Abstract
The increasing need to share information in dynamic environments has created a requirement for risk-aware access control systems. The standard RBAC model is designed to operate in a relatively stable, closed environment and does not include any support for risk. In this paper, we explore a number of ways in which the RBAC model can be extended to incorporate notions of risk. In particular, we develop three simple risk-aware RBAC models that differ in the way in which risk is represented and accounted for in making access control decisions. We also propose a risk-aware RBAC model that combines all the features of the three simple models and consider some issues related to its implementation. Compared with existing work, our models have clear authorization semantics and support richer types of access control decisions.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Chen, L., Crampton, J. (2012). Risk-Aware Role-Based Access Control. In: Meadows, C., Fernandez-Gago, C. (eds) Security and Trust Management. STM 2011. Lecture Notes in Computer Science, vol 7170. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29963-6_11
DOI: https://doi.org/10.1007/978-3-642-29963-6_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29962-9
Online ISBN: 978-3-642-29963-6