Abstract
As organisations expand and interconnect, authorisation infrastructures become increasingly difficult to manage. Several solutions have been proposed, including self-adaptive authorisation, where the access control policies are dynamically adapted at run-time to respond to misuse and malicious behaviour. The ultimate goal of self-adaptive authorisation is to reduce human intervention, make authorisation infrastructures more responsive to malicious behaviour, and manage access control in a more cost-effective way. In this chapter, we scope and define the emerging area of self-adaptive authorisation by describing some of its developments, trends, and challenges. For that, we start by identifying key concepts related to access control and authorisation infrastructures and provide a brief introduction to self-adaptive software systems, which provides the foundation for investigating how self-adaptation can enable the enforcement of authorisation policies. The outcome of this study is the identification of several technical challenges related to self-adaptive authorisation, which are classified according to the different stages of a feedback control loop.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
Also referred to as the self-adaptive layer.
References
Axiomatics: Axiomatics policy server [Online], Available from: https://www.axiomatics.com/axiomatics-policy-server.html. Accessed 17 Jan 2014
Bailey, C.M.: Self-adaptive Authorisation Infrastructures. Ph.D. thesis, University of Kent (2015)
Bailey, C., Chadwick, D.W., de Lemos, R.: Self-adaptive authorization framework for policy based RBAC/ABAC models. In: Proceedings of the 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, DASC ’11, pp. 37–44. IEEE Computer Society, Washington, DC (2011). https://doi.org/10.1109/DASC.2011.31
Bailey, C., Chadwick, D.W., de Lemos, R.: Self-adaptive federated authorization infrastructures. J. Comput. Syst. Sci. 80(5), 935–952 (2014). http://www.sciencedirect.com/science/article/pii/S0022000014000154, Special Issue on Dependable and Secure Computing the 9th {IEEE} International Conference on Dependable, Autonomic and Secure Computing
Bailey, C., Montrieux, L., de Lemos, R., Yu, Y., Wermelinger, M.: Run-time generation, transformation, and verification of access control models for self-protection. In: Proceedings of the 9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2014, pp. 135–144. ACM, New York (2014). https://doi.org/10.1145/2593929.2593945
BBC: Credit card details on 20 million South Koreans stolen [Online] (Jan 2014), Available from: http://www.bbc.co.uk/news/technology-25808189. Accessed 5 Jan 2014
Benantar, M.: Access Control Systems: Security, Identity Management and Trust Models. Springer, New York (2005)
Bistarelli, S., Martinelli, F., Santini, F.: A formal framework for trust policy negotiation in autonomic systems: abduction with soft constraints. In: Proceedings of the 7th International Conference on Autonomic and Trusted Computing, ATC’10, vol. 6407, pp. 268–282. Springer, Berlin/Heidelberg (2010). http://dl.acm.org/citation.cfm?id=1927943.1927968
Booth, R., Brooke, H., Moriss, S.: WikiLeaks cables: Bradley Manning faces 52 years in jail [Online] (30 Nov 2010), Available from: http://www.theguardian.com/world/2010/nov/30/wikileaks-cables-bradley-manning. Accessed 5 Jan 2014
Brun, Y., Marzo Serugendo, G., Gacek, C., Giese, H., Kienle, H., Litoiu, M., Müller, H., Pezzè, M., Shaw, M.: Software engineering for self-adaptive systems. Engineering Self-Adaptive Systems Through Feedback Loops, pp. 48–70. Springer, Berlin/Heidelberg (2009). https://doi.org/10.1007/978-3-642-02161-9_3
