skip to main content
10.1145/3532105.3535019acmconferencesArticle/Chapter ViewAbstractPublication PagessacmatConference Proceedingsconference-collections
research-article

BlueSky: Physical Access Control: Characteristics, Challenges, and Research Opportunities

Published: 08 June 2022 Publication History

Abstract

Physical access control (PAC) is an integral part of the physical security system of any organization. However, despite the size of the PAC industry and its importance in securing our physical environments, public research and development regarding PAC are limited. This paper aims to lower the barriers for the access control research community to explore and engage in the research opportunities regarding PAC systems. We characterize PAC systems and present an access control architecture that captures their central concepts, such as physical space models and different levels of policies, and processes such as policy conversion, enforcement, and analysis. We discuss how PAC can be distinguished from logical access control (LAC), which is applicable to cyber environments. We also present several unique challenges and research opportunities that the PAC domain introduces.

Supplementary Material

MP4 File (sacmat22-sacmat20bs.mp4)
In this talk, we discuss the characteristics and challenges of physical access control (PAC). We distinguish PAC versus logical access control and other related concepts. We characterize access management and enforcement in PAC by presenting an access control architecture that captures its central concepts and processes, such as physical space models and policy conversion. Finally, we discuss some of the unique research challenges and opportunities in the PAC domain.

References

[1]
C. Ardagna, M. Cremonini, S. De Capitani di Vimercati, and P. Samarati. Access Control in Location-Based Services. In Privacy in Location-Based Applications, pages 106--126. 2009.
[2]
A. Ben Fadhel, D. Bianculli, L. Briand, and B. Hourte. A Model-driven Approach to Representing and Checking RBAC Contextual Policies. In Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, CODASPY '16, pages 243--253, 2016.
[3]
E. Bertino, P. A. Bonatti, and E. Ferrari. TRBAC: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur., 4(3):191--233, 2001.
[4]
R. Bhatti, E. Bertino, and A. Ghafoor. A Trust-Based Context-Aware Access Control Model for Web-Services. Distributed and Parallel Databases, 18(1):83--105, 2005.
[5]
Y. Cao, Z. Huang, Y. Yu, C. Ke, and Z. Wang. A topology and risk-aware access control framework for cyber-physical space. Frontiers of Computer Science, 14(4):144805, 2020.
[6]
Y. Cao, Y. Ping, S. Tao, Y. Chen, and Y. Zhu. Specification and adaptive verification of access control policy for cyber-physical-social spaces. Computers & Security, 114:102579, 2022.
[7]
L. Cardelli and A. D. Gordon. Types for mobile ambients. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL '99, pages 79--92, 1999.
[8]
S. M. Chandran and J. B. D. Joshi. LoT-RBAC: A Location and Time-Based RBAC Model. In A. H. H. Ngu, M. Kitsuregawa, E. J. Neuhold, J.- Y. Chung, and Q. Z. Sheng, editors, Web Information Systems Engineering -- WISE 2005, LNCS, pages 361--375, 2005.
[9]
R. B. CHS-III PSP. Fixing the gaps in your PACS. Security Info Watch. 2017. url: https://www.securityinfowatch.com/access-identity/article/12293604/fixing-the-gaps-in-your-pacs.
[10]
M. L. Damiani, E. Bertino, B. Catania, and P. Perlasca. GEO-RBAC: A spatially aware RBAC. ACM Trans. Inf. Syst. Secur., 10(1), 2007.
[11]
A. Datta, S. Jha, N. Li, D. Melski, and T. Reps. Analysis Techniques for Information Security. Synthesis Lectures on Information Security, Privacy, and Trust, 2(1):1--164, 2010.
[12]
eXtensible Access Control Markup Language (XACML) Version 3.0 Plus Errata 01, OASIS, 2017. url: http://docs.oasis-open.org/xacml/3.0/errata01/os/xacml-3.0-core-spec-errata01-os-complete.pdf.
[13]
W. M. Fitzgerald, F. Turkmen, S. N. Foley, and B. O'Sullivan. Anomaly analysis for Physical Access Control security configuration. In 7th International Conference on Risks and Security of Internet and Systems (CRiSIS), pages 1--8, 2012.
[14]
Flight Systems Stolen From Arik Air Boeing 737. Simple Flying. 2022. url: https://simpleflying.com/arik-air-737-system-theft/.
[15]
R. Frohardt, B. E. Chang, and S. Sankaranarayanan. Access Nets: Modeling Access to Physical Spaces. In VMCAI, 2011.
[16]
M. Ge and S. L. Osborn. A design for parameterized roles. In C. Farkas and P. Samarati, editors. IFIP TC11/WG11.3 Eighteenth Annual Conference on Data and Applications Security, pages 251--264, 2004.
[17]
Glossary of Key Information Security Terms. Glossary NISTIR 7298 Rev. 3, NIST. url: https://csrc.nist.gov/glossary/term/lacs.
[18]
V. C. Hu, D. Ferraiolo, R. Kuhn, A. Schnitzer, K. Sandlin, R. Miller, and K. Scarfone. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST SP 800--162, National Institute of Standards and Technology, 2014. url: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800--162.pdf.
[19]
A. A. Jabal, M. Davari, E. Bertino, C. Makaya, S. Calo, D. Verma, A. Russo, and C. Williams. Methods and Tools for Policy Analysis. ACM Computing Surveys, 51(6):121:1--121:35, 2019.
[20]
D. Lin, P. Rao, E. Bertino, N. Li, and J. Lobo. EXAM: a comprehensive environment for the analysis of access control policies. Intl. Journal of Information Security, 9(4):253--273, 2010.
[21]
R. Milner. The Space and Motion of Communicating Agents. 2009. 215 pages.
[22]
J. Newman and K. Griffith. Facebook's WFH policy made 7-hour outage worse. Daily Mail. 2021. url: https://www.dailymail.co.uk/news/article-10060447/WFH-Facebooks-outage-worse-75--60-000-workforce-not-office-fix-it.html.
[23]
ONVIF Access Rules Service Specification, ONVIF: Open Network Video Interface Forum Inc., 2019. url: http://www.onvif.org/specs/srv/access/ONVIF-AccessRules-Service-Spec.pdf.
[24]
OSS Standard Offline (OSS-SO). OSS-Association. url: https://www.oss-association.com/en/oss-association/oss-standards/oss-standard-offline-application/.
[25]
L. Pasquale, C. Ghezzi, E. Pasi, C. Tsigkanos, M. Boubekeur, B. Florentino-Liano, T. Hadzic, and B. Nuseibeh. Topology-Aware Access Control of Smart Spaces. Computer, 50(7):54--63, 2017.
[26]
J. Saltzer and M. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278--1308, 1975.
[27]
R. S. Sandhu, E. J. E. Coyne, H. L. Feinstein, and C. E. C. Youman. Role-based access control models. Computer, 29(2):38--47, 1996.
[28]
B. Schneier. Essays: Is Perfect Access Control Possible? - Schneier on Security. url: https://www.schneier.com/essays/archives/2009/09/is_perfect_access_co.html.
[29]
D. Servos and S. L. Osborn. Current Research and Open Problems in Attribute-Based Access Control. ACM Comput. Surv., 49(4):65:1--65:45, 2017.
[30]
N. Skandhakumar, F. Salim, J. Reid, and E. Dawson. Physical Access Control Administration Using Building Information Models. In Cyberspace Safety and Security, volume 7672, pages 236--250, 2012.
[31]
L. Tandon, P. W. L. Fong, and R. Safavi-Naini. HCAP: A History-Based Capability System for IoT Devices. In Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies, SACMAT '18, pages 247--258, 2018.
[32]
The Physical Security Business 2021 to 2026 - Access Control, Video Surveillance & Intruder Alarm / Perimeter Protection Research, Meemoori Research AB, 2021-Q4.
[33]
P. Tsankov, M. Dashti, and D. Basin. Access Control Synthesis for Physical Spaces. 29th IEEE Computer Security Foundations Symposium (CSF), 2016.
[34]
C. Tsigkanos, L. Pasquale, C. Ghezzi, and B. Nuseibeh. Ariadne: Topology Aware Adaptive Security for Cyber-Physical Systems. 37th IEEE International Conference on Software Engineering, 2015.
[35]
C. Tsigkanos, L. Pasquale, C. Menghi, C. Ghezzi, and B. Nuseibeh. Engineering topology aware adaptive security: Preventing requirements violations at runtime. In 22nd IEEE International Requirements Engineering Conference (RE), pages 203--212, 2014.
[36]
F. Turkmen, S. Foley, B. O'Sullivan, W. Fitzgerald, T. Hadzic, S. Basagiannis, and M. Boubekeur. Explanations and Relaxations for Policy Conflicts in Physical Access Control. In Proc. 25th IEEE International Conference on Tools with Artificial Intelligence, ICTAI '13, pages 330--336, 2013.
[37]
D. Unal and M. U. Caglayan. A formal role-based access control model for security policies in multi-domain mobile networks. Computer Networks, 57(1):330--350, 2013.
[38]
J. van der Laan. Incremental Verification of Physical Access Control Systems, University of Twente, 2021. url: http://essay.utwente.nl/85634/3/Laan_MA_EEMCS.pdf.

