Access control: The neglected frontier

Invited paper

  • Invited Lecture 3
  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 1172)

Abstract

Access control is an indispensable security technology. However, it has been relatively neglected by the research community. Over the past ten years, the doctrine of mandatory and discretionary access controls has slowly become discredited but no dominant doctrine has emerged to replace it. There are promising candidates such as role and task-based access controls but these are still in their formative stages and have not gained wide acceptance. This paper gives my personal perspective on these issues and identifies some of the important access control issues that researchers and practitioners should focus on.

Editor information

Josef Pieprzyk Jennifer Seberry

Copyright information

© 1996 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sandhu, R. (1996). Access control: The neglected frontier. In: Pieprzyk, J., Seberry, J. (eds) Information Security and Privacy. ACISP 1996. Lecture Notes in Computer Science, vol 1172. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0023301

  • DOI: https://doi.org/10.1007/BFb0023301

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-61991-8

  • Online ISBN: 978-3-540-49583-3

  • eBook Packages: Springer Book Archive
