Traditional access control models, such as MAC (Mandatory Access Control), DAC (Discretionary Access Control), and RBAC (Role-Based Access Control), rely on hard-coded policies and rules predefined by the security administrator or the resource owner. These policies statically define who can access which resource, how, and under what circumstances.
Lately the research community widely shares the opinion that those traditional models do not correctly address the increasing need for flexibility in access control. In fact, authorization policies tend to be too rigid to handle the exceptional situations or emergencies in which granting an exceptional access should be envisaged if it contributes to the fulfillment of a business goal or if its benefits exceed the potential harm.
1. 10/2/14
Risk-based Identity and Access Management
Nadia METOUI
Topic 1 (instead of: Risk-based Access Control)
2. 10/2/14
Context and Problematic
• In traditional access control systems, trust and risk are pre-computed [1]
• The unawareness of context variation and misuse of authorized access exposes these systems to many vulnerabilities [2] and flexibility issues [3]
[1] R.A. Shaikh, K. Adi, L. Logrippo, “Dynamic Risk-based Decision Methods for Access Control Systems”, 2012
[2] C. S. Institute, CSI computer crime and security survey, 2010/11
[3] L. Krautsevich, A. Lazouski, F. Martinelli, and A. Yautsiukhin, “Cost-Effective Enforcement of Access and Usage Control Policies under Uncertainties”, 2013
3. 10/2/14
Background: Risk
“Risk is defined by the likelihood of a hazardous situation and its consequences if it occurs.” [4]
[4] N. Baracaldo and J. Joshi, “A Trust-and-Risk Aware RBAC Framework: Tackling Insider Threat”, 2012
4. 10/2/14
Existing Solutions
• Context Aware and Event Driven
– Define a set of context parameters and include them in the access evaluation process
– Set reactive policies triggered by context-generated events [5]
[5] P. Bonatti, C. Galdi and D. Torres, “ERBAC: Event-Driven RBAC”, 2013
[Figure: Device, Location and Time feed the Context, which feeds the Access Evaluation Engine]
5. 10/2/14
Existing Solutions
• Risk Aware Solution (Risk Mitigation) [4,6,7]
– Define a risk threshold
– Compute the access risk related to:
• User trustworthiness, competence, behavior…
• Role appropriateness
• Session risk …
– Include the computed risk and the risk threshold values in the access decision
[6] L. Chen and J. Crampton, “Risk-Aware Role-Based Access Control”, 2012
[7] K.Z. Bijon, R. Krishnan, and R. Sandhu, “Risk-Aware RBAC Sessions”, 2012
6. 10/2/14
Existing Solutions
• Risk Adaptive Solution [1,8]
– Include user access history in the trustworthiness computation
– Include resource access history in the risk computation
– Infer new access control functions or modify existing policies, using an evaluation-history-based logic
[8] S. Kandala, R. Sandhu, V. Bhamidipati, “An Attribute Based Framework for Risk-Adaptive Access Control Models”, 2011
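The three families of solutions on slides 4 to 6 (context parameters in the evaluation, a risk threshold compared against a computed access risk, and access history feeding back into trustworthiness) fit together in one small decision engine. The following is an added example written for this page; it is not code from the slides or from any of the cited papers. The context weights, the resource impact scores, the way the three risk sources are combined into a likelihood, and the trust-update rule are all constructed assumptions chosen to make the mechanics visible, not values taken from the literature.

```python
"""Risk-aware access decision with context parameters and history-based
adaptation. Added illustration, not code from the slides; all weights,
resource impact scores and the trust-update rule are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class AccessRequest:
    user: str
    role: str             # role the user activates for this request
    resource: str
    device_trusted: bool  # managed device or not (context parameter, slide 4)
    location: str         # constructed values: "office" or "remote"
    hour: int             # local hour of day, 0-23


@dataclass
class UserProfile:
    trust: float          # trustworthiness in [0, 1]; 1.0 = fully trusted
    roles: Set[str]       # roles the user is legitimately assigned
    history: List[str] = field(default_factory=list)  # past outcomes: "ok" / "misuse"


# Consequence of a misused access, in [0, 1] (constructed values).
RESOURCE_IMPACT = {"public-docs": 0.1, "payroll": 0.7, "patient-records": 0.9}


def context_risk(req: AccessRequest) -> float:
    """Risk contributed by the context parameters (device, location, time)."""
    score = 0.0
    if not req.device_trusted:
        score += 0.3
    if req.location != "office":
        score += 0.2
    if req.hour < 7 or req.hour > 20:
        score += 0.2
    return min(score, 1.0)


def role_risk(req: AccessRequest, profile: UserProfile) -> float:
    """Role appropriateness: activating a role the user does not hold is maximally risky."""
    return 0.0 if req.role in profile.roles else 1.0


def user_risk(profile: UserProfile) -> float:
    """User risk is the complement of trustworthiness."""
    return 1.0 - profile.trust


def access_risk(req: AccessRequest, profile: UserProfile) -> float:
    """Risk = likelihood x consequence (the slide 3 definition).

    Likelihood treats user, role and context risk as independent sources and
    takes the probability that at least one of them materialises: 1 - prod(1 - r_i).
    """
    no_incident = 1.0
    for r in (user_risk(profile), role_risk(req, profile), context_risk(req)):
        no_incident *= 1.0 - r
    likelihood = 1.0 - no_incident
    return round(likelihood * RESOURCE_IMPACT[req.resource], 4)


def decide(req: AccessRequest, profile: UserProfile, threshold: float) -> Tuple[str, float]:
    """Risk-aware decision: permit only when the computed risk is within the threshold."""
    risk = access_risk(req, profile)
    return ("permit" if risk <= threshold else "deny"), risk


def record_outcome(profile: UserProfile, outcome: str) -> float:
    """Risk-adaptive step: access history feeds back into trustworthiness.

    A detected misuse halves trust; a clean access restores it slowly (constructed rule).
    """
    profile.history.append(outcome)
    if outcome == "misuse":
        profile.trust = round(profile.trust * 0.5, 4)
    else:
        profile.trust = round(min(1.0, profile.trust + 0.05), 4)
    return profile.trust


if __name__ == "__main__":
    nurse = UserProfile(trust=0.9, roles={"nurse"})
    threshold = 0.3
    in_office = AccessRequest("alice", "nurse", "patient-records", True, "office", 10)
    late_remote = AccessRequest("alice", "nurse", "patient-records", False, "remote", 23)
    print(decide(in_office, nurse, threshold))    # ('permit', 0.09)
    print(decide(late_remote, nurse, threshold))  # ('deny', 0.657)
    record_outcome(nurse, "misuse")               # trust drops to 0.45
    print(decide(in_office, nurse, threshold))    # ('deny', 0.495)
```

The same user and resource produce different decisions depending on device, location and time, which is the context-aware behaviour of slide 4; the threshold comparison is the risk-aware decision of slide 5; and the last two calls show the risk-adaptive effect of slide 6, where a recorded misuse lowers trust enough that a request that was previously permitted in the office is now denied. Weighting by resource impact also means a low-consequence resource stays accessible from a risky context while a high-consequence one does not.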
7. 10/2/14
Limitations
• Trust management and risk assessment are assumed but not made explicit
• No model takes both context risk and user risk into consideration at the same time
• Risk-adaptive AC models propose to modify risk values for future access control evaluations, but do not propose real-time reaction strategies
• No model takes into consideration the impact of context and risk constraints on the performance of the access control process
8. 10/2/14
Possible Alternative Solutions
• Including the context in the trust and risk computation
• Developing real-time risk treatment strategies
• Managing risk-originated "access deny" incidents
• Working on complexity and performance issues
9. 10/2/14
References
• [1] R.A. Shaikh, K. Adi, L. Logrippo, “Dynamic Risk-based Decision Methods for Access Control Systems”, 2012
• [2] C. S. Institute, CSI computer crime and security survey, 2010/11
• [3] L. Krautsevich, A. Lazouski, F. Martinelli, and A. Yautsiukhin, “Cost-Effective Enforcement of Access and Usage Control Policies under Uncertainties”, 2013
• [4] N. Baracaldo and J. Joshi, “A Trust-and-Risk Aware RBAC Framework: Tackling Insider Threat”, 2012
• [5] P. Bonatti, C. Galdi and D. Torres, “ERBAC: Event-Driven RBAC”, 2013
• [6] L. Chen and J. Crampton, “Risk-Aware Role-Based Access Control”, 2012
• [7] K.Z. Bijon, R. Krishnan, and R. Sandhu, “Risk-Aware RBAC Sessions”, 2012
• [8] S. Kandala, R. Sandhu, V. Bhamidipati, “An Attribute Based Framework for Risk-Adaptive Access Control Models”, 2011