Abstract
Access control facilitates controlled sharing and protection of resources in an enterprise. When correctly implemented and administered, it is effective in providing security. However, in many cases, there is a belief on the part of the consumers that security requirements can be met by simply acquiring and installing a product. Unfortunately, since the security requirements of each organization are different, there is no single tool (or even any meaningful set of tools) that can be readily employed. Independent of the specific policy adopted, such as discretionary access control or role-based access control, most organizations today perform permission assignment to its entities on a more or less ad-hoc basis. Permissions assigned to entities are poorly documented, and not understood in their entirety. Such lack of system administrators’ awareness of comprehensive view of total permissions of an entity on all systems results in an ever growing set of permissions leading to misconfigurations such as under privileges, violation of the least privilege requirement (i.e., over authorization), and expensive security administration. In this talk, we examine the problem of automated security configuration and administration. This is a tough area of research since many of the underlying problems are NP-hard and it is difficult to find solutions that work with reasonable performance without trading-off accuracy. To address this, usable security mechanisms must be developed by employing novel methodologies and tools from other areas of research that have a strong theoretical basis. We discuss some of the existing work that addresses this and lay out future problems and challenges.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
DoD Computer Security Center: Trusted Computer System Evaluation Criteria (December 1985)
Bell, D., LaPadula, L.: Secure computer systems: Unified exposition and multics interpretation. Technical Report MTR-2997, The Mitre Corporation, Bedford, MA (March 1976)
Sandhu, R.S., et al.: Role-based Access Control Models. IEEE Computer, 38–47 (February 1996)
Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, D., Chandramouli, R.: Proposed NIST Standard for Role-Based Access Control. In: TISSEC (2001)
Identity management design guide with ibm tivoli identity. Technical report, IBM (November 2005), http://www.redbooks.ibm.com/redbooks/pdfs/sg246996.pdf
Coyne, E.J.: Role-engineering. In: 1st ACM Workshop on Role-Based Access Control (1995)
Gallagher, M.P., O’Connor, A., Kropp, B.: The economic impact of role-based access control. Planning report 02-1, National Institute of Standards and Technology (March 2002)
Coyne, E., Davis, J.: Role Engineering for Enterprise Security Management. Artech House, Norwood (2007)
Fernandez, E.B., Hawkins, J.C.: Determining role rights from use cases. In: ACM Workshop on Role-Based Access Control, pp. 121–125 (1997)
Brooks, K.: Migrating to role-based access control. In: ACM Workshop on Role-Based Access Control, pp. 71–81 (1999)
Roeckle, H., Schimpf, G., Weidinger, R.: Process-oriented approach for role-finding to implement role-based security administraiton in a large industrial organization. In: ACM (ed.) RBAC (2000)
Shin, D., Ahn, G.J., Cho, S., Jin, S.: On modeling system-centric information for roleengineering. In: 8th ACM Symposium on Access Control Models and Technologies (June 2003)
Thomsen, D., O’Brien, D., Bogle, J.: Role based access control framework for network enterprises. In: 14th Annual Computer Security Application Conference, pp. 50–58 (December 1998)
Neumann, G., Strembeck, M.: A scenario-driven role engineering process for functional rbac roles. In: 7th ACM Symposium on Access Control Models and Technologies (June 2002)
Epstein, P., Sandhu, R.: Engineering of role/permission assignment. In: 17th Annual Computer Security Application Conference (December 2001)
Kern, A., Kuhlmann, M., Schaad, A., Moffett, J.: Observations on the role life-cycle in the context of enterprise security management. In: 7th ACM Symposium on Access Control Models and Technologies (June 2002)
Schaad, A., Moffett, J., Jacob, J.: The role-based access control system of a european bank: A case study and discussion. In: Proceedings of ACM Symposium on Access Control Models and Technologies, pp. 3–9 (May 2001)
Kuhlmann, M., Shohat, D., Schimpf, G.: Role mining - revealing business roles for security administration using data mining technology. In: Symposium on Access Control Models and Technologies (SACMAT). ACM, New York (June 2003)
Schlegelmilch, J., Steffens, U.: Role mining with orca. In: Symposium on Access Control Models and Technologies (SACMAT). ACM, New York (June 2005)
