Access Control definition, traditional access control models, their limitations and the possible solutions to overcome those problems, emerging trends in access control
Incident Response Methodology is one of the popular process to investigate the incident which is unlawful, unauthorized or unacceptable action on computer system or computer network.
Data loss is considered by security experts to be one of the most serious threats that businesses currently face.
Maintaining the confidentiality of personal information and data is an essential factor in operating a successful business. People must be able to trust that their service provider takes the appropriate measures to implement security controls that will ultimately protect their privacy.
However, some of the largest and most reputable organizations have fallen victim to data loss security breaches resulting in significant legal, financial, and reputation loss, including [1]:
The Bank of America: Losing the personal employee information of over one million employees
The United States Government: Losing data related to the military
Heartland Payment Systems: Transferring credit card information and other personal records of over 130 million customers
In 2013, it was estimated that data breaches had resulted in the exploitation of over 800 million personal records [2]. This number is also expected to rise over the next several years given the advanced tools that cybercriminals use to steal information and data.
Interestingly, it is not just cybercriminals who represent a threat as:
64% of data loss is caused by well-meaning insiders.
50% of employees leave with data.
$3.5 million average cost of a security breach.
Considering these extensive data breaches, it is practical for organizations to understand where their critical data is located and understanding current security controls that can stop data loss.
Data Loss Prevention (DLP) solutions locate critical and personal data for organizations and help prevent data loss. By having a deeper understanding of efficient DLP security controls, you will help protect the reputation of your organization.
For more information contact: rkopaee@riskview.ca
https://www.threatview.ca
http://www.riskview.ca
DLP Systems: Models, Architecture and AlgorithmsLiwei Ren任力偉
DLP is a data security technology that detects and prevents data breach incidents by monitoring data in-use, in-motion and at-rest. It has been widely applied for regulatory compliances, data privacy and intellectual property protection. This talk will introduce basic concepts and security models to describe DLP systems with high level architecture. DLP is an interesting discipline with content inspection techniques supported by sophisticated algorithms. Special investigation will be taken for a few algorithms: document fingerprinting, data record fingerprinting, scalable M-pattern string match and etc..
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
Incident Response Methodology is one of the popular process to investigate the incident which is unlawful, unauthorized or unacceptable action on computer system or computer network.
Data loss is considered by security experts to be one of the most serious threats that businesses currently face.
Maintaining the confidentiality of personal information and data is an essential factor in operating a successful business. People must be able to trust that their service provider takes the appropriate measures to implement security controls that will ultimately protect their privacy.
However, some of the largest and most reputable organizations have fallen victim to data loss security breaches resulting in significant legal, financial, and reputation loss, including [1]:
The Bank of America: Losing the personal employee information of over one million employees
The United States Government: Losing data related to the military
Heartland Payment Systems: Transferring credit card information and other personal records of over 130 million customers
In 2013, it was estimated that data breaches had resulted in the exploitation of over 800 million personal records [2]. This number is also expected to rise over the next several years given the advanced tools that cybercriminals use to steal information and data.
Interestingly, it is not just cybercriminals who represent a threat as:
64% of data loss is caused by well-meaning insiders.
50% of employees leave with data.
$3.5 million average cost of a security breach.
Considering these extensive data breaches, it is practical for organizations to understand where their critical data is located and understanding current security controls that can stop data loss.
Data Loss Prevention (DLP) solutions locate critical and personal data for organizations and help prevent data loss. By having a deeper understanding of efficient DLP security controls, you will help protect the reputation of your organization.
For more information contact: rkopaee@riskview.ca
https://www.threatview.ca
http://www.riskview.ca
DLP Systems: Models, Architecture and AlgorithmsLiwei Ren任力偉
DLP is a data security technology that detects and prevents data breach incidents by monitoring data in-use, in-motion and at-rest. It has been widely applied for regulatory compliances, data privacy and intellectual property protection. This talk will introduce basic concepts and security models to describe DLP systems with high level architecture. DLP is an interesting discipline with content inspection techniques supported by sophisticated algorithms. Special investigation will be taken for a few algorithms: document fingerprinting, data record fingerprinting, scalable M-pattern string match and etc..
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
Security orchestration and automation for MSSPs alleviates these challenges and makes the process run effectively and efficiently. Automation and orchestration methods impact MSSPs in several important ways. Here’s how:
Automation : Enables response to low level tasks, while freeing analysts for higher value
Orchestration : One responsibility of an MSSP is to manage the tasks of client SOCs.
Visit - https://www.siemplify.co/mssp-security-orchestration-automation/
Presentation on Zero Trust model, used for the Codecademy Manipal Chapter event. Covers basic information about the Zero trust model, implementation, and benefits.
