Risk-Based Auto-delegation for Probabilistic Availability

  • Conference paper
Data Privacy Management and Autonomous Spontaneus Security (DPM 2011, SETOP 2011)

Abstract

Dynamic and evolving systems might require flexible access control mechanisms to make sure that the unavailability of some users does not prevent the system from functioning, in particular in emergency-prone environments such as healthcare, natural disaster response teams, or military systems. The auto-delegation mechanism, which combines the strengths of delegation systems and “break-the-glass” policies, was recently introduced to handle such situations by stating that the most qualified available user for a resource can access this resource.

In this work we extend this mechanism by considering availability as a quantitative measure, such that each user is associated with a probability of availability. The decision to allow or deny an access is based on the utility of each outcome and on a risk strategy. We describe a generic framework allowing a system designer to define these different concepts. We also illustrate our framework with two specific use cases inspired by healthcare systems and resource management systems.

Work partially supported by EU FP7-ICT project NESSoS (Network of Excellence on Engineering Secure Future Internet Software Services and Systems) under the grant agreement n. 256980 and by EU-funded project “CONNECT”.


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Krautsevich, L., Martinelli, F., Morisset, C., Yautsiukhin, A. (2012). Risk-Based Auto-delegation for Probabilistic Availability. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., de Capitani di Vimercati, S. (eds) Data Privacy Management and Autonomous Spontaneus Security. DPM SETOP 2011 2011. Lecture Notes in Computer Science, vol 7122. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28879-1_14

  • DOI: https://doi.org/10.1007/978-3-642-28879-1_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-28878-4

  • Online ISBN: 978-3-642-28879-1

  • eBook Packages: Computer Science, Computer Science (R0)
