A provenance-based access control model for dynamic separation of duties

Abstract

Dynamic Separation of Duties (DSOD) is a well-known and important concept in cyber security, which has been extensively studied in the literature. The published literature mostly assumes that necessary information for enabling DSOD constraints is readily available. As such, there has been little discussion on the tasks of capturing, storing, extracting, and utilizing necessary historical information. Since this information is often in the form of system events history, provenance data is naturally suitable as the source for DSOD-related information. Recently the notion of provenance-based access control (PBAC) has been formulated and a base PBAC model (PBAC <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">B</sub> ) together with an underlying provenance data model has been formally specified [19], [22]. Unlike Role-based Access Control where DSOD is modeled as a constraint, PBAC <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">B</sub> directly maintains and utilizes the necessary information for DSOD enforcement. In this paper, we propose an enhanced model, PBACc, by extending both the provenance data model and the PBAC <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">B</sub> model to enforce various DSOD policy classes identified in the literature, and go beyond these to specify novel DSOD policy classes. A proof-of-concept prototype is implemented and evaluated to demonstrate the feasibility of our approach.