Cappelli, D.M., Moore, A.P., Trzeciak, R.F.: The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, 1st edn. Addison-Wesley Professional, Upper Saddle River (2012)
Caputo, D., Maloof, M., Stephens, G.: Detecting insider theft of trade secrets. IEEE Secur. Priv. 7(6), 14–21 (2009). https://doi.org/10.1109/MSP.2009.110
Chadwick, D.W., Otenko, A.: The PERMIS X.509 role based privilege management infrastructure. In: Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies, SACMAT ’02, pp. 135–140. ACM, New York (2002). https://doi.org/10.1145/507711.507732
Chadwick, D.W., Zhao, G., Otenko, S., Laborde, R., Su, L., Nguyen, T.A.: PERMIS: a modular authorization infrastructure. Concurr. Comput. Pract. Exp. 20(11), 1341–1357 (2008). https://doi.org/10.1002/cpe.v20:11
Demchenko, Y., Gommans, L., Laat, C.: Extending role based access control model for distributed multidomain applications. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., Solms, R. (eds.) New Approaches for Security, Privacy and Trust in Complex Environments, IFIP International Federation for Information Processing, vol. 232, pp. 301–312. Springer (2007). https://doi.org/10.1007/978-0-387-72367-9_26
de Lemos, R., Potena, P.: Chapter 14 – identifying and handling uncertainties in the feedback control loop. In: Mistrik, I., Ali, N., Kazman, R., Grundy, J., Schmerl, B. (eds.) Managing Trade-Offs in Adaptable Software Architectures. Morgan Kaufmann, pp. 353–367 (2017). ISBN 9780128028551, https://doi.org/10.1016/B978-0-12-802855-1.00014-9
de Lemos, R., Giese, H., Müller, H., Shaw, M., Andersson, J., Litoiu, M., Schmerl, B., Tamura, G., Villegas, N., Vogel, T., Weyns, D., Baresi, L., Becker, B., Bencomo, N., Brun, Y., Cukic, B., Desmarais, R., Dustdar, S., Engels, G., Geihs, K., Göschka, K., Gorla, A., Grassi, V., Inverardi, P., Karsai, G., Kramer, J., Lopes, A., Magee, J., Malek, S., Mankovskii, S., Mirandola, R., Mylopoulos, J., Nierstrasz, O., Pezzè, M., Prehofer, C., Schäfer, W., Schlichting, R., Smith, D., Sousa, J., Tahvildari, L., Wong, K., Wuttke, J.: Software engineering for self-adaptive systems: a second research roadmap. In: de Lemos, R., Giese, H., Müller, H., Shaw, M. (eds.) Software Engineering for Self-Adaptive Systems II. Lecture Notes in Computer Science, vol. 7475, pp. 1–32. Springer, Berlin/Heidelberg (2013). https://doi.org/10.1007/978-3-642-35813-5_1
Dobson, S., Denazis, S., Fernández, A., Gaïti, D., Gelenbe, E., Massacci, F., Nixon, P., Saffre, F., Schmidt, N., Zambonelli, F.: A survey of autonomic communications. ACM Trans. Auton. Adapt. Syst. 1(2), 223–259 (2006). https://doi.org/10.1145/1186778.1186782
Garlan, D., Cheng, S.W., Huang, A.C., Schmerl, B., Steenkiste, P.: Rainbow: architecture-based self-adaptation with reusable infrastructure. Computer 37(10), 46–54 (2004). https://doi.org/10.1109/MC.2004.175
Hellerstein, J.L., Diao, Y., Parekh, S., Tilbury, D.M.: Feedback Control of Computing Systems. Wiley, New York (2004)
Hu, V.C., Kuhn, D.R., Xie, T., Hwang, J.: Model checking for verification of mandatory access control models and properties. Int. J. Softw. Eng. Knowl. Eng. 21(01), 103–127 (2011)
Hu, V.C., Schnitzer, A., Sandlin, K., Scarfone, K.: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST Special Publication (2013)
IBM: IBM Security Intelligence with Big Data [Online], Available from: http://www-03.ibm.com/security/solution/intelligence-big-data/. Accessed 20 July 2014
ITU-T Rec. X.509: The Directory: Authentication Framework. ISO/IEC 9594-8 (2000)
Janicke, H., Cau, A., Siewe, F., Zedan, H.: Dynamic access control policies. Comput. J. 56(4), 440–463 (2013). https://doi.org/10.1093/comjnl/bxs102
