Automating global category-based access control policy generation for distributed environment principals

As security systems grow more complex in an increasingly distributed environment access control needs to have the ability to accommodate very dynamically changing requests amongst an increasing growth in principals and resources. Whilst a number of methodologies for access control have been proposed, such as the popular role-based control, or the more flexible attribute-based approach, it can be shown that these techniques do not allow for either continuous dynamicity or explainability.

Also, it can be shown that the proposed wider definition of categories encompasses most traditional principal components defining their policy, such as roles or attributes. Furthermore, whilst it has traditionally been the task of the system administrator to allocate appropriate permissions to principals, such manual mechanics are becoming increasingly unsustainable, in systems where the combination of exploding amounts of resources, users and combinations of policies requires a more automated approach.

This necessity to increase automation must not, however, come at the cost of a decrease in privacy protection.

The goal of this thesis is to provide a suggestion for a system which is specifically designed to detect and track the evolution of principals and their requests over time, to automatically detect the correct permission assignment/any development thereof, and to auto-generate the appropriate access control policy for that principal and their request, whilst safeguarding privacy of both principals and resources. To accomplish this data mining and machine learning techniques are researched and refined to match principals with the appropriate policies in a distributed environment.

Of particular interest is the scenario where distinct principals share permission characteristics. The goal here is to efficiently translate such common factors into a succinct, robust policy requiring less maintenance and manual intervention and facilitating auditing and governance requirements.