Abstract
The increasing availability of large and diverse datasets (big data) calls for increased flexibility in access control so to improve the exploitation of the data. Risk-aware access control systems offer a natural approach to the problem. We propose a novel access control framework that combines trust with risk and supports access control in dynamic contexts through trust enhancement mechanisms and risk mitigation strategies. This allows to strike a balance between the risk associated with a data request and the trustworthiness of the requester. If the risk is too large compared to the trust level, then the framework can identify adaptive strategies leading to a decrease of the risk (e.g., by removing/obfuscation part of the data through anonymization) or to increase the trust level (e.g., by asking for additional obligations to the requester). We outline a modular architecture to realize our model, and we describe how these strategies can be actually realized in a realistic use case.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Trabelsi, S., Ecuyer, A., Alvarez, P.C.Y., Di Cerbo, F.: Optimizing access control performance for the cloud. In: Helfert, M., Desprez, F., Ferguson, D., Leymann, F., Muñoz, V.M. (eds.): CLOSER 2014 - Proceedings of the 4th International Conference on Cloud Computing and Services Science, Barcelona, Spain, April 3–5, 2014, 551–558. SciTePress (2014)
Chen, L., Crampton, J.: Risk-aware role-based access control. In: Meadows, C., Fernandez-Gago, C. (eds.) STM 2011. LNCS, vol. 7170, pp. 140–156. Springer, Heidelberg (2012)
Baracaldo, N., Joshi, J.: An adaptive risk management and access control framework to mitigate insider threats. Computers and Security 39, 237–254 (2013)
Josang, A., Ismail, R., Boyd, C.: A survey of trust and reputation systems for online service provision. Decision Support Systems 43(2), 618–644 (2007). Emerging Issues in Collaborative Commerce
Mcknight, D.H., Chervany, N.L.: The meanings of trust. Technical report (1996)
Gambetta, D.: Can we trust trust? In: Trust: Making and Breaking Cooperative Relations 213–237. Basil Blackwell (1988)
Celikel, E., Kantarcioglu, M., Thuraisingham, B., Bertino, E.: A risk management approach to RBAC. Risk Decis. Anal. 1(1), 21–33 (2009)
ISO: Iec 27005: 2011 (en) information technology-security techniques-information security risk management switzerland. ISO/IEC (2011)
Cheng, P.C., Rohatgi, P., Keser, C., Karger, P.A., Wagner, G.M., Reninger, A.S.: Fuzzy multi-level security: An experiment on quantified risk-adaptive access control. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy, SP 2007, pp. 222–230 (2007)
Houmb, S.H., Franqueira, V.N.L., Engum, E.A.: Quantifying security risk level from cvss estimates of frequency and impact. J. Syst. Softw. 83(9), 1622–1634 (2010)
Moses, T., et al.: extensible access control markup language (xacml) version 2.0. Oasis Standard 200502 (2005)
Council of Europe: Handbook on european data protection law. Technical report (2014)
Scholl, M.A., Stine, K.M., Hash, J., Bowen, P., Johnson, L.A., Smith, C.D., Steinberg, D.I.: Sp 800–66 rev. 1. an introductory resource guide for implementing the health insurance portability and accountability act (HIPAA) security rule. Technical report (2008)
Clifton, C., Tassa, T.: On syntactic anonymity and differential privacy. Trans. Data Privacy 6(2), 161–183 (2013)
Dalenius, T.: Finding a needle in a haystack-or identifying anonymous census record. Journal of official statistics 2(3) (1986)
Bezzi, M.: An information theoretic approach for privacy metrics. Transactions on Data Privacy 3(3), 199–215 (2010)
Samarati, P.: Protecting respondents’ identities in microdata release. IEEE Trans. Knowl. Data Eng. 13(6), 1010–1027 (2001)
Fung, B.C.M., Wang, K., Chen, R., Yu, P.S.: Privacy-preserving data publishing: A survey of recent developments. ACM Comput. Surv. 42(4), 1–53 (2010)
Ciriani, V., De Capitani di Vimercati, S., Foresti, S., Samarati, P.: Theory of privacy and anonymity. In: Atallah, M., Blanton, M. (eds.) Algorithms and Theory of Computation Handbook (2nd edn). CRC Press (2009)
Armando, A., Bezzi, M., Metoui, N., Sabetta, A.: Risk-aware information disclosure. In: Garcia-Alfaro, J., Herrera-JoancomartÃ, J., Lupu, E., Posegga, J., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/SETOP/QASA 2014. LNCS, vol. 8872, pp. 266–276. Springer, Heidelberg (2015)