Kalam, A.A.E., Benferhat, S., Miège, A., Baida, R.E., Cuppens, F., Saurel, C., Balbiani, P., Deswarte, Y., Trouessin, G.: Organization based access control. In: Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, POLICY ’03, pp. 120–131. IEEE Computer Society (2003). http://dl.acm.org/citation.cfm?id=826036.826869
Kephart, J.O., Chess, D.M.: The vision of autonomic computing. Computer 36(1), 41–50 (2003). https://doi.org/10.1109/MC.2003.1160055
Koutsonikola, V., Vakali, A.: LDAP: framework, practices, and trends. IEEE Internet Comput. 8(5), 66–72 (2004). https://doi.org/10.1109/MIC.2004.44
Kramer, J., Magee, J.: Self-managed systems: an architectural challenge. In: 2007 Future of Software Engineering, FOSE ’07, pp. 259–268. IEEE Computer Society, Washington, DC (2007). https://doi.org/10.1109/FOSE.2007.19
Lopez, J., Oppliger, R., Pernul, G.: Authentication and authorization infrastructures (AAIS): a comparative survey. Comput. Secur. 23(7), 578–590 (2004). https://doi.org/10.1016/j.cose.2004.06.013
McGraw, R.: Risk-adaptable access control (RADac). Technical report, National Institute of Standards and Technology (NIST) (2009)
Moore, A.P., Hanley, M., Mundie, D.: A pattern for increased monitoring for intellectual property theft by departing insiders. Technical report, CMU/SEI-2012-TR-008, Software Engineering Institute, Carnegie Mellon University, Pittsburgh (2012)
Morgan, R.L., Cantor, S., Carmody, S., Hoehn, W., Klingenstein, K.: Federated security: the Shibboleth approach. EDUCAUSE Q. 27(4), 12–17 (2004). http://www.eric.ed.gov/ERICWebPortal/detail?accno=EJ854029
Mu, C., Li, Y.: An intrusion response decision-making model based on hierarchical task network planning. Expert Syst. Appl. 37(3), 2465–2472 (2010)
NIST: INCITS 359-2004 – Role Based Access Control (2004)
Nurse, J.R., Buckley, O., Legg, P.A., Goldsmith, M., Creese, S., Wright, G.R., Whitty, M.: Understanding insider threat: a framework for characterising attacks. In: Workshop on Research for Insider Threat (WRIT) Held as Part of the IEEE Computer Society Security and Privacy Workshops (SPW14), in conjunction with the IEEE Symposium on Security and Privacy (SP), pp. 214–228. IEEE (2014). http://www.sei.cmu.edu/community/writ2014/
OASIS: Security Assertion Markup Language (SAML) Version 2.0 (2005)
OASIS: eXtensible Access Control Markup Language (XACML) v3.0 (2013)
O’Conner, A.C., Loomis, R.J.: 2010 economic analysis of role-based access control. Technical report, RTI International, NIST (2010)
Oltsik, J.: The 2013 Vormetric insider threat report [Online] (2013), Available from: http://www.vormetric.com/sites/default/files/vormetric-insider-threat-report-oct-2013.pdf. Accessed 12 June 2014
Oreizy, P., Gorlick, M.M., Taylor, R.N., Heimbigner, D., Johnson, G., Medvidovic, N., Quilici, A., Rosenblum, D.S., Wolf, A.L.: An architecture-based approach to self-adaptive software. IEEE Intell. Syst. 14(3), 54–62 (1999). https://doi.org/10.1109/5254.769885
Park, J., Sandhu, R.: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128–174 (2004). https://doi.org/10.1145/984334.984339
Pashalidis, A., Mitchell, C.J.: A taxonomy of single sign-on systems. In: Proceedings of the 8th Australasian Conference on Information Security and Privacy, ACISP’03, pp. 249–264. Springer, Berlin/Heidelberg (2003). http://dl.acm.org/citation.cfm?id=1760479.1760507
Pasquale, L., Menghi, C., Salehie, M., Cavallaro, L., Omoronyia, I., Nuseibeh, B.: Securitas: a tool for engineering adaptive security. In: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, FSE ’12, pp. 19:1–19:4. ACM, New York (2012). https://doi.org/10.1145/2393596.2393618
Pearlman, L., Welch, V., Foster, I., Kesselman, C., Tuecke, S.: A community authorization service for group collaboration. In: Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY’02), pp. 50–59. IEEE Computer Society, Washington, DC (2002). http://dl.acm.org/citation.cfm?id=863632.883495