Get advice from security gurus on how to get up & running with SIEM quickly and painlessly. You'll learn about log collection, log management, log correlation, integrated data sources and how-to leverage threat intelligence into your SIEM implementation.
A more in-depth analysis of cyber forensics; but explained eloquently for the beginner, by Chaitanya Dhareshwar - Cyber Crime Investigator, Technocrat and Entrepreneur.
Learn what cyber forensics is all about and how you can begin using the basic tools of forensics in your day to day life. Not only does it make the world a safer place, your data remains significantly more secure.
Every step you take towards cyber security in this lawless internet allows you to achieve greater knowledge unhindered.
We offer a new model for proactive message delivery to mobile phones. SpotEx application can use any Wi-Fi access point as presence sensor that could activate delivery for some user-generated messages right to mobile phones.
The key idea is how to associate some user-defined messages and Wi-Fi access points. As a result we can build rule-based expert system that describes delivery (or visibility) for user-defined content depending on visibility of Wi-Fi hotspots.
SeaCat: SDN End-to-End Application ContainmentUS-Ignite
This demonstration shows how the SeaCat Application Containment Architecture secures a medical record system applications (OPENMRS) in an end-to-end manner. Using this framework, medical personal can securely access patient medial records from mobile devices without fear that patients/ medical records will accidentally be exposed/compromised by malware. Junguk Cho, David Johnson, Makito Kano and Kobus Van der Merwe, University of Utah
Security orchestration and automation for MSSPs alleviates these challenges and makes the process run effectively and efficiently. Automation and orchestration methods impact MSSPs in several important ways. Here’s how:
Automation : Enables response to low level tasks, while freeing analysts for higher value
Orchestration : One responsibility of an MSSP is to manage the tasks of client SOCs.
Visit - https://www.siemplify.co/mssp-security-orchestration-automation/
Presentation on Zero Trust model, used for the Codecademy Manipal Chapter event. Covers basic information about the Zero trust model, implementation, and benefits.
Get advice from security gurus on how to get up & running with SIEM quickly and painlessly. You'll learn about log collection, log management, log correlation, integrated data sources and how-to leverage threat intelligence into your SIEM implementation.
A more in-depth analysis of cyber forensics; but explained eloquently for the beginner, by Chaitanya Dhareshwar - Cyber Crime Investigator, Technocrat and Entrepreneur.
Learn what cyber forensics is all about and how you can begin using the basic tools of forensics in your day to day life. Not only does it make the world a safer place, your data remains significantly more secure.
Every step you take towards cyber security in this lawless internet allows you to achieve greater knowledge unhindered.
We offer a new model for proactive message delivery to mobile phones. SpotEx application can use any Wi-Fi access point as presence sensor that could activate delivery for some user-generated messages right to mobile phones.
The key idea is how to associate some user-defined messages and Wi-Fi access points. As a result we can build rule-based expert system that describes delivery (or visibility) for user-defined content depending on visibility of Wi-Fi hotspots.
SeaCat: SDN End-to-End Application ContainmentUS-Ignite
This demonstration shows how the SeaCat Application Containment Architecture secures a medical record system applications (OPENMRS) in an end-to-end manner. Using this framework, medical personal can securely access patient medial records from mobile devices without fear that patients/ medical records will accidentally be exposed/compromised by malware. Junguk Cho, David Johnson, Makito Kano and Kobus Van der Merwe, University of Utah
SecureDroid: An Android Security Framework Extension for Context-Aware policy...Giuseppe La Torre
Mobile devices became the main repository of personal data and source of user-generated contents as well as the principal controller of our social networked life. In this scenario, malicious applications try to take advantage of all the possibilities left open by users and operating systems. In this paper, we propose SecureDroid: an extension of the Android security frame- work able to enforce flexible and declarative security policies at run-time, providing a fine-grained access control system. In particular, we focus on context dependent policies that allow the user to specify the way in which applications work according to current context.
Usability Assessment of a Context-Aware and Personality-Based Mobile Recommen...Matthias Braunhofer
In this paper we present STS (South Tyrol Suggests), a context-aware mobile recommender system for places of interest (POIs) that integrates some innovative components, including: a personality questionnaire, i.e., a brief and entertaining questionnaire used by the system to learn users’ personality; an active learning module that acquires ratings-in-context for POIs that users are likely to have experienced; and a matrix factorization based recommendation module that leverages the personality information and several contextual factors in order to generate more relevant recommendations.
