Risk-Aware RBAC Sessions

Role-Based Access Control (RBAC) has received considerable attention over the past decade as a model of choice for simplified access control. More recently, risk awareness in access control has emerged as an important research theme for mitigating the risks involved when users exercise their privileges to access resources under different contexts, such as accessing a sensitive file from work versus doing the same from home. In this paper, we investigate how to incorporate "risk" into RBAC, and in particular into RBAC sessions. To this end, we propose an extension to the core RBAC model that makes sessions risk-aware: the risk carried by a session is bounded by a session-based "risk-threshold." We develop a framework of models for role activation and deactivation in a session based on this threshold. Finally, we provide a formal specification of one of these models by enhancing the NIST core RBAC model.
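As an added illustration (not code from the paper), the following Python sketch models one possible risk-bounded session: each role carries an assumed numeric risk score, session risk is assumed to be the sum of the active roles' scores, activation is refused when it would exceed the session's risk-threshold, and lowering the threshold (for example on a context change) deactivates the riskiest roles until the session is back within bound. The role names, scores and the additive aggregation are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample: risk score per role (an assumed attribute, not from the paper).
ROLE_RISK = {"reader": 1.0, "editor": 3.0, "admin": 6.0}


class RiskThresholdExceeded(Exception):
    """Activating the role would push session risk above the session's threshold."""


@dataclass
class RiskAwareSession:
    user: str
    threshold: float                  # session-based risk-threshold
    authorized_roles: frozenset       # roles assigned to the user (UA relation)
    active: set = field(default_factory=set)

    def session_risk(self) -> float:
        # Assumption: session risk is the sum of the active roles' risk scores.
        return sum(ROLE_RISK[r] for r in self.active)

    def activate(self, role: str) -> float:
        """Activate a role if authorized and within the threshold; return new risk."""
        if role not in self.authorized_roles:
            raise PermissionError(f"{self.user} is not assigned role {role!r}")
        if role in self.active:
            return self.session_risk()
        new_risk = self.session_risk() + ROLE_RISK[role]
        if new_risk > self.threshold:
            raise RiskThresholdExceeded(
                f"activating {role!r} gives risk {new_risk} > threshold {self.threshold}")
        self.active.add(role)
        return new_risk

    def deactivate(self, role: str) -> float:
        """Deactivate a role (no-op if inactive); return the remaining session risk."""
        self.active.discard(role)
        return self.session_risk()

    def apply_threshold(self, new_threshold: float) -> list:
        """Set a new threshold (e.g. context changed from office to remote) and
        deactivate the highest-risk active roles until the session fits.
        Returns the deactivated roles, riskiest first."""
        self.threshold = new_threshold
        dropped = []
        for role in sorted(self.active, key=lambda r: ROLE_RISK[r], reverse=True):
            if self.session_risk() <= self.threshold:
                break
            self.active.remove(role)
            dropped.append(role)
        return dropped
```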
