Panel Discussion - I: Access Control for Assured Information Sharing
Solutions for access control for assured information systems were discussed as a panel session. In general, it was agreed that a variety of solutions need to be provided for sharing needs. Considerations include:
- Trust
- Ownership - how this issue is dealt with
- Responsibility - to share the knowledge and protect everyone
This aspect of research has become especially important after 9/11. We potentially had all the information within different departments to prevent/respond/reduce the severity of the attacks. But the information was restricted and information was not shared between systems.
The solution also needs to be adaptive - generalised event based management.
Some questions and issues raised during the panel:
- Why can't you have 1 solution for different scenarios, does it have to be a case by case basis?
- Enforcing sharing obligations infringes decision making
- Inherently, people do not trust computers
- DAC - restrict access as much as possible.
- Selective data sharing - share when you can get credit
Panel Discussion - II: Directions for Access Control and Policy Management
The areas that I paid the most attention to was role engineering. There is a lot of interest in this area, particularly in industry. The main issue for role engineering is definition of a structure is correct and that is good. Measure of correct is simple, measure of good is more difficult. On the day, it was agreed that generally, you should have less roles than users. Otherwise the infrastructure is useless, it would be more optimal to assign permissions to users directly. However, it was also discussed the presence of abstract roles. That is, roles that are not assigned to any users. Are they still useful? They may assigned the design of the infrastructure in hierarchical RBAC. In retrospect, if abstract roles exist, it may be acceptable for the number of roles to be larger than the number of users.
Posts
No comments:
Post a Comment