• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
ISSE 2012 Context-enhanced Authorization

ISSE 2012 Context-enhanced Authorization



Presentation at ISSE 2012 on Context-enhanced Authorization. http://www.isse.eu.com/

Presentation at ISSE 2012 on Context-enhanced Authorization. http://www.isse.eu.com/



Total Views
Views on SlideShare
Embed Views



1 Embed 2

http://www.slashdocs.com 2



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    ISSE 2012 Context-enhanced Authorization ISSE 2012 Context-enhanced Authorization Presentation Transcript

    • Context-enhaced AuthorizationUsing XACML to implement context-enhanced authorizationsMartijn Oostdijk, NovayISSE 2012, Brussels
    • Research & advisory Formerly known as: organization Telematica Instituut Innovation projectsMulti-disciplinary, ~50 (gov, financial, health)researchers/advisors Identity, Senior Advisor Privacy, Trust Martijn Oostdijk PhD comp. sci. CV: Radboud Univ., Eindhoven Univ. Tech. Riscure, Novay 2
    • centralization authz + nomadic working + authz for the cloud + Context- extended enterprise enhanced + XACML standard Authorization + (insider) attacks Research project with IBM and Rabobank + mobile/context3
    • Context-enhanced authz • XACML PoC at a large Dutch bank • Context = location and more • DYNAMIC!! Policies • Usefulness through use cases + feasibility study through demonstrator • Scope: employees4 Context-enhanced Authorization
    • CEA – the movie • 2:405 Context-enhanced Authorization
    • This presentation is NOT: • Introduction to Attribute based AC • Introduction to XACML standard So that there’s more time for: • Context-enhanced authorization • Use case + demonstrator • Lessons learned6 Context-enhanced Authorization
    • Authorization & Context? (Attribute Based PoC Access Control) • Use cases • Demonstrator7 Context-enhanced Authorization
    • Social PhysiologicalEnvironment - people nearby - heart rate - weather - behaviour - skin -air pollution - friends - voice - Twitter activities Location Time Mental - long/lat -office hours - happy - proximity - lunch time - scared - country/city - between points - sad- @home/@work in time - stressed Device Network Activities - type - IP-address - working - ownership - VPN - travelling (BYO) - LAN - meeting - OS and apps - WiFi or 3G - sleeping -patch status
    • Domain Type Source1. Environment Weather Buienradar Air polution Weeronline.nl Security incidents SIEM2. Physiological Heart rate ECG sensor, Camera Respiratory rate Camera Blood pressure BP meter (cuff)3. Social People nearby Bluetooth, Google Lattitude, Outlook Calendar SN Friends LinkedIn, Facebook Activity Twitter4. Location Long/Lat GPS, GSM Cell-Id City GPS, Geo-IP Proximity Bluetooth, RFID/NFC 10 Context-enhanced Authorization
    • Domain Type Source5. Time Office hours System time Lunch time Outlook Calendar6. Mental Happy/sad Sound sensor Scared Galvanic skin responses Stressed7. Network VPN or localnet Network access gateway Wireless or Wired IP address8. Device Type Device mngmt system Ownership Device mngmt system 11 Context-enhanced Authorization
    • Domain Type Source9. Activity Travelling GPS, accelerometer Meeting Calendar, Proximity sources Sleeping Heart sensor, ECG, sound Some observations: • Inter-dependencies between domains/types • Some inference is needed in some types • Most domains/types can benefit from multiple measurements over time • What characteristics determine which domains / types / sources are most suitable in a given scenario? 12 Context-enhanced Authorization
    • Use-cases – a high level … • Finer grained access to application with “hit-n-run” functionality • Data loss prevention when traveling • More flexible authentication  Simple context sources13 Context-enhanced Authorization
    • Demonstrator Proximity dongle User Application NFC reader Context client Google Latitude Policies Outlook Policy Engine Google Calendar Policies incl. context variables Context Device Mgmt server14 Context-enhanced Authorization
    • 17 Context-enhanced Authorization
    • 18 Context-enhanced Authorization
    • 19 Context-enhanced Authorization
    • 20 Context-enhanced Authorization
    • 21 Context-enhanced Authorization
    • 22 Context-enhanced Authorization
    • Context • Location, location, location • Stuff derived from location • Type of device (BYOD, enterprise mobility etc.) • Type of network (VPN/local, AP, browser, OS) • Time-of-day • And, of course, normal usage patterns • Please note: context is just another attribute for XACML, but then dynamic23 Context-enhanced Authorization
    • Authenticity of context • Can we trust the source? Trust me! • Depends on the precise scenario • and on technology • and on who controls the source •  Some sources are more trustworthy than other • Why not just fuse with more context sources? • Multi-factor context, harder to fake for attacker • But also harder to understand and base policies on • How to react to incidents?24 Context-enhanced Authorization
    • Authenticity of context CeA vs TM (SIEM, …): Needed trust in authenticity of context25 Context-enhanced Authorization
    • Quality of context • Sources might provide incorrect data (with certain probability) • Sources have limited accuracy (resolution, precision, granularity) • Sources deliver data with certain delay • Data will have a temporal relevancy • Some sensors require user to carry (and not forget) mobile device …26 Context-enhanced Authorization
    • Adoption in applications • XACML-izing applications • SOA oriented applications  easy • Making apps ready for externalization of authz • (Stable versions of) XACML have been around since before 2006 • “Move to cloud” as driver? • Alternatives: provision authz attributes, proprietary authorization APIs27 Context-enhanced Authorization
    • Privacy consequences • Acceptance • Trade-off between privacy and usability (or security?) • Measure only relevant context • Relevant for (what?) purpose • Degrade information (latency, accuracy) • User control (and transparancy), sensors are in mobile • Assumes (some) trust in CM system28 Context-enhanced Authorization
    • Complexity of policies • Policies with many different context variables • Express policies with respect to “raw” context (e.g. long/lat) versus more abstract notions (e.g. @home, @work)29 Context-enhanced Authorization
    • Scalability & performance30 Context-enhanced Authorization
    • Key take-awaysYes it’s useful, yes it’s feasibleContext is mostly location, KISBut w.r.t. context:authenticity, quality & privacyBut w.r.t. dyn attributes / XACML:complexity of policies & scalability
    • More Information http://www.novay.nl/digital-identity martijn.oostdijk@novay.nl http://linkedin.com/in/martijno This presentation was supported by the Dutch national program COMMIT (project P7 SWELL)32 Context-enhanced Authorization