10/2/14

Risk-based Identity and Access Management
Nadia METOUI

Topic 1 (instead of: Risk-based Access Control)
Context and Problem Statement

• In traditional access control systems, trust and risk are pre-computed [1]
• Unawareness of context variation and misuse of authorized access expose these systems to many vulnerabilities [2] and to flexibility issues [3]

[1] R.A. Shaikh, K. Adi, L. Logrippo, “Dynamic Risk-based Decision Methods for Access Control Systems”, 2012
[2] C. S. Institute, CSI Computer Crime and Security Survey, 2010/11
[3] L. Krautsevich, A. Lazouski, F. Martinelli, and A. Yautsiukhin, “Cost-Effective Enforcement of Access and Usage Control Policies under Uncertainties”, 2013
Background: Risk

“Risk is defined by the likelihood of a hazardous situation and its consequences if it occurs.” [4]

[4] N. Baracaldo and J. Joshi, “A Trust-and-Risk Aware RBAC Framework: Tackling Insider Threat”, 2012
Existing Solutions

• Context Aware and Event Driven
  – Define a set of context parameters and include them in the access evaluation process
  – Set reactive policies triggered by context-generated events [5]

[Figure: context parameters (Device, Location, Time) form the Context that is fed into the Access Evaluation Engine]

[5] P. Bonatti, C. Galdi and D. Torres, “ERBAC: Event-Driven RBAC”, 2013
Existing Solutions

• Risk Aware Solution (Risk Mitigation) [4, 6, 7]
  – Define a risk threshold
  – Compute the access risk related to:
    • user trustworthiness, competence, behavior…
    • role appropriateness
    • session risk…
  – Include the computed risk and the risk threshold values in the access decision

[4] N. Baracaldo and J. Joshi, “A Trust-and-Risk Aware RBAC Framework: Tackling Insider Threat”, 2012
[6] L. Chen and J. Crampton, “Risk-Aware Role-Based Access Control”, 2012
[7] K.Z. Bijon, R. Krishnan, and R. Sandhu, “Risk-Aware RBAC Sessions”, 2012
Existing Solutions

• Risk Adaptive Solution [1, 8]
  – Include the user's access history in the trustworthiness computation
  – Include the resource's access history in the risk computation
  – Infer new access control functions or modify existing policies, using a logic based on the evaluation history

[1] R.A. Shaikh, K. Adi, L. Logrippo, “Dynamic Risk-based Decision Methods for Access Control Systems”, 2012
[8] S. Kandala, R. Sandhu, V. Bhamidipati, “An Attribute Based Framework for Risk-Adaptive Access Control Models”, 2011
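As an added example that is not part of the slides, the Python below puts the Background, Context Aware, Risk Aware and Risk Adaptive slides together into one risk-aware access decision: trustworthiness derived from the user's access history, context parameters (device, location, time), role appropriateness and resource sensitivity are combined into a risk value that is compared with a risk threshold. The weights, the half-and-half trust blend, the mitigation band and every user, resource and history are assumptions constructed for illustration, not values from any of the cited models.

```python
# Risk = likelihood x consequences (Background slide). Likelihood combines three
# independent sources of misuse: the user (1 - trustworthiness, updated from
# access history as in the Risk Adaptive slide), the request context (Context
# Aware slide) and role appropriateness (Risk Aware slide); consequences are the
# resource sensitivity. All weights, users, resources and histories are
# constructed for illustration and are not taken from the cited models.
from dataclasses import dataclass, field

@dataclass
class Context:
    managed_device: bool
    trusted_location: bool
    business_hours: bool

@dataclass
class User:
    name: str
    base_trust: float  # 0.0 (untrusted) .. 1.0 (fully trusted), set at provisioning
    history: list = field(default_factory=list)  # (resource, violated_policy) pairs

def trustworthiness(user: User) -> float:
    """Fold the user's access history into trustworthiness (Risk Adaptive slide).

    The share of past accesses without a policy violation is blended half-and-half
    with the provisioned base trust, so a single access cannot swing trust far.
    """
    if not user.history:
        return user.base_trust
    clean = sum(1 for _, violated in user.history if not violated)
    return 0.5 * user.base_trust + 0.5 * clean / len(user.history)

def context_likelihood(ctx: Context) -> float:
    """Each untrusted context parameter adds to the chance of misuse (Context Aware slide)."""
    penalty = ((0.0 if ctx.managed_device else 0.3)
               + (0.0 if ctx.trusted_location else 0.2)
               + (0.0 if ctx.business_hours else 0.1))
    return min(1.0, penalty)

def access_risk(user: User, ctx: Context, sensitivity: float,
                role_appropriateness: float) -> float:
    """Risk of granting this access, in [0, 1] (Risk Aware slide).

    The sources are treated as independent, so P(at least one misuse) = 1 - prod(1 - p_i).
    """
    p_user = 1.0 - trustworthiness(user)
    p_ctx = context_likelihood(ctx)
    p_role = 1.0 - role_appropriateness
    likelihood = 1.0 - (1.0 - p_user) * (1.0 - p_ctx) * (1.0 - p_role)
    return round(likelihood * sensitivity, 4)

def decide(user: User, ctx: Context, sensitivity: float, role_appropriateness: float,
           threshold: float = 0.25, mitigation_band: float = 0.10) -> str:
    """Compare the computed risk with the risk threshold (Risk Aware slide).

    A narrow band just above the threshold yields PERMIT_WITH_MITIGATION: the
    caller applies a real-time treatment (step-up authentication, tighter session
    monitoring) instead of a plain deny, one treatment strategy in the sense of
    the Possible Alternative Solutions slide. The band itself is an assumption.
    """
    risk = access_risk(user, ctx, sensitivity, role_appropriateness)
    if risk <= threshold:
        return "PERMIT"
    if risk <= threshold + mitigation_band:
        return "PERMIT_WITH_MITIGATION"
    return "DENY"

# Constructed sample data: a clean history and a history with two violations.
ALICE = User("alice", 0.9, [("payroll", False), ("payroll", False), ("hr-db", False)])
BOB = User("bob", 0.6, [("payroll", False), ("payroll", True), ("hr-db", True),
                        ("hr-db", False)])
OFFICE = Context(managed_device=True, trusted_location=True, business_hours=True)
CAFE = Context(managed_device=False, trusted_location=False, business_hours=False)

if __name__ == "__main__":
    for who in (ALICE, BOB):
        for where, ctx in (("office", OFFICE), ("cafe", CAFE)):
            print(who.name, where, decide(who, ctx, 0.8, 0.9))
```

With these constructed values the same user is permitted from a managed device in the office and denied from an unmanaged device off-site, which is the context-dependent behaviour the Limitations slide says existing models do not combine with user risk.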
Limitations

• Trust management and risk assessment are assumed but not made explicit
• No model takes both context risk and user risk into consideration at the same time
• Risk-adaptive AC models propose to modify risk values for future access control evaluations, but do not propose real-time reaction strategies
• No model takes into consideration the impact of context and risk constraints on the performance of the access control process
Possible Alternative Solutions

• Including the context in the trust and risk computation
• Developing real-time risk treatment strategies
• Managing risk-originated "access deny" incidents
• Working on complexity and performance issues
References

• [1] R.A. Shaikh, K. Adi, L. Logrippo, “Dynamic Risk-based Decision Methods for Access Control Systems”, 2012
• [2] C. S. Institute, CSI Computer Crime and Security Survey, 2010/11
• [3] L. Krautsevich, A. Lazouski, F. Martinelli, and A. Yautsiukhin, “Cost-Effective Enforcement of Access and Usage Control Policies under Uncertainties”, 2013
• [4] N. Baracaldo and J. Joshi, “A Trust-and-Risk Aware RBAC Framework: Tackling Insider Threat”, 2012
• [5] P. Bonatti, C. Galdi and D. Torres, “ERBAC: Event-Driven RBAC”, 2013
• [6] L. Chen and J. Crampton, “Risk-Aware Role-Based Access Control”, 2012
• [7] K.Z. Bijon, R. Krishnan, and R. Sandhu, “Risk-Aware RBAC Sessions”, 2012
• [8] S. Kandala, R. Sandhu, V. Bhamidipati, “An Attribute Based Framework for Risk-Adaptive Access Control Models”, 2011
Thank you! Questions