Function-based access control (FBAC): towards preventing insider threats in organizations
Version 2 2024-06-13, 13:00
Version 1 2019-05-02, 10:46
chapter
posted on 2024-06-13, 13:00, authored by Y Desmedt, A Shaghaghi
Insiders misuse their access to data and are known to pose serious risks to organizations. From a security engineering viewpoint, each insider threat incident is associated with a full or partial failure of an access control system. Here, we introduce Function-Based Access Control (FBAC). FBAC is inspired by Functional Encryption but takes a systems approach to the problem. Abstractly, access authorizations are no longer stored as a two-dimensional Access Control Matrix (ACM). Instead, FBAC stores access authorizations as a three-dimensional tensor (called the Access Control Tensor). Hence, applications are no longer given blindfolded execution rights, and users can only invoke commands that have been authorized at different levels, such as data segments. Simply put, one might be authorized to use a certain command on one object while being forbidden to use the same command on another object. Evidently, this level of granularity and customization cannot be efficiently modeled using the classical access control matrix. The theoretical foundations of FBAC are presented along with its Policy, Enforcement, and Implementation (PEI) requirements. A critical analysis of the advantages of deploying FBAC, how it will result in developing a new generation of applications, and its compatibility with existing models and systems is also included. Finally, a proof-of-concept implementation of FBAC is presented.
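The contrast the abstract draws between a two-dimensional ACM and a three-dimensional Access Control Tensor, as an added Python illustration (not the chapter's proof-of-concept code): the subjects, commands and object segments are constructed, and the "application holds a blanket execute right" behaviour of the ACM side is this example's own modelling assumption.

```python
# Hypothetical model of ACM vs. Access Control Tensor (FBAC) decisions.
# All subjects, commands and objects below are constructed for illustration.
from collections import defaultdict


class AccessControlMatrix:
    """Classical 2-D model: rights indexed by (subject, object)."""
    def __init__(self):
        self.rights = defaultdict(set)

    def grant(self, subject, obj, right):
        self.rights[(subject, obj)].add(right)

    def may_run(self, subject, command, obj):
        # Assumption: the application holds a blanket 'execute' right, so once
        # it may run on an object every command it implements runs on it.
        return "execute" in self.rights[(subject, obj)]


class AccessControlTensor:
    """FBAC model: rights indexed by (subject, function, object); default deny."""
    def __init__(self):
        self.allowed = set()

    def grant(self, subject, function, obj):
        self.allowed.add((subject, function, obj))

    def may_run(self, subject, command, obj):
        # Only the exact (subject, command, object) triple is authorized.
        return (subject, command, obj) in self.allowed


def build_policies():
    """Same intent in both models: a clerk may view salaries in both payroll
    data segments but may bulk-export only the public segment."""
    acm = AccessControlMatrix()
    acm.grant("clerk", "payroll#public", "execute")
    acm.grant("clerk", "payroll#exec", "execute")
    act = AccessControlTensor()
    for segment in ("payroll#public", "payroll#exec"):
        act.grant("clerk", "view_salary", segment)
    act.grant("clerk", "export_all", "payroll#public")
    return acm, act


def compare(subject, command, obj):
    """Return (acm_decision, tensor_decision) for one request."""
    acm, act = build_policies()
    return acm.may_run(subject, command, obj), act.may_run(subject, command, obj)


if __name__ == "__main__":
    for request in [("clerk", "view_salary", "payroll#exec"),
                    ("clerk", "export_all", "payroll#exec")]:
        print(request, compare(*request))
```

The second request is the case the abstract describes: the ACM allows `export_all` on the executive segment because the application as a whole may execute there, while the tensor denies it because that command was never authorized on that object.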