How to securely break into RBAC: The BTG-RBAC model

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2009, Pages 23-31

  Ferreira, Ana ^a   Chadwick, David ^a   Farinha, Pedro ^b   Correia, Ricardo ^b   Zao, Gansen ^c   Chilro, Rui ^d   Antunes, Luis ^e  

^a UNIVERSITY OF KENT   (United Kingdom)

^b University of Porto   (Portugal)

^c SOUTH CHINA NORMAL UNIVERSITY   (China)

^d UNIVERSITY OF PORTO   (Portugal)

^e INSTITUTO DE TELECOMUNICAÇÕES   (Portugal)

Author keywords

Access control model; Break The Glass; NIST core RBAC; Obligations

Indexed keywords

ACCESS CONTROL DECISIONS; ACCESS CONTROL MODEL; ACCESS CONTROL MODELS; APPLICATION CODES; AUTHORIZATION INFRASTRUCTURE; AUTHORIZED USERS; DECISION ENGINES; EMERGENCY SITUATION; GENETIC INFORMATION; HEALTH CARE PROFESSIONALS; HEALTHCARE INSTITUTIONS; RBAC MODEL; RIGID MODEL; ROLE-BASED ACCESS CONTROL MODEL;

AIRCRAFT ENGINE MANUFACTURE; COMPUTER APPLICATIONS; GENES; GLASS; HEALTH CARE; SECURITY SYSTEMS;

ACCESS CONTROL;

EID: 77649181757     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ACSAC.2009.12     Document Type: Conference Paper

References (21)

1. Anderson R. Security Engineering: A guide to build dependable distributed systems. Wiley 2001.
2. Information Technology - Role Based Access Control. ANSI/INCITS 359-2004. International Committee for Information Technology Standards.
3. Rissanen E, Firozabadi S, Sergot M. Towards a Mechanism for Discretionary Overriding of Access Control. Proceedings of the 12th International Workshop on Security Protocols, Cambridge. 2004.
4. Povey D. Optimistic security: a new access control paradigm," in Proceedings of the 1999 workshop on New security paradigms. ACM Press, 2000; 40-45.
5. Ferreira A, Cruz-Correia R, Antunes L, Farinha P, Oliveira-Palhares E, Chadwick D W, Costa-Pereira A: How to break access control in a controlled manner? Proceedings of the 19th IEEE Symposium on Computer-Based Medical Systems. 2006; 847-851.
6. Break-glass: An approach to granting emergency access to healthcare systems. White paper, Joint -NEMA/COCIR/JIRA Security and Privacy Committee (SPC). 2004.
7. Gansen Zhao, David Chadwick, and Sassa Otenko. Obligation for Role Based Access Control. IEEE International Symposium on Security in Networks and Distributed Systems (SSNDS07). 2007.
8. Break Glass - Granting Emergency Access to Critical ePHI Systems - HIPAA Security. Protecting the privacy and security of health information - HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT. Accessed at: http://hipaa.yale.edu/security/sysadmin/breakglass.html. Accessed on the 5th May 2009.
9. 7869 2008-A SCR Clinical User Guide. NHS care records service - NHS Connecting for Health. 2008. Accessed at: http://www.connectingforhealth.nhs.uk/ systemsandservices /nhscrs/scr/publications/7869-user-guide.pdf. Accessed on the 5th May 2009.
10. McGraw R. Risk-Adaptable Access Control (RAdAC). Privilege (Access) Management Workshop. NIST - National Institute of Standards and Technology - Information Technology Laboratory. 2009.
11. Rostad L. Access Control in Healthcare Application. NOKOBIT05. 2005.
12. Rostad L., Edsberg O. A study of access control requirements for healthcare systems based on audit trails from access logs. Annual Computer Security Applications Conference (ACSAC). 2006.
13. Brucker A., Petrisch H. Extending Access Control Models with Break-glass. SACMAT'09. 2009.
14. th international conference on software engineering. 1985.
15. Jonscher D. Extending access controls with duties - realized by active mechanisms. Database Security IV: Status and Prospects. North-Holland. 1993.
16. David W Chadwick, Linying Su, Romain Laborde. "Coordinating Access Control in Grid Services". Concurrency and Computation: Practice and Experience. 2008; Volume 20, Issue 9, Pages 1071-1094.
17. rd international workshop on policies for distributed systems and networks. 2002.
18. Bettini C.,Jajodia S.,Wang X., Wijesekera D. Provisions and obligations in policy management and security applications. In VLDB. 2002.
19. Building a Modular Authorization Infrastrucutre. David Chadwick, Gansen Zhao, Sassa Otenko, Romain Laborde, Linying Su, Tuan Anh Nguyen. In All Hands Meeting, Nottingham. 2006.
20. Cruz-Correia R, , Vieira-Marques P, Costa P, Ferreira A, Oliveira-Palhares E, Araújo F, Costa Pereira A. Integration of hospital data using agent technologies - a case study. AICommunications special issue of ECAI. 2005; 18(3): 191-200.
21. Lei 12/2005 - Informação de genética pessoal e informação de saúde. Diário da República - Série A, no 18. 2005.