PERMIS Standalone Authorisation Server: [Online], Available from: http://sec.cs.kent.ac.uk/permis/. Accessed 5 Jan 2014
Ratha, N.K., Bolle, R.M., Pandit, V.D., Vaish, V.: Robust fingerprint authentication using local structural similarity. In: Fifth IEEE Workshop on Applications of Computer Vision, 2000, pp. 29–34. IEEE (2000). http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.19.8588&rep=rep1&type=pdf
Serrano, M., Meer, S., Strassner, J., Paoli, S., Kerr, A., Storni, C.: Trust and reputation policy-based mechanisms for self-protection in autonomic communications. In: Proceedings of the 6th International Conference on Autonomic and Trusted Computing, ATC ’09, pp. 249–267. Springer, Berlin/Heidelberg (2009). https://doi.org/10.1007/978-3-642-02704-8_19
SimpleSAMLphp: [Online], Available from: http://simplesamlphp.org/. Accessed 5 Jan 2014
Spitzner, L.: Honeypots: catching the insider threat. In: Proceedings of the 19th Annual Computer Security Applications Conference, pp. 170–179. IEEE (2003)
Stakhanova, N., Basu, S., Wong, J.: A cost-sensitive model for preemptive intrusion response systems. In: AINA. vol. 7, pp. 428–435 (2007)
Strasburg, C., Stakhanova, N., Basu, S., Wong, J.S.: A framework for cost sensitive assessment of intrusion response selection. In: Proceedings of the 2009 33rd Annual IEEE International Computer Software and Applications Conference, COMPSAC ’09, vol. 01, pp. 355–360. IEEE Computer Society, Washington, DC (2009). https://doi.org/10.1109/COMPSAC.2009.54
Thompson, M., Johnston, W., Mudumbai, S., Hoo, G., Jackson, K., Essiari, A.: Certificate-based access control for widely distributed resources. In: Proceedings of the 8th Conference on USENIX Security Symposium, SSYM’99, pp. 17–30. USENIX Association, Berkeley (1999). http://dl.acm.org/citation.cfm?id=1251421.1251438
Walsh, C.: New data theft scandal rocks subcontinent’s call centres [Online] (3 Sept 2006), Available from: http://www.theguardian.com/money/2006/sep/03/business.india. Accessed 5 Jan 2014
Weyns, D.: Software engineering of self-adaptive systems: an organised tour and future challenges. In: Cha, S., Taylor, R.N., Kang, K.C. (eds.) Handbook of Software Engineering. Springer, Cham (2018)
Weyns, D., Malek, S., Andersson, J.: Forms: unifying reference model for formal specification of distributed self-adaptive systems. ACM Trans. Auton. Adapt. Syst. 7(1), 8:1–8:61 (2012). https://doi.org/10.1145/2168260.2168268
Yuan, E., Tong, J.: Attributed based access control (ABAC) for web services. In: Proceedings of the IEEE International Conference on Web Services, ICWS ’05, pp. 561–569. IEEE Computer Society, Washington, DC (2005). https://doi.org/10.1109/ICWS.2005.25
Yuan, E., Malek, S., Schmerl, B., Garlan, D., Gennari, J.: Architecture-based self-protecting software systems. In: Proceedings of the 9th International ACM Sigsoft Conference on Quality of Software Architectures, pp. 33–42. ACM (2013)
Yuan, E., Esfahani, N., Malek, S.: A systematic survey of self-protecting software systems. ACM Trans. Auton. Adapt. Syst. 8(4), 17:1–17:41 (2014). https://doi.org/10.1145/2555611
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this chapter
Cite this chapter
Montrieux, L., de Lemos, R., Bailey, C. (2019). Challenges in Engineering Self-Adaptive Authorisation Infrastructures. In: Yu, Y., et al. Engineering Adaptive Software Systems. Springer, Singapore. https://doi.org/10.1007/978-981-13-2185-6_3
Download citation
DOI: https://doi.org/10.1007/978-981-13-2185-6_3
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-2184-9
Online ISBN: 978-981-13-2185-6
eBook Packages: Computer ScienceComputer Science (R0)