Experience-Based Access Management: A Life-Cycle Framework for Identity and Access Management Systems
September/October 2011 (vol. 9 no. 5)
pp. 48-55
Carl A. Gunter, University of Illinois at Urbana-Champaign
David M. Liebovitz, Northwestern University
Bradley Malin, Vanderbilt University
Experience-based access management (EBAM) is a life-cycle model for identity and access management. It incorporates models, techniques, and tools to reconcile differences between the ideal access model, as judged by professional and legal standards, and the access control actually enforced by a specific operational system. EBAM's principal component is an expected-access model that represents the differences between the ideal and enforced models on the basis of access logs and other operational information. A technique called access rules informed by probabilities (ARIP) can aid EBAM in the context of healthcare organizations.
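The three models the abstract names (ideal, enforced, and expected) can be made concrete on a toy access log. The following Python is an added illustration, not the authors' ARIP technique or any code from the paper: the log entries, department names, the 0.15 threshold, and the ENFORCED and IDEAL policies are all constructed assumptions, and the "probabilities" are plain per-role access frequencies.

```python
"""
Expected-access model built from an access log (illustrative only).

Added example, not the authors' ARIP technique or code. It shows the EBAM
idea on constructed data: compare what the enforced policy permits with what
the logs show actually happening, and with an ideal policy drawn from
professional and legal standards.
"""
from collections import Counter, defaultdict

# Constructed access log entries: (user, role, department of the patient record).
ACCESS_LOG = [
    ("n01", "nurse", "cardiology"), ("n01", "nurse", "cardiology"),
    ("n02", "nurse", "cardiology"), ("n02", "nurse", "cardiology"),
    ("n02", "nurse", "cardiology"), ("n03", "nurse", "oncology"),
    ("n03", "nurse", "oncology"), ("n01", "nurse", "oncology"),
    ("n02", "nurse", "psychiatry"),
    ("p01", "physician", "cardiology"), ("p01", "physician", "cardiology"),
    ("p02", "physician", "cardiology"), ("p02", "physician", "cardiology"),
    ("p01", "physician", "oncology"), ("p02", "physician", "oncology"),
    ("b01", "billing", "cardiology"), ("b01", "billing", "cardiology"),
    ("b01", "billing", "oncology"), ("b02", "billing", "oncology"),
    ("b02", "billing", "psychiatry"),
]
DEPARTMENTS = sorted({dept for _, _, dept in ACCESS_LOG})

# Enforced policy (assumed): the coarse "any role may read any patient" rule
# set that keeps a hospital running but over-provisions everyone.
ENFORCED = {"nurse": {"*"}, "physician": {"*"}, "billing": {"*"}}

# Ideal policy (assumed for illustration): what professional and legal
# standards would permit in this hypothetical organisation.
IDEAL = {
    "nurse": {"cardiology", "oncology"},
    "physician": {"cardiology", "oncology", "psychiatry"},
    "billing": {"cardiology", "oncology"},
}


def build_expected_model(log):
    """Empirical probability that an access by role R lands on a record in
    department D, estimated over all of R's logged accesses."""
    counts = defaultdict(Counter)
    for _, role, dept in log:
        counts[role][dept] += 1
    model = {}
    for role, c in counts.items():
        total = sum(c.values())
        model[role] = {dept: n / total for dept, n in c.items()}
    return model


def derive_rules(model, threshold):
    """Turn probabilities into rules: (role, dept) pairs seen often enough to
    count as expected. Pairs below the threshold are rare, not forbidden."""
    return {role: {d for d, p in probs.items() if p >= threshold}
            for role, probs in model.items()}


def expand(policy, departments):
    """Resolve the '*' wildcard so enforced and expected sets are comparable."""
    return {role: set(departments) if "*" in depts else set(depts)
            for role, depts in policy.items()}


def over_provisioned(enforced, rules, departments):
    """Departments a role may read but does not use in practice: the first
    candidates for tightening the enforced policy."""
    allowed = expand(enforced, departments)
    return {role: allowed[role] - rules.get(role, set()) for role in allowed}


def observed_ideal_violations(model, ideal):
    """Accesses the enforced system permitted and the log shows happening,
    but which the ideal model would deny, with how routine each has become."""
    return {(role, d): p for role, probs in model.items()
            for d, p in probs.items() if d not in ideal.get(role, set())}


def flag_rare_accesses(log, rules):
    """Individual log entries outside the expected-access rules, i.e. the
    accesses an auditor should look at first."""
    return [e for e in log if e[2] not in rules.get(e[1], set())]


if __name__ == "__main__":
    model = build_expected_model(ACCESS_LOG)
    rules = derive_rules(model, threshold=0.15)
    print("over-provisioned:", over_provisioned(ENFORCED, rules, DEPARTMENTS))
    print("ideal violations seen in log:", observed_ideal_violations(model, IDEAL))
    print("rare accesses to review:", flag_rare_accesses(ACCESS_LOG, rules))
```

The caveat the example makes visible: rules derived from frequency alone normalise whatever staff habitually do. The billing role's psychiatry accesses clear the threshold and become "expected" even though the ideal model forbids them, so the expected-access model is a tool for reconciling the ideal and enforced models, not a substitute for the ideal one.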

Index Terms:
security and privacy protection knowledge; data engineering tools and techniques; security, integrity, and protection; public policy issues; privacy
Citation:
Carl A. Gunter, David M. Liebovitz, Bradley Malin, "Experience-Based Access Management: A Life-Cycle Framework for Identity and Access Management Systems," IEEE Security & Privacy, vol. 9, no. 5, pp. 48-55, Sept.-Oct. 2011, doi:10.1109/MSP.2011.72