Dynamic, Flexible, and Optimistic Access Control
- Author(s): Peisert, Sean
- Bishop, Matt
- et al.
Traditional access controls have evolved from being static and coarse-grained to being dynamic and very fine-grained. However, a balance still must be struck: too little access inhibits usefulness, effectively creating a denial of service for people trying to do their jobs; and too much access invites breaches of security. "Break-the-glass" techniques and adaptive access control have previously been developed to address this issue. But gaps in these techniques still exist. We extend these techniques as follows: consider a system in which prohibitions fall into two classes. Core prohibitions prevent disaster, and are axiomatic to the system. Ancillary prohibitions, derived from core prohibitions, hinder the ability of an attacker to violate core prohibitions, but are not in and of themselves critical to the security of the system. We introduce optimistic access control, a framework in which core prohibitions are always enforced, and ancillary prohibitions are enforced only when a specific threshold is crossed. The threshold depends upon history, trust, and a variety of non-binary countermeasures. This control deals with many scenarios—including the insider threat and remote access with limited communication—that are extremely difficult to address or even characterize using current techniques. Therefore, these controls address certain gaps. Finally, we present a formal mapping to lattice models, and describe implementation ideas and issues of this method in practice.