Vaidya, J., Atluri, V., Warner, J.: Roleminer: mining roles using subset enumeration. In: CCS 2006: Proceedings of the 13th ACM conference on Computer and communications security, pp. 144–153 (2006)
Vaidya, J., Atluri, V., Guo, Q.: The role mining problem: Finding a minimal descriptive set of roles. In: The Twelth ACM Symposium on Access Control Models and Technologies, Sophia Antipolis, France, June 20-22, pp. 175–184 (2007)
Vaidya, J., Atluri, V., Guo, Q., Lu, H.: Edge-rmp: Minimizing administrative assignments for role-based access control. Journal of Computer Security (to appear)
Ene, A., Horne, W., Milosavljevic, N., Rao, P., Schreiber, R., Tarjan, R.: Fast exact and heuristic methods for role minimization problems. In: The ACM Symposium on Access Control Models and Technologies (June 2008)
Zhang, B., Al-Shaer, E., Jagadeesan, R., Riely, J., Pitcher, C.: Specifications of a high-level conflict-free firewall policy language for multi-domain networks. In: The Twelth ACM Symposium on Access Control Models and Technologies, pp. 185–194 (2007)
Vaidya, J., Atluri, V., Guo, Q.: The role mining problem: A formal perspective. ACM Trans. Inf. Syst. Secur. 13(3), 1–31 (2010)
Molloy, I., Chen, H., Li, T., Wang, Q., Li, N., Bertino, E., Calo, S., Lobo, J.: Mining roles with semantic meanings. In: SACMAT 2008: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 21–30. ACM, New York (2008)
Colantonio, A., Pietro, R.D., Ocello, A.: Leveraging lattices to improve role mining. In: Proceedings of The IFIP TC-11 23rd International Information Security Conference (IFIP SEC 2008), pp. 333–347 (2008)
Colantonio, A., Di Pietro, R., Ocello, A.: A cost-driven approach to role engineering. In: SAC 2008: Proceedings of the 2008 ACM Symposium on Applied Computing, pp. 2129–2136. ACM, New York (2008)
Guo, Q., Vaidya, J., Atluri, V.: The role hierarchy mining problem: Discovery of optimal role hierarchies. In: Proceedings of the 24th Annual Computer Security Applications Conference (December 8-12, 2008)
Geerts, F., Goethals, B., Mielikainen, T.: Tiling databases. In: Suzuki, E., Arikawa, S. (eds.) DS 2004. LNCS (LNAI), vol. 3245, pp. 278–289. Springer, Heidelberg (2004)
Lu, H., Vaidya, J., Atluri, V.: Optimal boolean matrix decomposition: Application to role engineering. In: IEEE International Conference on Data Engineering (April 2008) (to appear)
Frank, M., Basin, D., Buhmann, J.M.: A class of probabilistic models for role engineering. In: CCS 2008: Proceedings of the 15th ACM conference on Computer and Communications Security, pp. 299–310. ACM, New York (2008)
Fuchs, L., Pernul, G.: Hydro - hybrid development of roles. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 287–302. Springer, Heidelberg (2008)
Bartal, Y., Mayer, A., Nissim, K., Wool, A.: Firmato: A novel firewall management toolkit. In: IEEE Symposium on Security and Privacy, pp. 17–31 (1999)
Mayer, A.J., Wool, A., Ziskind, E.: Fang: A firewall analysis engine. In: IEEE Symposium on Security and Privacy, pp. 177–187 (2000)
Hazelhurst, S., Attar, A., Sinnappan, R.: Algorithms for improving the dependability of firewall and filter rule lists. In: International Conference on Dependable Systems and Networks, pp. 576–585 (2000)
Yuan, L., Mai, J., Su, Z., Chen, H., Chuah, C., Mohapatra, P.: Fireman: A toolkit for firewall modeling and analysis. In: IEEE Symposium on Security and Privacy, pp. 199–213 (2006)
Le, F., Lee, S., Wong, T., Kim, H.S., Newcomb, D.: Minerals: using data mining to detect router misconfigurations. In: SIGCOMM Workshop on Mining Network Data (2006)
Al-Shaer, E.S., Hamed, H.H.: Discovery of policy anomalies in distributed firewalls. In: Annual Joint Conference of the IEEE Computer and Communications Societies (2004)
Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proceeding of the IEEE 69, 1278–1308 (1975)
Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., Stoner, E.: State of the practice of intrusion detection technologies, cmu/sei-99-tr-028. Technical report, Carnegie Mellon University (1999)
Lunt, T.F.: A survey of intrusion detection techniques. Computers and Security 12(4), 405–418 (1993)
Lane, T., Brodley, C.: Temporal sequence learning and data reduction for anomaly detection. ACM Transations on Information Systems Security 2(3), 295–331 (1999)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Vaidya, J. (2010). Automating Security Configuration and Administration: An Access Control Perspective. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds) Advances in Information and Computer Security. IWSEC 2010. Lecture Notes in Computer Science, vol 6434. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16825-3_1
Download citation
DOI: https://doi.org/10.1007/978-3-642-16825-3_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-16824-6
Online ISBN: 978-3-642-16825-3
eBook Packages: Computer ScienceComputer Science (R0)