Conference Paper

A dynamic risk-based access control architecture for cloud computing

Abstract

Cloud computing is a distributed computing model that still faces problems. New ideas emerge to take advantage of its features and among the research challenges found in the cloud, we can highlight Identity and Access Management. The main problems of the application of access control in the cloud are the necessary flexibility and scalability to support a large number of users and resources in a dynamic and heterogeneous environment, with collaboration and information sharing needs. This paper proposes the use of risk-based dynamic access control for cloud computing. The proposal is presented as an access control model based on an extension of the XACML standard with three new components: the Risk Engine, the Risk Quantification Web Services and the Risk Policies. The risk policies present a method to describe risk metrics and their quantification, using local or remote functions. The risk policies allow users and cloud service providers to define how to handle risk-based access control for their resources, using different quantification and aggregation methods. The model reaches the access decision based on a combination of XACML decisions and risk analysis. A prototype of the model is implemented, showing it has enough expressivity to describe the models of related work. In the experimental results, the prototype takes between 2 and 6 milliseconds to reach access decisions using a risk policy. A discussion on the security aspects of the model is also presented.
Link to download the paper at IEEE Xplore:
http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6838319
Page(s): 1 - 9
Conference Location: Krakow, Poland
Digital Object Identifier: 10.1109/NOMS.2014.6838319
Publisher: IEEE
Published in: Network Operations and Management Symposium (NOMS), 2014 IEEE
Date of Conference: 5-9 May 2014
Authors: Santos, Daniel Ricardo dos (Networks and Management Laboratory, Federal University of Santa Catarina, Florianópolis - Brazil); Westphall, Carla Merkle; Westphall, Carlos Becker
... This model permits or denies access requests dynamically based on the estimated risk value [9]. This model performs risk analysis on each user access request to make the access decision [17]. The essential stage of implementing a risk-based access control model is the risk estimation process. ...
... The risk-based access control model is one of the dynamic models that use the security risk value associated with each access request as a criterion to determine the access decision. It performs a risk analysis to estimate the security risk value for each access request and then uses the estimated risk value to decide either granting or denying access [17,42]. ...
Article
The risk-based access control model is one of the dynamic models that use the security risk as a criterion to decide the access decision for each access request. This model permits or denies access requests dynamically based on the estimated risk value. The essential stage of implementing this model is the risk estimation process. This process is based on estimating the possibility of information leakage and the value of that information. Several researchers utilized different methods for risk estimation but most of these methods were based on qualitative measures, which cannot suit the access control context that needs numeric and precise risk values to decide either granting or denying access. Therefore, this paper presents a novel Adaptive Neuro-Fuzzy Inference System (ANFIS) model for risk estimation in the risk-based access control model for the Internet of Things (IoT). The proposed ANFIS model was implemented and evaluated against access control scenarios of smart homes. The results demonstrated that the proposed ANFIS model provides an efficient and accurate risk estimation technique that can adapt to the changing conditions of the IoT environment. To validate the applicability and effectiveness of the proposed ANFIS model in smart homes, ten IoT security experts were interviewed. The results of the interviews illustrated that all experts confirmed that the proposed ANFIS model provides accurate and realistic results with a 0.713 in Cronbach’s alpha coefficient which indicates that the results are consistent and reliable. Compared to existing work, the proposed ANFIS model provides an efficient processing time as it reduces the processing time from 57.385 to 10.875 Sec per 1000 access requests, which demonstrates that the proposed model provides effective and accurate risk evaluation in a timely manner.
... It can represent nonlinear functions of arbitrary complexity. Based on researcher [30], the fuzzy approach is enhanced with the risk assessment formula to compute the risk factor. Figure 9 shows the fuzzy risk model. ...
... A preliminary analysis is conducted on current risk models to address the Fog-IoT network challenges. A dynamic access control model is used to quantify the risk factor because it considers access policies and dynamic contextual features that can estimate in real-time [30]. This is apt in the Fog-IoT network since it is a distributed and flexible network. ...
Article
The Internet of Things (IoT) allows billions of physical objects to be connected to gather and exchange information to offer numerous applications. It has unsupported features such as low latency, location awareness, and geographic distribution that are important for a few IoT applications. Fog computing is integrated into IoT to aid these features to increase computing, storage, and networking resources to the network edge. Unfortunately, it is faced with numerous security and privacy risks, raising severe concerns among users. Therefore, this research proposes a contextual risk-based access control model for Fog-IoT technology that considers real-time data information requests for IoT devices and gives dynamic feedback. The proposed model uses Fog-IoT environment features to estimate the security risk associated with each access request using device context, resource sensitivity, action severity, and risk history as inputs for the fuzzy risk model to compute the risk factor. Then, the proposed model uses a security agent in a fog node to provide adaptive features in which the device’s behaviour is monitored to detect any abnormal actions from authorised devices. The proposed model is then evaluated against the existing model to benchmark the results. The fuzzy-based risk assessment model with enhanced MQTT authentication protocol and adaptive security agent showed an accurate risk score for seven random scenarios tested compared to the simple risk score calculations.
