Literature reference - detail view

 
Author: Antony, Laljith
Title: Information Leaks and Limitations of Role-Based Access Control Mechanisms: A Qualitative Exploratory Single Case Study
Source: (2016), (148 pages)
Ph.D. Dissertation, Northcentral University
Language: English
Document type: printed; online; monograph
ISBN: 978-1-3694-4746-0
Keywords: University thesis; Dissertation; Computer Software; Qualitative Research; Case Studies; Information Security; Information Scientists; Semi Structured Interviews; Telephone Surveys; Computer Oriented Programs; Computer Security; Privacy
Abstract: Failing to prevent leaks of confidential and proprietary information to unauthorized users from software applications is a major challenge that companies face. Access control policies defined in software applications with access control mechanisms are unable to prevent information leaks from software applications to unauthorized users. Role-based access control (RBAC) is the most predominant access control mechanism available today. Information security professionals implement access control policies in software applications to prevent information from being leaked to unauthorized users. This qualitative case study explored the perspectives of information security professionals about the limitations of RBAC and the ways these limitations could be addressed by using variants of RBAC. A purposive sample that included 13 information professionals was used for this study. The data were collected through in-depth, semi-structured telephone interviews with these participants. The data were analyzed with techniques that included compiling, disassembling, reassembling, interpreting, and concluding. The participants revealed that the American National Standards Institute (ANSI) RBAC model has several deficiencies. Some of the major deficiencies identified included RBAC's inability to address possible human errors in access control policies and coping with changes to application architecture methodologies. The results suggested that role engineering approaches available today are unable to prevent over-entitlement of users and RBAC has difficulties associated with monitoring and analysis of role-based access control policies. These deficiencies of RBAC have the implications of causing security vulnerabilities in software applications. These security vulnerabilities lead to confidential and proprietary information being leaked to unauthorized users.
However, the variants that implement context-aware extensions to RBAC that use authorization factors other than users' roles could offer additional protection against information leaks. Moreover, enhancing the RBAC model by adding the ability to temporally delegate permissions to users could potentially limit information leaks. Several recommendations are given to information security professionals on how to address some of these deficiencies of the RBAC model. The findings of this study are expected to strengthen companies' information security. Because the usage of these variants is not part of the current ANSI RBAC standard, recommendations for future research include evaluating the effectiveness of the usage of such variants on access control policies and developing a formal survey to address satisfaction levels with RBAC. [The dissertation citations contained here are published with the permission of ProQuest LLC. Further reproduction is prohibited without permission. Copies of dissertations may be obtained by Telephone (800) 1-800-521-0600. Web page: http://www.proquest.com/en-US/products/dissertations/individuals.shtml.] (As Provided).
Notes: ProQuest LLC. 789 East Eisenhower Parkway, P.O. Box 1346, Ann Arbor, MI 48106. Tel: 800-521-0600; Web site: http://www.proquest.com/en-US/products/dissertations/individuals.shtml
Recorded by: ERIC (Education Resources Information Center), Washington, DC
Update: 2020/1/01