Access Control: Foundations and Recent Advancements

Speaker: Shamik Sural – Kharagpur, India
Topic(s): Security and Privacy


Access control is one of the most important pillars of computer security and has been a well-researched topic in the field for more than four decades. Access control mechanisms, typically based on formal models, are used to mitigate the risk of unauthorized access to data, resources and systems in an organization. For traditional information systems that deal with a pre-specified set of users, access control models such as Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC) work satisfactorily. However, a primary limitation of these traditional models is their heavy dependence on user identity for making access decisions. Because of this, such models are not well suited to dynamic situations in which unknown users from external domains may have to be granted access in a controlled manner. Furthermore, their inherent lack of extensibility makes it difficult to take into account the context in which an access request is made. To handle such requirements, the Attribute-Based Access Control (ABAC) model has recently been proposed.

In ABAC, a user is permitted or denied access to an object in a particular situation based on a set of rules (together called an ABAC policy) specified over the attribute values of three types of entities, namely user, object and environment. ABAC offers several advantages, including the ability to specify fine-grained policies, the handling of environmental factors that affect access decisions, and support for ad hoc users who present appropriate attribute values.

In this talk, we first introduce the traditional access control techniques, followed by details on how the various components of ABAC can be specified in a given system. Next, we discuss some of the research challenges in implementing ABAC in an organization. An important problem in this context is the efficient evaluation of ABAC rules, which is essential for making access decisions at online speed when a request arrives. Sequentially evaluating all the rules in a policy is inherently time consuming and does not scale well with the size of the ABAC system or the rate at which access requests are generated. To address this concern, we describe an efficient data structure called PolTree that can be used for specifying and enforcing ABAC policies. We also present experimental findings on the scalability of this approach.
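The rule-evaluation problem described above, as an added example that is not from the talk or its PolTree work: a small ABAC policy over user, object and environment attributes is evaluated both by walking every rule and through a simple attribute-indexed tree. The policy, the attribute order used for the tree levels, and the sample requests are constructed here; the tree is an assumed, simplified illustration of the idea, not the PolTree structure itself.

```python
from typing import Any, Dict, List, Tuple

Request = Dict[str, Dict[str, Any]]   # {"user": {...}, "object": {...}, "env": {...}}
Rule = Dict[Tuple[str, str], Any]     # {(entity, attribute): required value, ...}

# Constructed sample policy (hospital-style); access is permitted if any rule matches.
POLICY: List[Rule] = [
    {("user", "role"): "doctor", ("object", "type"): "record", ("env", "location"): "ward"},
    {("user", "role"): "nurse", ("object", "type"): "record", ("env", "shift"): "day"},
    {("user", "role"): "doctor", ("object", "type"): "prescription"},
]

def matches(rule: Rule, req: Request) -> bool:
    """A rule holds when every (entity, attribute) in it equals the request's value."""
    return all(req.get(ent, {}).get(attr) == val for (ent, attr), val in rule.items())

def evaluate_sequential(policy: List[Rule], req: Request) -> bool:
    """Baseline: every rule is checked on every request, so cost grows with policy size."""
    return any(matches(r, req) for r in policy)

# Tree levels, in order. ANY marks a rule that leaves that level unconstrained (wildcard).
ORDER = [("user", "role"), ("object", "type")]
ANY = object()

def build_index(policy: List[Rule]) -> dict:
    """Place each rule at the leaf reached by following its ORDER attribute values."""
    root = {"children": {}, "rules": []}
    for rule in policy:
        node = root
        for key in ORDER:
            node = node["children"].setdefault(rule.get(key, ANY), {"children": {}, "rules": []})
        node["rules"].append(rule)
    return root

def candidate_rules(index: dict, req: Request) -> List[Rule]:
    """Descend only along the request's own values plus wildcard branches."""
    frontier = [index]
    for ent, attr in ORDER:
        value = req.get(ent, {}).get(attr)
        frontier = [child for node in frontier for key, child in node["children"].items()
                    if key is ANY or key == value]
    return [r for node in frontier for r in node["rules"]]

def evaluate_indexed(index: dict, req: Request) -> bool:
    """Candidates may still constrain attributes outside ORDER (e.g. env), so re-check fully."""
    return any(matches(r, req) for r in candidate_rules(index, req))

# Constructed sample requests.
REQ_DOCTOR_WARD = {"user": {"role": "doctor"}, "object": {"type": "record"}, "env": {"location": "ward"}}
REQ_NURSE_NIGHT = {"user": {"role": "nurse"}, "object": {"type": "record"}, "env": {"shift": "night"}}
```

Both evaluators return the same decision, but the indexed path only re-checks the rules under the request's own branch, so the number of candidate rules stays small as the policy grows.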

About this Lecture

Number of Slides: 40
Duration: 75 minutes
Languages Available: English
Last Updated: 

Request this Lecture

To request this particular lecture, please complete this online form.

Request a Tour

To request a tour with this speaker, please complete this online form.

All requests will be sent to ACM headquarters for review.