DOI: 10.1145/2799979.2800013
Research article

Mitigating conflicts of interest by authorization policies

Published: 08 September 2015

Abstract

In many organizations, numerous business processes involve sensitive tasks that may invite corruption. Conflict of interest policies are defined in an organization to deter corruption before it can happen. Existing research generally focuses on separation of duty, yet pays little attention to the underlying conflicts of interest. Moreover, separation of duty is only one particular kind of conflict of interest; other kinds exist and must be resolved as well.
In this paper, a novel approach is proposed to define conflict of interest policies and to facilitate their enforcement. Our work provides an expressive mechanism that can be applied to a wide range of conflicts of interest that go beyond separation of duty policies. Furthermore, we show how such policies can be enforced in the context of the role-oriented access control model (ROAC), which we extend to provide a stronger basis for the enforcement of conflict of interest policies.


Cited By

  • (2018) Impact of Excessive Access Permissions and Insider Threat Opportunity in the Financial Industry. International Journal of Strategic Information Technology and Applications, 9(3): 32--58. DOI: 10.4018/IJSITA.2018070103. Online publication date: Jul-2018.
  • (2017) On Run-Time Enforcement of Authorization Constraints in Security-Sensitive Workflows. Software Engineering and Formal Methods, pages 203--218. DOI: 10.1007/978-3-319-66197-1_13. Online publication date: 13-Aug-2017.

Published In

SIN '15: Proceedings of the 8th International Conference on Security of Information and Networks
September 2015
350 pages
ISBN:9781450334532
DOI:10.1145/2799979

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. access control
  2. authorization constraints
  3. conflict of interest
  4. separation of duty

Conference

SIN '15

Acceptance Rates

SIN '15 paper acceptance rate: 34 of 92 submissions (37%)
Overall acceptance rate: 102 of 289 submissions (35%)
