Advertisement

Challenges in Engineering Self-Adaptive Authorisation Infrastructures

  • Lionel MontrieuxEmail author
  • Rogério de Lemos
  • Chris Bailey
Chapter

Abstract

As organisations expand and interconnect, authorisation infrastructures become increasingly difficult to manage. Several solutions have been proposed, including self-adaptive authorisation, where the access control policies are dynamically adapted at run-time to respond to misuse and malicious behaviour. The ultimate goal of self-adaptive authorisation is to reduce human intervention, make authorisation infrastructures more responsive to malicious behaviour, and manage access control in a more cost-effective way. In this chapter, we scope and define the emerging area of self-adaptive authorisation by describing some of its developments, trends, and challenges. For that, we start by identifying key concepts related to access control and authorisation infrastructures and provide a brief introduction to self-adaptive software systems, which provides the foundation for investigating how self-adaptation can enable the enforcement of authorisation policies. The outcome of this study is the identification of several technical challenges related to self-adaptive authorisation, which are classified according to the different stages of a feedback control loop.

References

  1. 1.
    Axiomatics: Axiomatics policy server [Online], Available from: https://www.axiomatics.com/axiomatics-policy-server.html. Accessed 17 Jan 2014
  2. 2.
    Bailey, C.M.: Self-adaptive Authorisation Infrastructures. Ph.D. thesis, University of Kent (2015)Google Scholar
  3. 3.
    Bailey, C., Chadwick, D.W., de Lemos, R.: Self-adaptive authorization framework for policy based RBAC/ABAC models. In: Proceedings of the 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, DASC ’11, pp. 37–44. IEEE Computer Society, Washington, DC (2011).  https://doi.org/10.1109/DASC.2011.31
  4. 4.
    Bailey, C., Chadwick, D.W., de Lemos, R.: Self-adaptive federated authorization infrastructures. J. Comput. Syst. Sci. 80(5), 935–952 (2014). http://www.sciencedirect.com/science/article/pii/S0022000014000154, Special Issue on Dependable and Secure Computing the 9th {IEEE} International Conference on Dependable, Autonomic and Secure Computing
  5. 5.
    Bailey, C., Montrieux, L., de Lemos, R., Yu, Y., Wermelinger, M.: Run-time generation, transformation, and verification of access control models for self-protection. In: Proceedings of the 9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2014, pp. 135–144. ACM, New York (2014). https://doi.org/10.1145/2593929.2593945
  6. 6.
    BBC: Credit card details on 20 million South Koreans stolen [Online] (Jan 2014), Available from: http://www.bbc.co.uk/news/technology-25808189. Accessed 5 Jan 2014
  7. 7.
    Benantar, M.: Access Control Systems: Security, Identity Management and Trust Models. Springer, New York (2005)zbMATHGoogle Scholar
  8. 8.
    Bistarelli, S., Martinelli, F., Santini, F.: A formal framework for trust policy negotiation in autonomic systems: abduction with soft constraints. In: Proceedings of the 7th International Conference on Autonomic and Trusted Computing, ATC’10, vol. 6407, pp. 268–282. Springer, Berlin/Heidelberg (2010). http://dl.acm.org/citation.cfm?id=1927943.1927968 Google Scholar
  9. 9.
    Booth, R., Brooke, H., Moriss, S.: WikiLeaks cables: Bradley Manning faces 52 years in jail [Online] (30 Nov 2010), Available from: http://www.theguardian.com/world/2010/nov/30/wikileaks-cables-bradley-manning. Accessed 5 Jan 2014Google Scholar
  10. 10.
    Brun, Y., Marzo Serugendo, G., Gacek, C., Giese, H., Kienle, H., Litoiu, M., Müller, H., Pezzè, M., Shaw, M.: Software engineering for self-adaptive systems. Engineering Self-Adaptive Systems Through Feedback Loops, pp. 48–70. Springer, Berlin/Heidelberg (2009). https://doi.org/10.1007/978-3-642-02161-9_3 CrossRefGoogle Scholar
  11. 11.
    Cappelli, D.M., Moore, A.P., Trzeciak, R.F.: The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, 1st edn. Addison-Wesley Professional, Upper Saddle River (2012)Google Scholar
