Trust and Risk based Access Control and Access Control Constraints

Access control in dynamic environments must give users more opportunities to access information while still protecting that information from malicious users. Trust and risk are essential factors and can be combined in access control decision-making to meet this requirement. In this paper, we propose combining trust and risk in access control to balance information accessibility and protection. Access control decisions are made on the basis of the trustworthiness of users and the risk value of permissions. We use potential relations between users and relations between permissions in access control. Our approach not only provides more access opportunities for trustworthy users, but also effectively enforces traditional access control constraints such as the Chinese Wall policy and Separation of Duty (SoD) of the Role-Based Access Control (RBAC) model.
