Network-Centric Access Control

Information leakage via the networks formed by subjects and objects often leads to unpredicted risks in access control decisions, and needs to be quantified and addressed in an explicit manner. This paper presents a novel networkcentric access control paradigm that enhances traditional nodecentric models by explicitly accounting for such network effects in information flows, and yet offering scalable and flexible risk estimation regarding access control decisions. A network-centric access control model is designed to answer questions of the form: Has subject s acquired covert access via the subject/object networks to object o? If s is given access to o, what is its impact on the access of subject s′ to object o′? How will a newly created social relationship of s and s′ influence the current access control risks? Our goal is not to prescribe a one-size-fits-all solution; instead, we enable a class of risk estimation models by developing a library of fundamental estimation operators, configurable to concrete subject/object networks. We show that a range of stateof-the-art access control models can be enhanced using this general framework. The efficacy of our solutions is empirically evaluated using two real-life socio-information network datasets, collected from the IBM SmallBlue project and Twitter.