Obstruction-Free Authorization Enforcement: Aligning Security with Business Objectives

D. Basin, Samuel J. Burri, G. Karjoth
{"title":"Obstruction-Free Authorization Enforcement: Aligning Security with Business Objectives","authors":"D. Basin, Samuel J. Burri, G. Karjoth","doi":"10.1109/CSF.2011.14","DOIUrl":null,"url":null,"abstract":"Access control is fundamental in protecting information systems but it also poses an obstacle to achieving business objectives. We analyze this tradeoff and its avoidance in the context of systems modeled as workflows restricted by authorization constraints including those specifying Separation of Duty (SoD) and Binding of Duty (BoD).To begin with, we present a novel approach to scoping authorization constraints within workflows with loops and conditional execution. Afterwards, we consider enforcement's effects on business objectives. We identify the notion of obstruction, which generalizes deadlock within a system where access control is enforced, and we formulate the existence of an obstruction-free enforcement mechanism as a decision problem. We present lower and upper bounds for the complexity of this problem and also give an approximation algorithm that performs well when authorizations are equally distributed among users.","PeriodicalId":6500,"journal":{"name":"2016 IEEE 29th Computer Security Foundations Symposium (CSF)","volume":"57 1","pages":"99-113"},"PeriodicalIF":0.0000,"publicationDate":"2011-06-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE 29th Computer Security Foundations Symposium (CSF)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSF.2011.14","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 8

Abstract

Access control is fundamental in protecting information systems but it also poses an obstacle to achieving business objectives. We analyze this tradeoff and its avoidance in the context of systems modeled as workflows restricted by authorization constraints including those specifying Separation of Duty (SoD) and Binding of Duty (BoD).To begin with, we present a novel approach to scoping authorization constraints within workflows with loops and conditional execution. Afterwards, we consider enforcement's effects on business objectives. We identify the notion of obstruction, which generalizes deadlock within a system where access control is enforced, and we formulate the existence of an obstruction-free enforcement mechanism as a decision problem. We present lower and upper bounds for the complexity of this problem and also give an approximation algorithm that performs well when authorizations are equally distributed among users.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
无障碍授权实施:使安全性与业务目标保持一致
访问控制是保护信息系统的基础,但它也对实现业务目标构成障碍。我们在受授权约束(包括指定职责分离(SoD)和职责绑定(BoD)的那些约束)限制的工作流建模的系统上下文中分析了这种权衡及其避免。首先,我们提出了一种在带有循环和条件执行的工作流中确定授权约束范围的新方法。然后,我们考虑强制执行对业务目标的影响。我们确定了阻塞的概念,它概括了执行访问控制的系统中的死锁,并且我们将无阻塞执行机制的存在表述为一个决策问题。我们给出了该问题复杂性的下界和上界,并给出了当授权在用户之间均匀分布时性能良好的近似算法。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Axioms for Information Leakage Multi-run Side-Channel Analysis Using Symbolic Execution and Max-SMT sElect: A Lightweight Verifiable Remote Voting System Automated Reasoning for Equivalences in the Applied Pi Calculus with Barriers On Modular and Fully-Abstract Compilation
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1