10/2/14

Risk-based Identity and Access Management
Nadia METOUI

Topic 1
Instead of: Risk-based Access Control

Context and Problem Statement
• In traditional access control systems, trust and risk are pre-computed [1]
• Unawareness of context variation and misuse of authorized access expose these systems to many vulnerabilities [2] and flexibility issues [3]

[1] R.A. Shaikh, K. Adi, L. Logrippo, “Dynamic Risk-based Decision Methods for Access Control Systems”, 2012
[2] C. S. Institute, CSI Computer Crime and Security Survey, 2010/11
[3] L. Krautsevich, A. Lazouski, F. Martinelli, and A. Yautsiukhin, “Cost-Effective Enforcement of Access and Usage Control Policies under Uncertainties”, 2013

Background
Risk
“Risk is defined by the likelihood of a hazardous situation and its consequences if it occurs.” [4]

[4] N. Baracaldo and J. Joshi, “A Trust-and-Risk Aware RBAC Framework: Tackling Insider Threat”, 2012

Existing Solutions
• Context Aware and Event Driven
  – Define a set of context parameters and include them in the access evaluation process
  – Set reactive policies triggered by context-generated events [5]

[Figure labels: Device, Location, Time, Context, Access Evaluation Engine]

[5] P. Bonatti, C. Galdi and D. Torres, “ERBAC: Event-Driven RBAC”, 2013

Existing Solutions
• Risk Aware Solution (Risk Mitigation) [4, 6, 7]
  – Define a risk threshold
  – Compute the access risk related to
    • User trustworthiness, competence, behavior…
    • Role appropriateness
    • Session risk …
  – Include the computed risk and the risk threshold values in the access decision

[4] N. Baracaldo and J. Joshi, “A Trust-and-Risk Aware RBAC Framework: Tackling Insider Threat”, 2012
[6] L. Chen and J. Crampton, “Risk-Aware Role-Based Access Control”, 2012
[7] K.Z. Bijon, R. Krishnan, and R. Sandhu, “Risk-Aware RBAC Sessions”, 2012

Existing Solutions
• Risk Adaptive Solution [1, 8]
  – Include user access history in the trustworthiness computation
  – Include resource access history in the risk computation
  – Infer new access control functions or modify existing policies, using logic based on the evaluation history

[1] R.A. Shaikh, K. Adi, L. Logrippo, “Dynamic Risk-based Decision Methods for Access Control Systems”, 2012
[8] S. Kandala, R. Sandhu, V. Bhamidipati, “An Attribute Based Framework for Risk-Adaptive Access Control Models”, 2011
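
The risk-aware and risk-adaptive approaches listed on the last two slides, combined into one decision function as an added example (not taken from the slides or the cited papers). The weights, the multiplicative likelihood model, the trust update rate and all names (`Context`, `User`, `access_risk`, `decide`) are assumptions chosen for illustration; the sample requests are constructed.

```python
"""Risk-aware, history-adaptive access decision (illustrative sketch).

Every weight, scale and name here is an assumption made for this example;
the slides do not prescribe formulas.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    managed_device: bool
    known_location: bool
    hour: int  # 0-23, local time of the request

    def risk(self) -> float:
        """Session risk in [0, 1] from device, location and time (assumed weights)."""
        score = 0.0
        score += 0.0 if self.managed_device else 0.3
        score += 0.0 if self.known_location else 0.3
        score += 0.0 if 8 <= self.hour < 18 else 0.2
        return min(score, 1.0)


@dataclass
class User:
    name: str
    trust: float = 0.5  # 0 = untrusted, 1 = fully trusted
    history: list = field(default_factory=list)

    def record(self, benign: bool, rate: float = 0.2) -> None:
        """Adaptive step: pull trust toward 1 after benign use, toward 0 after misuse."""
        self.history.append(benign)
        self.trust += rate * ((1.0 if benign else 0.0) - self.trust)


def access_risk(user: User, role_fit: float, ctx: Context, impact: float) -> float:
    """Risk = likelihood of misuse x consequence.

    Likelihood is 1 minus the chance that user, role and session are all sound.
    role_fit is how appropriate the active role is for the resource (0..1).
    """
    for value in (user.trust, role_fit, impact):
        if not 0.0 <= value <= 1.0:
            raise ValueError("trust, role_fit and impact must lie in [0, 1]")
    p_sound = user.trust * role_fit * (1.0 - ctx.risk())
    return (1.0 - p_sound) * impact


def decide(user: User, role_fit: float, ctx: Context, impact: float,
           threshold: float) -> tuple:
    """Compare the computed risk with the risk threshold; return (decision, risk)."""
    risk = access_risk(user, role_fit, ctx, impact)
    return ("permit" if risk <= threshold else "deny"), risk


if __name__ == "__main__":
    # Constructed scenario: same user and resource, varying context and history.
    alice = User("alice")
    office = Context(managed_device=True, known_location=True, hour=10)
    remote = Context(managed_device=False, known_location=False, hour=23)
    threshold = 0.28

    print("office  ", decide(alice, 1.0, office, 0.5, threshold))
    print("remote  ", decide(alice, 1.0, remote, 0.5, threshold))
    alice.record(benign=False)  # a misuse event lowers trust for later requests
    print("after misuse", decide(alice, 1.0, office, 0.5, threshold))
```

The decision is evaluated once per request; the history only changes the trust value used by later requests, which is the adaptive behaviour the Limitations slide contrasts with real-time reaction.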

Limitations
• Trust management and risk assessment are assumed but not explicit
• No model takes both context risk and user risk into consideration at the same time
• Risk Adaptive AC models propose to modify risk values for future access control evaluation but don’t propose real-time reaction strategies
• No model takes into consideration the impact of context and risk constraints on the performance of the access control process

Possible Alternative Solutions
• Including the context in the trust and risk computation
• Developing real-time risk treatment strategies
• Managing risk-originated "access deny" incidents
• Working on complexity and performance issues

References
• [1] R.A. Shaikh, K. Adi, L. Logrippo, “Dynamic Risk-based Decision Methods for Access Control Systems”, 2012
• [2] C. S. Institute, CSI Computer Crime and Security Survey, 2010/11
• [3] L. Krautsevich, A. Lazouski, F. Martinelli, and A. Yautsiukhin, “Cost-Effective Enforcement of Access and Usage Control Policies under Uncertainties”, 2013
• [4] N. Baracaldo and J. Joshi, “A Trust-and-Risk Aware RBAC Framework: Tackling Insider Threat”, 2012
• [5] P. Bonatti, C. Galdi and D. Torres, “ERBAC: Event-Driven RBAC”, 2013
• [6] L. Chen and J. Crampton, “Risk-Aware Role-Based Access Control”, 2012
• [7] K.Z. Bijon, R. Krishnan, and R. Sandhu, “Risk-Aware RBAC Sessions”, 2012
• [8] S. Kandala, R. Sandhu, V. Bhamidipati, “An Attribute Based Framework for Risk-Adaptive Access Control Models”, 2011

Thank you!
Questions