Abstract
Access control is an indispensable security technology. However, it has been relatively neglected by the research community. Over the past ten years, the doctrine of mandatory and discretionary access controls has slowly become discredited but no dominant doctrine has emerged to replace it. There are promising candidates such as role and task-based access controls but these are still in their formative stages and have not gained wide acceptance. This paper gives my personal perspective on these issues and identifies some of the important access control issues that researchers and practitioners should focus on.
This is a preview of subscription content, log in via an institution.
Preview
Unable to display preview. Download preview PDF.
References
P.E. Ammann and Ravi S. Sandhu. The extended schematic protection model. The Journal Of Computer Security, 1(3&4):335–384, 1992.
K.J. Biba. Integrity considerations for secure computer systems. Technical Report TR-3153, The Mitre Corporation, Bedford, MA, April 1977.
W. Boebert and R. Kain. A practical alternative to hierarchical integrity policies. In NBS-NCSC National Computer Security Conference, pages 18–27, 1985.
D.E. Bell and L.J. LaPadula. Secure computer systems: Unified exposition and Multics interpretation. Technical Report ESD-TR-75-306, The Mitre Corporation, Bedford, MA, March 1975.
D.F.C. Brewer and M.J. Nash. The Chinese wall security policy. In Proceedings IEEE Computer Society Symposium on Security and Privacy, pages 215–228, Oakland, CA, May 1989.
D.D. Clark and D.R. Wilson. A comparison of commercial and military computer security policies. In Proceedings IEEE Computer Society Symposium on Security and Privacy, pages 184–194, Oakland, CA, May 1987.
D.E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236–243, 1976.
R. Fagin. On an authorization mechanism. ACM Transactions on Database Systems, 3(3):310–319, 1978.
David Ferraiolo and Richard Kuhn. Role-based access controls. In 15th NIST-NCSC National Computer Security Conference, pages 554–563, Baltimore, MD, October 13–16 1992.
Simon Foley. Aggregation and separation as non-interference properties. The Journal Of Computer Security, 1(2):159–188, 1992.
Srinivas Ganta. Expressive Power of Access Control Models Based on Propagation of Rights. PhD Thesis, George Mason University, 1996.
G.S. Graham and P.J. Denning. Protection — principles and practice. In AFIPS Spring Joint Computer Conference, pages 40:417–429, 1972.
Ehud Gudes, Haiyan Song, and Eduardo B. Fernandez. Evaluation of negative, predicate, and instance-based authorization in object-oriented databases. In S. Jajodia and C.E. Landwehr, editors, Database Security IV: Status and Prospects, pages 85–98. North-Holland, 1991.
P.P. Griffiths and B.W. Wade. An authorization mechanism for a relational database system. ACM Transactions on Database Systems, 1(3):242–255, 1976.
M.H. Harrison, W.L. Ruzzo, and J.D. Ullman. Protection in operating systems. Communications of the ACM, 19(8):461–471, 1976.
P.A. Karger, M.E. Zurko, D.W. Bonin, A.H. Mason, and C.E. Kahn. A vmm security kernel for the vax architecture. In Proceedings IEEE Computer Society Symposium on Security and Privacy, pages 2-19, Oakland, CA, May 1990.
B.W. Lampson. Protection. In 5th Princeton Symposium on Information Science and Systems, pages 437–443, 1971. Reprinted in ACM Operating Systems Review 8(1):18–24, 1974.
T.M.P. Lee. Using mandatory integrity to enforce “commercial” security. In Proceedings IEEE Computer Society Symposium on Security and Privacy, pages 140–146, Oakland, CA, May 1988.
S.B. Lipner. Non-discretionary controls for commercial applications. In Proceedings IEEE Computer Society Symposium on Security and Privacy, pages 2–10, Oakland, CA, May 1982.
R.J. Lipton and L. Snyder. A linear time algorithm for deciding subject security. Journal of the ACM, 24(3):455–464, 1977.
Teresa Lunt. Access control policies: Some unanswered questions. In IEEE Computer Security Foundations Workshop II, pages 227–245, Franconia, NH, June 1988.
J.D. Moffett and M.S. Sloman. The source of authority for commercial access control. IEEE Computer, 21(2):59–69, 1988.
P. Pittelli. The bell-lapadula computer security model represented as a special case of the harrison-ruzzo-ullman model. In NBS-NCSC National Computer Security Conference, 1987.
F. Rabitti, E. Bertino, W. Kim, and D. Woelk. A model of authorization for next-generation database systems. ACM Transactions on Database Systems, 16(1), 1991.
Ravi S. Sandhu. The schematic protection model: Its definition and analysis for acyclic attenuating schemes. Journal of the ACM, 35(2):404–432, April 1988.
Ravi S. Sandhu. Transaction control expressions for separation of duties. In Fourth Annual Computer Security Application Conference, pages 282–286, Orlando, FL, December 1988.
Ravi S. Sandhu. Mandatory controls for database integrity. In D.L. Spooner and C.E. Landwehr, editors, Database Security III: Status and Prospects, pages 143–150. North-Holland, 1990.
Ravi S. Sandhu. Expressive power of the schematic protection model. The Journal Of Computer Security, 1(1):59–98, 1992.
Ravi S. Sandhu. Lattice-based access control models. IEEE Computer, 26(11):9–19, November 1993.
Ravi Sandhu. Rationale for the RBAC96 family of access control models. In Ravi Sandhu, Ed Coyne, and Charles Youman, editors, Proceedings of the 1st ACM Workshop on Role-Based Access Control. ACM, 1996.
Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, and Charles E. Youman. Role-based access control models. IEEE Computer, 29(2):38–47, February 1996.
Ravi Sandhu, Ed Coyne, and Charles Youman, editors. Proceedings of the 1st ACM Workshop on Role-Based Access Control. ACM, 1996.
Ravi S. Sandhu and S. Ganta. On testing for absence of rights in access control models. In IEEE Computer Security Foundations Workshop, Franconia, NH, June 1993. 109–118.
Ravi Sandhu and Pierangela Samarati. Access control: Principles and practice. IEEE Communications, 32(9):40–48, 1994.
Roshan Thomas and Ravi S. Sandhu. Conceptual foundations for a model of task-based authorizations. In IEEE Computer Security Foundations Workshop 7, pages 66–79, Franconia, NH, June 1994.
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 1996 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sandhu, R. (1996). Access control: The neglected frontier. In: Pieprzyk, J., Seberry, J. (eds) Information Security and Privacy. ACISP 1996. Lecture Notes in Computer Science, vol 1172. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0023301
Download citation
DOI: https://doi.org/10.1007/BFb0023301
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-61991-8
Online ISBN: 978-3-540-49583-3
eBook Packages: Springer Book Archive