The Community for Technology Leaders
RSS Icon
Issue No.05 - September/October (2011 vol.9)
pp: 48-55
Carl A. Gunter , University of Illinois at Urbana-Champaign
David M. Liebovitz , Northwestern University
Bradley Malin , Vanderbilt University
Experience-based access management (EBAM) is a life-cycle model for identity and access management. It incorporates models, techniques, and tools to reconcile differences between the ideal access model, as judged by professional and legal standards, and the enforced access control, specific to the operational system. EBAM's principal component is an expected-access model that represents differences between the ideal and enforced models on the basis of access logs and other operational information. A technique called access rules informed by probabilities (ARIP) can aid EBAM in the context of healthcare organizations.
security and privacy protection knowledge; data engineering tools and techniques; security, integrity, and protection; public policy issues; privacy
Carl A. Gunter, David M. Liebovitz, Bradley Malin, "Experience-Based Access Management: A Life-Cycle Framework for Identity and Access Management Systems", IEEE Security & Privacy, vol.9, no. 5, pp. 48-55, September/October 2011, doi:10.1109/MSP.2011.72
1. D.F. Ferraiolo, D.R. Kuhn, and R. Chandramouli, Role-Based Access Control, Artech House, 2003.
2. M. Blaze, J. Feigenbaum, and J. Lacy, "Decentralized Trust Management," Proc. 1996 IEEE Symp. Security and Privacy, IEEE CS Press, 1996, pp. 164–173.
3. L. Wang, D. Wijesekera, and S. Jajodia, "A Logic-Based Framework for Attribute Based Access Control," Proc. ACM Formal Methods in Software Eng. Workshop, ACM Press, 2004, pp. 45–55.
4. "Trusted Computer System Evaluation Criteria," US Nat'l Computer Security Center, 26 Dec. 1985; dod85.pdf.
5. O. Saydjari, "Multilevel Security: Reprise," IEEE Security & Privacy, vol. 2, no. 5, 2004, pp. 64–67.
6. L. R⊘stad and N. Øystein, "Access Control and Integration of Health Care Systems: An Experience Report and Future Challenges," Proc. 2nd Int'l Conf. Availability, Reliability and Security (ARES 07), IEEE CS Press, 2007, pp. 871–878.
7. N. Youngstrom, "Nosy Employees Are a Risk, Require a Wide Range of Remedies: Report on Patient Privacy," Atlantic Information Services, vol. 5, no. 8, 2005.
8. A. Zavis, "Former Cedars-Sinai Employee Held in Identity Theft, Fraud," Los Angeles Times,23 Dec. 2008.
9. "2009 Annual Study: Cost of a Data Breach," Ponemon Inst., Jan. 2010; .
10. J. Sankovich, "Keys to Health Record Security," InformationWeek, Aug. 2010.
11. "Standards for Protection of Electronic Health Information; Final Rule," Federal Register, 45 CFR: Part 164, US Dept. Health and Human Services, Office for Civil Rights, 20 Feb. 2003.
12. W. Royce, "Managing the Development of Large Software Systems: Concepts and Techniques," Proc. IEEE WESCON 26, IEEE Press, 1970, pp. 1–9.
13. B. Boehm, "A Spiral Model of Software Development and Enhancement," Computer, vol. 21, no. 5, 1988, pp. 61–72.
14. C.A. Gunter et al., "A Reference Model for Requirements and Specifications," IEEE Software, vol. 17, no. 3, 2000, pp. 37–43.
15. "Introduction to Scrum Methodology," Collabnet, 2009;
16. M. Kuhlmann, D. Shohat, and G. Schimpf, "Role Mining—Revealing Business Roles for Security Administration Using Data Mining Technology," Proc. ACM Symp. Access Control Models and Technologies, ACM Press, 2003, pp. 179–186.
17. V. Prakash and A. O'Donnell, "Fighting Spam with Reputation Systems," ACM Queue—Social Computing, vol. 3, no. 9, 2005, pp. 36–41.
18. R. Summer and V. Paxson, "Outside the Closed World: On Using Machine Learning for Network Intrusion Detection," Proc. 2010 IEEE Symp. Security and Privacy, IEEE CS Press, 2010, pp. 305–316.
19. E. Chen and J. Cimino, "Automated Discovery of Patient-Specific Clinician Information Needs Using Clinical Information System Log Files," Proc. Am. Medical Informatics Assoc. Ann. Symp., Am. Medical Informatics Assoc., 2003, pp. 145–149.
20. B. Malin, S. Nyemba, and J. Paulett, "Leaning Relational Policies from Electronic Health Records Access Logs," J. Biomedical Informatics, vol. 44, no. 2, 2011, pp. 333–342.
21. Y. Chen and B. Malin, "Detection of Anomalous Insiders in Collaborative Environments via Relational Analysis of Access Logs," Proc. ACM Conf. Data and Application Security and Privacy, ACM Press, 2011, pp. 63–74.
14 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool