Restricting Insider Access through Efficient Implementation of Multi-Policy Access Control Systems

Published

Author(s)

Peter M. Mell, Serban I. Gavrila, James Shook

Abstract

The American National Standards Organization has standardized an access control approach, Next Generation Access Control (NGAC), that enables simultaneous instantiation of multiple access control policies. For large complex enterprises this is critical to limiting the legally authorized access of insiders. However, the specifications describe the required access control capabilities but not the related algorithms. Existing reference implementations have inefficient algorithms and thus do not fully express the NGAC's ability to scale. For example, the primary NGAC reference implementation took several minutes to simply display the set of files accessible to a user on a moderately sized system. To solve this problem we provide efficient algorithms, reducing the overall complexity from cubic to quadratic. Our other major contribution is to provide a novel mechanism for administrators and users to review allowed access rights. We provide an interface that appears to be a simple file directory hierarchy but in reality is an automatically generated structure abstracted from the underlying access control graph that works with any set of simultaneously instantiated access control policies. Our work thus provides the first efficient implementation of NGAC while enabling user privilege review through a novel visualization approach. It thereby enables the efficient simultaneous instantiation of multiple access control policies that is needed to best limit insider access to information (and thereby limit information leakage).
Proceedings Title
Proceedings of the 23rd ACM Conference on Computer and Communications Security
Conference Dates
October 24-28, 2016
Conference Location
Vienna
Conference Title
8th ACM Computer and Communications Security International Workshop on Managing Insider Security Threats

Keywords

access control, graph, algorithms, complexity, next generation access control, policy machine

Citation

Mell, P., Gavrila, S. and Shook, J. (2016), Restricting Insider Access through Efficient Implementation of Multi-Policy Access Control Systems, Proceedings of the 23rd ACM Conference on Computer and Communications Security, Vienna, [online], https://doi.org/10.1145/2995959.2995961 (Accessed April 21, 2024)
Created October 28, 2016, Updated November 10, 2018