Security policies often need to resolve the conflict between protecting assets (or complying with laws and regulations) and the risk of hindering businesses or people. For example, health records are sensitive and need to be protected carefully. At the same time, hindering doctors to access, in an emergency, them might endanger lives.
To resolve this conflict, we introduced a dynamic access control model, called Generic Break Glass (GBG) that can be used to introduce break-the-glass (also called access-control override) into a wide variety of traditional access control models. This access control model independence (i.e., it is not specific to RBAC, DAC, etc.) is a unique feature of GBG. For example, we implemented GBG on top of:
The latter two approaches integrate break-the-glass concepts into model-driven security.
Our Generic Break Glass implementation is available, as free software, in our GBG git repository.. The implementation of GBG in the context of SecureBPMN is, as free software, available in the SecureBPMN git repository.
1. Brucker, A. D. and Petritsch, H. “A Framework for Managing and Analyzing Changes of Security Policies” IEEE international symposium on policies for distributed systems and networks (policy) (2011): 105–112. doi:10.1109/POLICY.2011.47, URL: http://www.brucker.ch/bibliography/abstract/brucker.ea-framework-2011
2. Brucker, A. D. and Petritsch, H. “Idea: Efficient Evaluation of Access Control Constraints” International symposium on engineering secure software and systems (essos) (2010): 157–165. doi:10.1007/978-3-642-11747-3_12, URL: http://www.brucker.ch/bibliography/abstract/brucker.ea-efficient-2010
3. Brucker, A. D., Petritsch, H., and Weber, S. G. “Attribute-Based Encryption with Break-Glass” Workshop in information security theory and practice (wistp) (2010): 237–244. doi:10.1007/978-3-642-12368-9_18, URL: http://www.brucker.ch/bibliography/abstract/brucker.ea-attribute-based-2010
4. Brucker, A. D. and Petritsch, H. “Extending Access Control Models with Break-Glass” ACM symposium on access control models and technologies (sacmat) (2009): 197–206. doi:10.1145/1542207.1542239, URL: http://www.brucker.ch/bibliography/abstract/brucker.ea-extending-2009
5. Brucker, A. D., Petritsch, H., and Schaad, A. “Delegation Assistance” IEEE international symposium on policies for distributed systems and networks (policy) (2009): 84–91. doi:10.1109/POLICY.2009.35, URL: http://www.brucker.ch/bibliography/abstract/brucker.ea-delegation-2009