Toward Information Sharing: Benefit And Risk Access Control (BARAC)

Lei Zhang, Alexander Brodsky*, Sushil Jajodia
Center for Secure Information Systems, George Mason University, Fairfax, VA 22030
The MITRE Corporation, 7515 Coleshire Drive, McLean, VA 22102
{lzhang8, brodsky, jajodia}@gmu.edu

* Also with the Department of Information and Software Engineering, George Mason University.

Abstract

This paper describes an access control model, called BARAC, that is based on balancing the risks of information disclosure against the benefits of information sharing. The model configuration associates risk and benefit vectors with every read and update transaction. An allowed transactions graph captures the allowed transactions and the flow paths that can be used to carry them out. The total system is required to be profitable, in that the total system benefit must outweigh the total system risk; and the allowed transaction graph is required to be optimal, in that its profit cannot be improved by adding or removing transactions. Both the system configuration and the allowed transaction graph can be dynamically modified while preserving the required properties. The dynamic modifications are done within hierarchies of tasks and responsible parties, which control the task structure and the allocation of risk budget to tasks.

1 Introduction

Today diverse organizations and individuals need to share vast amounts of sensitive information. Yet existing security and access control methods are fundamentally inadequate for this need. The key reason is that existing methods are concerned with protecting information, whereas we believe there is a need to balance the risks of disclosing information against the benefits of sharing it. This is exactly the focus of this paper.

Background and Motivation

A recent report [8] has identified the following high-level problems that need to be addressed:
- Information flow to the war-fighter is excessively constricted.
- There is no presently accepted paradigm for providing intelligence and other classified information to distributed homeland security consumers, including first responders and local government officials with operational responsibilities.
- The gap between the implicit risk/benefit calculations of the producer and consumer communities is greater than it has ever been.
- The status of sensitive information outside of the present classification system is murkier than ever. Certain workarounds to the present system result in classes of information whose protection level is uncertain.

We believe there are a number of reasons why existing MLS systems (e.g., [1, 2, 3]) are not adequate for information sharing. First, existing classification processes for subjects and objects are too rigid and slow for the fast and continuous gathering of vast amounts of information. This results in major workarounds, often made on an ad-hoc basis by individuals with operational responsibilities. In turn, this makes the overall amount of risk nearly impossible to control. Most importantly, standard MLS systems were not designed to make a trade-off between the risk of information disclosure and the benefit of information sharing.

To illustrate the last point, consider the following battlefield example. An Army Brigade communication channel is compromised because a set of communication equipment has fallen into enemy hands. The brigade commander is considering using the compromised channel to communicate the location of Battalion 1, which urgently needs reinforcement, to the Commander of Battalion 2, who is to be sent to the rescue of Battalion 1. Because the location of Battalion 1 is a top-secret object, the Brigade commander is a top-secret subject, and the compromised channel can be considered an unclassified container object, no MLS protocol would permit such a transaction.
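To make the abstract's profitability and optimality requirements concrete for the brigade scenario, here is an added Python sketch (not the paper's code). It assumes two-dimensional risk and benefit vectors aggregated by a weighted sum, per-transaction net profit as benefit minus risk, a per-task risk budget, and constructed numbers for the two transactions; BARAC's actual vector semantics are not given on this page.

```python
from dataclasses import dataclass

# Constructed scenario based on the brigade example. The vector dimensions,
# the weighted-sum aggregation and all numbers are assumptions for illustration.
LEVELS = {"U": 0, "S": 1, "TS": 2}   # unclassified < secret < top secret
WEIGHTS = (1.0, 1.0)                 # assumed per-dimension aggregation weights

@dataclass(frozen=True)
class Transaction:
    name: str
    risk: tuple      # e.g. (disclosure to adversary, operational exposure)
    benefit: tuple   # e.g. (mission value, time saved)

def score(vec):
    """Collapse a risk or benefit vector to a scalar (assumed weighted sum)."""
    return sum(w * v for w, v in zip(WEIGHTS, vec))

def net(t):
    """Profit contributed by one transaction: benefit minus risk."""
    return score(t.benefit) - score(t.risk)

def total_risk(allowed):
    return sum(score(t.risk) for t in allowed)

def profit(allowed):
    return sum(net(t) for t in allowed)

def is_profitable(allowed):
    """BARAC system requirement: total benefit must outweigh total risk."""
    return profit(allowed) > 0

def is_optimal(allowed, candidates, risk_budget):
    """No single in-budget addition and no single removal raises the profit."""
    base = profit(allowed)
    for t in candidates - allowed:
        if total_risk(allowed | {t}) <= risk_budget and profit(allowed | {t}) > base:
            return False
    return all(profit(allowed - {t}) <= base for t in allowed)

def mls_write_permitted(object_level, container_level):
    """Simplified MLS check: an object may not flow into a lower-level container."""
    return LEVELS[object_level] <= LEVELS[container_level]

# Sending Battalion 1's top-secret location over the compromised (unclassified)
# channel is denied by MLS regardless of benefit, but is net-positive here.
SEND_LOCATION = Transaction("send B1 location over compromised channel",
                            risk=(6.0, 2.0), benefit=(9.0, 5.0))
ROUTINE_DUMP = Transaction("push full unit roster over same channel",
                           risk=(7.0, 3.0), benefit=(2.0, 1.0))
CANDIDATES = {SEND_LOCATION, ROUTINE_DUMP}
```

With a task risk budget of 10, the set containing only SEND_LOCATION is both profitable and optimal, while the empty set is not optimal because adding SEND_LOCATION stays in budget and raises profit.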
This is reasonable given

Proceedings of the Seventh IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'06) 0-7695-2598-9/06 $20.00 © 2006 IEEE