000000122 001__ 122
000000122 005__ 20130522141951.0
000000122 037__ $$aLERSSE-PRESENTATION-2006-060
000000122 041__ $$aeng
000000122 100__ $$aKonstantin Beznosov
000000122 245__ $$aEmploying Secondary and Approximate Authorizations to Improve Access Control Systems
000000122 260__ $$c2006-10-18
000000122 520__ $$aThe request-response paradigm used for developing access control solutions commonly leads to point-to-point (PTP) architectures, with security enforcement logic obtaining decisions from authorization servers through remote procedure calls. In massive-scale and complex enterprises, PTP authorization architectures result in fragile and inefficient solutions. They also fail to exploit virtually free CPU resources and network bandwidth. This talk introduces a three-fold approach to improving availability and performance of authorization solutions: employing publish-subscribe technologies, *actively* recycling authorizations, and flooding policy enforcement points with speculatively precomputed *junk* authorizations. After introducing the approach, the talk describes in detail the active authorization recycling part. Specifically, it defines the secondary and approximate authorization model (SAAM). In SAAM, approximate authorization responses are inferred from cached primary responses, and therefore provide an alternative source of access control decisions in the event that the authorization server is unavailable or slow. The ability to compute approximate authorizations is expected to improve the reliability and performance of access control sub-systems and ultimately the application systems themselves. The operation of a system that employs SAAM depends on the type of access control policy it implements. We propose and analyze algorithms for computing secondary authorizations in the case of policies based on the Bell-LaPadula model. In this context, we define a dominance graph, and describe its construction and usage for generating secondary responses to authorization requests. We discuss preliminary results of evaluating stand-alone and distributed versions of SAAM-BLP algorithms.
000000122 6531_ $$aSAAM
000000122 6531_ $$aJAMES
000000122 6531_ $$aaccess control
000000122 6531_ $$aBell-LaPadulla
000000122 6531_ $$aBLP
000000122 6531_ $$aCSAR
000000122 6531_ $$aaccess control models and languages
000000122 8560_ $$fqiangw@ece.ubc.ca
000000122 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/122/files/122.pdf$$yTransfer from CDS 0.99.7
000000122 909C4 $$pKonstantin Beznosov "Employing Secondary and Approximate Authorizations to Improve Access Control Systems," Halifax, NS, Canada, Faculty of Computer Science, Dalhousie University, 12 October, 2006, pp.43.
000000122 980__ $$aPRESENTATION