Abstract
With increasing information exchange within and between organizations, it becomes increasingly unsatisfactory to depend solely on access control to meet confidentiality and other security needs. To better support the regulation of information flow, this paper presents a release control framework founded on a logical language. Release policies can be specified in a hierarchical manner, in the sense that each user, group, division and organization can specify their own policies, and these are combined by the framework in a manner that enables flexibility within the context of management oversight and regulation. In addition, the language can be used naturally to specify associated provisions (actions that must be undertaken before the release is permitted) and obligations (actions that are agreed will be taken after the release).
This paper also addresses issues arising due to the fact that a data object can be released from one entity to another in sequence, along a release path. We show how to test whether a given release specification satisfies given constraints on the release paths it authorizes. We also show how to find the best release paths from release specifications, based on weights specified by users. The factors affecting weights include the subjects through which a path passes, as well as the provisions and obligations that must be met to authorize each step in the path.
Keywords
Download to read the full chapter text
Chapter PDF
References
Piero A. Bonatti, Sabrina De Capitani di Vimercati, and Pierangela Samarati. A modular approach to composing access control policies. In ACM Conference on Computer and Communications Security, pages 164–173, 2000.
Claudio Bettini, Sushil Jajodia, Xiaoyang Sean Wang, and Duminda Wijesekera. Provisions and obligations in policy management and security applications. In VLDB, pages 502–513, 2002.
Dorothy E. Denning. A lattice model of secure information flow. Commun. ACM, 19(5):236–243, 1976.
Simon N. Foley. A model for secure information flow. In IEEE Symposium on Security and Privacy, pages 248–258, 1989.
Allen Van Gelder. The alternating fixpoint of logic programs with negation. In Proceedings of the Eighth ACM SIGACT-SIGMOD-SIGART Symposium on Principles of Database Systems, March 29–31, 1989, Philadelphia, Pennsylvania, pages 1–10. ACM Press, 1989.
Sushil Jajodia, Pierangela Samarati, Maria Luisa Sapino, and V. S. Subrahmanian. Flexible support for multiple access control policies. ACM Trans. Database Syst., 26(2):214–260, 2001.
John W. Lloyd. Foundations of Logic Programming, Second Edition. Springer, 1987.
Andrew C. Myers and Barbara Liskov. A decentralized model for information flow control. In SOSP, pages 129–142, 1997.
Catherine D. McCollum, J. R. Messing, and LouAnna Notargiacomo. Beyond the pale of mac and dac-defining new forms of access control. In IEEE Symposium on Security and Privacy, pages 190–200, 1990.
Pierangela Samarati, Elisa Bertino, Alessandro Ciampichetti, and Sushil Jajodia. Information flow control in object-oriented systems. IEEE Trans. Knowl. Data Eng., 9(4):524–538, 1997.
Ravi S. Sandhu, Venkata Bhamidipati, and Qamar Munawer. The arbac97 model for role-based administration of roles. ACM Trans. Inf. Syst. Secur., 2(1):105–135, 1999.
Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, and Charles E. Youman. Role-based access control models. IEEE Computer, 29(2):38–47, 1996.
Duminda Wijesekera and Sushil Jajodia. Policy algebras for access control the predicate case. In ACM Conference on Computer and Communications Security, pages 171–180, 2002.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 International Federation for Information Processing
About this paper
Cite this paper
Yao, C., Winsborough, W.H., Jajodia, S. (2005). A Hierarchical Release Control Policy Framework. In: Dowland, P., Furnell, S., Thuraisingham, B., Wang, X.S. (eds) Security Management, Integrity, and Internal Control in Information Systems. IICIS 2004. IFIP International Federation for Information Processing, vol 193. Springer, Boston, MA. https://doi.org/10.1007/0-387-31167-X_8
Download citation
DOI: https://doi.org/10.1007/0-387-31167-X_8
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29826-9
Online ISBN: 978-0-387-31167-8
eBook Packages: Computer ScienceComputer Science (R0)