|
 ABSTRACT
Access control models are usually static, i.e, permissions are granted based on a policy that only changes seldom. Especially for scenarios in health care and disaster management, a more flexible support of access control, i.e., the underlying policy, is needed. Break-glass is one approach for such a flexible support of policies which helps to prevent system stagnation that could harm lives or otherwise result in losses. Today, break-glass techniques are usually added on top of standard access control solutions in an ad-hoc manner and, therefore, lack an integration into the underlying access control paradigm and the systems' access control enforcement architecture. We present an approach for integrating, in a fine-grained manner, break-glass strategies into standard access control models and their accompanying enforcement architecture. This integration provides means for specifying break-glass policies precisely and supporting model-driven development techniques based on such policies.
REFERENCES
Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.
| |
1
|
Break-glass: An approach to granting emergency access to healthcare systems. White paper, Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC), 2004.
|
| |
2
|
|
| |
3
|
|
| |
4
|
Basel Committee on Banking Supervision. Basel II: International convergence of capital measurement and capital standards. Technical report, Bank for International Settlements, Basel, Switzerland, 2004.
|
| |
5
|
|
 |
6
|
|
| |
7
|
|
| |
8
|
A. D. Brucker and J. Doser. Metamodel-based UML notations for domain-specific languages. In J. M. Favre, D. Gasevic, R. Lämmel, and A. Winter, editors, 4th International Workshop on Software Language Engineering (ATEM 2007). Oct. 2007.
|
| |
9
|
A. D. Brucker, J. Doser, and B. Wolff. An MDA framework supporting OCL. Electronic Communications of the EASST, 5, 2006.
|
| |
10
|
A. D. Brucker, J. Doser, and B. Wolff. A model transformation semantics and analysis methodology for SecureUML. In O. Nierstrasz, J. Whittle, D. Harel, and G. Reggio, editors, MoDELS 2006: Model Driven Engineering Languages and Systems, number 4199 in Lecture Notes in Computer Science, pages 306--320. Springer-Verlag, 2006. An extended version of this paper is available as ETH Technical Report, no. 524.
|
| |
11
|
|
| |
12
|
Nathan Dimmock , András Belokosztolszki , David Eyers , Jean Bacon , Ken Moody, Using trust and risk in role-based access control policies, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
[doi> 10.1145/990036.990062]
|
| |
13
|
|
| |
14
|
|
| |
15
|
A Ferreira , R Cruz-Correia , L Antunes , P Farinha , E Oliveira-Palhares , D W. Chadwick , A Costa-Pereira, How to Break Access Control in a Controlled Manner, Proceedings of the 19th IEEE Symposium on Computer-Based Medical Systems, p.847-854, June 22-23, 2006
[doi> 10.1109/CBMS.2006.95]
|
| |
16
|
C. Fox and P. Zonneveld. IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting. IT Governance Institute, Rolling Meadows, IL, USA, 2nd edition, Sept. 2006.
|
| |
17
|
M. Hafner, M. Memon, and M. Alam. Modeling and enforcing advanced access control policies in healthcare systems with Sectet. In H. Giese, editor, MoDELS Workshops, volume 5002 of Lecture Notes in Computer Science, pages 132--144, Heidelberg, 2007. Springer-Verlag.
|
| |
18
|
J. Hu and A. C. Weaver. Dynamic, context-aware access control for distributed healthcare applications. In Proceedings of the First Workshop on Pervasive Security, Privacy and Trust (PSPT), 2004.
|
| |
19
|
|
| |
20
|
|
| |
21
|
J. J. Longstaff , M. A. Lockyer , M. G. Thick, A model of accountability, confidentiality and override for healthcare and other applications, Proceedings of the fifth ACM workshop on Role-based access control, p.71-76, July 26-28, 2000, Berlin, Germany
[doi> 10.1145/344287.344304]
|
| |
22
|
eXtensible Access Control Markup Language (XACML), version 2.0, 2005.
|
| |
23
|
OMG XML metadata interchange (XMI) specification (version 1.1), Nov. 2000. Available as OMG document formal/00-11-02.
|
| |
24
|
UML 2.0 OCL specification, Oct. 2003. Available as OMG document ptc/03-10-14.
|
| |
25
|
UML 2.0 superstructure specification, July 2005. Available as OMG document formal/05-07-04.
|
| |
26
|
|
| |
27
|
|
| |
28
|
E. Rissanen. Towards a mechanism for discretionary overriding of access control (transcript of discussion). In B. Christianson, B. Crispo, J. A. Malcolm, and M. Roe, editors, Proceedings of the 12th International Workshop on Security Protocols, volume 3957 of Lecture Notes in Computer Science, pages 320--323, Heidelberg, Mar. 2004. Springer-Verlag.
|
| |
29
|
E. Rissanen, B. S. Firozabadi, and M. J. Sergot. Discretionary overriding of access control in the privilege calculus. In T. Dimitrakos and F. Martinelli, editors, Proceedings of the Workshop on Formal Aspects Security and Trust (FAST), volume 173, pages 219--232, Heidelberg, 2004. Springer-Verlag.
|
| |
30
|
|
| |
31
|
|
| |
32
|
P. Sarbanes, G. Oxley, et al. Sarbanes-Oxley Act of 2002. 107th Congress Report, House of Representatives, 2nd Session, 107--610, 2002.
|
| |
33
|
|
| |
34
|
Marc Wilikens , Simone Feriti , Alberto Sanna , Marcelo Masera, A context-related authorization and access control method based on RBAC:, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA
[doi> 10.1145/507711.507730]
|
| |
35
|
|
|
Adobe Acrobat
QuickTime
Windows Media Player
Real Player
Pdf
D.4