Integration of Access Control Requirements into System Specifications

Author(s)
Primary Supervisor
Dromey, Geoff
Other Supervisors
Suraweera, Francis
Year published
2009
Abstract
The reliance on computer‐based systems is growing steadily. Information systems span many aspects of our lives. Due to increased reliance on computer‐based systems there is a growing concern about the security and privacy of information available in these systems. As a result, the complexity of data protection and availability requirements of most modern applications has also increased. An access control mechanism is one of the key security elements in the implementation of data protection and availability requirements. The effective implementation of access control requirements into the system design is generally hampered by the fact that security requirements are typically analysed in isolation from the rest of the system's requirements. This isolation of security and systems engineering leads to a number of integration problems. In general, the effective integration of access control models is affected by four major problems: (1) the informal models may not be formally verified for correctness; (2) the formally specified models may not be easy to understand and validate; (3) the often specialized formal models use a different notation to the specification and design notation; and (4) the overall development does not support the early integration of security requirements into the design process, and requirements traceability is often lost. For effective integration of security‐related requirements a security engineering method has been developed, which is based on an existing systems development approach called Behavior Engineering (BE). The BE approach uses a graphical notation called Behavior Trees (BT) for the specification of requirements. The approach provides a systematic translation of informal requirements into a formal representation. An integrated view of requirements is generated which provides a platform for requirements analysis and design. With tool support the BT model can be simulated and model‐checked for correctness.
The extension of BE for security engineering has been augmented by an access control model called BT‐RBAC. BT‐RBAC is an integrated graphical model that aims to simplify the formal specification, validation, verification and integration of access control requirements into the system design. The integration of access control requirements is assisted through the use of a single notation throughout the development process. Other features of the model include a systematic translation process, early defect detection, requirements traceability and support for the transformation of requirements into the system design in a traceable manner.
Thesis Type
Thesis (PhD Doctorate)
Degree Program
Doctor of Philosophy (PhD)
School
School of Information and Communication Technology
Copyright Statement
The author owns the copyright in this thesis, unless stated otherwise.
Item Access Status
Public
Subject
Computer data security
Security engineering
Behavior engineering
Integrated graphical model