
Risk based identity and access management


DESCRIPTION

Traditional access control models, such as MAC (Mandatory Access Control), DAC (Discretionary Access Control) and RBAC (Role-Based Access Control), rely on hard-coded policies and rules predefined by the security administrator of the resource owner. These policies statically define who can access which resource, how, and under what circumstances. The research community now widely shares the opinion that these traditional models do not adequately address the growing need for flexibility in access control: authorization policies tend to be too rigid to handle exceptional situations or emergencies, in which granting an exceptional access should be considered if it contributes to the fulfillment of a business goal or if its benefits exceed the potential harm.


Page 1: Risk based identity and access management

10/2/14

Risk-based Identity and Access Management

Nadia METOUI

Topic 1

Instead of: Risk-based Access Control

Page 2: Risk based identity and access management

Context and Problem Statement

• In traditional access control systems, trust and risk are pre-computed [1]

• Because they are unaware of context variation and of misuse of authorized access, these systems are exposed to many vulnerabilities [2] and flexibility issues [3]

[1] R.A. Shaikh, K. Adi, L. Logrippo, “Dynamic Risk-based Decision Methods for Access Control Systems”, 2012
[2] C. S. Institute, CSI computer crime and security survey, 2010/11
[3] L. Krautsevich, A. Lazouski, F. Martinelli, and A. Yautsiukhin, “Cost-Effective Enforcement of Access and Usage Control Policies under Uncertainties”, 2013

Page 3: Risk based identity and access management

Background

Risk

“Risk is defined by the likelihood of a hazardous situation and its consequences if it occurs.” [4]

[4] N. Baracaldo and J. Joshi, “A Trust-and-Risk Aware RBAC Framework: Tackling Insider Threat”, 2012

Page 4: Risk based identity and access management

Existing Solutions

• Context Aware and Event Driven
  – Define a set of context parameters and include them in the access evaluation process
  – Set reactive policies triggered by context-generated events [5]

[5] P. Bonatti, C. Galdi and D. Torres, “ERBAC: Event-Driven RBAC”, 2013

[Figure: context parameters (Location, Time, Device) feeding the Access Evaluation Engine]

Page 5: Risk based identity and access management

Existing Solutions

• Risk Aware Solution (Risk Mitigation) [4,6,7]
  – Define a risk threshold
  – Compute the access risk related to
    • User trustworthiness, competence, behavior…
    • Role appropriateness
    • Session risk…
  – Include the computed risk and the risk threshold values in the access decision

[4] N. Baracaldo and J. Joshi, “A Trust-and-Risk Aware RBAC Framework: Tackling Insider Threat”, 2012
[6] L. Chen and J. Crampton, “Risk-Aware Role-Based Access Control”, 2012
[7] K.Z. Bijon, R. Krishnan, and R. Sandhu, “Risk-Aware RBAC Sessions”, 2012
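As an added worked example (not from the slides or from the cited papers [4,6,7]), the following Python code combines the three ideas of slides 3 to 5: risk as likelihood times consequence, context parameters (location, time, device) feeding the evaluation, and a per-resource risk threshold included in the decision after the plain RBAC role check. The weights, the combination rule, and the sample subject, resource and contexts are constructed assumptions for illustration.

```python
"""Risk-aware access decision: RBAC role check, then risk vs. threshold.

Illustrative code, not from the slides or the cited papers. Risk is
computed as likelihood x consequence; likelihood combines user distrust
with context risk; the resource owner sets the tolerated threshold.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    location: str  # "office", "home" or "unknown"
    hour: int      # local hour of the request, 0-23
    device: str    # "managed" or "unmanaged"


@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    trust: float   # 0.0 (untrusted) .. 1.0 (fully trusted)


@dataclass(frozen=True)
class Resource:
    name: str
    consequence: float        # harm if the access is misused, 0.0 .. 1.0
    threshold: float          # highest risk the resource owner tolerates
    allowed_roles: frozenset  # plain RBAC constraint, checked first


# Constructed weights (assumptions): probability-like contribution of each
# context parameter to the likelihood that an access turns out to be misuse.
LOCATION_RISK = {"office": 0.0, "home": 0.2, "unknown": 0.6}
DEVICE_RISK = {"managed": 0.0, "unmanaged": 0.4}
OFF_HOURS_RISK = 0.3  # requests before 07:00 or from 20:00 on


def _combine(factors):
    """Combine independent misuse probabilities as 1 - prod(1 - p_i)."""
    survive = 1.0
    for p in factors:
        survive *= 1.0 - p
    return 1.0 - survive


def context_risk(ctx: Context) -> float:
    """Risk contributed by the request context alone (slide 4 parameters)."""
    off_hours = OFF_HOURS_RISK if (ctx.hour < 7 or ctx.hour >= 20) else 0.0
    return _combine([
        LOCATION_RISK.get(ctx.location, LOCATION_RISK["unknown"]),
        DEVICE_RISK.get(ctx.device, DEVICE_RISK["unmanaged"]),
        off_hours,
    ])


def likelihood(subject: Subject, ctx: Context) -> float:
    """Likelihood of a hazardous outcome: user distrust combined with context risk."""
    return _combine([1.0 - subject.trust, context_risk(ctx)])


def access_risk(subject: Subject, resource: Resource, ctx: Context) -> float:
    """Risk = likelihood x consequence (the definition quoted on slide 3)."""
    return likelihood(subject, ctx) * resource.consequence


def decide(subject: Subject, resource: Resource, ctx: Context):
    """Return (decision, risk). Role check first; a role mismatch is denied
    before any risk is computed, so risk is None in that case."""
    if subject.role not in resource.allowed_roles:
        return "DENY", None
    risk = access_risk(subject, resource, ctx)
    return ("PERMIT" if risk <= resource.threshold else "DENY"), risk


# Constructed sample data (assumptions for the example).
PAYROLL = Resource("payroll-db", consequence=0.8, threshold=0.2,
                   allowed_roles=frozenset({"hr-analyst"}))
ALICE = Subject("alice", "hr-analyst", trust=0.9)
IN_OFFICE = Context("office", 10, "managed")
AT_NIGHT = Context("unknown", 23, "unmanaged")

if __name__ == "__main__":
    for ctx in (IN_OFFICE, AT_NIGHT):
        print(ctx, decide(ALICE, PAYROLL, ctx))
```

The same trusted user is permitted from the office on a managed device (risk 0.08, under the 0.2 threshold) and denied from an unknown location at night on an unmanaged device (risk about 0.68): the policy text never changed, only the context did, which is the flexibility the static models of slide 2 lack.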

Page 6: Risk based identity and access management

Existing Solutions

• Risk Adaptive Solution [1, 8]
  – Include the user's access history in the trustworthiness computation
  – Include the resource's access history in the risk computation
  – Infer new access control functions or modify existing policies, using an evaluation-history-based logic

[1] R.A. Shaikh, K. Adi, L. Logrippo, “Dynamic Risk-based Decision Methods for Access Control Systems”, 2012
[8] S. Kandala, R. Sandhu, V. Bhamidipati, “An Attribute Based Framework for Risk-Adaptive Access Control Models”, 2011
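An added example of the risk-adaptive idea on this slide (illustrative code, not from the slides or from [1, 8]): user trustworthiness is derived from the user's own access history, the consequence estimate is scaled by the resource's access history, and the decision for a user flips once a misuse incident is recorded against them. The exponential weighting, the prior, the decay factor and the sample events are constructed assumptions.

```python
"""Risk-adaptive trust and risk derived from access history.

Illustrative code, not from the slides or the cited papers. Each recorded
access is either legitimate or later flagged as misuse (by audit or the
SOC); the history drives both the user's trust and the resource's risk.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class AccessEvent:
    user: str
    resource: str
    misuse: bool  # True if the access was later flagged as misuse


def user_trust(history: Sequence[AccessEvent], user: str,
               prior: float = 0.5, decay: float = 0.8) -> float:
    """Exponentially weighted share of the user's accesses that were legitimate.

    Starts at `prior` for a user with no history; each event moves trust
    towards 1.0 (legitimate) or 0.0 (misuse), older events fading by `decay`.
    """
    trust = prior
    for ev in history:
        if ev.user == user:
            trust = decay * trust + (1.0 - decay) * (0.0 if ev.misuse else 1.0)
    return trust


def resource_misuse_rate(history: Sequence[AccessEvent], resource: str) -> float:
    """Fraction of past accesses to this resource that turned out to be misuse."""
    events = [ev for ev in history if ev.resource == resource]
    if not events:
        return 0.0
    return sum(ev.misuse for ev in events) / len(events)


def adaptive_risk(history, user, resource, base_consequence) -> float:
    """Likelihood from the user's history; consequence scaled up by the
    resource's own misuse history and capped at 1.0."""
    likelihood = 1.0 - user_trust(history, user)
    consequence = min(1.0, base_consequence * (1.0 + resource_misuse_rate(history, resource)))
    return likelihood * consequence


def adaptive_decide(history, user, resource, base_consequence, threshold) -> str:
    """Permit only while the history-adjusted risk stays under the threshold."""
    return "PERMIT" if adaptive_risk(history, user, resource, base_consequence) <= threshold else "DENY"


# Constructed history (assumption): four clean accesses by alice and one
# misuse by bob, then a later incident in which alice's access is flagged.
HISTORY = [AccessEvent("alice", "payroll-db", False)] * 4 + [AccessEvent("bob", "payroll-db", True)]
HISTORY_AFTER_INCIDENT = HISTORY + [AccessEvent("alice", "payroll-db", True)]

if __name__ == "__main__":
    for h in (HISTORY, HISTORY_AFTER_INCIDENT):
        print(round(user_trust(h, "alice"), 5),
              round(adaptive_risk(h, "alice", "payroll-db", 0.7), 5),
              adaptive_decide(h, "alice", "payroll-db", 0.7, 0.3))
```

Before the incident alice's trust has climbed to about 0.80 and her risk on the payroll database is about 0.17, so she is permitted against a 0.3 threshold; one flagged access drops her trust to about 0.64 and, because the resource's own misuse rate also rises, her risk goes to about 0.34 and the next request is denied. This is exactly the "modify risk values for future evaluation" behaviour the limitations slide contrasts with real-time reaction.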

Page 7: Risk based identity and access management

Limitations

• Trust management and risk assessment are assumed but not made explicit

• No model takes both context risk and user risk into consideration at the same time

• Risk Adaptive AC models propose to modify risk values for future access control evaluations, but do not propose real-time reaction strategies

• No model takes into consideration the impact of context and risk constraints on the performance of the access control process

Page 8: Risk based identity and access management

Possible Alternative Solutions

• Including the context in the trust and risk computation

• Developing real-time risk treatment strategies

• Managing risk-originated "access deny" incidents

• Working on complexity and performance issues

Page 9: Risk based identity and access management

References

• [1] R.A. Shaikh, K. Adi, L. Logrippo, “Dynamic Risk-based Decision Methods for Access Control Systems”, 2012
• [2] C. S. Institute, CSI computer crime and security survey, 2010/11
• [3] L. Krautsevich, A. Lazouski, F. Martinelli, and A. Yautsiukhin, “Cost-Effective Enforcement of Access and Usage Control Policies under Uncertainties”, 2013
• [4] N. Baracaldo and J. Joshi, “A Trust-and-Risk Aware RBAC Framework: Tackling Insider Threat”, 2012
• [5] P. Bonatti, C. Galdi and D. Torres, “ERBAC: Event-Driven RBAC”, 2013
• [6] L. Chen and J. Crampton, “Risk-Aware Role-Based Access Control”, 2012
• [7] K.Z. Bijon, R. Krishnan, and R. Sandhu, “Risk-Aware RBAC Sessions”, 2012
• [8] S. Kandala, R. Sandhu, V. Bhamidipati, “An Attribute Based Framework for Risk-Adaptive Access Control Models”, 2011

Page 10: Risk based identity and access management

Thank you!

Questions