Cited By

View all
  • (2024)IoT—A Promising Solution to Energy Management in Smart Buildings: A Systematic Review, Applications, Barriers, and Future ScopeBuildings10.3390/buildings1411344614:11(3446)Online publication date: 29-Oct-2024
  • (2023)FaceCrypt: Securing Workplaces Based on Facial Recognition and Visual Cryptography2023 International Conference on Engineering and Emerging Technologies (ICEET)10.1109/ICEET60227.2023.10526160(1-6)Online publication date: 27-Oct-2023

Index Terms

  1. BlueSky: Physical Access Control: Characteristics, Challenges, and Research Opportunities

      Recommendations

      Comments

      Information & Contributors

      Information

      Published In

      cover image ACM Conferences
      SACMAT '22: Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies
      June 2022
      282 pages
      ISBN:9781450393577
      DOI:10.1145/3532105
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Sponsors

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 08 June 2022

      Permissions

      Request permissions for this article.

      Check for updates

      Author Tags

      1. access control policy
      2. physical access control
      3. physical security
      4. policy analysis
      5. policy conversion
      6. policy enforcement

      Qualifiers

      • Research-article

      Conference

      SACMAT '22
      Sponsor:

      Acceptance Rates

      Overall Acceptance Rate 177 of 597 submissions, 30%

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • Downloads (Last 12 months)45
      • Downloads (Last 6 weeks)10
      Reflects downloads up to 14 Feb 2025

      Other Metrics

      Citations

      Cited By

      View all
      • (2024)IoT—A Promising Solution to Energy Management in Smart Buildings: A Systematic Review, Applications, Barriers, and Future ScopeBuildings10.3390/buildings1411344614:11(3446)Online publication date: 29-Oct-2024
      • (2023)FaceCrypt: Securing Workplaces Based on Facial Recognition and Visual Cryptography2023 International Conference on Engineering and Emerging Technologies (ICEET)10.1109/ICEET60227.2023.10526160(1-6)Online publication date: 27-Oct-2023

      View Options

      Login options

      View options

      PDF

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Figures

      Tables

      Media

      Share

      Share

      Share this Publication link

      Share on social media