Attribute Threat Analysis and Risk Assessment for ABAC and TBAC Systems

Leonard Bradatsch, Artur Hermann, Frank Kargl

2024

Abstract

As enterprises increasingly adopt Zero Trust security, access control based on attributes is regaining attention as a core aspect of Zero Trust. Evaluating the accuracy of access decisions is a vital aspect of securing access control systems, typically involving threat analysis and risk assessment. A notable threat is attackers gaining illegitimate access by compromising the attributes checked by the access control policies. However, a systematic methodology for assessing attribute compromise risk is lacking. Knowing this risk aids in designing more accurate access control policies. This paper introduces a novel framework to address this gap, using modeled attackers and enterprises for risk assessment of attribute compromise. We also present a detailed case study featuring six attackers and two enterprises, demonstrating the framework’s practicality and providing insights into the security strength of fifteen common access control attributes. In the context of the case study, attributes such as Certificate Authentication, along with User Usage and Device Usage, which both reflect the coupling of users and devices, demonstrated high resilience against compromise attempts.


Paper Citation


in Harvard Style

Bradatsch L., Hermann A. and Kargl F. (2024). Attribute Threat Analysis and Risk Assessment for ABAC and TBAC Systems. In Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT; ISBN 978-989-758-709-2, SciTePress, pages 26-39. DOI: 10.5220/0012715300003767


in Bibtex Style

@conference{secrypt24,
author={Leonard Bradatsch and Artur Hermann and Frank Kargl},
title={Attribute Threat Analysis and Risk Assessment for ABAC and TBAC Systems},
booktitle={Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2024},
pages={26-39},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012715300003767},
isbn={978-989-758-709-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - Attribute Threat Analysis and Risk Assessment for ABAC and TBAC Systems
SN - 978-989-758-709-2
AU - Bradatsch L.
AU - Hermann A.
AU - Kargl F.
PY - 2024
SP - 26
EP - 39
DO - 10.5220/0012715300003767
PB - SciTePress