UWSpace is currently experiencing technical difficulties resulting from its recent migration to a new version of its software. These technical issues are not affecting the submission and browse features of the site. UWaterloo community members may continue submitting items to UWSpace. We apologize for the inconvenience, and are actively working to resolve these technical issues.
 

A Dynamic Risk-Based Access Control Approach: Model and Implementation

Thumbnail Image

Files

Savinov_Sergey.pdf (3.62 MB)

Date

2017-05-18

Authors

Savinov, Sergey

Journal Title

Journal ISSN

Volume Title

Publisher

University of Waterloo

Abstract

Access control (AC) refers to mechanisms and policies that restrict access to resources, thus regulating access to physical or virtual resources of an information system. AC approaches are used to represent these mechanisms and policies by which users are granted access and specific access privileges to the resources or information of the system for which AC is provided. Traditional AC approaches encompass a variety of widely used approaches, including attribute-based access control (ABAC), mandatory access control (MAC), discretionary access control (DAC) and role-based access control (RBAC). Emerging AC approaches include risk adaptive access control (RAdAC), an approach that suggests that AC can adapt depending on specific situations. However, traditional and emerging AC approaches rely on static pre-defined risk mitigation tasks and do not support the adaptation of an AC risk mitigation process (RMP). There are no provided mechanisms and automated support that allow AC approaches to construct RMPs and to adapt to provide more flexible, custom-tailored responses to specific situations in order to minimize risks. Further, although existing AC approaches can operate in several knowledge domains at once, they do not explicitly take into account the relationships among risks related to different dimensions, e.g., security, productivity. In addition, although in the real world, risks accumulate over time, existing AC approaches do not appropriately provide means for risk resolution in situations in which risks accumulate as different, dangerous tasks impact risk measures. This thesis presents the definition, the implementation, and the application through two case studies of a novel AC risk-mitigation approach that combines dynamic RMP construction and risk assessment extended to include forecasting based on multiple risk-related utilities and events; provides support for a dynamic risk assessment that depends on one or multiple risk dimensions (e.g., security and productivity); offers cumulative risk assessment in which each action of interest can impact the risk-related utilities in a dynamic way; and presents an implementation of an adaptive simulation method based on risk-related utilities and events.

Description

Keywords

risk, RAdAC, access control, benefit, mitigation, remediation, dynamic, adaptive, implementation, automated, utility, process construction, quantitative, obligation, resources, process, task sequence, forecasting, projection, events, domain, framework, software development, runtime, real-time, privacy, accumulation, alternative, critical, access denial, deny, information leak, social engineering, XACML, information security, risk analysis, risk assessment

LC Keywords

Citation

URI

http://hdl.handle.net/10012/11917

Collections

Theses
Computer Science