Restricting Insider Access through Efficient Implementation of Multi-Policy Access Control Systems
Peter M. Mell, Serban I. Gavrila, James Shook
The American National Standards Organization has standardized an access control approach, Next Generation Access Control (NGAC), that enables simultaneous instantiation of multiple access control policies. For large complex enterprises this is critical to limiting the legally authorized access of insiders. However, the specifications describe the required access control capabilities but not the related algorithms. Existing reference implementations have inefficient algorithms and thus do not fully express the NGAC's ability to scale. For example, the primary NGAC reference implementation took several minutes to simply display the set of files accessible to a user on a moderately sized system. To solve this problem we provide efficient algorithms, reducing the overall complexity from cubic to quadratic. Our other major contribution is to provide a novel mechanism for administrators and users to review allowed access rights. We provide an interface that appears to be a simple file directory hierarchy but in reality is an automatically generated structure abstracted from the underlying access control graph that works with any set of simultaneously instantiated access control policies. Our work thus provides the first efficient implementation of NGAC while enabling user privilege review through a novel visualization approach. It thereby enables the efficient simultaneous instantiation of multiple access control policies that is needed to best limit insider access to information (and thereby limit information leakage).
Proceedings of the 23rd ACM Conference on Computer and Communications Security
October 24-28, 2016
8th ACM Computer and Communications Security International Workshop on Managing Insider Security