Risk-Based Usage Control for Service Oriented Architecture

In Service Oriented Architecture (SOA) data belonging to a client (data provider) is often processed by a provider (data consumer). During this processing the data can be compromised. A client wants to be sure that its data is used in the least risky way while is under provider’s control. The risk level should be low when access to the data is granted and should remain low during the whole interaction and, maybe, some time after. Therefore, a client has to consider closely various providers and decide which one provides the service with the smallest risk. More importantly, the risk has to be constantly recomputed after granting the access to the data, i.e., usage of data must be controlled. In this work we propose a method to empower usage control with a risk-based decision making process for more efficient and flexible control of access to data. Employing this idea we show how to select a service provider using risk, re-evaluate the risk level when some changes have happened and how to improve an infrastructure in order to reduce the risk level.

[1]  Vincenzo D'Andrea,et al.  Evaluating Quality of Web Services: A Risk-Driven Approach , 2007, BIS.

[2]  Odej Kao,et al.  Introducing Risk Management into the Grid , 2006, 2006 Second IEEE International Conference on e-Science and Grid Computing (e-Science'06).

[3]  Valtteri Niemi,et al.  Distributed Usage Control , 2011, ANT/MobiWIS.

[4]  Gary Stoneburner,et al.  SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[5]  Álvaro Enrique Arenas,et al.  Controlling Usage in Business Process Workflows through Fine-Grained Security Policies , 2008, TrustBus.

[6]  Shawn A. Butler Security attribute evaluation method: a cost-benefit approach , 2002, ICSE '02.

[7]  Fabio Martinelli,et al.  Towards Continuous Usage Control on Grid Computational Services , 2005, Joint International Conference on Autonomic and Autonomous Systems and International Conference on Networking and Services - (icas-isns'05).

[8]  S. Martello,et al.  Algorithms for Knapsack Problems , 1987 .

[9]  Benjamin Aziz,et al.  Reconfiguring Role Based Access Control policies using risk semantics , 2006, J. High Speed Networks.

[10]  Jean-Pierre Seifert,et al.  Model-based behavioral attestation , 2008, SACMAT '08.

[11]  Dominic Battré,et al.  Gaining users’ trust by publishing failure probabilities , 2007, 2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops - SecureComm 2007.

[12]  Andrew Stewart,et al.  On risk: perception and direction , 2004, Comput. Secur..

[13]  G. Stoneburner,et al.  Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[14]  Christian Schaefer,et al.  A Policy Language for Distributed Usage Control , 2007, ESORICS.

[15]  Dominic Battré,et al.  AssessGrid Strategies for Provider Ranking Mechanisms in Risk-Aware Grid Systems , 2008, GECON.

[16]  David Pisinger,et al.  Algorithms for Knapsack Problems , 1995 .

[17]  Heejo Lee,et al.  Enforcing Access Control Using Risk Assessment , 2007, Fourth European Conference on Universal Multiservice Networks (ECUMN'07).

[18]  Alexander Pretschner,et al.  Usage Control in Service-Oriented Architectures , 2007, TrustBus.

[19]  David M. Eyers,et al.  Using trust and risk in role-based access control policies , 2004, SACMAT '04.

[20]  Rahim Choudhary A policy based architecture for NSA RAdAC model , 2005, Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop.

[21]  Sushil Jajodia,et al.  Toward information sharing: benefit and risk access control (BARAC) , 2006, Seventh IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'06).

[22]  Warren Harrison,et al.  Prioritization of Threats Using the k / m Algebra , 2005 .

[23]  Jaehong Park,et al.  Towards usage control models: beyond traditional access control , 2002, SACMAT '02.

[24]  Dominic Battré,et al.  Quality assurance of Grid service provisioning by risk aware managing of resource failures , 2008, 2008 Third International Conference on Risks and Security of Internet and Systems.

[25]  Claudia Keser,et al.  Fuzzy Multi-Level Security: An Experiment on Quantified Risk-Adaptive Access Control , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[26]  Odej Kao,et al.  The First Step of Introducing Risk Management for Prepossessing SLAs , 2006, 2006 IEEE International Conference on Services Computing (SCC'06).

[27]  Schahram Dustdar,et al.  Service mediation and negotiation bootstrapping as first achievements towards self-adaptable grid and cloud services , 2009, GMAC '09.

[28]  Fred Cohen,et al.  Managing network security - Part 5: Risk management or risk analysis , 1997 .