Context-enhanced Authorization
GOVCERT symposium
16 november 2011

Martijn Oostdijk
Authorization & Context?

Problem:
  • Authorization important
  • Authorization not dynamic enough

Drivers (problem side):
  • GRC
  • Insider fraud
  • Nomadic working (“HNW”)

Solution:
  • Context
  • ABAC (Attribute Based Access Control)

Drivers (solution side):
  • Mobile
  • Cloud

2  Context-enhanced Authorization
Context-enhanced Authz

  • Research project within the SII TOP programme
  • Goal: assess the feasibility of context-enhanced authorization, with a focus on employees
  • Method: desktop research, use cases, and a demonstrator
  • Novay, together with a big Dutch bank, and IBM
Context
Context

For example:
  - Time of day
  - Location (Geo-IP, office network)
  - Location (GPS)
  - Proximity
  - Device (PC vs mobile, BYOD)
  - Relation to other users (social?)
  - Authentication level
  - …
Context domains (mind map):

  Environment:    weather, air pollution
  Physiological:  heart rate, skin, voice
  Social:         people nearby, behaviour, friends, Twitter activities
  Location:       long/lat, proximity, country/city, @home/@work
  Time:           office hours, lunch time, between points in time
  Mental:         happy, scared, sad, stressed
  Network:        IP-address, VPN, LAN, WiFi or 3G
  Device:         type, ownership (BYO), OS and apps, patch status
  Activities:     working, travelling, meeting, sleeping
Domain             Type             Source
1. Environment     Weather          Buienradar
                   Air pollution    Weeronline.nl
2. Physiological   Heart rate       ECG sensor
3. Social          People nearby    Bluetooth, Google Latitude, Outlook Calendar
                   SN friends       LinkedIn, Facebook
                   Activity         Twitter
4. Location        Long/Lat         GPS, GSM Cell-Id
                   City             GPS, Geo-IP
                   Proximity        Bluetooth, RFID/NFC
Domain             Type                Source
5. Time            Office hours        System time
                   Lunch time          Outlook Calendar
6. Mental          Happy/sad           Sound sensor
                   Scared              Galvanic skin responses
                   Stressed
7. Network         VPN or localnet     Network access gateway
                   Wireless or wired   IP address
8. Device          Type                Device mngmt system
                   Ownership           Device mngmt system
Domain             Type          Source
9. Activity        Travelling    GPS, accelerometer
                   Meeting       Calendar, proximity sources
                   Sleeping      Heart sensor, ECG, sound

Some observations:
  • Inter-dependencies between domains/types
  • Some types are not measured directly and require inference
  • Most domains/types can benefit from multiple measurements over time
  • Which characteristics determine which domains / types / sources are most suitable in a given scenario?
Authorization
Authorization 101

  • Authentication: who is this user?
  • Authorization: is this user supposed to be doing that?

  (Word cloud on the slide: RBAC, MAC, ACL, ABAC, Bell-LaPadula, DAC, Multi-level)

Attribute Based Access Control:
  Subject, Action, Object (attributes)  -->  Permit or Deny
ABAC

De facto standard: XACML 2.0

  App --> PEP --\
                 +--> PDP <-- Policies <-- PAP
  App --> PEP --/      |
                   PIP   PIP
                    |     |
                   AP    AP

  PEP: Policy Enforcement Point
  PDP: Policy Decision Point
  PIP: Policy Information Point
  PAP: Policy Administration Point
ABAC (demonstrator)

De facto standard: XACML 2.0

  Banking GUI     --> PEP --\
  Banking Service --> PEP ---+--> PDP (IBM TSPM) <-- Policies <-- PAP (GUI)
  App             --> PEP --/        |
                                PIP     PIP
                                 |       |
                          Context Server  AP

  PEP: Policy Enforcement Point
  PDP: Policy Decision Point
  PIP: Policy Information Point
  PAP: Policy Administration Point
PAP (in TIP)

  (Slides 14-18: no text was extracted from these slides.)
Context – AuthZ levels

  • All
      • @office, proximity, IT-dept. mngd laptop
  • A lot
      • @home, proximity, IT-dept. mngd laptop, time in 6.00-23.00
  • Some
      • @office, user mngd (but registered) iPad, agenda, time in 6.00-23.00
      • IT-dept. mngd laptop, proximity, agenda, time in 6.00-23.00
  • A little
      • Proximity, registered device
  • Nothing
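A small policy decision point for the authorization levels on this slide, written here as an added example (not code from the project or its IBM TSPM demonstrator): the Context fields stand for the attributes a PDP would pull from PIPs, the rules are the five levels above in most-permissive-first order, and "time in 6.00-23.00" is read as 06:00 <= t < 23:00 (an assumption, as are all field names).

```python
from dataclasses import dataclass
from datetime import time
from enum import IntEnum
from typing import Callable, List, Tuple


class AuthzLevel(IntEnum):
    """Authorization levels from the 'Context - AuthZ levels' slide."""
    NOTHING = 0
    A_LITTLE = 1
    SOME = 2
    A_LOT = 3
    ALL = 4


@dataclass(frozen=True)
class Context:
    """Attributes a PDP would obtain from PIPs (field names are assumptions)."""
    location: str        # "office", "home" or "other"
    proximity: bool      # a known co-worker/device is nearby (Bluetooth, NFC, ...)
    device_type: str     # "laptop" or "ipad"
    device_mgmt: str     # "it" (IT-dept managed), "user" (user managed), "none"
    registered: bool     # device is registered in the device management system
    agenda: bool         # calendar confirms a work appointment right now
    now: time            # system time


def in_working_window(t: time) -> bool:
    """Assumed reading of 'time in 6.00-23.00': 06:00 <= t < 23:00."""
    return time(6, 0) <= t < time(23, 0)


def managed_laptop(c: Context) -> bool:
    return c.device_type == "laptop" and c.device_mgmt == "it"


def registered_user_ipad(c: Context) -> bool:
    return c.device_type == "ipad" and c.device_mgmt == "user" and c.registered


# Ordered most-permissive first and evaluated like XACML's first-applicable
# combining algorithm: the first rule whose condition holds decides the level.
RULES: List[Tuple[AuthzLevel, Callable[[Context], bool]]] = [
    (AuthzLevel.ALL, lambda c: c.location == "office" and c.proximity
                               and managed_laptop(c)),
    (AuthzLevel.A_LOT, lambda c: c.location == "home" and c.proximity
                                 and managed_laptop(c) and in_working_window(c.now)),
    (AuthzLevel.SOME, lambda c: c.location == "office" and registered_user_ipad(c)
                                and c.agenda and in_working_window(c.now)),
    (AuthzLevel.SOME, lambda c: managed_laptop(c) and c.proximity and c.agenda
                                and in_working_window(c.now)),
    (AuthzLevel.A_LITTLE, lambda c: c.proximity and c.registered),
]


def decide(c: Context) -> AuthzLevel:
    """PDP: map the current context to an authorization level ('Nothing' by default)."""
    for level, applies in RULES:
        if applies(c):
            return level
    return AuthzLevel.NOTHING


def permit(c: Context, required: AuthzLevel) -> bool:
    """PEP-side question: is an action that needs `required` allowed in this context?"""
    return decide(c) >= required


if __name__ == "__main__":
    # Constructed sample: managed laptop at home, colleague nearby, but after 23:00.
    late_at_home = Context("home", True, "laptop", "it", True, False, time(23, 30))
    print(decide(late_at_home).name)            # A_LITTLE: the time window dropped 'A lot'
    print(permit(late_at_home, AuthzLevel.SOME))  # False
```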
Use-cases

  • Finer grained access to applications with “hit-n-run” functionality
  • Data loss prevention when travelling
  • More flexible authentication
Challenges

  • Adoption in applications
  • Architectural choices
  • Authenticity of context
  • Complexity of policies
  • Lack of standards for context management
  • Linking context to user identities
  • Privacy consequences
  • Quality of context
  • Scalability and performance
  • …
Authenticity of context

  • Can we trust the source?
      • Depends on the precise scenario
      • and on the technology
      • and on who controls the source
      • Some sources are more trustworthy than others

  • Just fuse with more context sources?
      • Multi-factor context is harder for an attacker to fake
      • But it is also harder to understand
Authenticity of context

  [Figure: CeA vs TM (SIEM, …). Vertical axis: needed trust in authenticity of context. Approaches placed on the chart: Transaction monitoring, Authentication, Authentication + step-up, Context-enhanced Authorization (CeA), CeA + …]
Scalability & performance
(Preliminary) conclusions

  • Using context information in authz policies
      • Some use-cases
      • Challenges in selecting the right types of context, in adoption, and in how to deal with quality of context (incl. authenticity)

  • Demonstrator under construction, due in the next couple of weeks

Más contenido relacionado

La actualidad más candente

The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)marti_hearst
 
Anssivanjoki nmic 03
Anssivanjoki nmic 03Anssivanjoki nmic 03
Anssivanjoki nmic 03nilesh1111
 
Software Development Engineers Ireland
Software Development Engineers IrelandSoftware Development Engineers Ireland
Software Development Engineers IrelandSean O'Sullivan
 
Adobe MAX 2009: Design Considerations for Contextually Aware Solutions
Adobe MAX 2009: Design Considerations for Contextually Aware SolutionsAdobe MAX 2009: Design Considerations for Contextually Aware Solutions
Adobe MAX 2009: Design Considerations for Contextually Aware SolutionsAli Ivmark
 
5 Strategies For Effectively Integrating SMS, IVR and Social
5 Strategies For Effectively Integrating SMS, IVR and Social5 Strategies For Effectively Integrating SMS, IVR and Social
5 Strategies For Effectively Integrating SMS, IVR and SocialWaterfall Mobile
 
BehavioMetrics: A Big Data Approach
BehavioMetrics: A Big Data ApproachBehavioMetrics: A Big Data Approach
BehavioMetrics: A Big Data ApproachJiang Zhu
 
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...HSA Foundation
 
MobiSys Group Presentation
MobiSys Group PresentationMobiSys Group Presentation
MobiSys Group PresentationNeal Lathia
 

La actualidad más candente (10)

The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)
 
Anssivanjoki nmic 03
Anssivanjoki nmic 03Anssivanjoki nmic 03
Anssivanjoki nmic 03
 
Software Development Engineers Ireland
Software Development Engineers IrelandSoftware Development Engineers Ireland
Software Development Engineers Ireland
 
Adobe MAX 2009: Design Considerations for Contextually Aware Solutions
Adobe MAX 2009: Design Considerations for Contextually Aware SolutionsAdobe MAX 2009: Design Considerations for Contextually Aware Solutions
Adobe MAX 2009: Design Considerations for Contextually Aware Solutions
 
Usability and Health IT
Usability and Health ITUsability and Health IT
Usability and Health IT
 
5 Strategies For Effectively Integrating SMS, IVR and Social
5 Strategies For Effectively Integrating SMS, IVR and Social5 Strategies For Effectively Integrating SMS, IVR and Social
5 Strategies For Effectively Integrating SMS, IVR and Social
 
BehavioMetrics: A Big Data Approach
BehavioMetrics: A Big Data ApproachBehavioMetrics: A Big Data Approach
BehavioMetrics: A Big Data Approach
 
10 fn s15
10 fn s1510 fn s15
10 fn s15
 
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...
 
MobiSys Group Presentation
MobiSys Group PresentationMobiSys Group Presentation
MobiSys Group Presentation
 

Destacado

Re-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementRe-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementMartijn Oostdijk
 
Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceSmart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceMartijn Oostdijk
 
Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging ChallengesAaron Irizarry
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesNed Potter
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with DataSeth Familian
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017Drift
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 

Destacado (7)

Re-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementRe-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity Management
 
Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceSmart Cards, ePassports, and open source
Smart Cards, ePassports, and open source
 
Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging Challenges
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and Archives
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Similar a Govcert2011 - Context-enhanced Authorization

DSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGADSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGAAndris Soroka
 
OSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOpenStorageSummit
 
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...wegdam
 
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for AuthenticationLocaid Technologies
 
Context is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next ScenarioContext is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next ScenarioClark Dodsworth
 
Vfm palo alto next generation firewall
Vfm palo alto next generation firewallVfm palo alto next generation firewall
Vfm palo alto next generation firewallvfmindia
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityPaul Morse
 
Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Damien Contreras
 
Architectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsArchitectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsRoshan Kulkarni
 
The Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and MonitoringThe Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and MonitoringCorrelsense
 

Similar a Govcert2011 - Context-enhanced Authorization (20)

Mobile testing
Mobile testingMobile testing
Mobile testing
 
DSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGADSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGA
 
OSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal Stern
 
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
 
Envision - An Overview of Solutions & Services
Envision - An Overview of Solutions & ServicesEnvision - An Overview of Solutions & Services
Envision - An Overview of Solutions & Services
 
Envision Solution & Services Overview
Envision Solution & Services Overview Envision Solution & Services Overview
Envision Solution & Services Overview
 
2008, IBM: WSN by John Dorn
2008, IBM: WSN by John Dorn2008, IBM: WSN by John Dorn
2008, IBM: WSN by John Dorn
 
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
 
Context is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next ScenarioContext is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next Scenario
 
London hug
London hugLondon hug
London hug
 
Secure Big Data Analytics - Hadoop & Intel
Secure Big Data Analytics - Hadoop & IntelSecure Big Data Analytics - Hadoop & Intel
Secure Big Data Analytics - Hadoop & Intel
 
Vfm palo alto next generation firewall
Vfm palo alto next generation firewallVfm palo alto next generation firewall
Vfm palo alto next generation firewall
 
Dragonfruit
DragonfruitDragonfruit
Dragonfruit
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud Security
 
Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3
 
The Guardian
The GuardianThe Guardian
The Guardian
 
Architectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsArchitectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud Platforms
 
Smart Santander project Jose M. Hernandez Munoz
Smart Santander project Jose M. Hernandez MunozSmart Santander project Jose M. Hernandez Munoz
Smart Santander project Jose M. Hernandez Munoz
 
The Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and MonitoringThe Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and Monitoring
 
Droid 4
Droid 4Droid 4
Droid 4
 

Último

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Govcert2011 - Context-enhanced Authorization

  • 2. Authorization & Context?
    Problem: authorization is important, but authorization today is not dynamic enough.
    Drivers on the problem side: GRC, insider fraud, nomadic working ("HNW").
    Solution: context + ABAC (Attribute Based Access Control).
    Drivers on the solution side: mobile, cloud.
  • 3. Context-enhanced Authz
    • Research project within SII TOP programme
    • Goal: assess feasibility of context-enhanced authorization w/ focus on employees
    • Method: through desktop research, use cases, and a demonstrator
    • Novay, together with a big Dutch bank, and IBM
  • 4. Context
  • 5. Context
    Solution: context + ABAC. Examples of context:
    - Time of day
    - Location (Geo IP, office network)
    - Location (GPS)
    - Proximity
    - Device (PC vs mobile, BYOD)
    - Relation to other users (social?)
    - Authentication level
    - …
  • 6. Context domains with example types
    - Environment: weather, air pollution
    - Physiological: heart rate, skin, voice
    - Social: people nearby, behaviour, friends, Twitter activities
    - Location: long/lat, proximity, country/city, @home/@work
    - Time: office hours, lunch time, between points in time
    - Mental: happy, scared, sad, stressed
    - Device: type, ownership (BYO), OS and apps, patch status
    - Network: IP-address, VPN, LAN, WiFi or 3G
    - Activities: working, travelling, meeting, sleeping
  • 7. Domain / Type / Source (1 of 3)
    1. Environment
       - Weather: Buienradar
       - Air pollution: Weeronline.nl
    2. Physiological
       - Heart rate: ECG sensor
    3. Social
       - People nearby: Bluetooth, Google Latitude, Outlook Calendar
       - SN friends: LinkedIn, Facebook
       - Activity: Twitter
    4. Location
       - Long/Lat: GPS, GSM Cell-Id
       - City: GPS, Geo-IP
       - Proximity: Bluetooth, RFID/NFC
  • 8. Domain / Type / Source (2 of 3)
    5. Time
       - Office hours: System time
       - Lunch time: Outlook Calendar
    6. Mental
       - Happy/sad, scared, stressed: Sound sensor, Galvanic skin responses
    7. Network
       - VPN or localnet: Network access gateway
       - Wireless or wired: IP address
    8. Device
       - Type: Device management system
       - Ownership: Device management system
  • 9. Domain / Type / Source (3 of 3)
    9. Activity
       - Travelling: GPS, accelerometer
       - Meeting: Calendar, proximity sources
       - Sleeping: Heart sensor, ECG, sound
    Some observations:
    • Inter-dependencies between domains/types
    • Some types can only be obtained by inference
    • Most domains/types benefit from multiple measurements over time
    • What characteristics determine which domains / types / sources are most suitable in a given scenario?
  • 10. Authorization
  • 11. Authorization 101
    • Authentication: who is this user?
    • Authorization: is this user supposed to be doing that?
    [Figure: Subject → Action → Object, ending in "Permit or Deny"; access-control models shown: RBAC, MAC, DAC, ACL, Bell-LaPadula, Multi-level, ABAC (Attribute Based Access Control)]
  • 12. ABAC
    Solution: context + ABAC. De facto standard: XACML 2.0.
    [Figure: XACML architecture. Apps call a Policy Enforcement Point (PEP); the PEP asks the Policy Decision Point (PDP), which evaluates the Policies and pulls attributes from Policy Information Points (PIP); policies are managed through the Policy Administration Point (PAP).]
  • 13. ABAC (demonstrator)
    Solution: context + ABAC. De facto standard: XACML 2.0.
    [Figure: the XACML architecture instantiated for the demonstrator: a GUI and a Banking Service, each behind a PEP; IBM TSPM as PDP with its Policies; a Context Server as PIP; a PAP with its own GUI.]
  • 14. PAP (in TIP)
  • 15. to 18. (slides without text)
  • 19. Context – AuthZ levels
    • All: @office, proximity, IT-dept. managed laptop
    • A lot: @home, proximity, IT-dept. managed laptop, time in 6.00-23.00
    • Some:
      - @office, user managed (but registered) iPad, agenda, time in 6.00-23.00
      - IT-dept. managed laptop, proximity, agenda, time in 6.00-23.00
    • A little: proximity, registered device
    • Nothing
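A small policy engine for the context-to-level mapping on this slide, split into PDP, PIP and PEP roles as in the XACML architecture of slide 12. This is an added example, not the project's demonstrator (which used IBM TSPM and XACML 2.0); the attribute names, the two sample PIPs and the rule that missing or unknown context never satisfies a condition are assumptions.

```python
# Toy ABAC for the slide's context -> authorization-level mapping.
# Added example, not the project's demonstrator (IBM TSPM / XACML 2.0).
# Attribute names and the "missing context never matches" rule are assumptions.
from datetime import time

# Levels from the slide, most privileged first; the PEP compares ranks.
LEVELS = ["all", "a lot", "some", "a little", "nothing"]

def within_hours(c):
    """Slide's window 06:00-23:00; an absent time attribute never matches."""
    t = c.get("time")
    return t is not None and time(6, 0) <= t <= time(23, 0)

def registered(c):
    """IT-dept. managed laptops and user-managed-but-registered iPads."""
    return c.get("device") in ("it_managed_laptop", "registered_ipad")

# PDP policy: one (level, condition) per bullet, in slide order; c.get() makes
# unknown attributes falsy, so incomplete context falls through to lower levels.
RULES = [
    ("all", lambda c: c.get("location") == "office" and c.get("proximity")
            and c.get("device") == "it_managed_laptop"),
    ("a lot", lambda c: c.get("location") == "home" and c.get("proximity")
              and c.get("device") == "it_managed_laptop" and within_hours(c)),
    ("some", lambda c: c.get("location") == "office" and c.get("agenda")
             and c.get("device") == "registered_ipad" and within_hours(c)),
    ("some", lambda c: c.get("device") == "it_managed_laptop" and c.get("proximity")
             and c.get("agenda") and within_hours(c)),
    ("a little", lambda c: c.get("proximity") and registered(c)),
]

def decide(c):
    """PDP: first matching rule wins; no match means 'nothing'."""
    for level, cond in RULES:
        if cond(c):
            return level
    return "nothing"

def permit(required, *pips):
    """PEP: merge the PIPs' attribute sets, then compare the decided level with 'required'."""
    c = {}
    for pip in pips:          # each PIP contributes a dict of context attributes
        c.update(pip)
    return LEVELS.index(decide(c)) <= LEVELS.index(required)

# Constructed sample context from two PIPs (network gateway, device management):
# at home outside the time window, so the laptop only earns "a little".
NETWORK_PIP = {"location": "home", "proximity": True, "time": time(23, 30)}
DEVICE_PIP = {"device": "it_managed_laptop", "agenda": False}
```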
  • 20. Use-cases
    • Finer grained access to an application with "hit-n-run" functionality
    • Data loss prevention when traveling
    • More flexible authentication
  • 21. Challenges
    • Adoption in applications
    • Architectural choices
    • Authenticity of context
    • Complexity of policies
    • Lack of standards for context management
    • Linking context to user identities
    • Privacy consequences
    • Quality of context
    • Scalability and performance
    • …
  • 22. Authenticity of context
    • Can we trust the source?
      - Depends on the precise scenario
      - and on the technology
      - and on who controls the source
    • Some sources are more trustworthy than others
    • Just fuse with more context sources?
      - Multi-factor context is harder for an attacker to fake
      - But also harder to understand
  • 23. Authenticity of context
    CeA vs TM (SIEM, …): needed trust in authenticity of context
    [Chart comparing the trust needed in the authenticity of context across transaction monitoring, authentication + step up, and context-enhanced authorization (CeA), including combinations "+ CeA"]
  • 24. Scalability & performance
  • 25. (Preliminary) conclusions
    • Using context information in authz policies
    • Some use-cases
    • Challenges in selecting the right types of context, in adoption, and in how to deal with quality of context (incl. authenticity)
    • Demonstrator under construction, due in the next couple of weeks
  • 26. (closing slide without text)