Privilege Aggregation and Creep
Privilege aggregation and privilege creep are cause and effect: aggregation is the cause, creep is the effect. Here’s my definition:
The privileges granted to a subject accumulate over time, e.g. through promotions or job rotations, until the aggregate exceeds what the subject needs to perform his or her duties or violates the security policies.
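As an added illustration (not code from the original post), the constructed model below shows how rotations that add a new role's permissions without revoking the old ones produce an aggregate that both exceeds the current duty and violates a separation-of-duty policy; the roles, permissions and names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed role model (assumption, not from the original post).
ROLE_PERMS = {
    "helpdesk":   {"ticket:read", "ticket:update", "user:reset-password"},
    "ap_clerk":   {"invoice:create", "invoice:read"},
    "ap_manager": {"invoice:read", "payment:approve"},
}

# Separation-of-duty policy: no single subject may hold every permission
# in one of these sets (here: creating and approving the same invoice).
SOD_CONFLICTS = [frozenset({"invoice:create", "payment:approve"})]


@dataclass
class Subject:
    name: str
    current_role: str
    granted: set = field(default_factory=set)

    def __post_init__(self):
        # Initial provisioning: grant exactly the first role's permissions.
        self.granted |= ROLE_PERMS[self.current_role]

    def rotate_to(self, role):
        """Models how creep happens: the new role's permissions are added,
        but nothing from the previous role is revoked."""
        self.current_role = role
        self.granted |= ROLE_PERMS[role]


def excess_privileges(subject):
    """Privileges aggregated beyond what the current role needs."""
    return subject.granted - ROLE_PERMS[subject.current_role]


def sod_violations(subject):
    """Conflict sets that the subject's aggregated privileges fully cover."""
    return [c for c in SOD_CONFLICTS if c <= subject.granted]


def review(subject):
    """Access review: what to revoke, what to keep, and policy violations."""
    return {
        "revoke": sorted(excess_privileges(subject)),
        "keep": sorted(ROLE_PERMS[subject.current_role]),
        "sod_violations": [sorted(c) for c in sod_violations(subject)],
    }


if __name__ == "__main__":
    alice = Subject("alice", "helpdesk")   # hired into the help desk
    alice.rotate_to("ap_clerk")            # transferred to accounts payable
    alice.rotate_to("ap_manager")          # promoted without revocation
    print(review(alice))
```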
Aggregation and Inference in the Context of Privacy
I treat aggregation as the means and inference as the end. It is simply a process of collecting data and then reasoning by induction and deduction to reach a conclusion.
Example: Aggregation Scam
Access Control Terminologies
Identity: An attribute or set of attributes that uniquely describe a subject within a given context.
NIST SP 800-63-3 under Identity
Subject: An active entity, generally in the form of a person, process, or device, that causes information to flow among objects or changes the system state.
NIST SP 800-33
Privilege: A right granted to an individual, a program, or a process.
NIST SP 800-12 Rev. 1 under Privilege (CNSSI 4009)
Privilege: Authorization to perform some action on a system.
Authorization: The right or a permission that is granted to a system entity to access a system resource.
NIST SP 800-82 Rev. 2 under Authorization (RFC 4949)
Authorization: The process of initially establishing access privileges of an individual and subsequently verifying the acceptability of a request for access.
NISTIR 4734 under Authorization
Right: Something that you have a right to do or have, or the right to do or have something.