ABSTRACT
Physical access control (PAC) is an integral part of the physical security system of any organization. However, despite the size of the PAC industry and its importance in securing our physical environments, public research and development regarding PAC are limited. This paper aims to lower the barriers for the access control research community to explore and engage in the research opportunities regarding PAC systems. We characterize PAC systems and present an access control architecture that captures their central concepts, such as physical space models and different levels of policies, and processes such as policy conversion, enforcement, and analysis. We discuss how PAC can be distinguished from logical access control (LAC), which is applicable to cyber environments. We also present several unique challenges and research opportunities that the PAC domain introduces.
Index Terms
- BlueSky: Physical Access Control: Characteristics, Challenges, and Research Opportunities