Preventative Directions For Insider Threat Mitigation Via Access Control

  • Sara Sinclair
  • Sean W. Smith
Part of the Advances in Information Security book series (ADIS, volume 39)


Much research on mitigating the threat posed by insiders focuses on detection. In this chapter, we consider the prevention of attacks using access control. While recent work and development in this space are promising, our studies of technologists in financial, health care, and other enterprise environments reveal a disconnect between what “real world” practitioners desire and what the research and vendor communities can offer. Basing our arguments on this ethnographic research (which targets both technology and the human business systems that drive and constrain it), we present the theoretical underpinnings of modern access control, discuss requirements of successful solutions for corporate environments today, and offer a survey of current technology that addresses these requirements. The paper concludes by exploring areas of future development in access control that offer particular promise in the struggle to prevent insider attack.







Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • Sara Sinclair, Department of Computer Science, Dartmouth College, Hanover, USA
  • Sean W. Smith, Department of Computer Science, Dartmouth College, Hanover, USA