Adopting a system oriented perspective, we describe the assessment of the combination of the implemented components. We focus on usability aspects and report the end-user assessment of STS. It was obtained from a controlled live user study as well as from the log data produced by a larger sample of users that have freely downloaded and tried STS through Google Play Store. The result of the assessment showed that the overall usability of the system falls between “good” and “excellent”, it helped us to identify potential problems and it provided valuable indications for future system improvement.
Accurate and Efficient Secured Dynamic Multi-keyword Ranked SearchDakshineshwar Swain
A practically efficient and flexible searchable encrypted scheme which supports multi-keyword ranked search. To support multi-keyword search and result relevance ranking, we adopt Vector Space Model (VSM) to build the searchable index to achieve accurate search result.
ICRA: Intelligent Platform for Collaboration and InteractionLukas Tencer
Presentation for a class at Polytechnique Montreal. First halve focuses on presentation of the platform, second halve focuses on presentation of algorithms.
Adaptive security systems aim to protect critical
assets in the face of changes in their operational environment. We have argued that incorporating an explicit representation of the environment’s topology enables reasoning on the location of assets being protected and the proximity of potentially harmful agents. This paper proposes to engineer topology aware adaptive security systems by identifying violations of security requirements that may be caused by topological changes, and selecting a set of security controls that prevent such violations. Our approach
focuses on physical topologies; it maintains at runtime a live
representation of the topology which is updated when assets
or agents move, or when the structure of the physical space
is altered. When the topology changes, we look ahead at a
subset of the future system states. These states are reachable when the agents move within the physical space. If security requirements can be violated in future system states, a configuration of security controls is proactively applied to prevent the system from reaching those states. Thus, the system continuously adapts to topological stimuli, while maintaining requirements satisfaction. Security requirements are formally expressed using a propositional temporal logic, encoding spatial properties in Computation Tree Logic (CTL). The Ambient Calculus is used to represent the topology of the operational environment - including location of assets and agents - as well as to identify future system states that are reachable from the current one. The approach is demonstrated and evaluated using a substantive example concerned with physical access control.
An Ontology-based Decision Support Framework for Personalized Quality of Life...Marina Riga
Publication:
Riga, M., Kontopoulos, E., Karatzas, K., Vrochidis, S., Kompatsiaris, I. (2018) An Ontology-based Decision Support Framework for Personalized Quality of Life Recommendations. In Dargam F. et al. (Eds.) Proceedings of the 4th International Conference on Decision Support System Technology (ICDSST 2018), LNBIP 313, pp. 38–51, Heraklion, Greece, 22–25 May 2018, doi:10.1007/978-3-319-90315-6_4
Micro services Architecture with Vortex -- Part IAngelo Corsaro
Microservice Architectures — which are the norm in some domains — have recently received lots of attentions in general computing and are becoming the mainstream architectural style to develop distributed systems. As suggested by the name, the main idea behind micro services is to decompose complex applications in, small, autonomous and loosely coupled processes communicating through a language and platform independent API. This architectural style facilitates a modular approach to system-building.
This webcast will (1) introduce the main principles of the Microservice Architecture, (2) showcase how the Global Data Space abstraction provided by Vortex ideally support thee microservices architectural pattern, and (3) walk you through the design and implementation of a micro service application for a real-world use case.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
12. Related Work
• Context Aware Access Control
(extensions built on top of a
context insensitive model)
• Context Based Access Control
(inherently context
sensitive)
14. Extended RBAC Models
• Location Based
• Time Based
• Spatial-Temporal Based
• Environmental Role Based
• And many others…..
• Too specific
• Increased
Complexity
• Not widely
applicable
27. References[1] Hu, Vincent C., et al. "Guide to attribute based access control (ABAC) definition
and considerations (draft)." NIST Special Publication 800 (2013): 162.
[2] Hulsebosch, R. J., et al. "Context sensitive access control." Proceedings of the
tenth ACM symposium on Access control models and technologies. ACM, 2005.
[3] Zhang, Guangsen, and Manish Parashar. "Context-aware dynamic access
control for pervasive applications." Proceedings of the Communication Networks and
Distributed Systems Modeling and Simulation Conference. 2004.
[4] Covington, Michael J., and Manoj R. Sastry. "A contextual attribute-based
access control model." On the Move to Meaningful Internet Systems 2006: OTM 2006
Workshops. Springer Berlin Heidelberg, 2006.
[5] Kulkarni, Devdatta, and Anand Tripathi. "Context-aware role-based access
control in pervasive computing systems." Proceedings of the 13th ACM symposium on
Access control models and technologies. ACM, 2008.
[6] Martin, Hervé. "A generalized context-based access control model for pervasive
environments." Proceedings of the 2nd SIGSPATIAL ACM GIS 2009 International
Workshop on Security and Privacy in GIS and LBS. ACM, 2009.
