Risk Management in Access Control Policies
Pierrette Annie Evina, Faten Labbene Ayachi, Faouzi Jaidi
DOI: http://dx.doi.org/10.15439/2017F555
Citation: Position Papers of the 2017 Federated Conference on Computer Science and Information Systems, M. Ganzha, L. Maciaszek, M. Paprzycki (eds). ACSIS, Vol. 12, pages 107–112 (2017)
Abstract. The evolution of information systems and their openness to their socio-economic environment have led to new security needs. At the heart of information systems, Database Management Systems (DBMS) are increasingly exposed to specific intrusion types, including internal threats from authorized users. In addition, the access control policy (PCA) defined on a database schema is stored at the same location as the data it protects and is thus highly prone to corruption attempts, such as non-conformity of the role or permission assignments in the observed state of the policy compared to a reference state, especially in the case of Role-Based Access Control (RBAC). We establish a correlation between the detected anomalies and we exploit the log files and other audit mechanisms to propose a global and comprehensive formal risk management approach that mainly verifies the recommendations of the ISO 31000:2009 standard.
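As an added illustration, not code from the paper: a minimal conformity check that diffs an observed RBAC state (as one would extract it from the DBMS catalogue) against the reference policy, classifies each deviation as a hidden or missing role, user-role or role-permission assignment, and reports the privileges each user gained as a result. The `RbacState` structure and the sample assignments are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RbacState:
    """Snapshot of an RBAC policy: user -> roles (UA) and role -> permissions (PA)."""
    ua: dict  # user -> frozenset of roles
    pa: dict  # role -> frozenset of permissions

def effective_perms(state, user):
    """Permissions a user actually holds through all of their assigned roles."""
    return frozenset(p for r in state.ua.get(user, ()) for p in state.pa.get(r, ()))

def compare(reference, observed):
    """Diff the observed (DBMS-stored) policy against the reference and classify
    each deviation: 'hidden' = present in the DB but absent from the reference,
    'missing' = required by the reference but absent from the DB."""
    anomalies = {"hidden_ua": set(), "missing_ua": set(),
                 "hidden_pa": set(), "missing_pa": set()}
    ref_roles, obs_roles = set(reference.pa), set(observed.pa)
    anomalies["hidden_role"] = obs_roles - ref_roles
    anomalies["missing_role"] = ref_roles - obs_roles
    users = set(reference.ua) | set(observed.ua)
    for u in users:
        ref_r, obs_r = reference.ua.get(u, frozenset()), observed.ua.get(u, frozenset())
        anomalies["hidden_ua"] |= {(u, r) for r in obs_r - ref_r}
        anomalies["missing_ua"] |= {(u, r) for r in ref_r - obs_r}
    for r in ref_roles | obs_roles:
        ref_p, obs_p = reference.pa.get(r, frozenset()), observed.pa.get(r, frozenset())
        anomalies["hidden_pa"] |= {(r, p) for p in obs_p - ref_p}
        anomalies["missing_pa"] |= {(r, p) for p in ref_p - obs_p}
    # Impact of the deviations: privileges a user holds that the reference never granted.
    gained = {u: effective_perms(observed, u) - effective_perms(reference, u) for u in users}
    anomalies["privilege_gain"] = {u: g for u, g in gained.items() if g}
    return anomalies

# Constructed sample states (not taken from the paper).
REFERENCE = RbacState(
    ua={"alice": frozenset({"clerk"}), "bob": frozenset({"auditor"})},
    pa={"clerk": frozenset({"select:orders", "insert:orders"}),
        "auditor": frozenset({"select:orders", "select:ledger"})})
OBSERVED = RbacState(
    ua={"alice": frozenset({"clerk", "dba"}), "bob": frozenset({"auditor"})},
    pa={"clerk": frozenset({"select:orders", "insert:orders", "delete:orders"}),
        "auditor": frozenset({"select:orders"}),
        "dba": frozenset({"drop:ledger"})})

if __name__ == "__main__":
    for kind, items in compare(REFERENCE, OBSERVED).items():
        print(kind, sorted(items) if isinstance(items, set) else items)
```

The `privilege_gain` entry is what a risk assessment would weigh first, since it is the concrete effect of the corrupted assignments rather than the individual deviations.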