2014 IEEE 23rd International WETICE Conference

Dynamic Security Modeling in Risk Management Using Environmental Knowledge

Mariagrazia Fugini (1), George Hadjichristofi (2), Mahsa Teimourikia (3)

(1, 3) Department of Electronics, Information and Bioengineering, Politecnico di Milano, Milan, Italy
(2) Department of Computer Science and Engineering, Frederick University, Nicosia/Limassol, Cyprus
Abstract— This paper presents the design principles for dynamic security modeling in risk-prone environments, where the elements of the environment to be protected are classified in Contexts and are monitored and geo-referenced. Based on a motivating scenario, the security model elements are introduced building on the ABAC (Attribute Based Access Control) paradigm. Dynamicity is integrated into the model to make it self-adaptable to dynamic changes in the environment conditions, including the occurrence of risks and emergencies. The model aims at dynamically authorizing subjects to access diverse data and physical objects (resources) based on adaptive activation/deactivation of security rules and changes in subject or object attributes, while still preserving the need-to-know principle.

Keywords: risk; adaptive security; dynamic access rules; environment; context

978-1-4799-4249-7/14 $31.00 © 2014 IEEE DOI 10.1109/WETICE.2014.42

I.
INTRODUCTION
Data and resources managed for people safety in various risk-prone environments are increasingly relevant issues [1]. In particular, when huge quantities of data are available to monitor areas, to locate people during a crisis, or to intervene to handle a risky event, it is important to preserve data and individual confidentiality and privacy, while allowing dynamic adaptation of security rules (e.g., augmenting the permissions of risk management teams) to face risks and emergencies. Adaptivity and flexibility of security models are topics currently popular in various areas of data management, information systems and web applications [2]. Our purpose is to design a security model that is flexible enough to accommodate varying security rules according to changes in the environment conditions. In this paper, we address the adaptation of security rules to environmental risks, meaning that subjects can temporarily receive new access privileges on environmental resources to handle the risk, and then return to the "normal" situation, having these emergency privileges revoked. The concept of environment is used to consider the knowledge about what occurs in a monitored area in terms of factors and conditions detected by various devices. Event is used to model an occurrence of a risky situation in the environment, which modifies the security needs. The concept of a subject models users and entities that take actions in the environment, while an object models resources to be protected that require authorization to be acted upon. Objects are informative entities (e.g., data in a database) as well as physical resources, such as areas, tools, or anything that needs authorization to be operated upon. We consider that: 1) environment knowledge should be available to authorized subjects only, according to security rules, respecting the need-to-know security principle; 2) security rules should be flexibly activated/deactivated so as to adapt the access of subjects to objects according to events in the environment. For example, if an emergency arises, some objects such as monitoring cameras, which are usually visible to security managers only, should become manageable also by rescue teams. Also, additional objects (e.g., the location and images related to the areas at risk) should be accessible to risk managers at a higher level of detail than usual (e.g., with details on the people present in the affected areas) for security reasons. Hence, security rules should be adaptive to the environment. We model these concepts by introducing Contexts that indicate which operations can be accessed on objects by subjects in a certain situation. In other words, Contexts constitute a security domain [3] activated in case of risk, and deactivated when the risk is concluded. The novelty of our approach lies in: i) the use of the ABAC paradigm in the scenario of risk management, ii) the definition of dynamic access control in this scenario, and iii) the use of events and Contexts to activate/deactivate security rules depending on what occurs in the environment.

For risk modeling, we rely on our proposed solutions in [4]. In particular, we use the terms risk, emergency, and incident in an interleaved manner and consider security within such a framework, where risks (smoothly-occurring factors that can be prevented) and emergencies (severe factors that need urgent interventions) are modeled and preventive/corrective actions and strategies are given. The paper is organized as follows. Section II presents related work. Section III illustrates risk and security in an example scenario. Section IV presents our security model for risks. Section V discusses adaptivity concepts. Finally, Section VI provides concluding remarks, applications, and future work.

II.
RELATED WORK
In risk management, providing security to people and various devices according to what happens in the environment is an open issue, as discussed in [5]. The characteristics of a highly distributed and resource-constrained system make applying conventional access control models a challenging issue. Security of physical objects and data that have a location in an area is addressed in works such as [6], in which cloud computing services and users' authorizations to geographic data are studied, where datasets referring to location are transformed before being uploaded to service providers. The authors in [7] propose to enhance the security of spatial data in information sharing systems based on workflow services using XML key management, XML digital signatures, and geospatial extensible access control markup languages. With the emergence of the concept of smart environments and the Internet of Things (IoT), security issues that consider both conceptual security (data access control) and physical security (access privileges from physical subjects to physical objects performing practical tasks) should be properly addressed [8]. While securing the data is a challenging task, proper access control mechanisms must be in place to maintain privacy and security, to avoid unauthorized access to data, and to prevent users, processes, or applications from misusing data. Considering the dynamicity required by smart environments utilizing IoT and the probability of occurrence of risks and emergencies, there is a need to adopt a dynamic access control mechanism that adapts to the dynamic elements of the environment. In [9], a context-aware Markov game theoretic model is proposed to assess the risk impact of the security metrics in an e-health application utilizing IoT, by which the authors validate the run-time adaptivity of the security solutions.

Coming to security models, recently there has been considerable interest in Attribute Based Access Control (ABAC) [10] due to the limitations of the dominant and most used models, such as Mandatory Access Control (MAC) [11], Discretionary Access Control (DAC) [11], and Role-Based Access Control (RBAC) [11]. ABAC takes into account the attributes of entities (subjects and objects), environmental conditions, and operations to authorize a certain request. ABAC can encompass the benefits of MAC, DAC, and RBAC while surpassing their issues [11].

RBAC suffers from many limitations that make it insufficient for many applications [12], such as inadequate role granularity for fine-grained authorization, or the need for explicit user-role and permission-role associations, to mention a few. In particular, it seems unable to adjust to local/global situational states, since it cannot accommodate real-time factors as access control parameters. To overcome these limitations, RBAC has been extended in various ways. For example, to include geo aspects in authorization decisions, the GEO-RBAC model [13] utilizes spatial entities to model objects, user positions, and geographically-bounded roles. Roles are activated based on the position of the user. However, these models still have limitations and cannot be applied in several contexts. To overcome the limitations, new models have been proposed, including ABAC [10]. With ABAC, fine-grained authorization is possible with no need to explicitly define the relationship between each object and subject. Moreover, dynamically changing attributes, such as the time of the day or spatial attributes, can also be incorporated in the authorization decision, which makes this model adequate for event-aware contexts in smart environments. Therefore, we adopt the ABAC model as the basis for proposing an adaptive security model in risk-prone smart environments. ABAC allows us to model dynamic changes in subject and object attributes as a consequence of environmental changes, in particular those that signal a risk, and which can influence security rules, namely the decision to change privileges on the fly to face the risk. Additionally, assuming that a Risk Management System as proposed in [3] is in place, which prompts risks and has an event checker module able to recognize events by monitoring the environment components, we want to be able to activate/deactivate security rules at run time.

We do so by considering Contexts, as data views, which include the elements of interest for dynamic security, and which are activated to face the risks. In the following section this idea of "data view" related to Contexts will be illustrated.
III.
RISKS AND SECURITY IN A SCENARIO
Our envisioned security scenario deals with issues related to the "smart environments" research streamline [1], where various technologies and models are put in place for the surveillance of a territory so as to plan interventions in urban planning, transportation management, and risk management. Consider for instance an Airport smart environment, where "smart" means that the environment is monitored, is aware of what happens in its areas, and is endowed with devices to locate people and objects, a surveillance dashboard, and advanced ICT solutions for monitoring and for the intervention and planning of operations. The Airport can be modeled as an Object having both open-air areas (parking lots, strips, hangars, etc.) and closed spaces (offices, control tower, travelers' areas, etc.). The surveillance of open-air areas can be obtained both by sensors located in the airport and by GPS localization. For the closed spaces, sensors of various kinds (e.g., cameras, check points, and even wearable devices) are used by airport staff, pilots, and security staff. These elements are informative devices collecting knowledge about the environment and are modeled as objects. The airport has a topology that defines the extension, location, exits/entrances, etc., of its areas, and the topology is relevant to position the risk-detection devices and the risk mitigation/solution strategies. The collected data, the monitoring devices, the topology aspects, and the intervention strategies are modeled in detail in [4]. The airport Security Staff (Subject) monitors the airport and executes interventions in case of alarms and related risks/emergencies. Persons are monitored using informative devices; the monitoring data (Objects) need to be protected from unauthorized disclosure for privacy reasons. The Security Staff needs to be cleared to access services that locate a risky event, or the people/objects exposed to risk. Security Staff members have different security clearances that limit their access to sensitive resources. We assume the existence of a Security Manager Subject who has the highest clearance on the resources and can access them with no limitations in a risk context; the Security Staff subjects have a lower clearance and can execute only some security actions on limited resources; while a third Subject, the Airport Surveillance personnel, can intervene only for minor problems or first-aid alarms. These three Subjects can receive an upgrade of their access privileges in case of risk. For instance, the Airport Surveillance personnel can gain access to more areas, or to specific details of the data acquired from video cameras (e.g., the faces of people in the area), and later have this privilege revoked when the emergency ceases.
We introduce Contexts to define which Subjects with which attributes can execute which operations on which Objects with which attributes. As a sample set of Contexts in the Airport, we can have the Risk Context; the Emergency Context; and the Flight Context (in which the operations regarding flight scheduling, runway assignments, and approved flight arrivals or departures take place). A more precise definition of Contexts is given in Section IV. By monitoring the dynamic changes in the environment (e.g., the position of people, the temperature, or the time), some events are triggered that activate and/or deactivate Contexts, causing the security rules enforced at that moment to change. In other terms, Contexts define the security policies and determine the security mechanism. We will refer to this simplified airport scenario, disregarding the environment topology, the monitoring technologies, and the protection mechanisms (e.g., wearable sensors or protection tools that lower the risk level). We use the term "security" (for short) to refer to confidentiality properties, and to denote "access control" and "authorization".
IV.
SECURITY MODELING FOR RISKS
First of all, we assume the need-to-know and discretionary access control (DAC) security policies. Security modeling in risk-prone environments is based on the components described below.

Subject s: this abstracts a user, an application, or a process wanting to perform an operation on a resource/object. A subject can hold many attributes (SA). We consider the following three groups of SA: 1) General Attributes: identity, name, job title, etc.; 2) Geo Attributes: the subject's location; 3) Security Attributes: security clearances, roles, groups, etc. As an example, a security manager in the airport can be described as follows:

SM1: {{GeneralAttributes: id: SM1ID, name: John Doe, jobTitle: SecurityManager}, {GeoAttributes: geo-referenced coordinates}, {SecurityAttributes: securityClearance: L4, roles: [Manager, SecurityManager], Groups: [Security, Emergency, Office]}}

The securityClearance of Subjects is defined as a level Ln, in which n ∈ ℕ, and the smaller the index, the lower the security clearance (1) of the subject.

Object o: this abstracts resources that a subject can access or act on. Objects hold three groups of attributes (OA): 1) General Attributes, which can be object specific and differ depending on the type of the object; 2) Geo Attributes, like geo-referenced coordinates, the number of detail layers defined in a data repository, and so on; 3) Security Attributes, such as the level of sensitivity, time restrictions, age/location restrictions, and access groups. Sensor data, cameras, alarms, physical areas, etc., are sample objects in a smart environment. A sample camera object can be defined as:

Camera1: {{GeneralAttributes: id: Camera1ID}, {GeoAttributes: geo-referenced coordinates}, {SecurityAttributes: sensitivityLevel: S4, TimeRestriction: OfficeHours, Groups: [Surveillance]}}

The general attributes here are simplified for shortness. The sensitivityLevel (Sn, n ∈ ℕ) indicates the sensitivity of the resource: the higher the index of the sensitivityLevel, the more sensitive the resource is. TimeRestriction indicates whether the resource can only be accessed during a certain time slot. Groups can categorize the resources and can be adopted in the definition of security rules; for example, the subject SurveillanceStaff can read data on objects belonging to the Surveillance group.

Actions and Activities a: these are operations that can be executed by subjects on objects in a given context (where the context is defined hereafter). A triple is a security rule, as in traditional approaches [3]. We consider two types of operations: simple operations (read, write, update, execute, zoom-in/out) and complex operations, called activities, which combine simple actions to model a task, a process, an application, or a physical action. Examples of activities in an airport are "Redirect the airplane to another runway" or "Turn on the fire alarm protocol".

Context c: this component indicates a set of security rules that are valid in a certain situation, based on dynamic changes in the environment, including the occurrence of risks. In other words, Contexts define the operations that can be available to subjects on specific objects in an environment under certain circumstances. The security rules in each Context are defined by a policy function DefineRule(a, c), in which 'a' and 'c' are the operation and the Context, respectively. As an example, in the emergency context, the policy can be that a subject with the emergency manager role and a security clearance higher than L3 can turn on (activity) the alarms (object) whose sensitivity level is lower than S4. For this policy, for s ∈ S and o ∈ O, where S and O are the sets of all Subjects and all Objects of the environment, respectively, we can state the following rule:

R1: DefineRule(turnon, emergencyContext) ← (s.Role = "EmergencyManager") ∧ (s.SecurityClearance > "L3") ∧ (o.Group = "alarm") ∧ (o.SensitivityLevel < "S4")

Environment e: this component models the environment (e.g., the smart city, the airport) with its dynamic conditions, which affect the security decisions. Environment conditions can be the time of the day, the geo-spatial data, the type of activities executed therein, and the values of monitored data, which might come from different sources or sensors located in the environment.

Risk r / Emergency em: the monitored environment conditions, which change dynamically, can cause the occurrence of some risks/emergencies. A risk/emergency situation is recognized based on parameters such as type, level, and location, which determine how to adapt the security rules to handle the risk/emergency.

(1) Clearance is used here to denote a level, with no relationship with the levels of the MAC policies.
Event ev: changes in the environment, monitored through different devices, trigger events that in turn activate/deactivate contexts that modify the security rules. In particular, under the ABAC paradigm, the attributes of subjects and objects can be modified to reflect the security changes that have to be adopted. Thus, events play a key role in the dynamic adaptation of the security decision in response to changes in the environment. These components are shown in the class diagram of Figure 1. The attributes of ABAC Subjects and Objects are listed as attributes in the Subject and Object classes. The Environment class monitors the conditions; it can trigger events that activate/deactivate Contexts and make changes to the subject/object attributes. Hence, adaptivity is obtained through the Context, with the Environment knowledge driving the security rules that apply in a given dynamic situation. In this model, subject attributes (SA) and object attributes (OA) are assigned by an authoritative subject or by a group of subjects that collaborate and balance one another's decisions/control. These subjects can typically be individuals whose level of trust in the system is high and/or whose role in the operation or safety of resources is crucial. The parameters that can be used to assign the role of authoritative subject, as well as the methodology for doing so, are beyond the scope of this research. However, we assume that such individuals exist in our system and that such subject(s) are able to create or assign specific attributes to other subjects and/or objects that, to some level, control their access in the system and indirectly their actions.
Figure 1. Modeling the Security Model Components
V.
ADAPTIVITY
Permissions related to access control are associated with a security policy, which determines whether a subject can perform an operation on a certain object in a certain context by comparing the necessary attributes of the subject and object with the security rules that belong to the Context. In order to create a dynamic security model that adjusts according to the environment, some basic subject/object attribute assignment must be done beforehand, so as to provide the basic structure over which adaptive rules can be formulated during system operation, and in a way such that unwanted conflicts are avoided. Events tend to fit the profile of a risk or emergency, which are unpredictable and thus require the assignment of security rules to be carried out dynamically as soon as the incident is identified. Specific events due to some conditions activate/deactivate Contexts, as depicted in Figure 2. Activation/deactivation of Contexts adaptively determines which security rules apply at a given moment according to the event(s) detected in the environment. There can be multiple rules per context, and different contexts can share the same rules. Each context activation should enable the corresponding security rules. Note that there could be scenarios where there is a need to deactivate, for example, Context C3 and activate Context C2. This security transition could logically pose security and safety breaches when the rules in C3 that are not in C2 conflict with the rules in C2 that are not in C3. More specifically, the rules in C3 \ C2 (those in C3 but not in C2) conflict with the rules in C2 \ C3 (those in C2 but not in C3). This conflict can be avoided either by preventing the transition from Context C3 to C2 or by dynamically adjusting the rules in C2 to take into account the history of previous Context activations. This is a complex topic in itself, as it requires the creation of a framework with metrics that quantify security risks and dynamically adjust the transition methodology. Thus, this topic is part of our future investigation. In this paper, we assume that such conflicts do not exist or, if they exist, that the decision is to prevent the activation of the next Context.
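As an added worked example (not code from the paper), the following Python implements the Section IV components (Subject and Object security attributes, Contexts with DefineRule and rule R1), the "fire" ECA meta rule that Section V defines with its Activate/Deactivate/ChangeAttr actions, and the CheckAccess policy function evaluated over the active contexts database. The EmergencyManager subject, the Alarm1 object and the Flight Context rule are constructed assumptions, not elements of the paper.

```python
# Added worked example (not code from the paper): Section IV components (subjects,
# objects, Contexts, rule R1), the Section V ECA meta rule, and CheckAccess.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


def level(tag: str) -> int:
    """Index n of a clearance 'Ln' or sensitivity 'Sn' (paper: n in N, higher = more)."""
    return int(tag[1:])


@dataclass
class Subject:  # security attributes (SA) only; general/geo attributes omitted
    id: str
    roles: List[str]
    groups: List[str]
    securityClearance: str


@dataclass
class Obj:  # security attributes (OA) of a resource such as a camera or an alarm
    id: str
    group: str
    sensitivityLevel: str
    timeRestriction: str = "none"


Rule = Callable[[Subject, Obj], bool]  # a security rule is a predicate over (s, o)


@dataclass
class Context:
    name: str
    rules: Dict[str, List[Rule]] = field(default_factory=dict)  # operation -> rules

    def define_rule(self, action: str, rule: Rule) -> None:
        """DefineRule(a, c): attach a rule for operation a to this Context c."""
        self.rules.setdefault(action, []).append(rule)


class Policy:
    def __init__(self, contexts: List[Context], active: Set[str]) -> None:
        self.contexts = {c.name: c for c in contexts}
        self.active = set(active)  # active contexts database (Figure 4a)

    def check_access(self, s: Subject, a: str, o: Obj, c: str) -> bool:
        """CheckAccess(s, a, o, c): allow iff c is active and one of its rules for a holds."""
        if c not in self.active:
            return False
        return any(rule(s, o) for rule in self.contexts[c].rules.get(a, []))

    def fire_meta_rule(self, event: str, em: dict, env: dict,
                       subjects: List[Subject], objects: List[Obj]) -> bool:
        """Section V ECA statement: Event 'fire', Conditions on em and e, Actions."""
        if event != "fire" or not (em["Type"] == "explosion" and em["Level"] == "high"
                                   and env["TimeOfDay"] == "AfterOfficeHours"):
            return False
        self.active.add("EmergencyContext")    # Activate {EmergencyContext}
        self.active.discard("FlightContext")   # Deactivate {FlightContext}
        for s in subjects:                     # ChangeAttr(s.SecurityClearance, Role RiskManager, L7)
            if "RiskManager" in s.roles:
                s.securityClearance = "L7"
        for o in objects:                      # ChangeAttr(o.TimeRestriction, OfficeHours, none)
            if o.timeRestriction == "OfficeHours":
                o.timeRestriction = "none"
        return True


def build_policy() -> Policy:
    emergency = Context("EmergencyContext")
    # R1: EmergencyManager with clearance > L3 may turn on alarms of sensitivity < S4
    emergency.define_rule("turnon", lambda s, o: "EmergencyManager" in s.roles
                          and level(s.securityClearance) > level("L3")
                          and o.group == "alarm" and level(o.sensitivityLevel) < level("S4"))
    flight = Context("FlightContext")  # constructed rule for the Flight Context
    flight.define_rule("read", lambda s, o: "Flight" in s.groups and o.group == "schedule")
    return Policy([emergency, flight], active={"FlightContext"})


def run_scenario() -> Dict[str, bool]:
    """Constructed airport scenario: decisions before and after the fire event."""
    policy = build_policy()
    em1 = Subject("EM1ID", ["EmergencyManager", "RiskManager"], ["Emergency"], "L2")
    alarm1 = Obj("Alarm1ID", "alarm", "S3", "OfficeHours")
    camera1 = Obj("Camera1ID", "surveillance", "S4", "OfficeHours")  # Camera1 of Section IV
    out = {"turnon_before": policy.check_access(em1, "turnon", alarm1, "EmergencyContext")}
    out["fired"] = policy.fire_meta_rule("fire", {"Type": "explosion", "Level": "high"},
                                         {"TimeOfDay": "AfterOfficeHours"}, [em1], [alarm1, camera1])
    out["turnon_after"] = policy.check_access(em1, "turnon", alarm1, "EmergencyContext")
    out["camera_after"] = policy.check_access(em1, "turnon", camera1, "EmergencyContext")
    out["flight_after"] = policy.check_access(em1, "read", alarm1, "FlightContext")
    out["restriction_lifted"] = alarm1.timeRestriction == "none"
    return out
```

Before the event the Emergency Context is inactive, so R1 cannot grant anything; after the meta rule fires, the context is active and the raised clearance (L7) lets the subject turn on Alarm1 but not Camera1, while the deactivated Flight Context denies its rules.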
Figure 2. Environment and contexts

For the purpose of handling the dynamic adaptation of the security decisions based on the events recognized in the environment, we define policies and security rules at two levels, as shown in Figure 3, where Administrative/Meta Rules express the policies and Security Rules express the privileges holding between subject/object attributes. Events are handled by Administrative/Meta Rules according to the ECA (Event-Condition-Action) [14] paradigm. An ECA rule indicates that, in case of an event, if the condition holds, then certain action(s) should take place. Note that the "action" here, as in the ECA paradigm, is different from the "actions" defined in our model (denoting the privileges). The "action" here is the activation/deactivation of certain context(s) and/or the modification of the attributes of subjects/objects by the function ChangeAttr(attribute, subject/object, value). To activate/deactivate contexts dynamically, the meta rules include context selection rules that are pre-defined (statically, at design time) and that apply at the occurrence of events (dynamically, at run time), modifying the contents at the security rule level.

Figure 3. Administrative/Meta rules determining activation/deactivation of Contexts and hence of security rules

To clarify, let us set an example. Suppose that at the meta level we have the following ECA statement:

Event: 'fire'
Conditions: (em.Type: 'explosion') ∧ (em.Level: 'high') ∧ (e.TimeOfDay: 'AfterOfficeHours')
Actions: Activate {EmergencyContext}, Deactivate {FlightContext}, ChangeAttr(s.SecurityClearance, s.Role: 'RiskManager', 'L7'), ChangeAttr(o.TimeRestriction, o.TimeRestriction: 'OfficeHour', 'none')

This indicates that, in case an event ev is triggered that indicates a fire, if the conditions hold that an emergency em of type explosion with a high level of danger is detected, and the office hours have elapsed, then the emergency context should be activated and the flight context should be deactivated (the activation and deactivation procedures are assumed to check whether the context is already activated or not). Moreover, the subject(s) s with the role of Security Manager should get the higher clearance L7, and the time restrictions should be removed from the object(s) o that had such an attribute. The procedure for the activation/deactivation of contexts is illustrated in Figure 4a. Due to some conditions, an event triggered by changes in the environment makes the context selector activate or deactivate certain contexts and update the active contexts database, which contains the contexts that are currently active. Considering S, O, A, and C as the sets of all subjects, objects, actions/activities (operations), and contexts, respectively, we are now able to define a policy model based on ABAC. Regarding a single subject s ∈ S, object o ∈ O, action/activity a ∈ A, and context c ∈ C, a policy rule is defined as follows:

Rule: CheckAccess(s: S, a: A, o: O, c: C)

Considering the action/activity, the attributes related to the subject and object, and the rules in the context, the function CheckAccess returns a tuple meaning that the operation a ∈ A is allowed for subject s ∈ S on object o ∈ O in context c ∈ C. If no such tuple is found, the action is denied.

The ABAC mechanism in Figure 4b is the basis of authorization management in this model. When a subject makes a request to execute an operation on an object, the Policy Enforcement Point (PEP) receives the request and sends the description of this request to the Policy Decision Point (PDP). Considering the subject and object attributes and the active contexts, the PDP makes the authorization decision and sends the result back to the PEP. Then, the PEP enforces the decision on the object.

Figure 4. a) Dynamic activation/deactivation of contexts by triggered events; b) Attribute based access control mechanism

VI.
CONCLUSIONS AND FUTURE WORKS
This paper presented the design principles for dynamic security modeling taking into account environmental risks. We motivate our work based on a smart environment scenario (airport) that requires environment information to be integrated into the security decision process. Based on the ABAC paradigm, we have proposed extensions that focus on making our access model more dynamic and adaptive. To facilitate this adaptivity, we introduced the notion of Context to dynamically authorize subjects to access data and physical objects (resources) based on the activation of security rules. We have presented the overall framework of our model and the inner workings of its operation. As future work, we intend to focus on the topics of binding environmental and spatial information, on the dynamics of assigning authoritative roles to administrators, and on ways to handle conflicting Context switching. We are working towards the inclusion of this security model in the Risk Management Tool simulator developed for risk management and described in [3], based on Matlab and on a web application deployment environment.

ACKNOWLEDGMENTS
We acknowledge the Tekne and Industria 2015 Projects of the Italian MIUR for support to this research. We thank Filippo Ramoni and Claudia Raibulet for their work on risk modeling and simulation.

REFERENCES
[1] H. Chourabi, T. Nam, S. Walker, J. R. Gil-Garcia, S. Mellouli, K. Nahon and H. J. Scholl, "Understanding smart cities: An integrative framework," in the 45th Hawaii International Conference on System Science (HICSS), 2012.
[2] M. René, H. R. Schmidtke and S. Sigg, "Security and trust in context-aware applications," in Personal and Ubiquitous Computing, 2014.
[3] W. Stallings and B. Lawrie, Computer Security, Pearson Education, 2008.
[4] M. Fugini, C. Raibulet and L. Ubezio, "Risk assessment in work environments: modeling and simulation," Concurrency and Computation: Practice and Experience, vol. 24, no. 18, pp. 2381-2403, 2012.
[5] K. Smith, Environmental hazards: assessing risk and reducing disaster, Routledge, 2013.
[6] G. S. Li, "Research on security mechanism of sharing system based on geographic information service," in the International Conference on Information Engineering and Applications (IEA), 2013.
[7] J. Tompson and S. W. Kennedy, "Where exactly is the target market? Using geographic information systems for locating potential customers of a small business," Entrepreneurial Practice Review, vol. 2, no. 4, 2013.
[8] R. H. Weber, "Internet of Things – New security and privacy challenges," Computer Law & Security Review, vol. 26, no. 1, pp. 23-30, 2010.
[9] R. M. Savola and A. Habtamu, "Metrics-driven security objective decomposition for an e-health application with adaptive security management," in Proceedings of the International Workshop on Adaptive Security, 2013.
[10] V. C. Hu, D. Ferraiolo, R. Kuhn, A. Schnitzer, K. Sandlin, R. Miller and K. Scarfone, "Guide to Attribute Based Access Control (ABAC) definition and considerations," NIST Special Publication 800-162, 2014.
[11] X. Jin, R. Krishnan and R. Sandhu, "A unified attribute-based access control model covering DAC, MAC and RBAC," in Data and Applications Security and Privacy XXVI, 2012.
[12] R. Sandhu, "The authorization leap from rights to attributes: maturation or chaos?," in the 17th ACM Symposium on Access Control Models and Technologies, 2012.
[13] M. L. Damiani, E. Bertino, B. Catania and P. Perlasca, "GeoRBAC: A spatially aware RBAC," Transactions on Information and System Security (TISSEC), vol. 10, no. 1, p. 2, 2007.
[14] M. Y. Wu, C. K. Ke and J. S. Liu, "Active Role-based Access Control Model with Event-Condition-Action Rule and Case-Based Reasoning," Journal of Convergence Information Technology, vol. 6, no. 4, 2011.