DOI: 10.1007/978-3-642-29963-6_11
Risk-Aware role-based access control

Published: 27 June 2011

Abstract

The increasing need to share information in dynamic environments has created a requirement for risk-aware access control systems. The standard RBAC model is designed to operate in a relatively stable, closed environment and does not include any support for risk. In this paper, we explore a number of ways in which the RBAC model can be extended to incorporate notions of risk. In particular, we develop three simple risk-aware RBAC models that differ in the way in which risk is represented and accounted for in making access control decisions. We also propose a risk-aware RBAC model that combines all the features of the three simple models and consider some issues related to its implementation. Compared with existing work, our models have clear authorization semantics and support richer types of access control decisions.



Published In

STM'11: Proceedings of the 7th international conference on Security and Trust Management
June 2011
238 pages
ISBN:9783642299629

Sponsors

  • ERCIM: European Research Consortium for Informatics and Mathematics

Publisher

Springer-Verlag, Berlin, Heidelberg


Cited By

  • (2019) A risk adaptive access control model based on Markov for big data in the cloud. International Journal of High Performance Computing and Networking 13(4), 464-475. DOI 10.5555/3337625.3337635. Online publication date: 1 Jan 2019
  • (2019) Automated Cyber Threat Sensing and Responding. Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1-10. DOI 10.1145/3339252.3340509. Online publication date: 26 Aug 2019
  • (2019) Decision Model for the Security and Utility Risk Evaluation (SURE) Framework. Proceedings of the Australasian Computer Science Week Multiconference, pp. 1-11. DOI 10.1145/3290688.3290694. Online publication date: 29 Jan 2019
  • (2019) G-SIR. IEEE Transactions on Dependable and Secure Computing 16(1), 84-98. DOI 10.1109/TDSC.2017.2654438. Online publication date: 1 Jan 2019
  • (2018) A Methodology and Toolkit for Deploying Reliable Security Policies in Critical Infrastructures. Security and Communication Networks 2018. DOI 10.1155/2018/7142170. Online publication date: 1 Jan 2018
  • (2018) A novel multilayer AAA model for integrated applications. Neural Computing and Applications 29(10), 887-901. DOI 10.1007/s00521-016-2610-3. Online publication date: 1 May 2018
  • (2017) On Risk in Access Control Enforcement. Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies, pp. 31-42. DOI 10.1145/3078861.3078872. Online publication date: 7 Jun 2017
  • (2017) A new approach to ranking attributes in attribute based access control using decision fusion. Neural Computing and Applications 28(1), 803-812. DOI 10.1007/s00521-016-2385-6. Online publication date: 1 Jan 2017
  • (2016) Risk-based authenticator for web applications. Proceedings of the 21st European Conference on Pattern Languages of Programs, pp. 1-11. DOI 10.1145/3011784.3011800. Online publication date: 6 Jul 2016
  • (2016) TIRIAC. Future Generation Computer Systems 55(C), 238-254. DOI 10.1016/j.future.2015.03.003. Online publication date: 1 Feb 2016
