Abstract
Role Based Access Control (RBAC) has received considerable attention as a model of choice for simplified access control over the past decade. More recently, risk awareness in access control has emerged as an important research theme to mitigate risks involved when users exercise their privileges to access resources under different contexts such as accessing a sensitive file from work versus doing the same from home. In this paper, we investigate how to incorporate “risk” in RBAC—in particular, in RBAC sessions. To this end, we propose an extension to the core RBAC model by incorporating risk awareness in sessions where the risk is bounded by a session-based “risk-threshold.” We develop a framework of models for role activation and deactivation in a session based on this threshold. Finally, we provide formal specification of one of these models by enhancing the NIST core RBAC model.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Autrel, F., Cuppens-Boulahia, N., Cuppens, F.: Reaction Policy Model Based on Dynamic Organizations and Threat Context. In: Gudes, E., Vaidya, J. (eds.) Data and Applications Security 2009. LNCS, vol. 5645, pp. 49–64. Springer, Heidelberg (2009)
Baracaldo, N., Joshi, J.: A trust-and-risk aware rbac framework: tackling insider threat. In: SACMAT 2012, pp. 167–176. ACM, New York (2012)
Chen, L., Crampton, J.: Risk-Aware Role-Based Access Control. In: Meadows, C., Fernandez-Gago, C. (eds.) STM 2011. LNCS, vol. 7170, pp. 140–156. Springer, Heidelberg (2012)
Cheng, P.-C., Rohatgi, P., Keser, C., Karger, P., Wagner, G., Reninger, A.: Fuzzy multi-level security: An experiment on quantified risk-adaptive access control. In: Security and Privacy, 2007, pp. 222–230 (May 2007)
Debar, H., Thomas, Y., Cuppens, F., Cuppens-Boulahia, N.: Enabling automated threat response through the use of a dynamic security policy. Journal in Computer Virology, 195–210 (2007)
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed nist standard for role-based access control. ACM Tran. Inf. Sys. Sec. (2001)
Kandala, S., Sandhu, R., Bhamidipati, V.: An attribute based framework for risk-adaptive access control models. In: Avail., Reliab. and Sec., ARES (August 2011)
Molloy, I., Dickens, L., Morisset, C., Cheng, P.-C., Lobo, J., Russo, A.: Risk-based security decisions under uncertainty. In: CODASPY 2012 (2012)
Ni, Q., Bertino, E., Lobo, J.: Risk-based access control systems built on fuzzy inferences. In: ASIACCS 2010, pp. 250–260. ACM, New York (2010)
M. C. J. P. Office: Horizontal integration: Broader access models for realizing information dominance. MITRE Corporation, Tech. Rep. JSR-04-132 (2004)
Salim, F., Reid, J., Dawson, E., Dulleck, U.: An approach to access control under uncertainty. In: Avail., Reliab. and Sec., ARES, pp. 1–8 (August 2011)
Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. Computer 29(2), 38–47 (1996)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bijon, K.Z., Krishnan, R., Sandhu, R. (2012). Risk-Aware RBAC Sessions. In: Venkatakrishnan, V., Goswami, D. (eds) Information Systems Security. ICISS 2012. Lecture Notes in Computer Science, vol 7671. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35130-3_5
Download citation
DOI: https://doi.org/10.1007/978-3-642-35130-3_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35129-7
Online ISBN: 978-3-642-35130-3
eBook Packages: Computer ScienceComputer Science (R0)