Feb 9, 2012

Context-enhanced Authorization

Context information can make authorization management more flexible and more secure. Knowing when and where users are, and what they are up to helps in determining which access rules to apply. We recently did a project with Rabobank and IBM where we ask (and answer) questions such as: 
  • What authorization related use-cases could benefit from context information?
  • Which context-sources are relevant, mature enough, secure enough to be used today (or in the very near future)?
  • How to deal with the (lack of) quality and authenticity of context?
  • How does context information interact with authorization standards such as XACML and today's implementations of those standards? (See my previous posts for more technical details on the hands-on XACML work that we did in that project.)


The main lessons learned (the answers to the above questions) are:
  • Typical use-cases can be found in the area of the mobile workforce ("nomadic working", etc.). As organizations introduce these new ways of working, traditional security policies that are only based on (authenticated) identity and static roles and entitlements are too strict and too coarse-grained. Context can make a difference here and allows finer-grained access so that, for example, medium level security tasks can be performed from home if the context allows this.
  • A model for context-information can be constructed around different context-types, some traditional (location, time, ...), some more exotic (physiological, mental, social, ...). The above use-cases can already be adressed with the more traditional context-sources: location, time, proximity, device id, network id. These basic context-sources are readily available, and are under control of the organization.
  • The easiest way to deal with authenticity and quality of context is to rely on trusted context-sources that are under control of the organization.
  • Externalization of authorization, such as propagated by the Attribute Based Access Control (ABAC) paradigm (and facilitated by standards such as XACML) works well in practice when combined with context information. In a demonstrator (see video above) we showed that adding context to authorization policies managed by Tivoli Security Policy Manager (a XACML IBM product) comes down to adding a policy information point. Relying applications only need to understand XACML in order to become context-enabled.
Obviously, there are questions left for future research. How to deal with privacy issues is one of them. Complexity of policies and other scalability and performance issues form another. Want to read more? Go check out the project page or read the white paper.

4 comments:

  1. PTLLS Course is introduced to produces skillful bulk of youngsters to ensure sound security procedures, This is elaborated with evaluation and assignments in a reasonable fee......

    ReplyDelete
  2. Hi,
    It is very informative and very helpful on my research regarding seo techniques. Thanks for sharing this post.
    Authentication Services

    ReplyDelete
  3. Very interesting post. Thanks for sharing it! It is always a joy to learn something that I didn't know. I have you to thank for teaching me something new, and I appreciate it very much. :-)

    see here my post topic on Lead acid batteries manufacturers

    Recycled PP granules Manufacturers

    ReplyDelete
  4. I really appreciate information shared above. It’s of great help. If someone want to learn Online (Virtual) instructor lead live training in IBM TIVOLI IDENTITY/ACESS MANAGER , kindly contact us http://www.maxmunus.com/contact
    MaxMunus Offer World Class Virtual Instructor led training on IBM TIVOLI IDENTITY/ACESS MANAGER. We have industry expert trainer. We provide Training Material and Software Support. MaxMunus has successfully conducted 100000+ trainings in India, USA, UK, Australlia, Switzerland, Qatar, Saudi Arabia, Bangladesh, Bahrain and UAE etc.
    For Demo Contact us.
    Avishek Priyadarshi
    MaxMunus
    E-mail: avishek@maxmunus.com
    Skype id: avishek_2 .
    Ph:(0) 8553177744 / 080 - 41103383
    http://www.maxmunus.com/

    ReplyDelete