[7] Ferraiolo, David F., et al. "Proposed NIST standard for role-based access
control." ACM Transactions on Information and System Security (TISSEC) 4.3 (2001):
224-274.
28. References[8] Hansen, Frode, and Vladimir Oleshchuk. "SRBAC: A spatial role-based access
control model for mobile systems." Proceedings of the 7th Nordic Workshop on Secure IT
Systems (NORDSEC’03). 2003.
[9] Covington, Michael J., et al. "Securing context-aware applications using
environment roles." Proceedings of the sixth ACM symposium on Access control models
and technologies. ACM, 2001.
[10] Ray, Indrakshi, Mahendra Kumar, and Lijun Yu. "LRBAC: a location-aware
role-based access control model." Information Systems Security. Springer Berlin
Heidelberg, 2006. 147-161.
[11] Ray, Indrakshi, and Manachai Toahchoodee. "A spatio-temporal role-based
access control model." Data and Applications Security XXI. Springer Berlin Heidelberg,
2007. 211-226.
[12] Kuhn, D. Richard, Edward J. Coyne, and Timothy R. Weil. "Adding attributes
to role-based access control." Computer 43.6 (2010): 79-81.
[13] Kim, Young-Gab, et al. "Context-aware access control mechanism for ubiquitous
applications." Advances in Web Intelligence. Springer Berlin Heidelberg, 2005. 236-242.
[14] Shen, Hai-bo, and Fan Hong. "An attribute-based access control model for web
services." Parallel and Distributed Computing, Applications and Technologies, 2006.
PDCAT'06. Seventh International Conference on. IEEE, 2006.
[15] Al-Muhtadi, Jalal, et al. "Cerberus: a context-aware security scheme for smart
spaces." Pervasive Computing and Communications, 2003.(PerCom 2003). Proceedings of
the First IEEE International Conference on. IEEE, 2003.
Editor's Notes
The topic of our paper is “XACML Profile for Attribute-Centric Context Based Access Control” and our group members include Arjumand Fatima and Sara Qamar. Our work was a little bit different from what most of you have done because you people presented survey on different topics but we actually proposed a solution based on the existing work done by other researchers.
So what is access control?
Access control can be defined in simple terms as “controlling access to sensitive resources” which means that instead of allowing everyone to do everything, only legitimate people should be allowed to perform legitimate operations.
After defining access control, the next question that comes in our mind is that how is access actually controlled? How access control actually works?
In actual access is controlled based on different factors such as identity, user roles or attributes etc. different access control models have been proposed which consider different decision factors and hence are termed according to these factors.
Traditionally, access control lists (ACLs), identity based access control (IBAC) and role based access control (RBAC) models were the most common ways used to control access. However, each one of them had certain limitations.
These limitations include but are not limited to the following.
All these models or mechanisms are context insensitive. If you are not sure about what exactly is meant by context insensitivity, wait a bit we’ll come to this shortly.
Secondly, they were suitable for static environments in which all the relevant information was available before hand.
Thirdly, they generally provide coarse grained access control and are thus not suitable for situations where fine grained authorization is required.
Fourthly, they require pre-defined users or roles to be available for controlling access. These requirements may not be clear in dynamically changing environments.
In today’s dynamically changing environments, contextual information plays an important role in making access control decisions. But what actually context is? What is meant by contextual information? And why should we really consider it an important factor?
Context can be used to define a specific situation by capturing the environmental settings in which an event occurs. These environmental settings may include who is requesting access from where and when and how is he/she trying to make the request etc.
Context sensitivity makes our applications much more powerful and closer to real life situations. Without considering contextual information, we only consider a user or a resource but with contextual information we consider a number of other factors such as time of day, specific date and day, location, temperature, operating system, type of application, network parameters, usage patterns and so on. Considering these factors make our access control decisions much more accurate and flexible and allow fine grained authorization.
Based on the requirements of diverse applications of today related to computing paradigms such as cloud computing and pervasive computing, and considering the requirements of a flexible access control model as identified by various researchers in the past, we consider a model which is applicable in
Dynamically changing environments,
Allows fine grained access control,
Ensures user anonymity and does not require prior identification or authentication of users,
Considers usage characteristics of users and resources,
Considers user and resource mobility
And hence, is applicable to pervasive and cloud computing applications.
So based on all these requirements we propose a “Context Based Access Control Model.” For simplicity, we ignore the term “Attribute – Centric” and we’ll discuss it shortly. So till now we have established the need of context based access control and we hope you are clear about it.