... The risk of an ACP reflects the aggregated risk of the permissions that are permitted by it. ACP modelling or optimization methods can use risk minimization as an objective to reduce the impact of excessive permission assignments (Jin et al., 2016; Dos Santos et al., 2014). High risk is also an indicator for high maintenance priority and can serve as context information for policy engineers and reviewers, based on the assumption that a high risk value suggests a more restrictive handling than a low one (Fuchs et al., 2014). ...
Article
Organizations undertake complex and costly projects to model high-quality Access Control Policies (ACPs). Once built, these policies must be maintained and managed in an ongoing process to keep their quality high. Insufficient maintenance leads to inaccurate authorization decisions and increases the policies’ administrative effort and susceptibility to errors. While the initial modeling of ACPs has received significant research interest, their optimization is not yet covered as broadly. This work provides a theoretical foundation for ACP quality and its optimization. Furthermore, it analyzes how existing research addresses optimization of ACPs with regard to six crucial optimization dimensions. It presents a structured literature survey tracing these optimization dimensions, the contributed research artifact and data requirements. Building on this literature catalogue, this work elaborates on inaccuracies for user permission assignments, data availability, minimal perturbation and recommendation-based optimization.
... To address the above problem, Chen et al. designed a dynamic risk-based access control model by adding risk engines, risk authorization services, and risk policies to XACML [31]. Dos Santos et al. designed a risk matrix for managing users' access to the cloud and proposed a corresponding risk-based access control model [32]. To adaptively compute trust and risk values in dynamic occasions, Shaikh et al. proposed two dynamic risk-based decision methods for access control systems, which could not only allow broader authorities under certain controlled conditions (e.g., if users showed a positive record of use toward the resources they acquired in the past, they can be allowed broader authorities) but also restrict legitimate access of bad authorized users [33]. ...
Article
Granting users precise access rights is one of the purposes of access control technologies. With the increasing requirements of fine-grained authorization, too strict or too loose access control models may cause many problems. In this paper, aiming at insufficient authorizations in text databases, we propose a risk-aware topic-based access control (RTBAC) model, which uses topics to represent the content relationships between users and data. The RTBAC model also uses risk technologies to grant users corresponding access rights based on their historical behaviours and their access requests. The RTBAC model is a fine-grained access control model, and the authorization of RTBAC can reach the paragraph level. Experimental results show that RTBAC is an efficient access control model and the access control granularity of the RTBAC model is more than 3 times that of the existing content-based access control models.
... The risk-based access control model is one of the dynamic models that use the security risk value associated with each access request as a criterion to determine the access decision. It performs a risk analysis to estimate the security risk value for each access request, and then it uses the estimated risk value to decide to either grant or deny access [4,6]. ...
Article
Providing a dynamic access control model that uses real-time features to make access decisions for IoT applications is one of the research gaps that many researchers are trying to tackle. This is because existing access control models are built using static and predefined policies that always give the same result in different situations and cannot adapt to changing and unpredicted situations. One of the dynamic models that utilize real-time and contextual features to make access decisions is the risk-based access control model. This model performs a risk analysis on each access request to permit or deny access dynamically based on the estimated risk value. However, the major issue associated with building this model is providing a dynamic, reliable, and accurate risk estimation technique, especially when there is no available dataset to describe risk likelihood and impact. Therefore, this paper proposes a Neuro-Fuzzy System (NFS) model to estimate the security risk value associated with each access request. The proposed NFS model was trained using three learning algorithms: Levenberg–Marquardt (LM), Conjugate Gradient with Fletcher–Reeves (CGF), and Scaled Conjugate Gradient (SCG). The results demonstrated that the LM algorithm is the optimal learning algorithm to implement the NFS model for risk estimation. The results also demonstrated that the proposed NFS model provides a short and efficient processing time, which can provide timeliness risk estimation technique for various IoT applications. The proposed NFS model was evaluated against access control scenarios of a children’s hospital, and the results demonstrated that the proposed model can be applied to provide dynamic and contextual-aware access decisions based on real-time features.
Chapter
At present, most access control techniques are not flexible since they use static traits, so they give the same results in different situations. These access control techniques are also not adaptive in nature according to different environmental factors and unanticipated situations. Since the Internet is the core communication part of IoT, security becomes a prime concern in such an environment. In such dynamic communication systems, we need adaptive as well as flexible access control methods. In the proposed model, security risk analysis is done for both static and fixed policies as well as dynamic and flexible ones. This method uses some real-time information and contextual data to determine the access decision. This model is more stretchable in accessing resources and takes good access decisions in unpredictable conditions. The aim of this paper is to acquire the most suitable risk estimation method, which can generate an appropriate risk value to get the correct access decision per access request. In this paper, all traits are collected, such as criticality of resource, history of user, severity of risk, magnitude of impact, sensitivity of data, and context of user, for each access request in IoT communication systems. Collected values are validated against policies and a threshold value. If the risk value is less than the threshold value and the request passes the policy test, then that user request is permitted.
