Situational Awareness based Risk-adaptable Access Control in Enterprise Networks

Brian Lee, Roman Vanickis, Franklin Rogelio, Paul Jacob

Abstract

As the computing landscape evolves towards distributed architectures such as the Internet of Things (IoT), enterprises are moving away from traditional perimeter-based security models toward so-called “zero trust networking” (ZTN) models that treat both the intranet and Internet as equally untrustworthy. Such security models incorporate risk arising from dynamic and situational factors, such as device location and security risk level, into the access control decision. Researchers have developed a number of risk models, such as RAdAC (Risk Adaptable Access Control), to handle dynamic contexts, and these have been applied to medical and other scenarios. In this position paper we describe our ongoing work to apply RAdAC to ZTN. We develop a policy management framework, FURZE, to facilitate fuzzy risk evaluation that also defines how to adapt to dynamically changing contexts. We also consider how enterprise security situational awareness (SSA), which describes the potential impact to an organisation's mission based on the current threats and the relative importance of the information asset under threat, can be incorporated into a RAdAC scheme.



Paper Citation


in Harvard Style

Lee B., Vanickis R., Rogelio F. and Jacob P. (2017). Situational Awareness based Risk-adaptable Access Control in Enterprise Networks. In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS, ISBN 978-989-758-245-5, pages 400-405. DOI: 10.5220/0006363404000405


in Bibtex Style

@conference{iotbds17,
author={Brian Lee and Roman Vanickis and Franklin Rogelio and Paul Jacob},
title={Situational Awareness based Risk-adaptable Access Control in Enterprise Networks},
booktitle={Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS},
year={2017},
pages={400-405},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006363404000405},
isbn={978-989-758-245-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS
TI - Situational Awareness based Risk-adaptable Access Control in Enterprise Networks
SN - 978-989-758-245-5
AU - Lee B.
AU - Vanickis R.
AU - Rogelio F.
AU - Jacob P.
PY - 2017
SP - 400
EP - 405
DO - 10.5220/0006363404000405