  12. 12.
    Caputo, D., Maloof, M., Stephens, G.: Detecting insider theft of trade secrets. IEEE Secur. Priv. 7(6), 14–21 (2009).  https://doi.org/10.1109/MSP.2009.110 CrossRefGoogle Scholar
  13. 13.
    Chadwick, D.W., Otenko, A.: The PERMIS X.509 role based privilege management infrastructure. In: Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies, SACMAT ’02, pp. 135–140. ACM, New York (2002). https://doi.org/10.1145/507711.507732
  14. 14.
    Chadwick, D.W., Zhao, G., Otenko, S., Laborde, R., Su, L., Nguyen, T.A.: PERMIS: a modular authorization infrastructure. Concurr. Comput. Pract. Exp. 20(11), 1341–1357 (2008).  https://doi.org/10.1002/cpe.v20:11 CrossRefGoogle Scholar
  15. 15.
    Demchenko, Y., Gommans, L., Laat, C.: Extending role based access control model for distributed multidomain applications. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., Solms, R. (eds.) New Approaches for Security, Privacy and Trust in Complex Environments, IFIP International Federation for Information Processing, vol. 232, pp. 301–312. Springer (2007). https://doi.org/10.1007/978-0-387-72367-9_26 CrossRefGoogle Scholar
  16. 16.
    de Lemos, R., Potena, P.: Chapter 14 – identifying and handling uncertainties in the feedback control loop. In: Mistrik, I., Ali, N., Kazman, R., Grundy, J., Schmerl, B. (eds.) Managing Trade-Offs in Adaptable Software Architectures. Morgan Kaufmann, pp. 353–367 (2017). ISBN 9780128028551, https://doi.org/10.1016/B978-0-12-802855-1.00014-9 CrossRefGoogle Scholar
  17. 17.
    de Lemos, R., Giese, H., Müller, H., Shaw, M., Andersson, J., Litoiu, M., Schmerl, B., Tamura, G., Villegas, N., Vogel, T., Weyns, D., Baresi, L., Becker, B., Bencomo, N., Brun, Y., Cukic, B., Desmarais, R., Dustdar, S., Engels, G., Geihs, K., Göschka, K., Gorla, A., Grassi, V., Inverardi, P., Karsai, G., Kramer, J., Lopes, A., Magee, J., Malek, S., Mankovskii, S., Mirandola, R., Mylopoulos, J., Nierstrasz, O., Pezzè, M., Prehofer, C., Schäfer, W., Schlichting, R., Smith, D., Sousa, J., Tahvildari, L., Wong, K., Wuttke, J.: Software engineering for self-adaptive systems: a second research roadmap. In: de Lemos, R., Giese, H., Müller, H., Shaw, M. (eds.) Software Engineering for Self-Adaptive Systems II. Lecture Notes in Computer Science, vol. 7475, pp. 1–32. Springer, Berlin/Heidelberg (2013). https://doi.org/10.1007/978-3-642-35813-5_1 CrossRefGoogle Scholar
  18. 18.
    Dobson, S., Denazis, S., Fernández, A., Gaïti, D., Gelenbe, E., Massacci, F., Nixon, P., Saffre, F., Schmidt, N., Zambonelli, F.: A survey of autonomic communications. ACM Trans. Auton. Adapt. Syst. 1(2), 223–259 (2006). https://doi.org/10.1145/1186778.1186782 CrossRefGoogle Scholar
  19. 19.
    Garlan, D., Cheng, S.W., Huang, A.C., Schmerl, B., Steenkiste, P.: Rainbow: architecture-based self-adaptation with reusable infrastructure. Computer 37(10), 46–54 (2004). https://doi.org/10.1109/MC.2004.175 CrossRefGoogle Scholar
  20. 20.
    Hellerstein, J.L., Diao, Y., Parekh, S., Tilbury, D.M.: Feedback Control of Computing Systems. Wiley, New York (2004)CrossRefGoogle Scholar
  21. 21.
    Hu, V.C., Kuhn, D.R., Xie, T., Hwang, J.: Model checking for verification of mandatory access control models and properties. Int. J. Softw. Eng. Knowl. Eng. 21(01), 103–127 (2011)CrossRefGoogle Scholar
  22. 22.
    Hu, V.C., Schnitzer, A., Sandlin, K., Scarfone, K.: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST Special Publication (2013)Google Scholar
  23. 23.
    IBM: IBM Security Intelligence with Big Data [Online], Available from: http://www-03.ibm.com/security/solution/intelligence-big-data/. Accessed 20 July 2014
  24. 24.
    ITU-T Rec. X.509: The Directory: Authentication Framework. ISO/IEC 9594-8 (2000)Google Scholar
  25. 25.
    Janicke, H., Cau, A., Siewe, F., Zedan, H.: Dynamic access control policies. Comput. J. 56(4), 440–463 (2013).  https://doi.org/10.1093/comjnl/bxs102 CrossRefGoogle Scholar
  26. 26.