Next question may come to your mind that isn’t it already implemented or at least considered by researchers in the past? Yes, it isn’t a novel concept and has been under consideration of researchers for around a decade. Now your next question would probably something like “if it’s already available what’s new? What is our novel contribution?” we’ll explain our contribution shortly after explaining what has already been done in the past.
Existing work done by various researchers can be broadly classified as
Context Aware Access Control
Context Based Access Control
Context Aware Access Control covers the solutions which are an extension of existing access control models which were actually context insensitive but were extended or enhanced to deal with contextual information. These extensions were mostly made on the core RBAC model as defined by NIST. If you want to know what RBAC is? Don’t worry we will explain it further.
Context Based Access Control. This category includes access control solutions that are inherently context sensitive and consider contextual attributes as a fundamental factor for making access control decisions. Our proposed solution is a Context Based Access Control Model. We’ll explain our model in detail in the next section.
Context Aware Access Control solutions proposed previously were mostly based on Role Based Access Control Model. As the name specifies, RBAC model controls access based on the organizational roles.
In the past various researchers proposed different extensions to the core RBAC model proposed by NIST. A few of these extensions included
Location Based RBAC
Time Based RBAC
Spatial-Temporal Based RBAC
Environmental RBAC
And similarly many others…..
However, all these proposed solutions had some common problems.
They were too specific because each of these models was focused on considering a specific contextual parameter such as time or location or environment etc.
In trying to add context awareness to RBAC model, things became too complex.
These solutions were not widely applicable as they focused on solving problems related to a specific domain only.
The core RBAC model proposed by NIST can be considered as a 3 step process. The first step is role engineering which involves identifying the appropriate roles in a system or organization.
Second step in RBAC is assigning permissions to these roles based on the requirements of access control.
The third step is assigning these previously identified roles to users.
We discussed these 3 steps with you in order to demonstrate the complexity and pre-processing involved in using RBAC model.
This may become a costly and time consuming process if the management hierarchy is not well defined. RBAC is most appropriate for an enterprise setup in which well-defined and disjoint roles can be identified. It may become inappropriate in situations where users cannot be identified or predicted before hand.
Apart from the role engineering and permission assignment steps, roles further need to be activated and deactivated from time to time. Failure to activate and deactivate these roles may result in unauthorized access to sensitive resources. Consider for example, I have been working in SEECS as a RA from 9am to 5pm and then studying from 5.30pm to 8.30pm. Following an RBAC approach, the RA role should be activated from 9am to 5pm and deactivated otherwise. Similarly student role should be activated only from 5.30pm to 8.30pm.
Consider there is a role manager. All the people working under a designation “manager” are assigned that role. But after some time the organization feels that there is a difference in the responsibilities of managers working in the evening shift from those working in the morning. So instead of one manager role, two roles are now required i.e. manager_morning, manager_evening. Then sometime later the organization feels that managers working in different regions may have different rights. The roles are further increased e.g. manager_morning_north, manager_morning_south, manager_evening_north and so on. Hence, as the requirements become more and more clarified, the identified roles may increase to such an extent that their management becomes too complex and costly. This results in role explosion.
A relatively newer model for controlling access is known as Attribute Based Access Control (ABAC) Model. This model controls access based on the attributes of Subject, Resource as well as Environment. This provides a greater flexibility for making access control decisions as compared to traditional methods which were mostly subject-centric and did not consider resource or environment as the primary factor.
Examples of Subject Attributes include but are not limited to a unique identity, may be non-unique name, age, role, department, designation, location, membership and experience etc. It must be noted that the identity as well as roles are merely attributes in this model as compared to the only factor for controlling access in IBAC and RBAC models respectively.
Examples of resource attributes include but are not limited to the unique resource identity and various other non-unique attributes such as size, content, path, access time, creation time, last modification time, location, resource owned by, content type and so on.
Environment attributes can be considered as the information which is independent of both subject and resource but are required for controlling access to resources. Examples may include but are not limited to time, date, day, month, year, season, temperature, weather conditions, occurrence of some specific event such as cycling race or spring festival, presence of some specific location such as on a picnic spot or sea view.
In 2010, an IEEE publication by kuhn et. al. presented “Adding attributes to role based access control”. In their work, they presented 9 possible ways of combining the user/subject identity, roles and other attributes to control access. Resultantly, 7 different approaches can be used for this purpose. Previously, work has been done on one of these approaches namely role centric approach.
One of those 7 possible ways was termed as attribute centric approach. It considers user/subject identity and roles as mere attributes for controlling access to sensitive resources. We found this approach to be the most appropriate for designing a Context Based Access Control Model.
We reviewed these papers during our effort to propose the presented model.