Access control obligation specification and enforcement using behavior pattern language
Date
2018-01-01
Abstract
The growing use of Internet-connected devices lets users access and share resources anywhere and at any time, and such a collaborative environment complicates the design of an accountable resource access control system. Relying only on predefined access control policies based on an entity's attributes, as traditional access control solutions do, is not flexible enough to apply the continuous adjustments needed to adapt to arbitrary run-time conditions. The limited scope and precision of existing policy-based access control solutions place considerable limits on how well they can meet the demanding security requirements of IT enterprises.
In this research, we focus on obligatory behavior, which can play an important role in access control for protecting the resources and services of a typical system. Since traditional access control is performed only once, before the subject accesses the resource, the access control system cannot monitor the fulfillment of an obligation while the access is in progress. In practice, such a requirement is implemented in hard-coded, proprietary ways. Consequently, the lack of sophisticated means for specifying and enforcing obligations in an access control system reduces its flexibility and may also lead to security breaches in sensitive environments.
We provide a descriptive language capable of defining a variety of complex behavior patterns based on sequences of user actions. Such a description can be used to specify the different elements of an obligation so that it can be attached to a policy language, and it is also used to generate queries for behavior matching.
Moreover, we propose a behavior pattern matching framework that confirms fulfillment of an obligation by inspecting audit logs. This method is, however, inadequate for ongoing obligations, since a log can only be examined after the fact. We therefore propose a compliance engine built on complex event processing that decides in a timely manner whether to revoke or continue the access. We implemented both frameworks; they can be used to confirm obligation fulfillment as well as to evaluate the expressive power and complexity of our proposed language.
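The following is an added illustration of the two checks the abstract contrasts, not code from the thesis. The page does not give the syntax of the behavior pattern language, so the obligation is encoded here as a hypothetical Python structure (a trigger action, an ordered list of required actions, and a deadline); the event shape, the action names and the audit log lines are all constructed for the example. The post-hoc matcher scans a finished log and can only report a violation once the log is complete, whereas the streaming engine decides to continue or revoke at the moment the deadline is missed, which is the gap the compliance engine is meant to close.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical event shape; the thesis's audit log format is not given on the page.
@dataclass(frozen=True)
class Event:
    ts: int          # seconds since the session started
    subject: str     # user performing the action
    action: str      # action name as recorded in the audit log
    resource: str    # resource the action touched

# Hypothetical encoding of one obligation: once a subject performs `trigger`,
# it must perform every action in `required`, in order, within `deadline` seconds.
@dataclass(frozen=True)
class Obligation:
    trigger: str
    required: Tuple[str, ...]
    deadline: int

def fulfilled_in_log(ob: Obligation, log: List[Event], subject: str) -> bool:
    """Post-hoc matcher: scan a finished audit log for `subject` and report whether
    the obligation was discharged in time. True if the trigger never occurred
    (nothing was owed); False if the required sequence was late or incomplete."""
    start = None
    idx = 0
    for e in log:
        if e.subject != subject:
            continue
        if start is None:
            if e.action == ob.trigger:
                start = e.ts
            continue
        if e.ts - start > ob.deadline:
            return False                # activity after the deadline: too late
        if e.action == ob.required[idx]:
            idx += 1
            if idx == len(ob.required):
                return True             # sequence completed within the deadline
    return start is None                # no trigger: nothing owed; otherwise incomplete

class ComplianceEngine:
    """Streaming (CEP-style) engine: consumes events one at a time, keeps the state
    of each subject's open obligation, and answers CONTINUE or REVOKE immediately."""
    CONTINUE, REVOKE = "CONTINUE", "REVOKE"

    def __init__(self, ob: Obligation) -> None:
        self.ob = ob
        self.pending: Dict[str, List[int]] = {}   # subject -> [start_ts, next_required_idx]

    def on_event(self, e: Event) -> str:
        state = self.pending.get(e.subject)
        if state is None:
            if e.action == self.ob.trigger:
                self.pending[e.subject] = [e.ts, 0]
            return self.CONTINUE
        start, idx = state
        if e.ts - start > self.ob.deadline:
            del self.pending[e.subject]
            return self.REVOKE          # deadline missed while access was in progress
        if e.action == self.ob.required[idx]:
            idx += 1
            if idx == len(self.ob.required):
                del self.pending[e.subject]     # obligation discharged
            else:
                state[1] = idx
        return self.CONTINUE

    def on_tick(self, now: int, subject: str) -> str:
        """Clock tick with no event: a silent subject can still miss the deadline."""
        state = self.pending.get(subject)
        if state is not None and now - state[0] > self.ob.deadline:
            del self.pending[subject]
            return self.REVOKE
        return self.CONTINUE

def stream_decisions(ob: Obligation, log: List[Event]) -> List[str]:
    eng = ComplianceEngine(ob)
    return [eng.on_event(e) for e in log]

# Constructed sample obligation and audit logs (not from the thesis).
OB = Obligation(trigger="open_record",
                required=("log_access_reason", "close_record"), deadline=300)

LOG_OK = [
    Event(0, "alice", "open_record", "patient/42"),
    Event(30, "carol", "open_record", "patient/7"),
    Event(60, "alice", "log_access_reason", "patient/42"),
    Event(200, "alice", "close_record", "patient/42"),
]
LOG_LATE = [
    Event(0, "bob", "open_record", "patient/42"),
    Event(100, "bob", "log_access_reason", "patient/42"),
    Event(400, "bob", "export_record", "patient/42"),
]

if __name__ == "__main__":
    print(fulfilled_in_log(OB, LOG_OK, "alice"), fulfilled_in_log(OB, LOG_LATE, "bob"))
    print(stream_decisions(OB, LOG_LATE))
    eng = ComplianceEngine(OB)
    eng.on_event(LOG_LATE[0])
    print(eng.on_tick(301, "bob"))
```

The `on_tick` method is the part a log-based matcher cannot provide: if bob opens a record and then does nothing, no audit line ever arrives to trigger a check, so the engine must be driven by time as well as by events to revoke the access once the deadline passes.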
Keywords
Access control, Obligation, Behavior, Language