000000157 001__ 157
000000157 005__ 20130522141950.0
000000157 037__ $$aLERSSE-PRESENTATION-2008-071
000000157 041__ $$aeng
000000157 100__ $$aKonstantin Beznosov
000000157 245__ $$aThe Secondary and Approximate Authorization Model and its Application to BLP and RBAC Policies
000000157 260__ $$c2008-07-06
000000157 300__ $$a58p
000000157 520__ $$aThe request-response paradigm used for access control solutions commonly leads to point-to-point (PTP) architectures, with security enforcement logic obtaining decisions from authorization servers through remote procedure calls. In massive-scale and complex enterprises, PTP authorization architectures result in fragile and inefficient solutions. They also fail to exploit virtually free CPU resources and network bandwidth. This talk introduces a three-fold approach to improving availability and performance of authorization solutions: employing publish-subscribe technologies, "actively" recycling authorizations, and flooding PEPs with speculatively precomputed “junk” authorizations. After introducing the approach, the talk describes in detail the active authorization recycling part. Specifically, it defines the secondary and approximate authorization model (SAAM). In SAAM, approximate authorization responses are inferred from cached primary responses, and therefore provide an alternative source of access control decisions in the event that the authorization server is unavailable or slow. The ability to compute approximate authorizations improves the reliability and performance of access control sub-systems and ultimately the application systems themselves. The operation of a system that employs SAAM depends on the type of access control policy it implements. We propose and analyze algorithms for computing secondary authorizations in the case of policies based on the Bell-LaPadula (BLP) and role-based access control (RBAC) models.
000000157 6531_ $$aSAAM
000000157 6531_ $$aRBAC
000000157 6531_ $$aBLP
000000157 6531_ $$aauthorization
000000157 6531_ $$aaccess control
000000157 6531_ $$aavailability
000000157 8560_ $$fqiangw@ece.ubc.ca
000000157 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/157/files/157.pdf$$yTransfer from CDS 0.99.7
000000157 909C4 $$pKonstantin Beznosov, “The Secondary and Approximate Authorization Model and its Application to BLP and RBAC Policies” talk given at the Computer Science Department, IBM Research Laboratory, Rüeschlikon, Switzerland, 5 June 2008.
000000157 980__ $$aPRESENTATION