Specify and enforce the policies of quantified risk adaptive access control

XACML and its reference implementation cannot directly support quantified risk-adaptive access control, because specifying and enforcing such policies imposes requirements that XACML does not meet: the elements these policies are built from, such as risk and risk level, are absent from the language; and in quantified risk-adaptive access control risk is mutable, accumulates across requests, and must be controlled continuously rather than decided once at request time. This paper therefore extends XACML and its reference implementation to support quantified risk-adaptive access control. It makes two contributions: a risk-adaptive policy language extended from XACML, and a framework for enforcing policies written in it. To the best of our knowledge, this is the first work to address this topic.
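The three properties the abstract singles out (a quantified risk element with a risk-level ceiling, risk that accumulates against a budget, and continuous re-evaluation of already granted access as the inputs to the risk quantity change) are easiest to see in a small decision point that has them. The following is an added illustration, not the paper's policy language or enforcement framework: the rule schema (`max_request_risk`, `risk_budget`), the quantification `sensitivity * (1 - trust)`, the subjects and the trust scores are all constructed for the example.

```python
"""Toy quantified risk-adaptive decision point (added example, not the paper's code).

Risk is quantified as sensitivity * (1 - trust): a constructed formula chosen
only so that lower trust or more sensitive data yields higher risk. The rule
element names and every subject, score and session id below are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RiskRule:
    """One rule of a hypothetical risk-adaptive policy."""
    rule_id: str
    resource: str
    action: str
    max_request_risk: float   # risk-level ceiling for a single request
    risk_budget: float        # accumulated risk a subject may spend on the resource


def quantify_risk(sensitivity: float, trust: float) -> float:
    """Constructed quantification of the risk of one access; both inputs in [0, 1]."""
    if not 0.0 <= sensitivity <= 1.0 or not 0.0 <= trust <= 1.0:
        raise ValueError("sensitivity and trust must be in [0, 1]")
    # Rounded so that repeated accumulation compares stably against the budget.
    return round(sensitivity * (1.0 - trust), 6)


@dataclass
class RiskPDP:
    rules: list
    spent: dict = field(default_factory=dict)     # (subject, resource) -> accumulated risk
    sessions: dict = field(default_factory=dict)  # session id -> (subject, resource, action, sensitivity)

    def _rule_for(self, resource: str, action: str):
        for rule in self.rules:
            if rule.resource == resource and rule.action == action:
                return rule
        return None

    def decide(self, subject, resource, action, sensitivity, trust, session_id) -> str:
        """Return 'Permit' or 'Deny'. On Permit the request's risk is charged to
        the subject's budget and the session is kept for later re-evaluation."""
        rule = self._rule_for(resource, action)
        if rule is None:
            return "Deny"                      # no applicable rule: deny by default
        risk = quantify_risk(sensitivity, trust)
        if risk > rule.max_request_risk:
            return "Deny"                      # single request above the risk level
        key = (subject, resource)
        new_spent = round(self.spent.get(key, 0.0) + risk, 6)
        if new_spent > rule.risk_budget:
            return "Deny"                      # accumulated risk would exhaust the budget
        self.spent[key] = new_spent
        self.sessions[session_id] = (subject, resource, action, sensitivity)
        return "Permit"

    def reevaluate(self, current_trust: dict) -> list:
        """Continuous control: re-quantify each live session with the subject's
        current trust (risk is mutable) and revoke sessions now above the ceiling."""
        revoked = []
        for sid, (subject, resource, action, sensitivity) in list(self.sessions.items()):
            rule = self._rule_for(resource, action)
            risk = quantify_risk(sensitivity, current_trust.get(subject, 0.0))
            if rule is None or risk > rule.max_request_risk:
                revoked.append(sid)
                del self.sessions[sid]
        return revoked


def run_demo():
    """Constructed scenario: one rule, two subjects, then a drop in trust."""
    pdp = RiskPDP(rules=[RiskRule("r1", "patient-records", "read", 0.3, 0.5)])
    decisions = [
        pdp.decide("alice", "patient-records", "read", 0.6, 0.8, "s1"),  # risk 0.12
        pdp.decide("alice", "patient-records", "read", 0.9, 0.8, "s2"),  # risk 0.18, spent 0.30
        pdp.decide("alice", "patient-records", "read", 1.0, 0.8, "s3"),  # risk 0.20, spent 0.50
        pdp.decide("alice", "patient-records", "read", 0.5, 0.8, "s4"),  # risk 0.10, over budget
        pdp.decide("bob",   "patient-records", "read", 0.9, 0.4, "s5"),  # risk 0.54, over ceiling
    ]
    # Later tick: alice's trust has fallen to 0.5; sessions s2 and s3 now exceed the ceiling.
    revoked = pdp.reevaluate({"alice": 0.5, "bob": 0.4})
    return decisions, revoked


if __name__ == "__main__":
    print(run_demo())
```

Note the two different reasons a request is denied: `s5` fails the per-request risk level, while `s4` is individually cheap but fails because the budget the earlier three requests spent is exhausted. The `reevaluate` step is what a request-time-only PDP such as stock XACML does not do: a Permit already issued is withdrawn when the quantity it depended on changes.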
