Information flow-based Risk Assessment in Access Control Systems

Presentation transcript:

Information flow-based Risk Assessment in Access Control Systems
Sofiene Boulares, PhD student; Luigi Logrippo, Supervisor
Université du Québec en Outaouais, Gatineau, Québec, Canada
sofiene.boulares@uqo.ca; luigi.logrippo@uqo.ca

Agenda
- Toward flexible risk-based access control
- Expected contributions
- Steps of the proposed approach
  - Dynamic determination of objects' and subjects' security levels
  - Information flow-based assessment of intrinsic likelihood
  - Likelihood assessment
  - Impact assessment
  - Risk assessment
- Overall view of the approach
- Process flow based on the XACML architecture
- Conclusion and future work

Toward flexible risk-based access control
- Most current access control systems simply give a yes/no answer to access requests, usually based on security administrator decisions that are taken off-line.
- In many applications this is too rigid and static: changing situations are not taken into account.
- We propose an information flow-based risk assessment approach that dynamically evaluates the risk of accessing information.
- Information flow is the transfer of information from subjects to objects and vice versa.
- As information moves in the system, the risk levels of subjects and objects change.
- The results of this assessment can be used by access control systems in a variety of ways.

Risk-based access control
Access request -> Access control system (Policy + Acceptable Risk Score) -> Decision
- If Risk(Access request) > Acceptable Risk Score: Decision = Deny
- If Risk(Access request) ≤ Acceptable Risk Score: Decision = Grant

Expected contributions
- Dynamic determination of subjects' and objects' security levels: a history-based approach that takes past accesses into account.
- Threat likelihood assessment: an information flow-based approach for assessing threat likelihood.
- Risk assessment: security controls are included in the risk assessment.
- Evaluation principles will be given and evaluation formulas will be proposed.

Steps of the proposed approach for risk assessment
1. Determination of the security levels of objects and subjects
2. Intrinsic likelihood assessment
3. Likelihood assessment
4. Impact assessment
5. Risk assessment

Basic assumptions
- Security levels of subjects and sensitivity levels of objects have previously been assessed at initial values; they can change as a result of information flow.
- A Read action creates an information flow from an object to a subject.
- A Write action creates an information flow from a subject to an object.
- Subjects can increase their security levels as they acquire information from higher levels.
- Objects can increase their sensitivity as they receive information from higher levels.
- The number of accesses to different objects can also be important.

Determination of subjects' and objects' security levels
To analyze the access history, many factors are considered:
- Levels of subjects and objects
- Number of previous accesses
- Inference problems: aggregation and association
- Actions requested and security criteria
Figure: the access history feeds the determination of both the object's security level and the subject's security level.

Access history-based subject security level
Arrows in the figure show the direction in which information flows between subjects and objects; security levels are shown as different heights in the drawing.
- Subject level (Request 1) < Subject level (Request 2): no objects were previously read in example 1, while the write request in example 2 is preceded by a read access to an object whose security level is higher than the subject's.
- Subject level (Request 2) < Subject level (Request 3): the subject of Request 3 has read an object at a higher security level than the one read in example 2.
- Subject level (Request 3) < Subject level (Request 4): the number of previously read objects with higher security levels is greater in example 4 than in example 3.
Figure: Examples 1 to 4, each showing the previous read accesses followed by the requested write access (Requests 1 to 4).

Impact of previous accesses on subject security level
- Property 1: If the level of the higher-level objects previously read increases, then the security level of the subject increases.
- Property 2: If the number of higher-level objects previously read increases, then the security level of the subject increases.

Access history-based object security level
- Object level (Request 1) < Object level (Request 2): in example 1 only a subject at the same level has written to the object, while the read request in example 2 is preceded by a write access by a subject whose security level is higher than the object's.
- Object level (Request 2) < Object level (Request 3): the subject who previously wrote to the object in example 3 has a higher security level than the subject who wrote to the object in example 2.
- Object level (Request 3) < Object level (Request 4): more subjects have previously written to the object in example 4 than in example 3.
Figure: Examples 1 to 4, each showing the previous write accesses followed by the requested read access (Requests 1 to 4).

Impact of previous accesses on object security level
- Property 3: If the levels of the subjects who have previously written to an object increase, then the security level of the object increases.
- Property 4: If the number of subjects who have previously written to an object increases, then the security level of the object increases.
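The slides state Properties 1 to 4 but leave the level formulas to future work. The following added example (not the authors' code) is one assumed instantiation that satisfies all four properties and reproduces the four subject-level and four object-level scenarios of the preceding slides; the increment STEP and the concrete level values are assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed formula (not from the slides): an entity's effective level is its initial
# level unless higher-level information has flowed into it; then it is the highest
# such level plus STEP for every additional higher-level flow. It therefore grows with
# both the level (Properties 1 and 3) and the number (Properties 2 and 4) of flows.
STEP = 0.5  # assumed increment per extra higher-level flow


@dataclass
class Entity:
    name: str
    initial_level: int
    inflows: List[float] = field(default_factory=list)  # levels that flowed in

    def level(self) -> float:
        higher = [lvl for lvl in self.inflows if lvl > self.initial_level]
        if not higher:
            return float(self.initial_level)
        return max(higher) + STEP * (len(higher) - 1)


def read(subject: Entity, obj: Entity) -> None:
    """Read: information flows object -> subject, so the subject may rise."""
    subject.inflows.append(obj.level())


def write(subject: Entity, obj: Entity) -> None:
    """Write: information flows subject -> object, so the object may rise."""
    obj.inflows.append(subject.level())


def subject_level_examples() -> List[float]:
    """Subject levels for the four write-request scenarios (constructed levels)."""
    secret, top = Entity("secret-doc", 3), Entity("top-doc", 4)
    s1 = Entity("s1", 2)                                    # example 1: nothing read
    s2 = Entity("s2", 2); read(s2, secret)                  # example 2: one higher object
    s3 = Entity("s3", 2); read(s3, top)                     # example 3: even higher object
    s4 = Entity("s4", 2); read(s4, top); read(s4, secret)   # example 4: more higher objects
    return [s.level() for s in (s1, s2, s3, s4)]


def object_level_examples() -> List[float]:
    """Object levels for the four read-request scenarios (constructed levels)."""
    o1, o2, o3, o4 = (Entity(f"o{i}", 2) for i in range(1, 5))
    write(Entity("peer", 2), o1)                            # example 1: same-level writer
    write(Entity("secret-user", 3), o2)                     # example 2: higher writer
    write(Entity("top-user", 4), o3)                        # example 3: even higher writer
    write(Entity("top-user", 4), o4); write(Entity("secret-user", 3), o4)  # example 4
    return [o.level() for o in (o1, o2, o3, o4)]


if __name__ == "__main__":
    print("subject levels, requests 1-4:", subject_level_examples())
    print("object levels, requests 1-4:", object_level_examples())
```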

Inference problems
Data inference is considered. There are two important cases of the inference problem [2]:
- Because of aggregation, a collection of data items can be classified at a higher level than the levels of the individual data items by themselves. Example: the content of a medical file is Secret, but the aggregate information concerning all the medical files is Top Secret.
- Because of data association, two values seen together can be classified at a higher level than the classification of either value individually. Example: the file containing the names of the employees and the file containing their social insurance numbers are unclassified, while a combined file giving employee names with their social insurance numbers is classified.
Figure: objects with levels (4), (1), (2), (3), (2), (1), three of which are inside a circle. A subject who reads the three objects inside the circle will hold information at security level 4, even though the level of each object considered separately is less than 4.

Intrinsic likelihood assessment
Intrinsic likelihood: the probability that the risk in question will occur, in the context of the organization concerned, in the absence of any security control [3].
Intuitively, the measure of the intrinsic likelihood of a threat caused by the action read is affected by two general principles:
- Principle 1: Intrinsic likelihood increases as the object's confidentiality level increases.
- Principle 2: Intrinsic likelihood increases as the subject's confidentiality level decreases.
The measure of the intrinsic likelihood of a threat caused by the action write is affected by two general principles:
- Principle 3: Intrinsic likelihood increases as the object's confidentiality level decreases.
- Principle 4: Intrinsic likelihood increases as the subject's confidentiality level increases.

Access request risk knowledge base
To assess the risk of access requests, we use an access request risk knowledge base that includes:
- The description of the characteristic elements of each access request risk
- The information on the relevant security controls for each type of risk
- The relationship between the quality of these controls and the effectiveness of the risk reduction factors

Security controls for likelihood reduction
"Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of a system and its information" [4].
Example:
- Case 1: an access request in an environment where maximum-level security controls are implemented (strong authentication, efficient encryption algorithm, etc.)
- Case 2: the same access request in an environment where fewer security controls are implemented
Intuitively, likelihood in case 1 is higher than in case 2. Security controls are therefore a parameter to be considered when assessing the risk of access requests.

Security control categories
- Dissuasive and preventive controls act on likelihood
  - Dissuasive controls: access auditing
  - Preventive controls: strong authentication
- Protective and palliative controls act on impact
  - Protective controls: interdiction of accesses
  - Palliative controls: for integrity, backing up files before authorizing access

Likelihood assessment with reductions
Likelihood: the probability that a specific risk will occur, in the context of the organization concerned [3].
Suitable controls can reduce risk likelihood through diverse mechanisms that may act independently or cumulatively. Security controls for likelihood reduction can be divided into two types:
- Dissuasive controls, which target human actions and aim at making it less likely that an actor will actually perform the action
- Preventive controls, which aim at making it less likely that any action leads to the occurrence of the risk
Dissuasion and prevention are the likelihood reduction factors; these factors should be evaluated.
Figure: the security controls for likelihood reduction are applied to the intrinsic likelihood to obtain the likelihood.
Likelihood(s, o, a, E) = Intrinsic_likelihood(s, a, o) / Likelihood_controls(s, a, o, E)

Impact assessment
Impact: the consequence, for the organization concerned, if the risk in question occurs [3].
Suitable controls can reduce risk impact (the level of its consequences) through diverse mechanisms that may act independently or cumulatively. Security controls for impact reduction can be classified into two types:
- Confinement controls, which aim to limit the magnitude of the direct consequences
- Palliative controls, which aim to minimize the indirect consequences of a risk by anticipating crisis management
Confinement and palliation constitute the impact reduction factors; these factors should be evaluated.
Figure: the security controls for impact reduction are applied to the object's security level to obtain the impact.
Impact(o, a, E) = Object_security_level(o, a) / Impact_controls(o, a, E)

Risk assessment
S: set of subjects, s ∈ S; O: set of objects, o ∈ O; A: set of actions, a ∈ A; E: environment.
Risk(s, o, a, E) = Impact(o, a, E) × Likelihood(s, o, a, E)
- Impact is a function of the object's security level and the security controls for impact reduction.
- Likelihood is a function of the subject's security level, the object's security level and the security controls for likelihood reduction.
- × can denote multiplication or another suitable function.
Figure: impact and likelihood combine into risk.
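To show how the likelihood, impact and risk formulas of the preceding slides fit together with the grant/deny rule of the risk-based access control slide, here is an added example that is not the authors' code. The concrete intrinsic-likelihood formula (baseline 1 plus the unfavourable level gap, following Principles 1 to 4), the control ratings used as divisors (1.0 = control absent), the assumption that controls of one family combine multiplicatively, and the acceptable risk score are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Environment:
    """Assumed ratings (>= 1.0) of the four control categories named in the slides."""
    dissuasive: float = 1.0   # acts on likelihood, e.g. access auditing
    preventive: float = 1.0   # acts on likelihood, e.g. strong authentication
    confinement: float = 1.0  # acts on impact, e.g. interdiction of accesses
    palliative: float = 1.0   # acts on impact, e.g. backup before authorizing access

    def likelihood_controls(self) -> float:
        return self.dissuasive * self.preventive    # assumed cumulative effect

    def impact_controls(self) -> float:
        return self.confinement * self.palliative   # assumed cumulative effect


def intrinsic_likelihood(s_level: float, o_level: float, action: str) -> float:
    """Principles 1-4: read grows with (object - subject), write with (subject - object)."""
    if action == "read":
        gap = o_level - s_level
    elif action == "write":
        gap = s_level - o_level
    else:
        raise ValueError(f"unknown action {action!r}")
    return 1.0 + max(0.0, gap)   # assumed shape: baseline 1, no credit for safe gaps


def likelihood(s_level: float, o_level: float, action: str, env: Environment) -> float:
    return intrinsic_likelihood(s_level, o_level, action) / env.likelihood_controls()


def impact(o_level: float, action: str, env: Environment) -> float:
    # The slides make the object level depend on (o, a); here it is taken as given.
    return o_level / env.impact_controls()


def risk(s_level: float, o_level: float, action: str, env: Environment) -> float:
    return impact(o_level, action, env) * likelihood(s_level, o_level, action, env)


def decide(s_level: float, o_level: float, action: str, env: Environment,
           acceptable: float) -> str:
    """Risk-based decision rule: grant iff Risk(request) <= Acceptable Risk Score."""
    return "Grant" if risk(s_level, o_level, action, env) <= acceptable else "Deny"


# Constructed environments: case 1 (maximum controls) and case 2 (fewer controls).
STRONG = Environment(dissuasive=2.0, preventive=2.0, confinement=1.0, palliative=2.0)
WEAK = Environment()
ACCEPTABLE = 5.0  # assumed acceptable risk score


def example_decisions() -> dict:
    """Same request (level-2 subject reads level-4 object) in both environments."""
    return {
        "case1_risk": risk(2, 4, "read", STRONG),
        "case1_decision": decide(2, 4, "read", STRONG, ACCEPTABLE),
        "case2_risk": risk(2, 4, "read", WEAK),
        "case2_decision": decide(2, 4, "read", WEAK, ACCEPTABLE),
    }


if __name__ == "__main__":
    print(example_decisions())
```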

Overall view of the proposed approach (putting it all together)
Figure: the access history determines the object's security level and the subject's security level; these give the intrinsic impact and the intrinsic likelihood; the security controls for impact reduction and for likelihood reduction turn these into the impact and the likelihood, which combine into the risk.

Process flow based on the XACML architecture
In our proposed method:
- Subject and object attributes keep a history of all accesses.
- The risk calculator analyzes the attributes, the security levels and the security controls to compute the risk.
- The Policy Decision Point (PDP) requests information about the risk values and then takes the decision.
- Obligations update the attributes after access is granted and reduce the risk when needed.

Conclusion
- Risk-based access control decisions that consider impact and likelihood.
- Impact and likelihood calculations are based on the security levels of subjects and objects, determined according to information flow, i.e. access histories.
- Security controls for impact and likelihood reduction are also considered.

Future work
- Formalization of the concepts.
- Formulas for determining subject and object levels.
- Formulas for likelihood and impact assessment.
- Consideration of time and location when determining the security levels of objects and subjects.
- Identification of obligations that act on precise parameters with precise values of risk reduction.

Research framework
This project is part of a set of projects of our group that are investigating:
- Policy languages and access control models for the Cloud and for the Web
- Data access and flow control in workflow contexts

References
[1] http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
[2] http://profsandhu.com/articles/auerbach/a93dsc.pdf
[3] http://www.clusif.asso.fr/fr/production/ouvrages/pdf/MEHARI-2010-Principles-Specifications.pdf
[4] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf