ACCESS CONTROL PRIVILEGES MANAGEMENT FOR RISK AREAS
Mariagrazia Fugini and Mahsa Teimourikia
Politecnico di Milano, Polo Territoriale di Como
[email protected], [email protected]
16, 2014
Outline
Objectives
Scope
Motivations
Preliminaries
The Risk Management System
The Risk-Adaptive Access Control
Conclusions
Objective
This research tackles the problem of making access control models flexible and dynamic with respect to environmental conditions and risks that endanger the security, privacy and safety of civilians, resources and structures.
[Figure: Dynamic and Adaptive Access Control, relating the Environment, Users and Resources to Security, Safety, Privacy, and Risk & Emergency]
Scope
Adaptive and Risk-Aware Access Control
• Security: access control models and policies, physical resources and data, attributes and conditions of users, resources and the environment, etc.
• Risk: risk in the environment, user-centered approach, proactive and reactive risk treatment, distinction between risks and emergencies, etc.
Motivation
• In environmental risk management, providing security for people and various resources dynamically, according to what happens in the environment, is an open issue.
• In monitored environments, where risks can be acknowledged via sensors and spatial data technologies, security rules, in particular access control rules, should be made adaptive to the situation at hand at run time.
The JASON Report [1] points out the inflexibility of current access control (AC) models, which can be a major limitation when dealing with dynamic and unpredictable environments.
[1] Horizontal integration: Broader access models for realizing information dominance. Technical report, The MITRE Corporation, JASON Program Office, McLean, Virginia, 2004.
[2] K. Smith, Environmental hazards: assessing risk and reducing disaster, Routledge, 2013.
Preliminaries
• Risk: hazards and abnormalities recognized in an environment that indicate a threat to the infrastructure and/or the civilians (e.g., if sensors indicate a gas leak, there is a risk of fire and explosion). Risks can be avoided via preventive strategies (e.g., closing the gas flow). Risks carry attributes such as Type, IntensityLevel, and Location.
• Emergency: when the Risk intensity is higher than a threshold, it is considered an emergency that needs immediate intervention and corrective strategies (e.g., if the gas leak is very heavy, it can indicate an emergency situation where an explosion is going to happen or has already happened).
The Scenario
Environment: Airport
Users: In-domain Users (e.g., Airport Staff), Out-domain Users (e.g., passengers, first responders)
Resources: Data and physical resources
The Risk Management System (RMS)
The RMS [3] receives inputs from sensors and monitoring devices, recognizes the risks and emergencies in the environment, monitors the data received about emergencies and disasters that have happened in nearby areas, and accordingly produces a Risk Map and preventive or corrective Strategies.
[3] M. Fugini, C. Raibulet, and L. Ubezio, "Risk assessment in work environments: modeling and simulation," Concurrency and Computation: Practice and Experience, vol. 24, no. 18, pp. 2381-2403, 2012.
Risk Management System
[Figure: RMS control loop: Monitoring, Analyzing, Planning, Executing]
Risks are considered at two levels:
• Global Risk: affects the whole environment or parts of it (e.g., the Gas Leak Scenario).
• Personal Risk: affects individuals and has the potential to cause a global risk (e.g., Mark's Scenario).
• The Personal Risk Level (PRL):
The Access Control Model
The security model is based on Attribute Based Access Control (ABAC) and includes the following components:
• Subjects: abstract a user, an application, or a process wanting to perform an operation on a resource/object:
  • Administrative Subjects: their main responsibility is to assign the Subject, Object, and Environment Attributes.
  • In-Domain Subjects: active subjects that need permissions to access different kinds of resources and are in charge in the organization, with some kind of organizational role (e.g., Security Staff).
  • Out-Domain Subjects: subjects outside the organizational hierarchy. In our scenario, they can be travelers or first responders in the airport area.
The Access Control Model
In-Domain Subjects: these subjects can hold many attributes (Subject Attributes, SA), grouped as follows:
The Access Control Model
• Objects: abstract resources that a subject can access or act on.
• Environment: this component models the environment (i.e., the airport) with its dynamic conditions, which affect the security decisions.
• Privileges: the operations that a Subject requests to perform on an Object. They can be actions such as read, write, and update, or activities such as trigger (for alarms), close (for doors and gas pipes), zoom in (for a camera), enter (for a section of the Environment), and so on.
• Request: a request is defined as the result of applying an evaluate function as follows:
The result of this evaluation can be Permit, Deny, or Not Applicable.
The Access Control Model
The access control and risk components, in a class diagram.
The Access Control Model
To dynamically adapt the access control model to risk situations, two different methods are considered, using Event-Condition-Action (ECA) rules.
• Activating/Deactivating Access Control Rules: a set of access rules is treated as an access control domain (acd ∈ ACD). Access control domains are statically defined by Administrative Subjects, but are activated and deactivated at run time to adapt the access control model to risk situations.
• Dynamically Changing Subject/Object/Environment Attributes: the necessary changes are made to the attributes of Subjects, Objects, and the Environment to allow the successful execution of the RMS strategies.
The Access Control Model
The XACML Architecture is extended to support the risk-aware adaptivity in the access control.
The Access Control Model
Examples:
• Activating/Deactivating Access Control Rules:
• Dynamically Changing Subject/Object/Environment Attributes: changing a Subject's attribute to allow rescue teams to localize them.
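The evaluate function with its three outcomes (Permit, Deny, Not Applicable) and the two ECA-based adaptation methods above (activating/deactivating access control domains, and changing Subject/Object/Environment attributes), as an added example in Python. It is not code from the original slides or from the authors' RMS tool. The emergency threshold, the deny-overrides combining rule, the attribute names, the domain names and the airport scenario data (subjects alice and bob, section gate_B) are all assumptions made for the illustration:

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"   # results of evaluate
EMERGENCY_THRESHOLD = 7    # assumed: an IntensityLevel above this turns a Risk into an Emergency
Attrs = Dict[str, object]  # attribute name -> value (Subject, Object or Environment Attributes)

@dataclass
class Risk:                # Risk attributes named on the Preliminaries slide
    type: str              # e.g. "gas_leak"
    intensity_level: int   # 0..10 scale assumed
    location: str          # section of the Environment, e.g. "gate_B"
    @property
    def is_emergency(self) -> bool:
        return self.intensity_level > EMERGENCY_THRESHOLD

@dataclass
class Rule:                # ABAC rule: target predicate over (SA, OA, EA, privilege) and an effect
    target: Callable[[Attrs, Attrs, Attrs, str], bool]
    effect: str

@dataclass
class AccessControlDomain: # acd: rule set defined statically by an Administrative Subject, toggled at run time
    name: str
    rules: List[Rule]
    active: bool = False

@dataclass
class ECARule:             # Event = risk type, Condition = predicate on the Risk, Action = adaptation
    event: str
    condition: Callable[[Risk], bool]
    action: Callable[["RiskAdaptivePDP", Risk], None]

class RiskAdaptivePDP:
    def __init__(self, domains: List[AccessControlDomain], eca: List[ECARule], subjects: Dict[str, Attrs]):
        self.domains = {d.name: d for d in domains}
        self.eca, self.subjects = eca, subjects          # subjects: id -> mutable Subject Attributes
        self.environment: Attrs = {"risk_areas": set()}  # Environment Attributes

    def evaluate(self, subject_id: str, obj: Attrs, privilege: str) -> str:
        """Only rules of active domains apply; deny-overrides combining is an assumption."""
        sa, permitted = self.subjects[subject_id], False
        for acd in (d for d in self.domains.values() if d.active):
            for rule in acd.rules:
                if rule.target(sa, obj, self.environment, privilege):
                    if rule.effect == DENY:
                        return DENY
                    permitted = True
        return PERMIT if permitted else NOT_APPLICABLE

    def on_risk(self, risk: Risk) -> None:  # entry point for a Risk recognized by the RMS
        for r in self.eca:
            if r.event == risk.type and r.condition(risk):
                r.action(self, risk)

def preventive_strategy(pdp: RiskAdaptivePDP, risk: Risk) -> None:
    # Risk below threshold: let security staff close the gas flow in the affected area
    pdp.environment["risk_areas"].add(risk.location)
    pdp.domains["gas_leak_preventive"].active = True

def corrective_strategy(pdp: RiskAdaptivePDP, risk: Risk) -> None:
    # Emergency: lift section restrictions for responders, make people in the area locatable
    pdp.environment["risk_areas"].add(risk.location)
    pdp.domains["restricted_sections"].active = False
    pdp.domains["gas_leak_emergency"].active = True
    for attrs in pdp.subjects.values():              # dynamic Subject Attribute change
        attrs["locatable"] = attrs["locatable"] or attrs["location"] == risk.location

def build_airport_pdp() -> RiskAdaptivePDP:  # constructed airport scenario, all data assumed
    subjects = {
        "alice": {"role": "security_staff", "domain": "in", "location": "gate_B", "locatable": False},
        "bob": {"role": "first_responder", "domain": "out", "location": "entrance", "locatable": False},
    }
    in_area = lambda o, e: o["location"] in e["risk_areas"]
    domains = [
        AccessControlDomain("restricted_sections", [Rule(lambda s, o, e, p:
            s["domain"] == "out" and o["type"] == "section" and o.get("restricted") and p == "enter", DENY)], True),
        AccessControlDomain("gas_leak_preventive", [Rule(lambda s, o, e, p:
            s["role"] == "security_staff" and o["type"] == "gas_pipe" and in_area(o, e) and p == "close", PERMIT)]),
        AccessControlDomain("gas_leak_emergency", [Rule(lambda s, o, e, p:
            s["role"] == "first_responder" and o["type"] == "section" and in_area(o, e) and p == "enter", PERMIT)]),
    ]
    eca = [ECARule("gas_leak", lambda r: not r.is_emergency, preventive_strategy),
           ECARule("gas_leak", lambda r: r.is_emergency, corrective_strategy)]
    return RiskAdaptivePDP(domains, eca, subjects)

def run_scenario() -> Dict[str, object]:  # before the leak, while it is a Risk, once it is an Emergency
    pdp = build_airport_pdp()
    gas_pipe = {"type": "gas_pipe", "location": "gate_B"}
    gate_b = {"type": "section", "location": "gate_B", "restricted": True}
    out = {"normal_close": pdp.evaluate("alice", gas_pipe, "close"), "normal_enter": pdp.evaluate("bob", gate_b, "enter")}
    pdp.on_risk(Risk("gas_leak", 4, "gate_B"))     # sensors report a leak: a Risk
    out["risk_close"] = pdp.evaluate("alice", gas_pipe, "close")
    out["risk_enter"] = pdp.evaluate("bob", gate_b, "enter")
    pdp.on_risk(Risk("gas_leak", 9, "gate_B"))     # intensity above threshold: an Emergency
    out["emergency_enter"] = pdp.evaluate("bob", gate_b, "enter")
    out["alice_locatable"] = pdp.subjects["alice"]["locatable"]
    out["bob_locatable"] = pdp.subjects["bob"]["locatable"]
    return out
```

Under a Risk the preventive domain is switched on and security staff gain the close privilege on the gas pipe in the affected area, while the out-domain responder is still denied entry. Once the intensity crosses the threshold, the corrective action deactivates the section restriction, activates the emergency domain so first responders may enter the risk area, and sets the locatable attribute only for subjects located in that area. Because evaluation consults active domains only, the statically defined rules are never rewritten at run time; only their activation state and the attributes change.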
Conclusion and Future Work
• Considering risks as recognized by a Risk Management System based on monitoring data about the environment, this paper has presented an access control model that is adaptive to risks.
• To facilitate the adaptivity, we employed the concept of ECA rules to dynamically change the security rules and to make changes to the attributes of the security model components.
• As future work, we are working towards formalizing this model using Event Calculus and implementing it as an addition to our RMS tool [3].
[3] M. Fugini, C. Raibulet, and L. Ubezio, "Risk assessment in work environments: modeling and simulation," Concurrency and Computation: Practice and Experience, vol. 24, no. 18, pp. 2381-2403, 2012.
THANK YOU!