Abstract
Much research on mitigating the threat posed by insiders focuses on detection. In this chapter, we consider the prevention of insider attacks using access control. While recent work and development in this space are promising, our studies of technologists in financial, health care, and other enterprise environments reveal a disconnect between what “real world” practitioners desire and what the research and vendor communities can offer. Basing our arguments on this ethnographic research (which targets both the technology and the human business systems that drive and constrain it), we present the theoretical underpinnings of modern access control, discuss the requirements of successful solutions for corporate environments today, and offer a survey of current technology that addresses these requirements. The chapter concludes by exploring areas of future development in access control that offer particular promise in the struggle to prevent insider attack.
© 2008 Springer Science+Business Media, LLC
Sinclair, S., Smith, S.W. (2008). Preventative Directions For Insider Threat Mitigation Via Access Control. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds) Insider Attack and Cyber Security. Advances in Information Security, vol 39. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-77322-3_10
DOI: https://doi.org/10.1007/978-0-387-77322-3_10
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-77321-6
Online ISBN: 978-0-387-77322-3