DocumentCode
2867641
Title
Obstruction-Free Authorization Enforcement: Aligning Security with Business Objectives
Author
Basin, David ; Burri, Samuel J. ; Karjoth, Günter
Author_Institution
Inf. Security Group, ETH Zurich, Zurich, Switzerland
fYear
2011
fDate
27-29 June 2011
Firstpage
99
Lastpage
113
Abstract
Access control is fundamental in protecting information systems but it also poses an obstacle to achieving business objectives. We analyze this tradeoff and its avoidance in the context of systems modeled as workflows restricted by authorization constraints including those specifying Separation of Duty (SoD) and Binding of Duty (BoD).To begin with, we present a novel approach to scoping authorization constraints within workflows with loops and conditional execution. Afterwards, we consider enforcement´s effects on business objectives. We identify the notion of obstruction, which generalizes deadlock within a system where access control is enforced, and we formulate the existence of an obstruction-free enforcement mechanism as a decision problem. We present lower and upper bounds for the complexity of this problem and also give an approximation algorithm that performs well when authorizations are equally distributed among users.
Keywords
authorisation; access control; approximation algorithm; obstruction-free authorization enforcement; system deadlock; Approximation methods; Authorization; Board of Directors; Business; Logic gates; Semantics; Visualization; Access control; Separation of Duty; authorization constraint; workflow;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Security Foundations Symposium (CSF), 2011 IEEE 24th
Conference_Location
Cernay-la-Ville
ISSN
1940-1434
Print_ISBN
978-1-61284-644-6
Type
conf
DOI
10.1109/CSF.2011.14
Filename
5992157
Link To Document