XACML and Risk-Aware Access Control

Liang Chen, Luca Gasparini, Timothy J. Norman

2013

Abstract

Risk-aware access control (RAAC) has shown promise as an approach to addressing the increasing need to share information securely in dynamic environments. For such models to realise their promise, however, principled, standards-based software engineering methods are essential. XACML is an XML-based OASIS standard for the specification and evaluation of access control policies. In this paper we explore the use of XACML as a means of implementing RAAC. We abstract the core components of RAAC relevant to risk management, and show how these may be implemented using standard XACML features.


Paper Citation


in Harvard Style

Chen L., Gasparini L. and Norman T. (2013). XACML and Risk-Aware Access Control. In Proceedings of the 10th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2013) ISBN 978-989-8565-64-8, pages 66-75. DOI: 10.5220/0004609200660075


in Bibtex Style

@conference{wosis13,
author={Liang Chen and Luca Gasparini and Timothy J. Norman},
title={XACML and Risk-Aware Access Control},
booktitle={Proceedings of the 10th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2013)},
year={2013},
pages={66-75},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004609200660075},
isbn={978-989-8565-64-8},
}