    Kalam, A.A.E., Benferhat, S., Miège, A., Baida, R.E., Cuppens, F., Saurel, C., Balbiani, P., Deswarte, Y., Trouessin, G.: Organization based access control. In: Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, POLICY ’03, pp. 120–131. IEEE Computer Society (2003). http://dl.acm.org/citation.cfm?id=826036.826869
  27. 27.
    Kephart, J.O., Chess, D.M.: The vision of autonomic computing. Computer 36(1), 41–50 (2003). https://doi.org/10.1109/MC.2003.1160055 MathSciNetCrossRefGoogle Scholar
  28. 28.
    Koutsonikola, V., Vakali, A.: LDAP: framework, practices, and trends. IEEE Internet Comput. 8(5), 66–72 (2004).  https://doi.org/10.1109/MIC.2004.44 CrossRefGoogle Scholar
  29. 29.
    Kramer, J., Magee, J.: Self-managed systems: an architectural challenge. In: 2007 Future of Software Engineering, FOSE ’07, pp. 259–268. IEEE Computer Society, Washington, DC (2007).  https://doi.org/10.1109/FOSE.2007.19
  30. 30.
    Lopez, J., Oppliger, R., Pernul, G.: Authentication and authorization infrastructures (AAIS): a comparative survey. Comput. Secur. 23(7), 578–590 (2004). https://doi.org/10.1016/j.cose.2004.06.013 CrossRefGoogle Scholar
  31. 31.
    McGraw, R.: Risk-adaptable access control (RADac). Technical report, National Institute of Standards and Technology (NIST) (2009)Google Scholar
  32. 32.
    Moore, A.P., Hanley, M., Mundie, D.: A pattern for increased monitoring for intellectual property theft by departing insiders. Technical report, CMU/SEI-2012-TR-008, Software Engineering Institute, Carnegie Mellon University, Pittsburgh (2012)Google Scholar
  33. 33.
    Morgan, R.L., Cantor, S., Carmody, S., Hoehn, W., Klingenstein, K.: Federated security: the Shibboleth approach. EDUCAUSE Q. 27(4), 12–17 (2004). http://www.eric.ed.gov/ERICWebPortal/detail?accno=EJ854029 Google Scholar
  34. 34.
    Mu, C., Li, Y.: An intrusion response decision-making model based on hierarchical task network planning. Expert Syst. Appl. 37(3), 2465–2472 (2010)CrossRefGoogle Scholar
  35. 35.
    NIST: INCITS 359-2004 – Role Based Access Control (2004)Google Scholar
  36. 36.
    Nurse, J.R., Buckley, O., Legg, P.A., Goldsmith, M., Creese, S., Wright, G.R., Whitty, M.: Understanding insider threat: a framework for characterising attacks. In: Workshop on Research for Insider Threat (WRIT) Held as Part of the IEEE Computer Society Security and Privacy Workshops (SPW14), in conjunction with the IEEE Symposium on Security and Privacy (SP), pp. 214–228. IEEE (2014). http://www.sei.cmu.edu/community/writ2014/
  37. 37.
    OASIS: Security Assertion Markup Language (SAML) Version 2.0 (2005)Google Scholar
  38. 38.
    OASIS: eXtensible Access Control Markup Language (XACML) v3.0 (2013)Google Scholar
  39. 39.
    O’Conner, A.C., Loomis, R.J.: 2010 economic analysis of role-based access control. Technical report, RTI International, NIST (2010)Google Scholar
  40. 40.
    Oltsik, J.: The 2013 Vormetric insider threat report [Online] (2013), Available from: http://www.vormetric.com/sites/default/files/vormetric-insider-threat-report-oct-2013.pdf. Accessed 12 June 2014Google Scholar
  41. 41.
    Oreizy, P., Gorlick, M.M., Taylor, R.N., Heimbigner, D., Johnson, G., Medvidovic, N., Quilici, A., Rosenblum, D.S., Wolf, A.L.: An architecture-based approach to self-adaptive software. IEEE Intell. Syst. 14(3), 54–62 (1999). https://doi.org/10.1109/5254.769885 CrossRefGoogle Scholar
  42. 42.
    Park, J., Sandhu, R.: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128–174 (2004). https://doi.org/10.1145/984334.984339 CrossRefGoogle Scholar
  43. 43.
    Pashalidis, A., Mitchell, C.J.: A taxonomy of single sign-on systems. In: Proceedings of the 8th Australasian Conference on Information Security and Privacy, ACISP’03, pp. 249–264. Springer, Berlin/Heidelberg (2003). http://dl.acm.org/citation.cfm?id=1760479.1760507 CrossRefGoogle Scholar
  44. 44.
    Pasquale, L., Menghi, C., Salehie, M., Cavallaro, L., Omoronyia, I., Nuseibeh, B.: Securitas: a tool for engineering adaptive security. In: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, FSE ’12, pp. 19:1–19:4. ACM, New York (2012). https://doi.org/10.1145/2393596.2393618
  45. 45.
