2. Authorization & Context?
Solution
Problem:
ant
Drivers: •A uthorization import • Context
:
• GRC • Authorization not • A BA C Drivers
• Insider dynamic enough • Mobil
e
fraud • Cloud
• Nomadic
working
(“HNW”)
(Attribute Based
Access Control)
2 Context-enhanced Authorization
3. Context-enhanced Authz
• Research project within SII TOP programme
• Goal: assess feasibility of context-enhanced
authorization w/ focus on employees
• Method: through desktop research, use cases,
and a demonstrator
• Novay, together with a big Dutch bank, and
IBM
3 Context-enhanced Authorization
5. Context
Solution
For example: • Context
- Time of day
twork) • A BA C
- Lo cation (Geo IP, office ne
- Location (GPS)
- Proximity
, BYOD)
- Device (PC vs mobile
rs (social?)
- Relation to other use
- Authentication level
- …
5 Context-enhanced Authorization
6. Social
Physiological
Environment
- people nearby
- heart rate
- weather - behaviour
- skin
-air pollution - friends
- voice
- Twitter activities
Location Time Mental
- long/lat -office hours - happy
- proximity - lunch time - scared
- country/city - between points - sad
- @home/@work in time - stressed
Device
Network Activities
- type
- IP-address - working
- ownership
- VPN - travelling
(BYO)
- LAN - meeting
- OS and apps
- WiFi or 3G - sleeping
-patch status
7. Domain Type Source
1. Environment Weather Buienradar
Air polution Weeronline.nl
2. Physiological Heart rate ECG sensor
3. Social People nearby Bluetooth, Google
Lattitude, Outlook
Calendar
SN Friends LinkedIn, Facebook
Activity Twitter
4. Location Long/Lat GPS, GSM Cell-Id
City GPS, Geo-IP
Proximity Bluetooth, RFID/NFC
7 Context-enhanced Authorization
8. Domain Type Source
5. Time Office hours System time
Lunch time Outlook Calendar
6. Mental Happy/sad Sound sensor
Scared Galvanic skin
responses
Stressed
7. Network VPN or localnet Network access
gateway
Wireless or Wired IP address
8. Device Type Device mngmt system
Ownership Device mngmt system
8 Context-enhanced Authorization
9. Domain Type Source
9. Activity Travelling GPS, accelerometer
Meeting Calendar, Proximity
sources
Sleeping Heart sensor, ECG,
sound
Some observations:
• Inter-dependencies between domains/types
• Some inference is needed in some types
• Most domains/types can benefit from multiple measurements
over time
• What characteristics determine which domains / types /
sources are most suitable in a given scenario?
9 Context-enhanced Authorization
11. Authorization 101
• Authentication: who is this user?
• Authorization: is this user supposed to be doing that?
RBA MA C AC L
C B
ABAC ell-
Lapa
Subject
DA C Actionultd-ulaObject
M i
Level
Attribute Based
Access Control
Permit or Deny
11 Context-enhanced Authorization
12. ABAC
Solution
• Context
Defacto standard:
XACML 2.0 • ABA C
App PEP
PDP
App PEP Policies
PIP PIP
Policy Decision Point
PAP
Policy Enforcement Point
Policy Information Point
AP AP
Policy Administration Point
12 Context-enhanced Authorization
13. ABAC
Solution
• Context
Defacto standard:
XACML 2.0 • ABA C
GUI
Banking
PEP
Service IBM
TSPM
App PEP PDP Policies
PIP PIP
Policy Decision Point
PAP
Policy Enforcement Point Context
Policy Information Point
AP
Server
Policy Administration Point
GUI
13 Context-enhanced Authorization
19. Context – AuthZ levels
• All
• @office, proximity, IT-dept. mngd laptop
• A lot
• @home, proximity, IT-dept. mngd laptop, time in 6.00-23.00
• Some
• @office, user mngd (but registered) iPad, agenda, time in 6.00-
23.00
• IT-dept. mngd laptop, proximity, agenda, time in 6.00-23.00
• A little
• Proximity, registered device
• Nothing
19 Context-enhanced Authorization
20. Use-cases
• Finer grained access to
application with “hit-n-run”
functionality
• Data loss prevention when
traveling
• More flexible authentication
20 Context-enhanced Authorization
21. Challenges
• Adoption in applications
• Architectural choices
• Authenticity of context
• Complexity of policies
• Lack of standards for context management
• Linking context to user identities
• Privacy consequences
• Quality of context
• Scalability and performance
• …
21 Context-enhanced Authorization
22. Authenticity of context
• Can we trust the source?
• Depends on the precise scenario
• and on technology
• and on who controls the source
• Some sources are more trustworthy than other
• Just fuse with more context sources?
• Multi-factor context, harder to fake for attacker
• But also harder to understand
22 Context-enhanced Authorization
23. Authenticity of context
CeA vs TM (SIEM, …):
Needed
trust in
authenticity
of context
mon saction
catio p
atio nced
in
n
u
ng
la
Auth + step
Exp
itori
a
Auth ext-enh
n
enti
Tran
+
CeA
CeA
oriz
t
Con
23 Context-enhanced Authorization
25. (Preliminary) conclusions
• Using context-information in
authz policies
• Some use-cases
• Challenges in selecting the right types of
context, in adoptation, in how to deal with
quality of context (incl. authenticity)
• Demonstrator under construction,
due the next couple of weeks
25 Context-enhanced Authorization