As discussed previously, the potential for the abuse of privileged access rights is seen as a major vulnerability for organisations in being susceptible to insider threat [104]. This thesis positions that whilst access control seeks to provide assurances in confidentiality and availability of an organisation’s resources, it also presents vulnerabilities given the fact that users can abuse their access. Traditional approaches can no longer be seen as enough to assure confidentiality of resources, as no assumption is made about how a user is utilising their access. It is therefore important to consider user behaviour alongside the traditional assignment of user privileges, prior to awarding access.
To this end, a number of recent methods extend access control beyond the traditional mechanisms of RBAC and instead enable dynamic qualities. These dynamic access control approaches [18, 19, 66, 109] incorporate mechanisms from detection-based systems, as well as broadening the criteria upon which access is decided.
Usage Control (UCON) [109] builds upon traditional access control models whereby obligations and conditions are used to assess a subject’s usage of a resource, as part of an access decision. A novel aspect of UCON is its ability to capture a subject’s state within a resource, and use this as a contributing factor within the access decision. Whilst the UCON model is sophisticated in identifying and managing a subject’s usage, it only allows for a transient solution to managing insider threat. For example, a subject could invalidate usage requirements for a particular resource, but go on to access other resources despite being seen as a threat. In addition, the UCON approach to access control has the potential to become complex, with usage rules woven with traditional access control rules on a per-resource basis. Lastly, whilst UCON extends access control to constrain access, its view of usage is scoped only to user access of protected resources. To build an accurate picture of insider threat, additional dimensions should be considered, such as social factors and contextual information (e.g., whether the subject is accessing the resource from an untrustworthy connection).
CHAPTER 2. LITERATURE REVIEW 24
A step forward from usage is the inclusion of trust and reputation when generating an access control decision, via a Trust Policy Decision Point [19]. Here, a weighting of trust is calculated based on the usage or feedback from resources, providing additional context to a subject’s usage. Serrano et al. [127] explore trust management to achieve access control. Within trust management, subjects and protected resources are given a level of trust, calculated from dimensions such as past behaviour of the subject, the access rights they already own, the issuer of access rights, and feedback from other subjects / resource owners.
In similar work by Bistarelli et al. [18], a formal framework for trust policy negotiation is proposed. In contrast to Serrano et al., access is awarded through the reasoning of access control policies and a trust level generated from a subject’s given set of credentials. An interesting aspect of this work is that Bistarelli et al. state that not all subjects will know all the required credentials for access. Therefore they propose an additional control that notifies the subject of the required credentials, providing a subject is deemed trustworthy enough. This adds an extra level of security to prevent unnecessary revealing of requirements for access, knowledge of which could be abused by a malicious subject.
Both works seek to improve the accuracy of access decisions (and so mitigate insider threat) by assessing a level of trust or reputation for subjects. Such methods are more readily applied in federated environments; Serrano et al. suggest PayPal as an application domain (using trust to authorise payments). However, the methods proposed demonstrate a single authorisation technique, lacking integration with current standards (RBAC) and existing access control systems. In addition, neither addresses what should happen once an insider attack has occurred, where the approach may fail to mitigate it. From the viewpoint of a system administrator, one would expect that a subject who abuses their credentials has their credentials or access rights removed entirely. Trust management is limited in this case, as the static rules defined result only in transient limitations of access.
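As an added illustration (not code from the thesis or from the cited works) of the transient limitation discussed above, the following constructed Python check combines an RBAC assignment with a UCON-style per-resource usage condition, beside a variant that folds breaches into a subject-level trust score so that a breach on one resource also affects access to the others. The roles, resources, usage limits, trust penalty and trust threshold are all assumed values chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed RBAC assignment: role -> resources the role may access.
PERMISSIONS = {"analyst": {"reports", "customer_db"}}
# Constructed UCON-style condition: how many times a resource may be used per session.
USAGE_LIMIT = {"reports": 3, "customer_db": 1}
TRUST_FLOOR = 0.5  # assumed threshold below which a subject is denied everywhere


@dataclass
class Subject:
    name: str
    roles: set
    trust: float = 1.0                           # subject-level trust (assumed scale 0..1)
    usage: dict = field(default_factory=dict)    # resource -> uses so far this session


def rbac_permits(subj, resource):
    """Traditional RBAC: does any of the subject's roles cover the resource?"""
    return any(resource in PERMISSIONS.get(r, set()) for r in subj.roles)


def ucon_decide(subj, resource):
    """RBAC plus a per-resource usage condition; a breach affects only that resource."""
    if not rbac_permits(subj, resource):
        return False
    used = subj.usage.get(resource, 0)
    subj.usage[resource] = used + 1
    return used < USAGE_LIMIT[resource]


def trust_decide(subj, resource, penalty=0.3):
    """Same check, but each breach lowers a trust score that gates every resource."""
    if subj.trust < TRUST_FLOOR or not rbac_permits(subj, resource):
        return False
    used = subj.usage.get(resource, 0)
    subj.usage[resource] = used + 1
    if used >= USAGE_LIMIT[resource]:
        subj.trust -= penalty   # accumulated breaches eventually deny all access
        return False
    return True


def run(decide):
    """Constructed scenario: exhaust customer_db three times, then request reports."""
    s = Subject("mallory", {"analyst"})
    results = [decide(s, "customer_db") for _ in range(3)]
    results.append(decide(s, "reports"))
    return results
```

With `ucon_decide` the final request for `reports` is still granted after repeated breaches on `customer_db`; with `trust_decide` the two breaches drive trust from 1.0 to 0.4, below the floor, so it is refused.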
Lastly, similar dynamic approaches specialise in expressing access control rules with a set of temporal constraints [66]. In this instance, access control policies contain a set of branch-like rules, relevant to a set of system and environment states. Given a state that conforms to a temporal constraint or one that exhibits a particular event, access control mechanisms are constrained to a branch of relevant access control rules. This approach to enabling dynamic access control (along with the aforementioned) is defined as dynamic policies.
The dynamic policy approach, whilst capable of preventing access based on foreseen threats, has several limitations. It requires dynamic policies to contain a comprehensive set of access control rules that accommodate every potential risk of abuse at runtime. The approach is also vulnerable in the sense that any prevention of access is bound to a particular state, meaning that it is open to potential subterfuge (i.e., in the perception of trust of a subject) and that prevention of access is transient.