Re: [xacml] Break the Glass policies

[David Chadwick <d.w.chadwick@kent.ac.uk>]

Hi Robin

thanks for this reference. I will now download and read it.

I attach our paper, which is not online yet but will be in due course. 
The interesting thing to me, is that in the live trails that took place 
in the hospital, in just under 50% of cases the doctors who did not have 
access but who were offered BTG, chose not to BTG when given this 
option, meaning that the system does empower users to act responsibly 
and they tend to do so when given the chance.

regards

David


Robin Cover wrote:
> On Mon, 14 Dec 2009, Ludwig Seitz wrote:
> 
>> Hi David,
>>
>> you might want to look at this:
>> http://portal.acm.org/citation.cfm?id=1263871
>>
>> I think it is very similar to what you want to achieve.
>>
>> Regards,
>>
>> Ludwig
> 
> By odd coincidence, I encountered a reference to XACML and BTG
> yesterday in an ACM SACMAT 2009 paper.  I provide some references
> below, though I've not yet spotted an online copy of David's
> ACSAC 2009 paper "How to Securely Break into RBAC: the BTG-RBAC Model"
> 
> ================================================================================ 
> 
> 
> "Extending Access Control Models with Break-glass"
> 
> Achim D. Brucker (achim.brucker@sap.com)
> SAP Research
> 
> Helmut Petritsch (helmut.petritsch@sap.com)
> SAP Research
> 
> Presented June 5, 2009 at ACM SACMAT
> Proceedings of the Fourteenth ACM symposium on Access Control Models and 
> Technologies
> http://www.sacmat.org/2009/index.php
> 
> http://www.brucker.ch/bibliography/abstract/brucker.ea-extending-2009.en.html 
> 
> http://www.brucker.ch/bibliography/download/2009/brucker.ea-extending-2009.pdf 
> 
> 
> Access control models are usually static, i.e., permissions are
> granted based on a policy that only changes seldom. Especially
> for scenarios in health care and disaster management, a more
> flexible support of access control, i.e., the underlying policy,
> is needed.
> 
> Break-glass is one approach for such a flexible support of
> policies which helps to prevent system stagnation that could
> harm lives or otherwise result in losses. Today, break-glass
> techniques are usually added on top of standard access control
> solutions in an ad-hoc manner and, therefore, lack an
> integration into the underlying access control paradigm and
> the systems' access control enforcement architecture. We
> present an approach for integrating, in a fine-grained manner,
> break-glass strategies into standard access control models
> and their accompanying enforcement architecture. This
> integration provides means for specifying break-glass policies
> precisely and supporting model-driven development techniques
> based on such policies.
> 
> Our contributions are four-fold: first, we present a generic
> break-glass model. Second, we present a SecureUML extension
> supporting break-glass. Third, we present a security architecture
> supporting break-glass and, finally, a transformation from
> break-glass SecureUML policies to XACML. The rest of the paper
> is structured as follows: after introducing the preliminaries
> of our work in Section 2, we present a generic break-glass
> model which can be integrated into a large class of access
> control models in Section 3. In the same section, we also
> present, as an example for such an integration, an extension
> for SecureUML supporting break-glass. We present a security
> architecture supporting break-glass in Section 4. This
> architecture is the target of the transformation of break-glass
> SecureUML policies to XACML which we present in Section 5.
> Finally report on related work in Section 6 and present our
> conclusions in Section 7.
> 
> ==================================================================
> 
> How to Securely Break into RBAC: the BTG-RBAC Model
> Ana Ferreira, David Chadwick, Pedro Farinha, Gansen Zhao, Rui Chilro
> 
> 2009 Annual Computer Security Applications Conference
> http://www.acsac.org/2009/
> http://www.acsac.org/2009/openconf/modules/request.php?module=oc_program&action=summary.php&id=135 
> 
> 
> Access control models describe frameworks that dictate how
> subjects (e.g. users) access resources. In the Role-Based
> Access Control (RBAC) model access to resources is based on
> the role the user holds within the organization. Although
> flexible and easier to manage within large-scale authorization
> frameworks, RBAC is usually a static model where access
> control decisions have only two output options: Grant or Deny.
> Break The Glass (BTG) policies can be provided in order to
> break or override the access controls within an access control
> policy but in a controlled and justifiable manner. The main
> objective of this paper is to integrate BTG within the
> NIST/ANSI RBAC model in a transparent and secure way so that
> it can be adopted generically in any domain where unanticipated
> or emergency situations may occur. The new proposed model,
> called BTG-RBAC, provides a third decision option BTG. This
> allows break the glass policies to be implemented in any
> application without any major changes to either the application
> or the RBAC authorization infrastructure, apart from the
> decision engine. Finally, in order to validate the model,
> we discuss how the BTG-RBAC model is being introduced within
> a Portuguese healthcare institution where the legislation
> requires that genetic information must be accessed by a
> restricted group of healthcare professionals. These
> professionals, advised by the ethical committee, have required
> and asked for the implementation of the BTG concept in order
> to comply with the said legislation.
> 
> Related:
> 
> How to break access control in a controlled manner
> http://kar.kent.ac.uk/14476/1/How_to_break_access_control_in_a_controlled_manner.pdf 
> 
> 
> Modular Authorisation Infrastructures
> http://www.sti.uniurb.it/events/fosad08/slides/Chadwick_ModAuthz.pdf
> 
> ===========
> 
> Robin Cover
> OASIS, Director of Information Services
> Editor, Cover Pages and XML Daily Newslink
> Email: robin@oasis-open.org
> Staff bio: http://www.oasis-open.org/who/staff.php#cover
> Cover Pages: http://xml.coverpages.org/
> Newsletter: http://xml.coverpages.org/newsletterArchive.html
> Tel: +1 972-296-1783
> 
> 
> On Mon, 14 Dec 2009, Ludwig Seitz wrote:
> 
>> Hi David,
>>
>> you might want to look at this:
>> http://portal.acm.org/citation.cfm?id=1263871
>>
>> I think it is very similar to what you want to achieve.
>>
>> Regards,
>>
>> Ludwig
>>
>> -- 
>> Ludwig Seitz, PhD             |   Axiomatics AB
>> Training & Development        |   Electrum 223
>> Phone: +46 (0)760 44 22 91    |   S-164 40 Kista, Sweden
>> Mail: ludwig@axiomatics.com   |
>>
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 

-- 
-------------------------------------------------------------
The Israeli group Breaking the Silence has just released a collection of
testimonies by Israeli soldiers that took part in the Gaza attack last
December and January. The testimonies expose significant gaps between 
the official stances of the Israeli military and events on the ground.

See  http://www.shovrimshtika.org/news_item_e.asp?id=30

The Israeli government defies Obama, and continues its settlement expansion

Israel plans to allocate $250 million over the next two years for 
settlements

http://www.palestinecampaign.org/index7b.asp?m_id=1&l1_id=4&l2_id=24&Content_ID=698

whilst simultaneously continuing to bulldoze Palestinian homes

http://salsa.democracyinaction.org/o/301/t/9462/campaign.jsp?campaign_KEY=27357

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

ACSACfinalSubmitted.pdf