    Pearlman, L., Welch, V., Foster, I., Kesselman, C., Tuecke, S.: A community authorization service for group collaboration. In: Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY’02), pp. 50–59. IEEE Computer Society, Washington, DC (2002). http://dl.acm.org/citation.cfm?id=863632.883495
  46. 46.
    PERMIS Standalone Authorisation Server: [Online], Available from: http://sec.cs.kent.ac.uk/permis/. Accessed 5 Jan 2014
  47. 47.
    Ratha, N.K., Bolle, R.M., Pandit, V.D., Vaish, V.: Robust fingerprint authentication using local structural similarity. In: Fifth IEEE Workshop on Applications of Computer Vision, 2000, pp. 29–34. IEEE (2000). http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.19.8588&rep=rep1&type=pdf
  48. 48.
    Serrano, M., Meer, S., Strassner, J., Paoli, S., Kerr, A., Storni, C.: Trust and reputation policy-based mechanisms for self-protection in autonomic communications. In: Proceedings of the 6th International Conference on Autonomic and Trusted Computing, ATC ’09, pp. 249–267. Springer, Berlin/Heidelberg (2009). https://doi.org/10.1007/978-3-642-02704-8_19 Google Scholar
  49. 49.
    SimpleSAMLphp: [Online], Available from: http://simplesamlphp.org/. Accessed 5 Jan 2014
  50. 50.
    Spitzner, L.: Honeypots: catching the insider threat. In: Proceedings of the 19th Annual Computer Security Applications Conference, pp. 170–179. IEEE (2003)Google Scholar
  51. 51.
    Stakhanova, N., Basu, S., Wong, J.: A cost-sensitive model for preemptive intrusion response systems. In: AINA. vol. 7, pp. 428–435 (2007)Google Scholar
  52. 52.
    Strasburg, C., Stakhanova, N., Basu, S., Wong, J.S.: A framework for cost sensitive assessment of intrusion response selection. In: Proceedings of the 2009 33rd Annual IEEE International Computer Software and Applications Conference, COMPSAC ’09, vol. 01, pp. 355–360. IEEE Computer Society, Washington, DC (2009).  https://doi.org/10.1109/COMPSAC.2009.54
  53. 53.
    Thompson, M., Johnston, W., Mudumbai, S., Hoo, G., Jackson, K., Essiari, A.: Certificate-based access control for widely distributed resources. In: Proceedings of the 8th Conference on USENIX Security Symposium, SSYM’99, pp. 17–30. USENIX Association, Berkeley (1999). http://dl.acm.org/citation.cfm?id=1251421.1251438
  54. 54.
    Walsh, C.: New data theft scandal rocks subcontinent’s call centres [Online] (3 Sept 2006), Available from: http://www.theguardian.com/money/2006/sep/03/business.india. Accessed 5 Jan 2014Google Scholar
  55. 55.
    Weyns, D.: Software engineering of self-adaptive systems: an organised tour and future challenges. In: Cha, S., Taylor, R.N., Kang, K.C. (eds.) Handbook of Software Engineering. Springer, Cham (2018)Google Scholar
  56. 56.
    Weyns, D., Malek, S., Andersson, J.: Forms: unifying reference model for formal specification of distributed self-adaptive systems. ACM Trans. Auton. Adapt. Syst. 7(1), 8:1–8:61 (2012). https://doi.org/10.1145/2168260.2168268 CrossRefGoogle Scholar
  57. 57.
    Yuan, E., Tong, J.: Attributed based access control (ABAC) for web services. In: Proceedings of the IEEE International Conference on Web Services, ICWS ’05, pp. 561–569. IEEE Computer Society, Washington, DC (2005).  https://doi.org/10.1109/ICWS.2005.25
  58. 58.
    Yuan, E., Malek, S., Schmerl, B., Garlan, D., Gennari, J.: Architecture-based self-protecting software systems. In: Proceedings of the 9th International ACM Sigsoft Conference on Quality of Software Architectures, pp. 33–42. ACM (2013)Google Scholar
  59. 59.
    Yuan, E., Esfahani, N., Malek, S.: A systematic survey of self-protecting software systems. ACM Trans. Auton. Adapt. Syst. 8(4), 17:1–17:41 (2014). https://doi.org/10.1145/2555611 CrossRefGoogle Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  • Lionel Montrieux
    • 1
    Email author
  • Rogério de Lemos
    • 2
    • 3
  • Chris Bailey
    • 4
  1. 1.National Institute of InformaticsTokyoJapan
  2. 2.University of KentCanterburyUK
  3. 3.University of CoimbraCoimbraPortugal
  4. 4.University of KentCanterburyUK

Personalised recommendations