Context-enhanced Authorization
GOVCERT symposium
16 November 2011

Martijn Oostdijk
Authorization & Context?

Problem:
• Authorization is important
• Authorization is not dynamic enough

Drivers (problem side):
• GRC
• Insider fraud
• Nomadic working ("HNW")

Solution:
• Context
• ABAC (Attribute Based Access Control)

Drivers (solution side):
• Mobile
• Cloud

2   Context-enhanced Authorization
Context-enhanced Authz

    • Research project within SII TOP programme
    • Goal: assess feasibility of context-enhanced
      authorization w/ focus on employees
    • Method: through desktop research, use cases,
      and a demonstrator
    • Novay, together with a big Dutch bank, and IBM
Context
Context

    For example:
    - Time of day
    - Location (Geo-IP, office network)
    - Location (GPS)
    - Proximity
    - Device (PC vs mobile, BYOD)
    - Relation to other users (social?)
    - Authentication level
    - …
Context domains (figure):

    Environment:   weather, air pollution
    Physiological: heart rate, skin, voice
    Social:        people nearby, behaviour, friends, Twitter activities
    Location:      long/lat, proximity, country/city, @home/@work
    Time:          office hours, lunch time, between points in time
    Mental:        happy, scared, sad, stressed
    Network:       IP address, VPN, LAN, WiFi or 3G
    Device:        type, ownership (BYO), OS and apps, patch status
    Activities:    working, travelling, meeting, sleeping
    Domain              Type             Source
    1. Environment      Weather          Buienradar
                        Air pollution    Weeronline.nl
    2. Physiological    Heart rate       ECG sensor
    3. Social           People nearby    Bluetooth, Google Latitude, Outlook Calendar
                        SN friends       LinkedIn, Facebook
                        Activity         Twitter
    4. Location         Long/Lat         GPS, GSM Cell-Id
                        City             GPS, Geo-IP
                        Proximity        Bluetooth, RFID/NFC
    Domain              Type                Source
    5. Time             Office hours        System time
                        Lunch time          Outlook Calendar
    6. Mental           Happy/sad           Sound sensor
                        Scared              Galvanic skin responses
                        Stressed
    7. Network          VPN or localnet     Network access gateway
                        Wireless or wired   IP address
    8. Device           Type                Device management system
                        Ownership           Device management system
    Domain              Type         Source
    9. Activity         Travelling   GPS, accelerometer
                        Meeting      Calendar, proximity sources
                        Sleeping     Heart sensor, ECG, sound

    Some observations:
    • Inter-dependencies between domains/types
    • Some inference is needed in some types
    • Most domains/types can benefit from multiple measurements
      over time
    • What characteristics determine which domains / types /
      sources are most suitable in a given scenario?
Authorization
Authorization 101

    • Authentication: who is this user?
    • Authorization: is this user supposed to be doing that?

Figure: access-control models (RBAC, MAC, ACL, DAC, ABAC, Bell-LaPadula, Multi-level) around the basic decision: Subject, Action, Object → Permit or Deny. The project builds on Attribute Based Access Control.
ABAC

    De facto standard: XACML 2.0

Figure: applications (App) call a PEP; the PEP asks the PDP, which evaluates the Policies and obtains attributes from PIPs; each PIP queries an attribute source (AP); policies are managed through the PAP.

    PDP: Policy Decision Point
    PEP: Policy Enforcement Point
    PIP: Policy Information Point
    PAP: Policy Administration Point
ABAC (demonstrator)

    De facto standard: XACML 2.0

Figure: the Banking GUI calls the Banking Service, which goes through a PEP to IBM TSPM acting as PDP with the Policies; the PDP obtains context through PIPs from a Context Server and from an AP; policies are managed through the PAP GUI.
PAP (in TIP)
Context – AuthZ levels
     • All
           • @office, proximity, IT-dept. managed laptop
     • A lot
           • @home, proximity, IT-dept. managed laptop, time in 6.00-23.00
     • Some
           • @office, user managed (but registered) iPad, agenda, time in 6.00-23.00
           • IT-dept. managed laptop, proximity, agenda, time in 6.00-23.00
     • A little
           • Proximity, registered device
     • Nothing
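The PEP → PDP → PIP flow of the ABAC slides and the context-to-level mapping of the slide above, as an added worked example in Python. This is not code from the slides, the demonstrator, or IBM TSPM: the attribute names (location, proximity, device.management, …), the PIP callables, the sample context data, and the ordering of the five levels are assumptions made for the illustration.

```python
"""Added example (not from the slides): a minimal XACML-style ABAC
decision flow (PEP -> PDP -> PIP) encoding the context -> authz-level
mapping of slide 19. Attribute names, sample data and level ordering
are assumptions made for this illustration."""
from dataclasses import dataclass, field
from datetime import time
from typing import Any, Callable, Dict, Tuple

# Ordered from least to most access: the slide's five levels.
LEVELS = ["nothing", "a little", "some", "a lot", "all"]


@dataclass
class Request:
    """What a PEP sends to the PDP: subject/action/resource plus any
    context it already knows. Missing context is fetched from PIPs."""
    subject: str
    action: str
    resource: str
    attrs: Dict[str, Any] = field(default_factory=dict)


# A PIP is a callable that resolves one attribute name for a request.
PIP = Callable[[Request], Any]


class PDP:
    def __init__(self, pips: Dict[str, PIP]):
        self.pips = pips

    def attr(self, req: Request, name: str) -> Any:
        # Lazy resolution, cached on the request for this evaluation.
        if name not in req.attrs:
            req.attrs[name] = self.pips[name](req) if name in self.pips else None
        return req.attrs[name]

    def level(self, req: Request) -> str:
        """First-applicable rule evaluation; rules mirror slide 19."""
        a = lambda n: self.attr(req, n)
        t = a("time")
        in_hours = t is not None and time(6, 0) <= t <= time(23, 0)
        managed = a("device.management") == "it-dept"
        registered = a("device.registered") is True
        if a("location") == "office" and a("proximity") and managed:
            return "all"
        if a("location") == "home" and a("proximity") and managed and in_hours:
            return "a lot"
        if (a("location") == "office" and a("device.type") == "ipad"
                and a("device.management") == "user" and registered
                and a("agenda") and in_hours):
            return "some"
        if managed and a("proximity") and a("agenda") and in_hours:
            return "some"
        if a("proximity") and registered:
            return "a little"
        return "nothing"

    def decide(self, req: Request, required: str) -> str:
        """XACML-style result: Permit if the granted level covers the
        level the resource requires, otherwise Deny."""
        granted = self.level(req)
        return "Permit" if LEVELS.index(granted) >= LEVELS.index(required) else "Deny"


# Constructed sample "context server" data keyed by subject; real PIPs
# would query the network gateway, device management system, calendar.
CONTEXT = {
    "alice": {"location": "office", "proximity": True, "device.management": "it-dept",
              "device.registered": True, "device.type": "laptop", "agenda": True,
              "time": time(10, 30)},
    "bob":   {"location": "home", "proximity": True, "device.management": "it-dept",
              "device.registered": True, "device.type": "laptop", "agenda": False,
              "time": time(2, 15)},
    "carol": {"location": "office", "proximity": True, "device.management": "user",
              "device.registered": True, "device.type": "ipad", "agenda": True,
              "time": time(12, 0)},
}


def make_pdp() -> PDP:
    names = ["location", "proximity", "device.management", "device.registered",
             "device.type", "agenda", "time"]
    return PDP({n: (lambda req, n=n: CONTEXT[req.subject].get(n)) for n in names})


def evaluate(subject: str, action: str, resource: str, required: str) -> Tuple[str, str]:
    """Returns (granted level, Permit/Deny) for one access request."""
    pdp = make_pdp()
    req = Request(subject, action, resource)
    return pdp.level(req), pdp.decide(req, required)


if __name__ == "__main__":
    for who in CONTEXT:
        print(who, evaluate(who, "transfer", "payments", "a lot"))
```

Bob's request is evaluated at 02:15, so the "@home" rule fails on the time window and he falls through to "a little": the rules are ordered most-specific first, and a context change (time, device, location) moves the user down the ladder without any change to the subject's identity or roles.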
Use-cases

     • Finer grained access to
       application with “hit-n-run”
       functionality
     • Data loss prevention when
       traveling
     • More flexible authentication
Challenges

     •   Adoption in applications
     •   Architectural choices
     •   Authenticity of context
     •   Complexity of policies
     •   Lack of standards for context management
     •   Linking context to user identities
     •   Privacy consequences
     •   Quality of context
     •   Scalability and performance
     •   …
Authenticity of context

     • Can we trust the source?
        • Depends on the precise scenario
        • and on the technology
        • and on who controls the source
        • Some sources are more trustworthy than others

     • Just fuse with more context sources?
        • Multi-factor context is harder for an attacker to fake
        • But also harder to understand
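The two points above, who controls the source and fusing several sources, as an added example in Python (not code from the slides or the demonstrator). It weights sources by who controls them, cross-checks readings of the same context type against each other, and uses successive location measurements over time as an impossible-travel check. The source names, the trust weights, the speed limit and the sample readings are assumptions constructed for the illustration.

```python
"""Added example (not from the slides): fusing several context sources
with different trust, and cross-checking them, to estimate how far the
fused context can be trusted. Source names, trust weights and sample
readings are assumptions constructed for this illustration."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple


@dataclass
class Reading:
    source: str      # e.g. "gps", "geoip"
    controller: str  # who controls the source: "enterprise" or "user"
    attr: str        # the context type this reading is about
    value: object
    ts: float        # seconds since epoch


# Who controls a source matters more than the technology: a value from
# the enterprise's own network gateway is harder for the user (or an
# attacker on the user's device) to forge than phone-reported GPS.
TRUST = {"enterprise": 1.0, "user": 0.4}


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def consistent(rs: List[Reading]) -> bool:
    """Corroboration: all readings of the same attribute must agree."""
    vals = {r.attr: set() for r in rs}
    for r in rs:
        vals[r.attr].add(r.value)
    return all(len(v) == 1 for v in vals.values())


def plausible_travel(history: List[Reading], max_kmh: float = 900.0) -> bool:
    """Multiple measurements over time: successive positions must not
    imply a speed above max_kmh (impossible-travel check)."""
    pts = sorted((r for r in history if r.attr == "position"), key=lambda r: r.ts)
    for p, q in zip(pts, pts[1:]):
        dt_h = (q.ts - p.ts) / 3600.0
        if dt_h <= 0 or haversine_km(p.value, q.value) / dt_h > max_kmh:
            return False
    return True


def context_trust(current: List[Reading], history: List[Reading]) -> float:
    """Score in [0, 1]: weighted share of independently controlled
    sources, zeroed when sources contradict each other or the location
    trail is impossible. Distinct controllers count, not repeated readings."""
    if not consistent(current) or not plausible_travel(history + current):
        return 0.0
    controllers = {r.controller for r in current}
    return sum(TRUST[c] for c in controllers) / sum(TRUST.values())


# Constructed sample: country reported by user-controlled GPS and by the
# enterprise gateway's Geo-IP, plus a GPS position one hour earlier.
T0 = 1_320_000_000.0  # arbitrary epoch seconds
AMSTERDAM, NEW_YORK = (52.37, 4.90), (40.71, -74.01)


def sample_now(gps_country: str) -> List[Reading]:
    return [
        Reading("gps", "user", "country", gps_country, T0 + 3600),
        Reading("geoip", "enterprise", "country", "NL", T0 + 3600),
        Reading("gps", "user", "position", AMSTERDAM, T0 + 3600),
    ]


def sample_history(start: Tuple[float, float]) -> List[Reading]:
    return [Reading("gps", "user", "position", start, T0)]


def demo() -> dict:
    return {
        "corroborated": context_trust(sample_now("NL"), sample_history(AMSTERDAM)),
        "contradiction": context_trust(sample_now("RO"), sample_history(AMSTERDAM)),
        "impossible_travel": context_trust(sample_now("NL"), sample_history(NEW_YORK)),
        "gps_only": context_trust(sample_now("NL")[::2], sample_history(AMSTERDAM)),
    }


if __name__ == "__main__":
    for case, score in demo().items():
        print(f"{case:18s} {score:.2f}")
```

Two sources that agree score higher than either alone, but only because they are controlled by different parties; a second reading from the same user-controlled device adds nothing. A contradiction (GPS says RO, the gateway's Geo-IP says NL) or an impossible trail (New York to Amsterdam in one hour) drops the score to zero rather than averaging it away, which is the "harder to fake" property the slide is after.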
Authenticity of context

Figure, "CeA vs TM (SIEM, …)": approaches placed along a single axis, "needed trust in authenticity of context". Labels recoverable from the figure: Auth + step up; Context-enhanced Authentication; Context-enhanced Authorization (CeA); CeA + Transaction monitoring.
Scalability & performance
(Preliminary) conclusions

     • Using context information in
       authz policies
          • Some use-cases
          • Challenges in selecting the right types of
            context, in adoption, in how to deal with
            quality of context (incl. authenticity)

     • Demonstrator under construction,
       due in the next couple of weeks
25   Context-enhanced Authorization
26   Context-enhanced Authorization

Weitere ähnliche Inhalte

Was ist angesagt?

The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)marti_hearst
 
Anssivanjoki nmic 03
Anssivanjoki nmic 03Anssivanjoki nmic 03
Anssivanjoki nmic 03nilesh1111
 
Software Development Engineers Ireland
Software Development Engineers IrelandSoftware Development Engineers Ireland
Software Development Engineers IrelandSean O'Sullivan
 
Adobe MAX 2009: Design Considerations for Contextually Aware Solutions
Adobe MAX 2009: Design Considerations for Contextually Aware SolutionsAdobe MAX 2009: Design Considerations for Contextually Aware Solutions
Adobe MAX 2009: Design Considerations for Contextually Aware SolutionsAli Ivmark
 
5 Strategies For Effectively Integrating SMS, IVR and Social
5 Strategies For Effectively Integrating SMS, IVR and Social5 Strategies For Effectively Integrating SMS, IVR and Social
5 Strategies For Effectively Integrating SMS, IVR and SocialWaterfall Mobile
 
BehavioMetrics: A Big Data Approach
BehavioMetrics: A Big Data ApproachBehavioMetrics: A Big Data Approach
BehavioMetrics: A Big Data ApproachJiang Zhu
 
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...HSA Foundation
 
MobiSys Group Presentation
MobiSys Group PresentationMobiSys Group Presentation
MobiSys Group PresentationNeal Lathia
 

Was ist angesagt? (10)

The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)
 
Anssivanjoki nmic 03
Anssivanjoki nmic 03Anssivanjoki nmic 03
Anssivanjoki nmic 03
 
Software Development Engineers Ireland
Software Development Engineers IrelandSoftware Development Engineers Ireland
Software Development Engineers Ireland
 
Adobe MAX 2009: Design Considerations for Contextually Aware Solutions
Adobe MAX 2009: Design Considerations for Contextually Aware SolutionsAdobe MAX 2009: Design Considerations for Contextually Aware Solutions
Adobe MAX 2009: Design Considerations for Contextually Aware Solutions
 
Usability and Health IT
Usability and Health ITUsability and Health IT
Usability and Health IT
 
5 Strategies For Effectively Integrating SMS, IVR and Social
5 Strategies For Effectively Integrating SMS, IVR and Social5 Strategies For Effectively Integrating SMS, IVR and Social
5 Strategies For Effectively Integrating SMS, IVR and Social
 
BehavioMetrics: A Big Data Approach
BehavioMetrics: A Big Data ApproachBehavioMetrics: A Big Data Approach
BehavioMetrics: A Big Data Approach
 
10 fn s15
10 fn s1510 fn s15
10 fn s15
 
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...
ARM Techcon Keynote 2012: Sensor Integration and Improved User Experiences at...
 
MobiSys Group Presentation
MobiSys Group PresentationMobiSys Group Presentation
MobiSys Group Presentation
 

Andere mochten auch

Re-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementRe-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementMartijn Oostdijk
 
Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceSmart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceMartijn Oostdijk
 
Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging ChallengesAaron Irizarry
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesNed Potter
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with DataSeth Familian
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017Drift
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 

Andere mochten auch (7)

Re-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementRe-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity Management
 
Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceSmart Cards, ePassports, and open source
Smart Cards, ePassports, and open source
 
Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging Challenges
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and Archives
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Ähnlich wie Govcert2011 - Context-enhanced Authorization

DSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGADSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGAAndris Soroka
 
OSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOpenStorageSummit
 
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...wegdam
 
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for AuthenticationLocaid Technologies
 
Context is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next ScenarioContext is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next ScenarioClark Dodsworth
 
Vfm palo alto next generation firewall
Vfm palo alto next generation firewallVfm palo alto next generation firewall
Vfm palo alto next generation firewallvfmindia
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityPaul Morse
 
Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Damien Contreras
 
Architectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsArchitectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsRoshan Kulkarni
 
The Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and MonitoringThe Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and MonitoringCorrelsense
 

Ähnlich wie Govcert2011 - Context-enhanced Authorization (20)

Mobile testing
Mobile testingMobile testing
Mobile testing
 
DSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGADSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGA
 
OSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal Stern
 
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
 
Envision - An Overview of Solutions & Services
Envision - An Overview of Solutions & ServicesEnvision - An Overview of Solutions & Services
Envision - An Overview of Solutions & Services
 
Envision Solution & Services Overview
Envision Solution & Services Overview Envision Solution & Services Overview
Envision Solution & Services Overview
 
2008, IBM: WSN by John Dorn
2008, IBM: WSN by John Dorn2008, IBM: WSN by John Dorn
2008, IBM: WSN by John Dorn
 
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
 
Context is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next ScenarioContext is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next Scenario
 
London hug
London hugLondon hug
London hug
 
Secure Big Data Analytics - Hadoop & Intel
Secure Big Data Analytics - Hadoop & IntelSecure Big Data Analytics - Hadoop & Intel
Secure Big Data Analytics - Hadoop & Intel
 
Vfm palo alto next generation firewall
Vfm palo alto next generation firewallVfm palo alto next generation firewall
Vfm palo alto next generation firewall
 
Dragonfruit
DragonfruitDragonfruit
Dragonfruit
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud Security
 
Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3
 
The Guardian
The GuardianThe Guardian
The Guardian
 
Architectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsArchitectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud Platforms
 
Smart Santander project Jose M. Hernandez Munoz
Smart Santander project Jose M. Hernandez MunozSmart Santander project Jose M. Hernandez Munoz
Smart Santander project Jose M. Hernandez Munoz
 
The Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and MonitoringThe Essentials of Mobile App Performance Testing and Monitoring
The Essentials of Mobile App Performance Testing and Monitoring
 
Droid 4
Droid 4Droid 4
Droid 4
 

Kürzlich hochgeladen

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 

Kürzlich hochgeladen (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Govcert2011 - Context-enhanced Authorization

  • 2. Authorization & Context?
    Problem: authorization is important, but authorization is not dynamic enough.
    Drivers: GRC, insider fraud, nomadic working (“HNW”).
    Solution: context + ABAC (Attribute Based Access Control).
    Drivers: mobile, cloud.
    2 Context-enhanced Authorization
  • 3. Context-enhanced Authz
    • Research project within SII TOP programme
    • Goal: assess feasibility of context-enhanced authorization w/ focus on employees
    • Method: through desktop research, use cases, and a demonstrator
    • Novay, together with a big Dutch bank, and IBM
  • 4. Context
  • 5. Context (solution: context + ABAC). For example:
    - Time of day
    - Location (Geo IP, office network)
    - Location (GPS)
    - Proximity
    - Device (PC vs mobile, BYOD)
    - Relation to other users (social?)
    - Authentication level
    - …
  • 6. Context domains (diagram):
    Environment: weather, air pollution
    Physiological: heart rate, skin, voice
    Social: people nearby, behaviour, friends, Twitter activities
    Location: long/lat, proximity, country/city, @home/@work
    Time: office hours, lunch time, between points in time
    Mental: happy, scared, sad, stressed
    Device: type, ownership (BYO), OS and apps, patch status
    Network: IP-address, VPN, LAN, WiFi or 3G
    Activities: working, travelling, meeting, sleeping
  • 7. Domain / Type / Source (1 of 3)
    Domain            Type             Source
    1. Environment    Weather          Buienradar
                      Air pollution    Weeronline.nl
    2. Physiological  Heart rate       ECG sensor
    3. Social         People nearby    Bluetooth, Google Latitude, Outlook Calendar
                      SN friends       LinkedIn, Facebook
                      Activity         Twitter
    4. Location       Long/Lat         GPS, GSM Cell-Id
                      City             GPS, Geo-IP
                      Proximity        Bluetooth, RFID/NFC
  • 8. Domain / Type / Source (2 of 3)
    Domain            Type                 Source
    5. Time           Office hours         System time
                      Lunch time           Outlook Calendar
    6. Mental         Happy/sad            Sound sensor
                      Scared, stressed     Galvanic skin responses
    7. Network        VPN or localnet      Network access gateway
                      Wireless or wired    IP address
    8. Device         Type                 Device mngmt system
                      Ownership            Device mngmt system
  • 9. Domain / Type / Source (3 of 3)
    Domain            Type          Source
    9. Activity       Travelling    GPS, accelerometer
                      Meeting       Calendar, proximity sources
                      Sleeping      Heart sensor, ECG, sound
    Some observations:
    • Inter-dependencies between domains/types
    • Some inference is needed for some types
    • Most domains/types can benefit from multiple measurements over time
    • What characteristics determine which domains / types / sources are most suitable in a given scenario?
  • 10. Authorization
  • 11. Authorization 101
    • Authentication: who is this user?
    • Authorization: is this user supposed to be doing that?
    Access control models (diagram): ACL, DAC, MAC (Bell-LaPadula, multi-level), RBAC, ABAC.
    ABAC (Attribute Based Access Control): Subject, Action, Object -> Permit or Deny
  • 12. ABAC (solution: context + ABAC)
    De facto standard: XACML 2.0
    Components (diagram): App with PEP (Policy Enforcement Point); PDP (Policy Decision Point) with Policies; PIPs (Policy Information Points); PAP (Policy Administration Point).
  • 13. ABAC in the demonstrator
    De facto standard: XACML 2.0
    Banking Service (GUI) with PEP; PDP, Policies and PAP in IBM TSPM; Context Server as PIP; PAP GUI.
  • 14. PAP (in TIP)
  • 19. Context – AuthZ levels
    • All: @office, proximity, IT-dept. mngd laptop
    • A lot: @home, proximity, IT-dept. mngd laptop, time in 6.00-23.00
    • Some: @office, user mngd (but registered) iPad, agenda, time in 6.00-23.00
    • Some: IT-dept. mngd laptop, proximity, agenda, time in 6.00-23.00
    • A little: proximity, registered device
    • Nothing
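How a PDP could evaluate the level table of slide 19, as an added illustration that is not code from the deck or the demonstrator: PIP-supplied attributes (field names and values are assumptions) are mapped to the five levels, and a PEP's request is answered Permit or Deny by comparing the required level with the granted one.

```python
from dataclasses import dataclass

# Hypothetical context record: the attributes a PDP would obtain from PIPs
# (location from the network access gateway, proximity from Bluetooth/NFC,
# device state from the device management system, agenda from the calendar,
# clock from system time). Field names and values are assumptions.
@dataclass
class Context:
    location: str    # "office", "home" or "other"
    proximity: bool  # trusted proximity signal present
    device: str      # "it_managed", "registered" (user-managed, e.g. iPad) or "unknown"
    agenda_ok: bool  # calendar confirms the planned activity
    clock: str       # local time as zero-padded "HH:MM"

LEVELS = ["nothing", "a little", "some", "a lot", "all"]

def in_hours(hhmm: str) -> bool:
    """The 6.00-23.00 window used by the 'a lot' and 'some' rules;
    zero-padded HH:MM strings compare correctly as text."""
    return "06:00" <= hhmm <= "23:00"

def authz_level(c: Context) -> str:
    """Map a context to the access level of slide 19. Rules are tested from
    most to least permissive, so the first match wins and 'nothing' is the
    default for any context no rule covers."""
    hours = in_hours(c.clock)
    if c.location == "office" and c.proximity and c.device == "it_managed":
        return "all"
    if c.location == "home" and c.proximity and c.device == "it_managed" and hours:
        return "a lot"
    if c.location == "office" and c.device == "registered" and c.agenda_ok and hours:
        return "some"
    if c.device == "it_managed" and c.proximity and c.agenda_ok and hours:
        return "some"
    if c.proximity and c.device in ("it_managed", "registered"):
        return "a little"
    return "nothing"

def decide(required: str, c: Context) -> str:
    """PDP-style answer for a PEP: Permit if the context grants at least
    the level the requested action needs, otherwise Deny."""
    return "Permit" if LEVELS.index(authz_level(c)) >= LEVELS.index(required) else "Deny"

if __name__ == "__main__":
    # Constructed sample: managed laptop at home with proximity, but late at night.
    ctx = Context("home", True, "it_managed", False, "23:30")
    print(authz_level(ctx), decide("some", ctx))  # a little Deny
```

Note how the same laptop and proximity signal drop from "a lot" to "a little" purely because the clock attribute falls outside the window, which is the dynamic behaviour the deck is after.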
  • 20. Use-cases
    • Finer grained access to applications with “hit-n-run” functionality
    • Data loss prevention when traveling
    • More flexible authentication
  • 21. Challenges
    • Adoption in applications
    • Architectural choices
    • Authenticity of context
    • Complexity of policies
    • Lack of standards for context management
    • Linking context to user identities
    • Privacy consequences
    • Quality of context
    • Scalability and performance
    • …
  • 22. Authenticity of context
    • Can we trust the source?
      • Depends on the precise scenario, on technology, and on who controls the source
      • Some sources are more trustworthy than others
    • Just fuse with more context sources?
      • Multi-factor context is harder for an attacker to fake
      • But also harder to understand
  • 23. Authenticity of context: CeA vs TM (SIEM, …)
    Chart comparing approaches by the trust needed in the authenticity of context. Recoverable axis labels: Transaction monitoring, Authentication + step-up, Context-enhanced Authorization (CeA), and combinations with CeA.
  • 24. Scalability & performance
  • 25. (Preliminary) conclusions
    • Using context information in authz policies
    • Some use-cases
    • Challenges in selecting the right types of context, in adoption, and in how to deal with quality of context (incl. authenticity)
    • Demonstrator under construction, due in the next couple of weeks