How to securely break into RBAC: the BTG-RBAC model

Ferreira, Ana and Chadwick, David W. and Farinha, P and Cruz-Correia, Ricardo and Zhao, Gansen and Chilro, R and Antunes, Luis (2009) How to securely break into RBAC: the BTG-RBAC model. In: Computer Security Applications Conference, 2009. ACSAC'09. Annual, December 7–11, 2009, Honolulu, Hawaii, USA. (Full text available)

PDF (Published paper) - Published Version
Available under License Creative Commons Attribution.
Download (949kB) Preview
[img]
Preview
Official URL
http://dx.doi.org/10.1109/ACSAC.2009.12

Abstract

Access control models describe frameworks that dictate how subjects (e.g. users) access resources. In the Role-Based Access Control (RBAC) model access to resources is based on the role the user holds within the organization. Although flexible and easier to manage within large-scale authorization frameworks, RBAC is usually a static model where access control decisions have only two output options: Grant or Deny. Break The Glass (BTG) policies can be provided in order to break or override the access controls within an access control policy but in a controlled and justifiable manner. The main objective of this paper is to integrate BTG within the NIST/ANSI RBAC model in a transparent and secure way so that it can be adopted generically in any domain where unanticipated or emergency situations may occur. The new proposed model, called BTG-RBAC, provides a third decision option BTG. This allows break the glass policies to be implemented in any application without any major changes to either the application or the RBAC authorization infrastructure, apart from the decision engine. Finally, in order to validate the model, we discuss how the BTG-RBAC model is being introduced within a Portuguese healthcare institution where the legislation requires that genetic information must be accessed by a restricted group of healthcare professionals. These professionals, advised by the ethical committee, have required and asked for the implementation of the BTG concept in order to comply with the said legislation.

Item Type: Conference or workshop item (Paper)
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Divisions: Faculties > Science Technology and Medical Studies > School of Computing > Security Group
Depositing User: David Chadwick
Date Deposited: 25 Oct 2012 14:42
Last Modified: 08 Apr 2014 13:31
Resource URI: http://kar.kent.ac.uk/id/eprint/31989 (The current URI for this page, for reference purposes)
  • Depositors only (login required):

Downloads

Downloads per month over past year