Evolving access control: formal models and analysis

Any model of access control has two fundamental aims: to ensure that resources are protected from inappropriate access and to ensure that access by authorised users is appropriate. Traditionally, approaches to access control have fallen into one of two categories: discretionary access control (DAC)...


Bibliographic Details
Main Authors: Sieunarine, C, Clint Sieunarine
Other Authors: Simpson, A
Format: Thesis
Language: English
Published: 2011
Subjects: Computer science (mathematics)
collection OXFORD
description Any model of access control has two fundamental aims: to ensure that resources are protected from inappropriate access and to ensure that access by authorised users is appropriate. Traditionally, approaches to access control have fallen into one of two categories: discretionary access control (DAC) or mandatory access control (MAC). More recently, role-based access control (RBAC) has offered the potential for a more manageable and flexible alternative. Typically, though, whichever model is adopted, any changes in the access control policy will have to be brought about via the intervention of a trusted administrator. In an ever-more connected world, with a drive towards autonomic computing, it is inevitable that a need for systems that support automatic policy updates in response to changes in the environment or user actions will emerge. Indeed, data management guidelines and legislation are often written at such a high level of abstraction that there is almost an implicit assumption that policies should react to contextual changes. Furthermore, as access control policies become more complicated, there is a clear need to express and reason about such entities at a higher level of abstraction for any meaningful analysis to be tractable, especially when consideration of complex state is involved. This thesis describes research conducted in formalising an approach to access control, termed evolving access control (EAC), that can support the automatic evolution of policies based on observed changes in the environment as dictated by high-level requirements embodied in a metapolicy. The contribution of this research is a formal, conceptual model of EAC which supports the construction, analysis and deployment of metapolicies and policies. The formal EAC model provides a framework to construct and describe metapolicies and to reason about how they manage the evolution of policies. 
Additionally, the model is used to analyse metapolicies for desirable properties, and to verify that policies adhere to the high-level requirements of the metapolicy. Furthermore, the model also allows the translation of verified policies to machine-readable representations, which can then be deployed in a system that supports fine-grained, dynamic access control.
first_indexed 2024-03-06T21:37:48Z
id oxford-uuid:46dde528-207c-4e86-a282-20e73a5de10c
institution University of Oxford
last_indexed 2024-03-06T21:37:48Z
topic Computer science (mathematics)