Adaptive identity and access management—contextual data based policies

Driven by compliance and IT security requirements, company-wide identity and access management (IAM) has gained considerable importance in research and practice over the last years. Companies aim to standardize their user management policies in order to reduce administrative overhead and strengthen IT security. These policies form the foundation of every identity and access management system, whether they are implemented in IT systems or exist only in the minds of the responsible IAM engineers. Despite their relevance, hardly any supporting means for the automated detection, refinement and management of policies are available. As a result, policies become outdated over time, which leads to security vulnerabilities and inefficiencies. Existing research focuses mainly on policy detection and enforcement; it provides neither the guidance required for policy management nor the instruments needed to keep policies adaptable in today's dynamic IAM environments. This paper closes this gap by proposing a dynamic policy management process that structures the activities required for policy management in IAM environments. In contrast to current approaches, it uses contextual user management data and key performance indicators (KPIs) for policy detection and refinement, and it offers result visualization techniques that foster human understanding. To underline its applicability, the paper provides an evaluation based on real-life data from a large industrial company.
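To make the detection/KPI/refinement loop concrete, the following Python example is added here; it is not the paper's process or code. It mines candidate attribute-based rules ("attribute=value implies entitlement") from a snapshot of user management data, scores each rule with two KPIs (precision: share of matching users who actually hold the entitlement; coverage: share of entitlement holders the rule explains), re-evaluates the rules on a later snapshot to flag outdated ones, and proposes replacement rules from other contextual attributes. The KPIs, the thresholds, the greedy pruning of redundant rules and all user records are assumptions constructed for the example.

```python
"""Detecting and refining attribute-based user management policies from
contextual IAM data, tracked with KPIs. Illustrative example only: the mining
heuristic, the KPIs and the thresholds are assumptions, not the paper's
process, and every record below is constructed."""
from itertools import combinations

# Constructed snapshot of user management data: contextual attributes taken
# from HR/IAM systems plus the entitlements ("perms") each user holds.
SNAPSHOT_T0 = [
    {"uid": "u1", "attrs": {"dept": "finance", "site": "berlin", "cc": "cc100"}, "perms": {"sap_fi", "vpn"}},
    {"uid": "u2", "attrs": {"dept": "finance", "site": "berlin", "cc": "cc100"}, "perms": {"sap_fi", "vpn"}},
    {"uid": "u3", "attrs": {"dept": "finance", "site": "munich", "cc": "cc100"}, "perms": {"sap_fi", "vpn"}},
    {"uid": "u4", "attrs": {"dept": "it", "site": "berlin", "cc": "cc200"}, "perms": {"admin_console", "vpn"}},
    {"uid": "u5", "attrs": {"dept": "it", "site": "munich", "cc": "cc200"}, "perms": {"admin_console", "vpn"}},
    {"uid": "u6", "attrs": {"dept": "sales", "site": "berlin", "cc": "cc300"}, "perms": {"crm", "vpn"}},
]

# Later snapshot (constructed): u3 moved to a new "controlling" department but
# keeps sap_fi and the cost center; u7 joined finance under another cost center.
SNAPSHOT_T1 = [u for u in SNAPSHOT_T0 if u["uid"] != "u3"] + [
    {"uid": "u3", "attrs": {"dept": "controlling", "site": "munich", "cc": "cc100"}, "perms": {"sap_fi", "vpn"}},
    {"uid": "u7", "attrs": {"dept": "finance", "site": "munich", "cc": "cc110"}, "perms": {"vpn"}},
]


def _conditions(users, max_attrs=2):
    """Enumerate candidate rule conditions: every combination of up to
    max_attrs observed attribute=value pairs, one value per attribute."""
    pairs = sorted({(a, v) for u in users for a, v in u["attrs"].items()})
    for k in range(1, max_attrs + 1):
        for combo in combinations(pairs, k):
            if len({a for a, _ in combo}) == k:
                yield combo


def _matches(user, cond):
    return all(user["attrs"].get(a) == v for a, v in cond)


def rule_kpis(cond, perm, users):
    """KPIs of the rule cond -> perm on one snapshot. Low precision signals
    over-entitlement risk, low coverage signals a gap in the policy."""
    matched = [u for u in users if _matches(u, cond)]
    holders = [u for u in users if perm in u["perms"]]
    support = sum(1 for u in matched if perm in u["perms"])
    return {
        "support": support,
        "precision": support / len(matched) if matched else 0.0,
        "coverage": support / len(holders) if holders else 0.0,
    }


def _prune(rules):
    """Drop a rule when a strictly more general rule (a proper subset of its
    condition) already explains the same entitlement."""
    keep = {}
    for (cond, perm), k in rules.items():
        generals = (c for r in range(1, len(cond)) for c in combinations(cond, r))
        if not any((g, perm) in rules for g in generals):
            keep[(cond, perm)] = k
    return keep


def mine_rules(users, min_precision=0.9, min_coverage=0.8, max_attrs=2):
    """Policy detection: keep every candidate rule whose KPIs pass the
    (assumed) thresholds, then prune redundant specialisations."""
    perms = sorted({p for u in users for p in u["perms"]})
    rules = {}
    for cond in _conditions(users, max_attrs):
        for perm in perms:
            k = rule_kpis(cond, perm, users)
            if k["precision"] >= min_precision and k["coverage"] >= min_coverage:
                rules[(cond, perm)] = k
    return _prune(rules)


def flag_outdated(rules, users, min_precision=0.9, min_coverage=0.8):
    """Policy management: re-score previously detected rules on newer data and
    return those whose KPIs have fallen below the thresholds."""
    stale = {}
    for cond, perm in rules:
        k = rule_kpis(cond, perm, users)
        if k["precision"] < min_precision or k["coverage"] < min_coverage:
            stale[(cond, perm)] = k
    return stale


def refine(outdated, users, **thresholds):
    """Policy refinement: for each outdated rule, propose conditions over other
    contextual attributes that explain the same entitlement on current data."""
    fresh = mine_rules(users, **thresholds)
    return {key: [c for (c, p) in fresh if p == key[1]] for key in outdated}


def unexplained(rules, users):
    """Entitlements that no mined rule accounts for: candidates for manual review."""
    covered = {perm for (_, perm) in rules}
    return sorted({p for u in users for p in u["perms"]} - covered)


if __name__ == "__main__":
    rules = mine_rules(SNAPSHOT_T0)
    for (cond, perm), k in sorted(rules.items()):
        print(" & ".join(f"{a}={v}" for a, v in cond), "->", perm, k)
    print("unexplained:", unexplained(rules, SNAPSHOT_T0))
    stale = flag_outdated(rules, SNAPSHOT_T1)
    print("outdated:", stale)
    print("refinements:", refine(stale, SNAPSHOT_T1))
```

On the constructed data the first snapshot yields six rules (department and cost center each explain the SAP, admin console and CRM entitlements) and leaves `vpn` unexplained, since no single attribute value covers all holders. After the reorganisation, `dept=finance -> sap_fi` drops to a precision and coverage of 2/3 and is flagged, while the cost-center rule `cc=cc100 -> sap_fi` still holds and is offered as the refinement. Whether a flagged rule is refined automatically or routed to an engineer is exactly the management decision the process in the paper is meant to structure; this example only surfaces the KPI evidence.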
