
Balancing Trust and Risk in Access Control

  • Conference paper
On the Move to Meaningful Internet Systems: OTM 2015 Conferences (OTM 2015)

Abstract

The increasing availability of large and diverse datasets (big data) calls for increased flexibility in access control so as to improve the exploitation of the data. Risk-aware access control systems offer a natural approach to the problem. We propose a novel access control framework that combines trust with risk and supports access control in dynamic contexts through trust enhancement mechanisms and risk mitigation strategies. This makes it possible to strike a balance between the risk associated with a data request and the trustworthiness of the requester. If the risk is too large compared to the trust level, then the framework can identify adaptive strategies that decrease the risk (e.g., by removing or obfuscating part of the data through anonymization) or increase the trust level (e.g., by asking the requester to accept additional obligations). We outline a modular architecture to realize our model, and we describe how these strategies can be realized in a realistic use case.
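An added sketch of the decision loop the abstract describes, not code from the paper: a request is granted when its risk does not exceed the requester's trust, and otherwise the engine searches for a risk mitigation (anonymization) and/or a trust enhancement (obligation) that restores the balance. The 1/k risk metric, the additive trust bonus per obligation, the strategy names and the sample records are all assumptions made for illustration.

```python
from collections import Counter
from itertools import product

# Constructed sample records: (age, zip code, diagnosis).
# Age and zip code are treated as quasi-identifiers.
RECORDS = [
    (34, "10115", "flu"), (36, "10115", "asthma"),
    (35, "10119", "flu"), (39, "10119", "diabetes"),
    (52, "20095", "diabetes"), (58, "20095", "flu"),
    (51, "20099", "asthma"), (57, "20099", "flu"),
]

# Risk mitigation strategies (assumed): generalisation of the quasi-identifiers,
# listed from least to most data loss.
MITIGATIONS = {
    "none": lambda age, zc: (age, zc),
    "age_decade": lambda age, zc: (age // 10 * 10, zc),
    "age_decade+zip3": lambda age, zc: (age // 10 * 10, zc[:3] + "**"),
}

# Trust enhancement strategies (assumed): obligations the requester accepts,
# each with the trust increment the policy author assigns to it.
OBLIGATIONS = {"none": 0.0, "audit_logging": 0.15, "delete_after_30d": 0.2}


def risk(records, generalise):
    """Re-identification risk as 1/k, where k is the smallest group of records
    sharing the same generalised quasi-identifiers (assumed metric)."""
    groups = Counter(generalise(age, zc) for age, zc, _ in records)
    return 1.0 / min(groups.values())


def decide(records, trust):
    """Return (decision, mitigation, obligation) for a requester trust in [0, 1].

    Combinations are tried in listing order, so the first hit is the one
    that gives up the least data before any heavier strategy is considered."""
    for mit, obl in product(MITIGATIONS, OBLIGATIONS):
        effective_trust = min(1.0, trust + OBLIGATIONS[obl])
        if risk(records, MITIGATIONS[mit]) <= effective_trust:
            return ("grant", mit, obl)
    return ("deny", None, None)


if __name__ == "__main__":
    for trust in (1.0, 0.4, 0.26, 0.01):
        print(trust, decide(RECORDS, trust))
```

Returning the selected mitigation and obligation with the decision lets the enforcement point apply the anonymization and record the obligation before any data is released.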




© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Armando, A., Bezzi, M., Di Cerbo, F., Metoui, N. (2015). Balancing Trust and Risk in Access Control. In: Debruyne, C., et al. On the Move to Meaningful Internet Systems: OTM 2015 Conferences. OTM 2015. Lecture Notes in Computer Science, vol 9415. Springer, Cham. https://doi.org/10.1007/978-3-319-26148-5_45

  • DOI: https://doi.org/10.1007/978-3-319-26148-5_45

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26147-8

  • Online ISBN: 978-3-319-26148-5

  • eBook Packages: Computer Science, Computer Science (R0)