Committee on Strategies for Responsible Sharing of Clinical Trial Data: Sharing Clinical Trial Data: Maximizing Benefits, Minimizing Risk. National Academies Press (US), Washington (DC) (2015)
Mont, M.C., Beato, F.: On parametric obligation policies: enabling privacy-aware information lifecycle management in enterprises. In: Eighth IEEE International Workshop on Policies for Distributed Systems and Networks, POLICY 2007, pp. 51–55. IEEE (2007)
Ali, M., Bussard, L., Pinsdorf, U.: Obligation language for access control and privacy policies (2010)
Sandhu, R., Park, J.: Usage control: a vision for next generation access control. In: Gorodetsky, V., Popyack, L.J., Skormin, V.A. (eds.) MMM-ACNS 2003. LNCS, vol. 2776, pp. 17–31. Springer, Heidelberg (2003)
Ardagna, C.A., Cremonini, M., Capitani di Vimercati, S., Samarati, P.: A privacy-aware access control system. Journal of Computer Security 16(4), 369–397 (2008)
Pretschner, A., Hilty, M., Basin, D.: Distributed usage control. Communications of the ACM 49(9), 39–44 (2006)
Di Cerbo, F., Doliere, F., Gomez, L., Trabelsi, S.: Ppl v2.0: uniform data access and usage control on cloud and mobile. In: Proceedings of the 1st International Workshop on TEchnical and LEgal aspects of data pRIvacy and SEcurity, IEEE (2015)
Trabelsi, S., Sendor, J., Reinicke, S.: Ppl: primelife privacy policy engine. In: 2011 IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY), pp. 184–185, June 2011
Bertino, E., Bonatti, P.A., Ferrari, E.: Trbac: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur. 4(3), 191–233 (2001)
Bonatti, P., Galdi, C., Torres, D.: Erbac: event-driven rbac. In: Proceedings of the 18th ACM Symposium on Access Control Models and Technologies. SACMAT 2013. ACM NY (2013)
Ahmed, A., Zhang, N.: A context-risk-aware access control model for ubiquitous environments. In: IMCSIT. IEEE (2008)
Chen, L., Crampton, J., Kollingbaum, M.J., Norman, T.J.: Obligations in risk-aware access control. In: Cuppens-Boulahia, N., Fong, P., GarcÃa-Alfaro, J., Marsh, S., Steghöfer, J. (eds.) PST, pp. 145–152. IEEE (2012)
Cheng, P.C., Rohatgi, P., Keser, C., Karger, P.A., Wagner, G.M., Reninger, A.S.: Fuzzy multi-level security: an experiment on quantified risk-adaptive access control. In: IEEE Symposium on Security and Privacy, pp. 222–230. IEEE Computer Society (2007)
Dickens, L., Russo, A., Cheng, P.C., Lobo, J.: Towards learning risk estimation functions for access control. In: In Snowbird Learning Workshop (2010)
Shaikh, R.A., Adi, K., Logrippo, L.: Dynamic risk-based decision methods for access control systems 31, 447–464 (2012)
Armando, A., Bezzi, M., Metoui, N., Sabetta, A.: Risk-based privacy-aware information disclosure. International Journal of Secure Software Engineering (IJSSE) 6(2), 70–89 (2015)
Bettini, C., Jajodia, S., Wang, X.S., Wijesekera, D.: Provisions and obligations in policy management and security applications. In: Proceedings of the 28th International Conference on Very Large Data Bases. VLDB 2002, pp. 502–513. VLDB Endowment (2002)
Baracaldo, N., Joshi, J.: Beyond accountability: Using obligations to reduce risk exposure and deter insider attacks. In: Proceedings of the 18th ACM Symposium on Access Control Models and Technologies, SACMAT 2013, pp. 213–224. ACM, New York (2013)
Dimmock, N., Belokosztolszki, A., Eyers, D., Bacon, J., Moody, K.: Using trust and risk in role-based access control policies. In: Proceedings of the Ninth ACM Symposium on Access Control Models and Technologies. SACMAT 2004, pp. 156–162. ACM, New York (2004)
Shah, A., Dahake, S., J., S.H.H.: Valuing data security and privacy using cyber insurance. SIGCAS Comput. Soc. 45(1), 38–41 (2015)
Kelley, P., Komanduri, S., Mazurek, M., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L., Lopez, J.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 523–537 (2012)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Armando, A., Bezzi, M., Di Cerbo, F., Metoui, N. (2015). Balancing Trust and Risk in Access Control. In: Debruyne, C., et al. On the Move to Meaningful Internet Systems: OTM 2015 Conferences. OTM 2015. Lecture Notes in Computer Science(), vol 9415. Springer, Cham. https://doi.org/10.1007/978-3-319-26148-5_45
Download citation
DOI: https://doi.org/10.1007/978-3-319-26148-5_45
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26147-8
Online ISBN: 978-3-319-26148-5
eBook Packages: Computer ScienceComputer Science (R0)