitioners desire and what the research and vendor communities can offer. Basing our arguments on this ethnographic research (which targets both the technology and the human business systems that drive and constrain it), we present the theoretical underpinnings of modern access control, discuss the requirements of successful solutions for corporate environments today, and offer a survey of current technology that addresses these requirements. The chapter concludes by exploring areas of future development in access control that offer particular promise in the struggle to prevent insider attack.



Copyright information

© 2008 Springer Science+Business Media, LLC

About this chapter

Cite this chapter

Sinclair, S., Smith, S.W. (2008). Preventative Directions For Insider Threat Mitigation Via Access Control. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds) Insider Attack and Cyber Security. Advances in Information Security, vol 39. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-77322-3_10

  • DOI: https://doi.org/10.1007/978-0-387-77322-3_10

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-77321-6

  • Online ISBN: 978-0-387-77322-3