ACM Computing Surveys (CSUR)
Proposed NIST standard for role-based access control
ACM Transactions on Information and System Security (TISSEC)
Obligation Monitoring in Policy Management
POLICY '02 Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY'02)
The UCONABC usage control model
ACM Transactions on Information and System Security (TISSEC)
TrustGuard: countering vulnerabilities in reputation management for decentralized overlay networks
WWW '05 Proceedings of the 14th international conference on World Wide Web
On the modeling and analysis of obligations
Proceedings of the 13th ACM conference on Computer and communications security
Obligations for Role Based Access Control
AINAW '07 Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops - Volume 01
Proceedings of the 13th ACM symposium on Access control models and technologies
An Attribute Based Framework for Risk-Adaptive Access Control Models
ARES '11 Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security
On practical specification and enforcement of obligations
Proceedings of the second ACM conference on Data and Application Security and Privacy
Ensuring authorization privileges for cascading user obligations
Proceedings of the 17th ACM symposium on Access Control Models and Technologies
A trust-and-risk aware RBAC framework: tackling insider threat
Proceedings of the 17th ACM symposium on Access Control Models and Technologies
Risk-Aware role-based access control
STM'11 Proceedings of the 7th international conference on Security and Trust Management
| Hi-index | 0.00 |
Recently, the importance of including obligations as part of access control systems for privilege management, for example, in healthcare information systems, has been well recognized. In an access control system, an a posteriori obligation states which actions need to be performed by a user after he has accessed a resource. There is no guarantee that a user will fulfill a posteriori obligations. Not fulfilling these obligations may incur financial loss, or loss of goodwill and productivity to the organization. In this paper, we propose a trust-and-obligation based framework that reduces the risk exposure of an organization associated with a posteriori obligations. We propose a methodology to assign trust values to users to indicate how trustworthy they are with regards to fulfilling their obligations. When access requests that trigger a posteriori obligations are evaluated, the requesting users' trust values and the criticality of the associated obligations are used. Our framework detects and mitigates insider attacks and unintentional damages that may result from violating a posteriori obligations. Our framework also provides mechanisms to determine misconfigurations of obligation policies. We evaluate our framework through simulations and demonstrate its effectiveness.