Chapter
Generation the Distance Matrix (DMx) is an important aspect that influences the correct solution of the routing problem in the dynamic variant. In the case of a frequent changing of points number and location, a continuous and effective update of the data is required, e.g., from more and more popular services such as Mapping APIs. The time-consuming nature of this process, which may extend the planning process, was emphasized. The article discusses the possibility of estimating the distance matrix based on the correction of the “haversine” distance. Method for the generation and updating of the DMx was proposed. The influence of update progress on some optimization algorithms was investigated. The research was carried out on the example of the real VRP problem. It was found that even a partial DMx update can significantly reduce the discrepancy between the VRP optimization results.
Chapter
Nowadays, younger generation is much more exposed to technology than previous generations used to. The recent advances in artificial intelligence (AI) and particularly natural language processing (NLP) and understanding (NLU) make it possible to reinforce and widespread the adoption of AI chatbots in education not only to help students in their administrative affairs or in academic advising but also in assisting them and monitoring their performance during their learning experience. This paper presents a review of the different methods and tools devoted to the design of chatbots with an emphasis on their use and challenges in the education field. Additionally, this paper focuses on language-related challenges and obstacles that hinder the implementation of English, Arabic, and other languages of chatbots. To show how AI chatbots benefit education, a use case is described where Hubert.ai chatbot has been used to assess students’ feedback regarding a machine learning course evaluation.
Article
Security in the Cloud is one of the foremost and critical features, which can ensure the confidence of the scientific community in the Cloud environment. With the dynamic and ever-changing nature of the Cloud computing environment, static access control models become obsolete. Hence, dynamic access control models are required, which is still an emergent and underdeveloped domain in Cloud security. These models utilize not only access policies but also contextual and real-time information to determine the access decision. Out of these dynamic models, the Risk-based Access control model estimates the security risk value related to the access request dynamically to determine the access decision. The exclusive working pattern of this access control model makes it an excellent choice for the dynamically changing environment that rules the cloud's environment. This paper provides a systematic literature appraisal and evaluation of risk-based access control models to provide a detailed understanding of the topic. The contributions of selected articles have been summarized. The security risks in the cloud environment have been reviewed, taking into account both Cloud Service Provider and Cloud Customer perspectives. Additionally, risk factors used to build the risk-based access control model were extracted and analyzed. Finally, the risk estimation techniques used to evaluate the risks of access control operations have also been identified.
Article
Cloud computing is the new trend in information science that is capable to change drastically the way we were using Internet. Despite all its advantages, users are always reluctant to host their data in the cloud because they are doubtful about its security, particularly the security related to the multi-tenant environment. Traditional access controls were implemented in the cloud in order to make the multi-tenant environment secure. But the issue is those access controls are static while the cloud is dynamic, leading to legitimate doubts on the ability of those to fulfill the security needs of the cloud. We propose to use Risk-Adaptive Access Control, which is a flexible real-time access control model that can naturally support the dynamism of cloud environments. We identified four security risks we will quantify by using tools available in statistical machine learning.
Conference Paper
This paper suggests a definition of the term Cloud Federation, a concept of service aggregation characterized by interoperability features, which addresses the economic problems of vendor lock-in and provider integration. Furthermore, it approaches challenges like performance and disaster-recovery through methods such as co-location and geographic distribution. The concept of Cloud Federation enables further reduction of costs due to partial outsourcing to more cost-efficient regions, may satisfy security requirements through techniques like fragmentation and provides new prospects in terms of legal aspects. Based on this concept, we discuss a reference architecture that enables new service models by horizontal and vertical integration. The definition along with the reference architecture serves as a common vocabulary for discussions and suggests a template for creating value-added software solutions.
Article
Access Control Systems: Security, Identity Management and Trust Models provides a thorough introduction to the foundations of programming systems security, delving into identity management, trust models, and the theory behind access control models. The book details access control mechanisms that are emerging with the latest Internet programming technologies, and explores all models employed and how they work. The latest role-based access control (RBAC) standard is also highlighted. This unique technical reference is designed for security software developers and other security professionals as a resource for setting scopes of implementations with respect to the formal models of access control systems. The book is also suitable for advanced-level students in security programming and system design. © 2006 Springer Science+Business Media, Inc., All rights reserved.
Conference Paper
Cloud computing is a cutting edge technology. eHealth is one promising application of this technology. In this paper, we describe a prototype implementation of an HL7-based eHealth application on the cloud. The system is secured with a risk-aware task-based access control. We demonstrate that our access control technique is more effective for preventing unauthorized access of medical information when compared to context-aware access controls, with a small access delay of approximately one second.
Article
Though Cloud computing itself has many open problems, researchers in the field have already made the leap to envision Inter-Cloud computing. Their goal is to achieve better overall Quality of Service (QoS), reliability and cost efficiency by utilizing multiple clouds. Inter-Cloud research is still in its infancy and the body of knowledge in the area has not been well defined yet. In this work, we propose and motivate taxonomies for Inter-Cloud architectures and application brokering mechanisms. We present a detailed survey of the state of the art in terms of both academic and industry developments (20 projects) and we fit each project onto the discussed taxonomies. We discuss how the current Inter-Cloud environments facilitate brokering of distributed applications across clouds considering their non-functional requirements. Finally, we analyse the existing works and identify open challenges and trends in the area of Inter-Cloud application brokering.