Information flow-based Risk Assessment in Access Control Systems Sofiene Boulares, PhD student Luigi Logrippo, Supervisor Université du Québec en Outaouais Gatineau, Québec, Canada [email protected] ; [email protected]



Agenda

I. Toward flexible risk-based access control
II. Risk based access control
III. Expected contributions
IV. Steps of the proposed approach
  1. Dynamic determination of objects and subjects security levels
  2. Information flow-based assessment of intrinsic likelihood
  3. Likelihood assessment
  4. Impact assessment
  5. Risk assessment
V. Overall view of the approach
VI. Process flow based on XACML architecture
VII. Conclusion and future work


Toward flexible risk-based access control

• Most current access control systems simply give a yes-no answer to access control requests, usually based on security administrator decisions which are taken off-line
• In many applications, this is too rigid and static
• No consideration of changing situations
• We propose an information flow-based risk assessment approach that dynamically evaluates the risk of accessing information
• Information flow is the transfer of information from subjects to objects and vice versa
• As information moves in the system, risk levels for subjects and objects change
• The results of this assessment can be used by access control systems in a variety of ways


Risk based access control

Diagram: an access request enters the access control system, which evaluates it against the policy together with an acceptable risk score.
• If Risk(Access request) ≤ Acceptable Risk Score, Decision: Grant
• If Risk(Access request) > Acceptable Risk Score, Decision: Deny


Expected Contributions

• Dynamic determination of subjects’ and objects’ security levels:
  • History-based approach with consideration of past accesses
• Threat likelihood assessment:
  • Information flow-based approach for assessing threat likelihood
• Risk assessment:
  • Security controls in risk assessment
  • Evaluation principles will be given
  • Evaluation formulas will be proposed


Steps of the proposed approach for risk assessment

1. Security levels determination of objects and subjects

2. Intrinsic likelihood assessment

3. Likelihood assessment

4. Impact assessment

5. Risk assessment



Basic assumptions

• Security levels of subjects and sensitivity levels of objects have been previously assessed at initial values
• They can change as a result of information flow
• A Read action creates an information flow from an object to a subject
• A Write action creates an information flow from a subject to an object
• Subjects can increase their security levels as they acquire information from higher levels
• Objects can increase sensitivity as they receive information from higher levels
• The number of accesses to different objects can also be important


Determination of subjects’ and objects’ security levels

Diagram: the access history feeds the determination of both the object’s security level and the subject’s security level.

To analyze the access history, many factors are considered:
• Levels of subjects and objects
• Number of previous accesses
• Inference problems:
  • Aggregation
  • Association
• Actions requested and security criteria


Access history-based Subject security level

Figure: four examples (Request 1 to Request 4) of a write access requested after previous read accesses. Arrows show the direction in which information flows through subjects and objects; security levels are shown by different heights in the drawing.

• Subject level (Request 1) < Subject level (Request 2)
  1. No objects previously read in example 1
  2. The write request in example 2 is preceded by a read access to an object where the subject’s security level is lower than the object’s security level
• Subject level (Request 2) < Subject level (Request 3)
  1. The subject of Request 3 has read an object at a higher security level than the one of Request 2
• Subject level (Request 3) < Subject level (Request 4)
  1. The number of objects with higher security levels previously read in example 4 is greater than the number of objects previously read in example 3


Impact of previous accesses on subject security level

Plot: subject’s security level (y axis, 0 to 5) against the number of previous read accesses (x axis, 10 to 50), one curve per security level of the objects read (1 to 4). Each curve rises with the number of reads (1.2, 1.4, 1.6, 1.8, 1.99; 2.2 to 2.99; 3.2 to 3.99; 4.2 to 4.99), approaching but not reaching the next integer level.

Property 1: If the level of objects with higher security levels previously read increases then the security level of the subject increases.

Property 2: If the number of objects with higher security levels previously read increases then the security level of the subject increases.


Access history-based Object security level

Figure: four examples (Request 1 to Request 4) of a read access requested after previous write accesses.

• Object level (Request 1) < Object level (Request 2)
  1. Only a subject at the same level has written in the object in example 1
  2. The read request in example 2 is preceded by a write access to the object, and the writer’s security level is higher than the object’s security level
• Object level (Request 2) < Object level (Request 3)
  1. The security level of the subject who has previously written in the object in example 3 is higher than the security level of the subject who has written in the object in example 2
• Object level (Request 3) < Object level (Request 4)
  1. The number of subjects who have previously written in the object in example 4 is higher than the number of subjects who have previously written in the object in example 3


Impact of previous accesses on object security level

Plot: object’s security level (y axis, 0 to 5) against the number of previous write accesses (x axis, 10 to 50), one curve per security level of the subjects having previously written (1 to 4). Each curve rises with the number of writes (1.2, 1.4, 1.6, 1.8, 1.99; 2.2 to 2.99; 3.2 to 3.99; 4.2 to 4.99), approaching but not reaching the next integer level.

Property 3: If the levels of the subjects who have previously written in an object increase, then the security level of the object increases.

Property 4: If the number of the subjects who have previously written in an object increases, then the security level of the object increases.


Inference problems

Figure: objects labelled with their individual security levels ((1), (2), (3), (4)); three of them are enclosed in a circle.

Data inference is considered. There are two important cases of the inference problem:

• Because of aggregation, a collection of data items can be classified at a higher level than the levels of the individual data items by themselves.
  • Example: The content of a medical file is Secret, but the aggregate information concerning all the medical files is Top Secret.
• Because of data association, two values seen together can be classified at a higher level than the classification of either value individually.
  • Example: The file containing the names of the employees and the file containing their social insurance numbers are unclassified, while a combined file giving employee names with their social insurance numbers is classified.

A subject who reads the three objects inside the circle will have information with security level 4, even if the level of each object considered separately is less than 4.
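As an added worked example (not code from the authors' slides), the following Python models the history-based determination of security levels described from page 8 to page 14: a read raises the subject's level toward the levels of the higher-level objects it has read, a write raises the object's level toward the levels of the higher-level subjects that have written into it, and a satisfied aggregate (a set of objects whose combined information is classified higher) counts as one more high-level flow. The saturating rule `base + (top - base) * n / (n + 1)`, the `Access` record, the aggregate representation and all level values are assumptions of this example; the slides state Properties 1 to 4 but give no formula.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Access:
    """One entry of the access history: who did what to which object (assumed record)."""
    subject: str
    obj: str
    action: str  # "read" or "write"


def _raise_toward(base: float, higher_levels: List[float]) -> float:
    """Saturating rule assumed by this example (not the authors' formula).
    The level moves from `base` toward the highest level seen and gets closer
    to it with every additional higher-level flow, without ever reaching it.
    It increases with the levels seen (Properties 1 and 3) and with their
    number (Properties 2 and 4)."""
    if not higher_levels:
        return float(base)
    top = max(higher_levels)
    n = len(higher_levels)
    return base + (top - base) * n / (n + 1)


def _satisfied_aggregates(read: Set[str],
                          aggregates: Iterable[Tuple[FrozenSet[str], float]]) -> List[float]:
    # An aggregate (set of objects, level) applies once every object of the set is read.
    return [level for objs, level in aggregates if objs <= read]


def subject_level(subject: str, base: float, history: List[Access],
                  object_levels: Dict[str, float],
                  aggregates: Iterable[Tuple[FrozenSet[str], float]] = ()) -> float:
    """Effective security level of `subject` given its previous reads
    (a read is an information flow from the object to the subject)."""
    read = {a.obj for a in history if a.subject == subject and a.action == "read"}
    higher = [object_levels[o] for o in read if object_levels[o] > base]
    higher += [lvl for lvl in _satisfied_aggregates(read, aggregates) if lvl > base]
    return _raise_toward(base, higher)


def object_level(obj: str, base: float, history: List[Access],
                 subject_levels: Dict[str, float]) -> float:
    """Effective sensitivity level of `obj` given who previously wrote into it
    (a write is an information flow from the subject to the object)."""
    writers = {a.subject for a in history if a.obj == obj and a.action == "write"}
    higher = [subject_levels[s] for s in writers if subject_levels[s] > base]
    return _raise_toward(base, higher)


def information_level(subject: str, history: List[Access],
                      object_levels: Dict[str, float],
                      aggregates: Iterable[Tuple[FrozenSet[str], float]] = ()) -> float:
    """Highest level of information the subject now holds, aggregates included."""
    read = {a.obj for a in history if a.subject == subject and a.action == "read"}
    levels = [object_levels[o] for o in read] + _satisfied_aggregates(read, aggregates)
    return max(levels, default=0.0)


def page10_requests() -> List[float]:
    """Constructed data for the four write requests of page 10: the subject starts at
    level 1; o_a is at level 2, o_b and o_c at level 3."""
    levels = {"o_a": 2, "o_b": 3, "o_c": 3}
    histories = [
        [],                                                        # Request 1
        [Access("s", "o_a", "read")],                              # Request 2
        [Access("s", "o_b", "read")],                              # Request 3
        [Access("s", "o_b", "read"), Access("s", "o_c", "read")],  # Request 4
    ]
    return [subject_level("s", 1, h, levels) for h in histories]


def page12_requests() -> List[float]:
    """Constructed data for the four read requests of page 12: the object starts at
    level 1; s_x is at level 1, s_y at level 2, s_z and s_w at level 3."""
    levels = {"s_x": 1, "s_y": 2, "s_z": 3, "s_w": 3}
    histories = [
        [Access("s_x", "o", "write")],                               # Request 1
        [Access("s_y", "o", "write")],                               # Request 2
        [Access("s_z", "o", "write")],                               # Request 3
        [Access("s_z", "o", "write"), Access("s_w", "o", "write")],  # Request 4
    ]
    return [object_level("o", 1, h, levels) for h in histories]


def page14_aggregation() -> Tuple[float, float]:
    """Three objects below level 4 whose aggregate is classified at level 4 (constructed).
    Returns the information level held without and with the aggregate rule."""
    levels = {"o1": 2, "o2": 1, "o3": 3}
    hist = [Access("s", o, "read") for o in levels]
    agg = [(frozenset(levels), 4)]
    return information_level("s", hist, levels), information_level("s", hist, levels, agg)


if __name__ == "__main__":
    print(page10_requests())     # strictly increasing: [1.0, 1.5, 2.0, 2.333...]
    print(page12_requests())     # strictly increasing: [1.0, 1.5, 2.0, 2.333...]
    print(page14_aggregation())  # (3, 4)
```

The rule is monotone both in the highest level seen and in the number of distinct higher-level sources, which is what Properties 1 to 4 ask for, and it never reaches the level of the source, which matches the plateaus just below the next integer in the plots of pages 11 and 13. Counting distinct objects (or writers) rather than raw events follows page 8's remark that the number of accesses to different objects matters.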


Intrinsic Likelihood Assessment

Intrinsic likelihood: the probability that the risk in question will occur, in the context of the organization concerned, in the absence of any security control.

Intuitively, the measure of the intrinsic likelihood of a threat caused by the action read is affected by the following two general principles:

Principle 1: Intrinsic likelihood increases as the object’s confidentiality level increases.

Principle 2: Intrinsic likelihood increases as the subject’s confidentiality level decreases.

The measure of the intrinsic likelihood of a threat caused by the action write is affected by the following two general principles:

Principle 3: Intrinsic likelihood increases as the object’s confidentiality level decreases.

Principle 4: Intrinsic likelihood increases as the subject’s confidentiality level increases.


Access requests risk knowledge base

To assess the risk of access requests, we use an access requests risk knowledge base that includes:

• The description of the characteristic elements of each access request risk
• The information on the relevant security controls for each type of risk
• The relationship between the quality of these controls
• The effectiveness of risk reduction factors


Security controls for likelihood reduction

• “Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of a system and its information” [4]

Example:
• Case 1: Access request in an environment where maximum level security controls are implemented (strong authentication, efficient encryption algorithm, etc.)
• Case 2: The same access request in an environment where fewer security controls are implemented
• Intuitively, Likelihood in case 1 is higher than in case 2.

Security controls are a parameter to be considered when assessing the risk of access requests


Security controls categories

• Dissuasive and preventive controls that act on likelihood
  • Dissuasive controls: Access auditing
  • Preventive controls: Strong authentication
• Protective and palliative controls that act on impact
  • Protective: Interdiction of accesses
  • Palliative: for integrity, backing up files before authorizing access


Likelihood assessment with reductions

Diagram: the Intrinsic Likelihood, reduced by the security controls for likelihood reduction, gives the Likelihood.

Likelihood: The probability that a specific risk will occur, in the context of the organization concerned

Likelihood (s, o, a, E) =

Suitable controls can reduce risk likelihood through diverse mechanisms that may act independently or cumulatively.

Security controls for likelihood reduction can be divided into two types:
– Dissuasive controls, which target human actions and aim at making it less likely that an actor will actually perform the action
– Preventive controls, which aim at making it less likely that any action leads to the occurrence of the risk
– Dissuasion and prevention are likelihood reduction factors. These factors should be evaluated


Impact Assessment

Diagram: the object’s security level, reduced by the security controls for impact reduction, gives the Impact.

Impact: The consequence, for the organization concerned, if the risk in question occurs

Impact (o, a, E) =

• Suitable controls can reduce risk impact (the level of its consequences) through diverse mechanisms that may act independently or cumulatively
• Security controls for impact reduction can be classified into two types:
  • Confinement controls, which aim to limit the magnitude of direct consequences
  • Palliative controls, which aim to minimize the indirect consequences of a risk by anticipating crisis management
• Confinement and palliation constitute the impact reduction factors. These factors should be evaluated.


Risk assessment

S: set of subjects, s ∈ S; O: set of objects, o ∈ O; A: set of actions, a ∈ A; E: environment

Risk (s, o, a, E) = Impact (o, a, E) × Likelihood (s, o, a, E)

× can denote multiplication or another suitable function

Diagram: Impact and Likelihood combine into Risk.

• Impact is a function of:
  • Object’s security level
  • Security controls for impact reduction
• Likelihood is a function of:
  • Subject’s security level
  • Object’s security level
  • Security controls for likelihood reduction
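Added example, not the authors' formulas: the slides leave the right-hand sides of Likelihood (s, o, a, E) and Impact (o, a, E) open, so this Python fills them with assumed stand-ins to show how the pieces of pages 16 to 25 fit together: an intrinsic likelihood that obeys Principles 1 to 4, likelihood reduction by dissuasive and preventive controls, impact reduction by confinement and palliative controls, Risk as the product, and the page 4 comparison with an acceptable risk score. The linear mapping of the level gap onto [0, 1], the `Environment` reduction factors, the impact taken proportional to the object's level and the sample levels are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Tuple

MAX_LEVEL = 5          # security levels run from 1 to 5 in this example (constructed)
SPAN = MAX_LEVEL - 1   # largest possible gap between two levels


def intrinsic_likelihood(action: str, s_level: float, o_level: float) -> float:
    """Likelihood in the absence of any security control, mapped onto [0, 1].
    read:  grows with the object's level, falls with the subject's (Principles 1, 2)
    write: grows with the subject's level, falls with the object's (Principles 3, 4)
    The linear mapping of the level gap onto [0, 1] is an assumption of this example."""
    if action == "read":
        gap = o_level - s_level
    elif action == "write":
        gap = s_level - o_level
    else:
        raise ValueError(f"unknown action {action!r}")
    return (gap + SPAN) / (2 * SPAN)


@dataclass(frozen=True)
class Environment:
    """Security controls in force, each as a reduction factor in [0, 1]
    (0 = control absent, 1 = fully effective). Representation assumed here."""
    dissuasion: float = 0.0   # e.g. access auditing          (acts on likelihood)
    prevention: float = 0.0   # e.g. strong authentication    (acts on likelihood)
    confinement: float = 0.0  # limits direct consequences    (acts on impact)
    palliation: float = 0.0   # e.g. backup before the access (acts on impact)


def _reduce(value: float, *factors: float) -> float:
    """Factors act independently and cumulatively: each keeps (1 - factor) of the value."""
    for f in factors:
        if not 0.0 <= f <= 1.0:
            raise ValueError("reduction factor must lie in [0, 1]")
        value *= 1.0 - f
    return value


def likelihood(s_level: float, o_level: float, action: str, env: Environment) -> float:
    """Likelihood(s, o, a, E): intrinsic likelihood after dissuasion and prevention."""
    return _reduce(intrinsic_likelihood(action, s_level, o_level),
                   env.dissuasion, env.prevention)


def intrinsic_impact(o_level: float) -> float:
    """Consequence if the risk occurs, before impact controls: taken proportional
    to the object's security level (assumption of this example)."""
    return o_level / MAX_LEVEL


def impact(o_level: float, action: str, env: Environment) -> float:
    """Impact(o, a, E): intrinsic impact after confinement and palliation."""
    return _reduce(intrinsic_impact(o_level), env.confinement, env.palliation)


def risk(s_level: float, o_level: float, action: str, env: Environment) -> float:
    """Risk(s, o, a, E) = Impact(o, a, E) x Likelihood(s, o, a, E), with x as multiplication."""
    return impact(o_level, action, env) * likelihood(s_level, o_level, action, env)


def decide(s_level: float, o_level: float, action: str, env: Environment,
           acceptable: float) -> str:
    """Page 4 rule: grant when the risk does not exceed the acceptable risk score."""
    return "Grant" if risk(s_level, o_level, action, env) <= acceptable else "Deny"


def compare_environments() -> Tuple[float, float]:
    """Same read request (subject at level 2.0 reading an object at level 4) in two
    constructed environments: no controls at all, and strong dissuasive, preventive
    and confinement controls."""
    none = Environment()
    strong = Environment(dissuasion=0.5, prevention=0.5, confinement=0.5)
    return risk(2.0, 4, "read", none), risk(2.0, 4, "read", strong)


if __name__ == "__main__":
    r_none, r_strong = compare_environments()
    print(r_none, decide(2.0, 4, "read", Environment(), 0.3))                                      # 0.6 Deny
    print(r_strong, decide(2.0, 4, "read", Environment(0.5, 0.5, 0.5), 0.3))                      # 0.075 Grant
```

Running compare_environments() contrasts the two cases of page 19: the same read request scores 0.6 with no controls and 0.075 with strong controls, so with an acceptable risk score of 0.3 it is denied in the first environment and granted in the second. Because the reduction factors multiply, two half-effective likelihood controls leave a quarter of the intrinsic likelihood, which is the cumulative behaviour page 21 describes.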


Overall view of the proposed approach (Putting it all together)

Diagram: the access history determines the object’s security level and the subject’s security level; from these the Intrinsic Likelihood is derived and, with the security controls for likelihood reduction, the Likelihood; from the object’s security level the Intrinsic Impact is derived and, with the security controls for impact reduction, the Impact; Impact and Likelihood give the Risk.


Process flow Based on XACML Architecture

In our proposed method:

1. Subject and object attributes keep a history of all accesses

2. Risk calculator analyzes attributes, security levels and the security controls to compute the risk

3. The Policy Decision point (PDP) requests information about the risk values and then takes the decision

4. Obligations update attributes after granting access and reduce the risk when needed
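Added example (not the project's code) of the four steps above in a small XACML-style loop: the attribute store keeps the access history, a risk calculator reads the attributes, the PDP decides against an acceptable risk score, and obligations discharged by the PEP after a grant record the access, raise the level of the side that received information and, when that alone brings the risk under the score, require a preventive control. The stand-in risk rule, the halfway level update, the obligation names and the scenario data are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_LEVEL = 5   # security levels 1 to 5 (constructed)


@dataclass
class Attributes:
    """Attribute store queried by the PDP (step 1): security levels, plus the
    access history kept as an attribute and updated by obligations."""
    subject_level: Dict[str, float]
    object_level: Dict[str, float]
    history: List[Tuple[str, str, str]] = field(default_factory=list)  # (subject, object, action)


@dataclass
class Decision:
    effect: str                 # "Permit" or "Deny"
    risk: float                 # risk value the decision was taken on
    obligations: List[str] = field(default_factory=list)


def risk_calculator(attrs: Attributes, s: str, o: str, action: str,
                    reduction: float = 0.0) -> float:
    """Step 2 (stand-in rule assumed by this example): likelihood from the gap
    between the levels, impact from the object's level, likelihood scaled down
    by the reduction factor of the controls in force."""
    s_lvl, o_lvl = attrs.subject_level[s], attrs.object_level[o]
    gap = (o_lvl - s_lvl) if action == "read" else (s_lvl - o_lvl)
    likelihood = (gap + MAX_LEVEL - 1) / (2 * (MAX_LEVEL - 1)) * (1.0 - reduction)
    impact = o_lvl / MAX_LEVEL
    return impact * likelihood


def pdp(attrs: Attributes, s: str, o: str, action: str, acceptable: float,
        preventive_reduction: float = 0.5) -> Decision:
    """Step 3: the PDP asks the risk calculator, compares with the acceptable
    risk score and decides. Assumed policy for "reduce the risk when needed":
    if a preventive control (strong authentication, modelled as a fixed
    reduction factor) would bring the risk under the score, grant with an
    obligation to apply it; otherwise deny."""
    r = risk_calculator(attrs, s, o, action)
    if r <= acceptable:
        return Decision("Permit", r, ["record-access"])
    r_reduced = risk_calculator(attrs, s, o, action, preventive_reduction)
    if r_reduced <= acceptable:
        return Decision("Permit", r_reduced, ["require-strong-authentication", "record-access"])
    return Decision("Deny", r)


def enforce(attrs: Attributes, s: str, o: str, action: str, d: Decision) -> None:
    """Step 4 (PEP side): discharge the obligations of a granted request."""
    if d.effect != "Permit":
        return
    if "record-access" in d.obligations:
        attrs.history.append((s, o, action))
        # The flow raises the receiving side's level. Incremental rule assumed
        # here: move halfway toward the source's level when the source is higher.
        s_lvl, o_lvl = attrs.subject_level[s], attrs.object_level[o]
        if action == "read" and o_lvl > s_lvl:
            attrs.subject_level[s] = (s_lvl + o_lvl) / 2
        elif action == "write" and s_lvl > o_lvl:
            attrs.object_level[o] = (s_lvl + o_lvl) / 2


def scenario(acceptable: float = 0.3):
    """Constructed run: alice (level 1) reads a level-3 report, then writes into a
    level-1 draft, then tries to read a level-5 vault. Returns the decisions and
    the attribute store as it stands afterwards."""
    attrs = Attributes(subject_level={"alice": 1.0},
                       object_level={"report": 3.0, "draft": 1.0, "vault": 5.0})
    outcomes = []
    for o, action in [("report", "read"), ("draft", "write"), ("vault", "read")]:
        d = pdp(attrs, "alice", o, action, acceptable)
        enforce(attrs, "alice", o, action, d)
        outcomes.append((d.effect, d.obligations, round(d.risk, 4)))
    return outcomes, attrs


if __name__ == "__main__":
    for outcome in scenario()[0]:
        print(outcome)
```

In the run, the first read is only grantable with the preventive-control obligation (risk 0.45 unreduced, 0.225 once strong authentication is required), the grant raises alice's level to 2.0 and records the access, the later write raises the draft's level to 1.5 because a higher-level subject wrote into it, and the read of the level-5 vault is denied because even the reduced risk stays above the score.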


Conclusion

• Risk-based access control decisions, considering impact and likelihood
• Impact and likelihood calculations are based on security levels of subjects and objects, determined according to information flow, i.e. access histories
• Security controls for impact and likelihood reduction are also considered


Future work

• Formalization of concepts
• Formulae for subjects’ and objects’ level determination
• Formulae for likelihood and impact assessment
• Consideration of time and location to determine security levels of objects and subjects
• Identification of obligations to act on precise parameters with precise values of risk reduction


Research Framework

This project is in the framework of other projects of our group that are investigating:
• Policy languages and access control models for the Cloud and for the Web
• Data access and flow control in workflow contexts


References

[1] http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

[2] http://profsandhu.com/articles/auerbach/a93dsc.pdf

[3] http://www.clusif.asso.fr/fr/production/ouvrages/pdf/MEHARI-2010-Principles-Specifications.pdf

[4] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
