• DocumentCode
    2867641
  • Title

    Obstruction-Free Authorization Enforcement: Aligning Security with Business Objectives

  • Author

    Basin, David ; Burri, Samuel J. ; Karjoth, Günter

  • Author_Institution
    Inf. Security Group, ETH Zurich, Zurich, Switzerland
  • fYear
    2011
  • fDate
    27-29 June 2011
  • Firstpage
    99
  • Lastpage
    113
  • Abstract
    Access control is fundamental in protecting information systems but it also poses an obstacle to achieving business objectives. We analyze this tradeoff and its avoidance in the context of systems modeled as workflows restricted by authorization constraints including those specifying Separation of Duty (SoD) and Binding of Duty (BoD).To begin with, we present a novel approach to scoping authorization constraints within workflows with loops and conditional execution. Afterwards, we consider enforcement´s effects on business objectives. We identify the notion of obstruction, which generalizes deadlock within a system where access control is enforced, and we formulate the existence of an obstruction-free enforcement mechanism as a decision problem. We present lower and upper bounds for the complexity of this problem and also give an approximation algorithm that performs well when authorizations are equally distributed among users.
  • Keywords
    authorisation; access control; approximation algorithm; obstruction-free authorization enforcement; system deadlock; Approximation methods; Authorization; Board of Directors; Business; Logic gates; Semantics; Visualization; Access control; Separation of Duty; authorization constraint; workflow;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Foundations Symposium (CSF), 2011 IEEE 24th
  • Conference_Location
    Cernay-la-Ville
  • ISSN
    1940-1434
  • Print_ISBN
    978-1-61284-644-6
  • Type

    conf

  • DOI
    10.1109/CSF.2011.14
  • Filename
    5992157