Abstract: To protect resources from unauthorized access and data leakage in companies, security experts and administrators can use mechanisms such as Access Control (AC) and Transmission Control (TC). Both AC and TC are based on policies that are defined, modified and revoked by these experts. However, policy management can be a time-consuming and tiresome task, especially when both mechanisms are used on large sets of users and resources. Moreover, contradictions between AC and TC policies can appear, for instance when a legitimate user is allowed to send a resource to someone who cannot access it. Such contradictions can lead to data leakage.
In this article, we first study experts' feedback on policy definition and usage by reporting the results of a survey we conducted among IT professionals. Based on the results of this survey, we then present a generic model that generates TC policies from existing AC policies. This model serves several purposes. First, it takes into account the main AC models used in companies (the genericity problem). Secondly, it tackles the problem of incoherences between AC and TC policies (the coherence problem). Thirdly, it can reduce the total number of resources and subjects managed by the security policies (the complexity problem). Finally, it takes into account how frequently company policies are updated (the rapidity problem).
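The abstract names two of the model's goals, coherence between AC and TC rules and reduction of the number of managed subjects, without giving the model itself. The following added example (not code from the paper or its authors) illustrates both on a constructed read-access matrix. It assumes the simplest derivation rule: a subject may transmit a resource only to subjects that the AC policy already allows to access it. It also shows a check that flags any hand-written TC rule violating that invariant, and groups subjects with identical rights into classes to shrink the policy. All subject and resource names are constructed.

```python
"""Derive Transmission Control (TC) rules from an Access Control (AC)
policy, check both for coherence, and compress the subject set.

Added example; the derivation rule below is an assumption, not the
model described in the report."""

# Constructed sample AC policy: resource -> set of subjects allowed to read it.
AC_POLICY = {
    "payroll.xlsx": {"alice", "bob"},
    "roadmap.pdf": {"alice", "bob", "carol"},
    "public_notice.txt": {"alice", "bob", "carol", "dave"},
}


def derive_tc_policy(ac):
    """Build TC rules (sender, resource) -> allowed recipients from AC.

    Assumed rule: only a subject with access to a resource may send it,
    and only to other subjects who also have access to it. By
    construction, the result cannot create a leak path."""
    tc = {}
    for resource, readers in ac.items():
        for sender in readers:
            tc[(sender, resource)] = readers - {sender}
    return tc


def find_incoherences(ac, tc):
    """Return (sender, resource, recipient) triples where a TC rule lets a
    resource reach a subject that AC does not allow to access it.

    This is the contradiction the abstract describes: a legitimate sender
    forwarding data to someone outside the AC policy."""
    leaks = []
    for (sender, resource), recipients in tc.items():
        readers = ac.get(resource, set())
        for recipient in recipients - readers:
            leaks.append((sender, resource, recipient))
    return sorted(leaks)


def group_subjects(ac):
    """Partition subjects into classes with identical access rights.

    Subjects in one class can be managed by a single policy entry,
    which reduces the number of managed subjects."""
    subjects = set().union(*ac.values())
    by_rights = {}
    for subject in subjects:
        rights = frozenset(r for r, readers in ac.items() if subject in readers)
        by_rights.setdefault(rights, set()).add(subject)
    return sorted(sorted(group) for group in by_rights.values())


if __name__ == "__main__":
    derived = derive_tc_policy(AC_POLICY)
    print("derived TC rules:", len(derived))
    print("incoherences in derived TC:", find_incoherences(AC_POLICY, derived))

    # A hand-written TC rule that lets alice send payroll data to dave,
    # who has no read access: the check reports it as a leak path.
    manual_tc = {("alice", "payroll.xlsx"): {"bob", "dave"}}
    print("incoherences in manual TC:", find_incoherences(AC_POLICY, manual_tc))

    print("subject classes:", group_subjects(AC_POLICY))
```

Running the derivation over the AC matrix yields one TC entry per (reader, resource) pair, and the coherence check returns nothing for it; the same check on the manually written rule reports the path to `dave`. The grouping step collapses `alice` and `bob`, who hold identical rights, into a single class, so four subjects become three managed entities.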
Contributor: Yoann Bertrand <>
Submitted on: Wednesday 18 May 2016 - 08:16:44
Last modified on: Friday 16 September 2016 - 15:15:25
Document(s) archived on: Thursday 17 November 2016 - 10:47:43
Yoann Bertrand, Mireille Blay-Fornarino, Karima Boudaoud, Michel Riveill. A model to reduce complexity and maintain coherence between Access Control and Transmission Control policies. [Research Report] I3S. 2016. <hal-01317109>