
Upload: mahsa-teimourikia

Post on 06-Aug-2015

Risks in Smart Environments and Adaptive Access Controls

Mariagrazia Fugini1, and Mahsa Teimourikia2

Politecnico di Milano

[email protected], [email protected]

August 2014


Polo Territoriale di Como

Outline

• Motivation and Objectives
• Definitions
• Methodology:
  • Risk Management System
  • Components of the Security Model
  • Adaptivity of the Security Model due to risks
• Conclusion and Future Work


Motivations

• In environmental risk management, dynamically providing security for people and various resources according to what happens in the environment is an open issue [1].

• In monitored environments, where risks can be acknowledged via sensors and spatial data technologies, security rules, in particular access control rules, should be made adaptive to the situation at hand at run time.

[1] K. Smith, Environmental hazards: assessing risk and reducing disaster, Routledge, 2013.


Objective

• To design a security model that is flexible enough to accommodate varying security rules according to fine-grained changes in the environment conditions.


The Definition of Risk

• Risk: hazards and abnormalities recognized in an environment that indicate a threat to the infrastructures and/or the civilians (e.g., if sensors indicate a gas leak, there is a risk of fire and explosion). Risks can be avoided via preventive strategies (e.g., closing the gas flow). Risks have attributes such as Type, IntensityLevel, and Location.

• Emergency: when the Risk intensity is higher than a threshold, it is considered an emergency that needs immediate interventions and corrective strategies (e.g., if the gas leak is very heavy, it can indicate an emergency situation where an explosion is going to happen or has already happened).


A Scenario

• Consider a smart environment (i.e., an airport) in which the objects, people, and the environment itself are monitored using sensors and monitoring devices such as surveillance cameras, checkpoints, wearable devices, etc.

• The airport Security Staff intervene in case of emergencies.

• The Security Manager, who has the highest clearance, is the subject in charge in case of an emergency.

• The Surveillance Personnel are in charge of monitoring the environment and can only intervene in minor security problems.


The Risk Management System (RMS) [2]

• The RMS receives the inputs from sensors and monitoring devices, recognizes the risks and emergencies in the environment and produces a Risk Map and preventive or corrective Strategies accordingly.

[2] M. Fugini, C. Raibulet, and L. Ubezio, "Risk assessment in work environments: modeling and simulation," Concurrency and Computation: Practice and Experience, vol. 24, no. 18, pp. 2381-2403, 2012.


Security Model: Environment

The security model is based on Attribute-Based Access Control (ABAC) and includes the following components:

Environment: The Environment (EN) is a set of sections that can be monitored for risks; it is modeled as a graph.


Security Model: Subjects

Subjects: A Subject s ∈ S falls into one of three categories:

• Administrative Subjects: their main responsibility is to assign the Subject, Object, and Environment Attributes.

• In Domain Subjects: active subjects that need permissions to access different kinds of resources and are in charge in the organization, with some kind of organizational role (e.g., Security Staff).

• Out Domain Subjects: Subjects that are outside the organizational hierarchy. In our scenario, they are passive subjects in the Environment, such as the travelers in an airport area.


Security Model: Subjects (Continued)

In Domain Subjects: These subjects can hold many attributes (Subject Attributes, SA), grouped as follows:

The subject’s PRL is calculated by the RMS as follows:


Security Model: Objects

Objects: An Object o ∈ O abstracts resources that a Subject can access or act on. These resources can be physical objects or data. We consider the following attributes (OA) for objects:


Security Model: Privileges & Request

• Privileges: A privilege p ∈ P is an operation that a Subject requests to perform on an Object. Privileges can be permissions such as read, write, update, and execute, or privileges on physical objects, such as trigger (for alarms), close (for doors and gas pipes), zoom in (for a camera), enter (for a section of the Environment), and so on.

• Request: A request is defined as the result of the application of an evaluate function as follows:

The results of this evaluation can be Permit, Deny and Not applicable.


Adaptivity of the Security Model

To dynamically adapt the access control model to risk situations, two different methods are considered:

• Activating/Deactivating Access Control Rules: a set of access rules is treated as an access control domain (acd ∈ ACD). Access control domains are statically defined by Administrative Subjects, but are activated and deactivated at run time to adapt the access control model to risk situations.

• Dynamically Changing Subject/Object/Environment Attributes: Necessary changes are made in the attributes of Subjects, Objects, and the Environment to allow the successful execution of the RMS strategies.


Adaptivity: Activating/Deactivating AC Rules

Activating/Deactivating Access Control Rules: This is done through acd activation rules that follow the Event-Condition-Action (ECA) paradigm: if a risk is notified (Event) and a condition holds (Condition), then some acd ∈ ActiveACD might be deactivated and some acd ∈ ACD that are not in the ActiveACD set should be activated (Action).

• To avoid conflicts between rules, we adopt the XACML policy language: a single access rule is an XACML <Rule>, an acd is a <Policy> (a set of rules), and the set of activated acds (ActiveACD) is a <PolicySet>.

Example:


Adaptivity: Changing the Attributes

Dynamically Changing Subject/Object/Environment Attributes: To let the rescue and security teams intervene, and to execute some of the strategies recommended by the RMS to handle risks, it is necessary to modify the attributes of Subjects, Objects, and/or Environment segments.

Example 1: Changing an Environment segment's attribute to allow safe evacuation.


Adaptivity: Changing the Attributes (Continued)

Example 2: Changing a Subject's attribute to allow rescue teams to locate the Subject.

Example 3: Changing an Object’s attribute to allow required access permissions.
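
The two adaptivity mechanisms described above (ECA-driven activation and deactivation of access control domains, and run-time attribute changes), combined in an added Python example that is not code from the original presentation. The domain names, the Technician role, the attribute keys, the threshold value and the choice of deny-overrides to combine rules are assumptions made for illustration.

```python
from dataclasses import dataclass

EMERGENCY_THRESHOLD = 7  # assumed 0-10 scale; the slides give no value
RESPONDERS = ("SecurityStaff", "SecurityManager")

@dataclass(frozen=True)
class Risk:  # attributes named on the slides: Type, IntensityLevel, Location
    type: str
    intensity_level: int
    location: str

# acd name -> rules; a rule is (effect, predicate(subject, object, privilege, env)).
# Domain names, the Technician role and attribute keys are constructed for this sketch.
ACD = {
    "monitoring": [("Permit", lambda s, o, p, en: s["role"] == "SurveillancePersonnel"
                    and o["type"] == "camera" and p == "zoom_in")],
    "maintenance": [("Permit", lambda s, o, p, en: s["role"] == "Technician"
                     and o["type"] == "gas_pipe" and p == "open")],
    "public_access": [("Permit", lambda s, o, p, en: o["type"] == "section"
                       and p == "enter")],
    "gas_emergency": [
        ("Permit", lambda s, o, p, en: s["role"] in RESPONDERS
         and o["type"] == "gas_pipe" and p == "close"),
        ("Deny", lambda s, o, p, en: o["type"] == "section" and p == "enter"
         and en[o["id"]]["status"] == "evacuating" and s["role"] not in RESPONDERS),
    ],
}

def on_risk(risk, active, env):
    """ECA: Event = risk notified; Condition = gas-leak emergency; Action = below."""
    if risk.type == "gas_leak" and risk.intensity_level > EMERGENCY_THRESHOLD:
        active = (active - {"maintenance"}) | {"gas_emergency"}  # swap acds
        env[risk.location]["status"] = "evacuating"  # Environment attribute change
    return active

def evaluate(s, o, p, env, active):
    """Evaluate a request against the rules of all active acds (deny-overrides)."""
    effects = {eff for name in active for eff, cond in ACD[name] if cond(s, o, p, env)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def demo():
    """Constructed airport state: a heavy gas leak is notified at gate_b."""
    env = {"gate_b": {"status": "open"}, "gate_c": {"status": "open"}}
    active = on_risk(Risk("gas_leak", 9, "gate_b"),
                     {"monitoring", "public_access", "maintenance"}, env)
    gate_b, traveler = {"type": "section", "id": "gate_b"}, {"role": "Traveler"}
    return sorted(active), evaluate(traveler, gate_b, "enter", env, active)
```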


Conclusions

• Considering risks as recognized by a Risk Management System based on monitoring data about the environment, this paper has presented an access control model, which is adaptive to risks.

• To facilitate the adaptivity we employed the concept of ECA to dynamically change the security rules and make changes in attributes of the security model components.


Future Works

• As future work, we are working towards formalizing this model using Event Calculus and implementing it as an addition to our RMS tool [2].


Thank You