Context-enhanced Authorization
Using XACML to implement context-enhanced authorizations
Martijn Oostdijk, Novay
ISSE 2012, Brussels
Novay
    • Research & advisory organization (formerly known as: Telematica Instituut)
    • Multi-disciplinary, ~50 researchers/advisors
    • Innovation projects (gov, financial, health)

Martijn Oostdijk
    • Senior Advisor: Identity, Privacy, Trust
    • PhD comp. sci., Eindhoven Univ. Tech.
    • CV: Radboud Univ., Riscure, Novay
2
centralization authz
    + nomadic working
    + authz for the cloud
    + extended enterprise
    + XACML standard
    + (insider) attacks
    + mobile/context

Context-enhanced Authorization
Research project with IBM and Rabobank
3
Context-enhanced authz

    • XACML PoC at a large Dutch bank
    • Context = location and more
    • DYNAMIC!! Policies
    • Usefulness through use cases +
      feasibility study through demonstrator
    • Scope: employees



4   Context-enhanced Authorization
CEA – the movie

    • 2:40




5   Context-enhanced Authorization
This presentation is NOT:

    • Introduction to Attribute based AC
    • Introduction to XACML standard

    So that there’s more time for:
    • Context-enhanced authorization
    • Use case + demonstrator
    • Lessons learned
6   Context-enhanced Authorization
Authorization & Context?
    (Attribute Based Access Control)

    PoC
    • Use cases
    • Demonstrator

7     Context-enhanced Authorization
Context domains
    • Environment: weather, air pollution
    • Physiological: heart rate, skin, voice
    • Social: people nearby, behaviour, friends, Twitter activities
    • Location: long/lat, proximity, country/city, @home/@work
    • Time: office hours, lunch time, between points in time
    • Mental: happy, scared, sad, stressed
    • Network: IP address, VPN, LAN, WiFi or 3G
    • Device: type, ownership (BYO), OS and apps, patch status
    • Activities: working, travelling, meeting, sleeping
Domain              Type                  Source
1. Environment      Weather               Buienradar
                    Air pollution         Weeronline.nl
                    Security incidents    SIEM
2. Physiological    Heart rate            ECG sensor, Camera
                    Respiratory rate      Camera
                    Blood pressure        BP meter (cuff)
3. Social           People nearby         Bluetooth, Google Latitude, Outlook Calendar
                    SN Friends            LinkedIn, Facebook
                    Activity              Twitter
4. Location         Long/Lat              GPS, GSM Cell-Id
                    City                  GPS, Geo-IP
                    Proximity             Bluetooth, RFID/NFC

 10              Context-enhanced Authorization
Domain              Type                  Source
5. Time             Office hours          System time
                    Lunch time            Outlook Calendar
6. Mental           Happy/sad             Sound sensor
                    Scared                Galvanic skin responses
                    Stressed
7. Network          VPN or localnet       Network access gateway
                    Wireless or Wired     IP address
8. Device           Type                  Device mngmt system
                    Ownership             Device mngmt system

 11          Context-enhanced Authorization
Domain              Type                  Source
9. Activity         Travelling            GPS, accelerometer
                    Meeting               Calendar, Proximity sources
                    Sleeping              Heart sensor, ECG, sound




         Some observations:
         • Inter-dependencies between domains/types
         • Some inference is needed in some types
         • Most domains/types can benefit from multiple measurements
           over time
         • What characteristics determine which domains / types /
           sources are most suitable in a given scenario?


 12           Context-enhanced Authorization
Use-cases – a high level …
     • Finer grained access to application
       with “hit-n-run” functionality
     • Data loss prevention when traveling
     • More flexible authentication

      Simple context sources


13    Context-enhanced Authorization
Demonstrator
     • Context sources: Proximity dongle, NFC reader, Google Latitude,
       Outlook, Google Calendar, Device Mgmt
     • User side: Context client
     • Context server (collects the context sources)
     • Application side: Policy Engine
     • Policies, incl. context variables

14         Context-enhanced Authorization
Context

     •   Location, location, location
     •   Stuff derived from location
     •   Type of device (BYOD, enterprise mobility etc.)
     •   Type of network (VPN/local, AP, browser, OS)
     •   Time-of-day
     •   And, of course, normal usage patterns
     •   Please note: context is just another attribute for
         XACML, but then dynamic




23   Context-enhanced Authorization
Authenticity of context
     • Can we trust the source? ("Trust me!")
       • Depends on the precise scenario
       • and on technology
       • and on who controls the source
       • Some sources are more trustworthy than others
     • Why not just fuse with more context sources?
       • Multi-factor context, harder to fake for an attacker
       • But also harder to understand and base policies on
     • How to react to incidents?
24       Context-enhanced Authorization
Authenticity of context
     CeA vs TM (SIEM, …):
     (figure: needed trust in authenticity of context)

25             Context-enhanced Authorization
Quality of context

     • Sources might provide incorrect data (with
       certain probability)
     • Sources have limited accuracy (resolution,
       precision, granularity)
     • Sources deliver data with certain delay
     • Data will have a temporal relevancy
     • Some sensors require user to carry (and not
       forget) mobile device
     …

26   Context-enhanced Authorization
Adoption in applications

     • XACML-izing applications
           • SOA-oriented applications: easy
           • Making apps ready for externalization of authz

     • (Stable versions of) XACML have
       been around since before 2006
     • “Move to cloud” as driver?
           • Alternatives: provision authz attributes,
             proprietary authorization APIs

27   Context-enhanced Authorization
Privacy consequences

     • Acceptance
           • Trade-off between privacy and usability (or
             security?)

     • Measure only relevant context
           • Relevant for (what?) purpose
           • Degrade information (latency, accuracy)
           • User control (and transparency), sensors are
             in mobile
           • Assumes (some) trust in CM system

28   Context-enhanced Authorization
Complexity of policies

     • Policies with many different
       context variables
          • Express policies with respect to “raw” context
            (e.g. long/lat) versus more abstract notions
            (e.g. @home, @work)




29   Context-enhanced Authorization
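The "quality of context" and "raw versus abstract context" points above, worked as an added example (not code from the slides or the bank pilot): a small Python evaluator in the shape of an XACML PDP that first lifts a raw location fix into @work, @elsewhere or unknown, refusing to decide when the fix is stale or too coarse, and then combines two context-dependent rules deny-overrides. The office coordinates, thresholds, attribute names and both rules are constructed assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
# XACML 3.0 attribute categories; a request groups its attributes by these.
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
# Constructed for this example: a hypothetical office position, the radius
# around it that still counts as "@work", and how old a fix may be.
OFFICE_LAT_LON = (52.2215, 6.8937)
WORK_RADIUS_M = 150.0
MAX_FIX_AGE = timedelta(minutes=5)  # temporal relevancy of a location fix


@dataclass
class LocationFix:
    """One raw long/lat measurement plus the quality metadata of its source."""
    lat: float
    lon: float
    accuracy_m: float      # error radius reported by the source (GPS, Geo-IP, ...)
    observed_at: datetime  # when the source took the measurement


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000.0 * math.asin(math.sqrt(h))


def derive_location(fix, now):
    """Lift raw long/lat into the abstract notion the policy speaks: '@work',
    '@elsewhere', or 'unknown' when the fix is stale or too coarse to decide."""
    if now - fix.observed_at > MAX_FIX_AGE:
        return "unknown"  # stale: no longer temporally relevant
    d = haversine_m((fix.lat, fix.lon), OFFICE_LAT_LON)
    if d + fix.accuracy_m <= WORK_RADIUS_M:
        return "@work"  # whole error circle inside the office radius
    if d - fix.accuracy_m > WORK_RADIUS_M:
        return "@elsewhere"  # whole error circle outside it
    return "unknown"  # error circle straddles the boundary


def build_request(role, resource_id, action_id, fix, device_ownership, network, now):
    """XACML-style request: the environment category carries the dynamic context
    attributes, already abstracted so that rules never see raw long/lat."""
    return {SUBJ: {"role": role},
            RES: {"resource-id": resource_id},
            ACT: {"action-id": action_id},
            ENV: {"location": derive_location(fix, now),
                  "device-ownership": device_ownership,  # "enterprise" or "byod"
                  "network": network,                    # "LAN", "VPN" or "internet"
                  "office-hours": 8 <= now.hour < 18}}


def export_only_at_work(req):
    """Deny rule (data loss prevention when travelling): export is denied unless
    the location is positively @work; an 'unknown' location fails closed."""
    return req[ACT]["action-id"] == "export" and req[ENV]["location"] != "@work"


def advisor_read_in_context(req):
    """Permit rule (finer grained access): an advisor may read a customer file in
    office hours from the LAN while @work, or from an enterprise device on VPN."""
    env = req[ENV]
    if req[SUBJ]["role"] != "advisor" or req[ACT]["action-id"] != "read":
        return False
    if req[RES]["resource-id"] != "customer-file" or not env["office-hours"]:
        return False
    on_site = env["location"] == "@work" and env["network"] == "LAN"
    remote = env["device-ownership"] == "enterprise" and env["network"] == "VPN"
    return on_site or remote


# Constructed policy: (rule id, effect, condition); a rule applies when its condition holds.
POLICY = [("dlp-export", DENY, export_only_at_work),
          ("advisor-read", PERMIT, advisor_read_in_context)]


def evaluate(req, policy=POLICY):
    """Simplified deny-overrides combining: any applicable Deny wins, then any
    Permit; otherwise NotApplicable, which the enforcement point treats as deny."""
    effects = [effect for _, effect, cond in policy if cond(req)]
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE


def demo():
    """Constructed scenarios; returns {name: (abstract location, decision)}."""
    now = datetime(2012, 10, 23, 10, 30)  # constructed: inside office hours
    fresh = LocationFix(52.2215, 6.8937, 20.0, now - timedelta(seconds=30))
    coarse = LocationFix(52.2215, 6.8937, 500.0, now - timedelta(seconds=30))
    stale = LocationFix(52.2215, 6.8937, 20.0, now - timedelta(minutes=12))
    cases = {"read-at-work-lan": (fresh, "enterprise", "LAN", "read"),
             "read-coarse-fix-lan": (coarse, "enterprise", "LAN", "read"),
             "export-stale-fix-vpn": (stale, "enterprise", "VPN", "export"),
             "read-byod-vpn": (fresh, "byod", "VPN", "read")}
    reqs = {n: build_request("advisor", "customer-file", a, f, o, net, now)
            for n, (f, o, net, a) in cases.items()}
    return {n: (r[ENV]["location"], evaluate(r)) for n, r in reqs.items()}
```

Note how the Geo-IP-grade fix (500 m accuracy) and the 12-minute-old fix both collapse to "unknown", so the deny rule fires and the permit rule does not; that is the quality-of-context trade-off the slides describe, made explicit in the policy rather than hidden in the sensor.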
Scalability & performance




30   Context-enhanced Authorization
Key take-aways

Yes it’s useful, yes it’s feasible

Context is mostly location, KIS

But w.r.t. context:
authenticity, quality & privacy

But w.r.t. dyn attributes / XACML:
complexity of policies & scalability
More Information
     http://www.novay.nl/digital-identity
     martijn.oostdijk@novay.nl

     http://linkedin.com/in/martijno



     This presentation was supported by the Dutch national
     program COMMIT (project P7 SWELL)




32   Context-enhanced Authorization

Weitere ähnliche Inhalte

Was ist angesagt?

Developing a Product Behaviour Framework: Mobile Insights lead to Product Use...
Developing a Product Behaviour Framework: Mobile Insights lead to Product Use...Developing a Product Behaviour Framework: Mobile Insights lead to Product Use...
Developing a Product Behaviour Framework: Mobile Insights lead to Product Use...Merlien Institute
 
The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)marti_hearst
 
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...wegdam
 
Privacy is a Myth TCC 2_12065
Privacy is a Myth TCC 2_12065 Privacy is a Myth TCC 2_12065
Privacy is a Myth TCC 2_12065 Cynthia Calongne
 
QR codes and the mobile web
QR codes and the mobile webQR codes and the mobile web
QR codes and the mobile webSophie McDonald
 
A Context Aware Mobile Social Web
A Context Aware Mobile Social WebA Context Aware Mobile Social Web
A Context Aware Mobile Social Webwasvel
 
3D context-aware mobile maps for tourism - ENTER2011 PhD Workshop
3D context-aware mobile maps for tourism - ENTER2011 PhD Workshop3D context-aware mobile maps for tourism - ENTER2011 PhD Workshop
3D context-aware mobile maps for tourism - ENTER2011 PhD WorkshopZornitza Yovcheva
 
Poken for Sales
Poken for SalesPoken for Sales
Poken for Salespokenjedi
 

Was ist angesagt? (10)

Developing a Product Behaviour Framework: Mobile Insights lead to Product Use...
Developing a Product Behaviour Framework: Mobile Insights lead to Product Use...Developing a Product Behaviour Framework: Mobile Insights lead to Product Use...
Developing a Product Behaviour Framework: Mobile Insights lead to Product Use...
 
The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)The Future of Search (Keynote at I-Know 2010)
The Future of Search (Keynote at I-Know 2010)
 
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
XACML pilot at a large Dutch bank, Using XACML to implement context-enhanced ...
 
MoMo #8 - Raimo van der Klein
MoMo #8 - Raimo van der KleinMoMo #8 - Raimo van der Klein
MoMo #8 - Raimo van der Klein
 
Maya
MayaMaya
Maya
 
Privacy is a Myth TCC 2_12065
Privacy is a Myth TCC 2_12065 Privacy is a Myth TCC 2_12065
Privacy is a Myth TCC 2_12065
 
QR codes and the mobile web
QR codes and the mobile webQR codes and the mobile web
QR codes and the mobile web
 
A Context Aware Mobile Social Web
A Context Aware Mobile Social WebA Context Aware Mobile Social Web
A Context Aware Mobile Social Web
 
3D context-aware mobile maps for tourism - ENTER2011 PhD Workshop
3D context-aware mobile maps for tourism - ENTER2011 PhD Workshop3D context-aware mobile maps for tourism - ENTER2011 PhD Workshop
3D context-aware mobile maps for tourism - ENTER2011 PhD Workshop
 
Poken for Sales
Poken for SalesPoken for Sales
Poken for Sales
 

Andere mochten auch

Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceSmart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceMartijn Oostdijk
 
Re-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementRe-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementMartijn Oostdijk
 
Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging ChallengesAaron Irizarry
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesNed Potter
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with DataSeth Familian
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017Drift
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 

Andere mochten auch (7)

Smart Cards, ePassports, and open source
Smart Cards, ePassports, and open sourceSmart Cards, ePassports, and open source
Smart Cards, ePassports, and open source
 
Re-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementRe-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity Management
 
Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging Challenges
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and Archives
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Ähnlich wie ISSE 2012 Context-enhanced Authorization

OSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOpenStorageSummit
 
DSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGADSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGAAndris Soroka
 
Games With Sensors: CommonSenses - A proposed health game platform
Games With Sensors: CommonSenses - A proposed health game platformGames With Sensors: CommonSenses - A proposed health game platform
Games With Sensors: CommonSenses - A proposed health game platformJames Burns
 
Mobi hoc panel_arpanpal
Mobi hoc panel_arpanpalMobi hoc panel_arpanpal
Mobi hoc panel_arpanpalArpan Pal
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
IoT = device + cloud. how to architect an iot solution slideshare
IoT = device + cloud. how to architect an iot solution slideshareIoT = device + cloud. how to architect an iot solution slideshare
IoT = device + cloud. how to architect an iot solution slideshareGuy Vinograd ☁
 
Context is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next ScenarioContext is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next ScenarioClark Dodsworth
 
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for AuthenticationLocaid Technologies
 
Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Damien Contreras
 
DavidRodriguez ISCRAM summerschool 2012
DavidRodriguez ISCRAM summerschool 2012DavidRodriguez ISCRAM summerschool 2012
DavidRodriguez ISCRAM summerschool 2012d_rdgz
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerAbhinav Biswas
 
Early Lessons from Building Sensor.Network: An Open Data Exchange for the Web...
Early Lessons from Building Sensor.Network: An Open Data Exchange for the Web...Early Lessons from Building Sensor.Network: An Open Data Exchange for the Web...
Early Lessons from Building Sensor.Network: An Open Data Exchange for the Web...benaam
 
Iit kgp workshop
Iit kgp workshopIit kgp workshop
Iit kgp workshopArpan Pal
 
Ensuring quality in cloud and mobile applications
Ensuring quality in cloud and mobile applicationsEnsuring quality in cloud and mobile applications
Ensuring quality in cloud and mobile applicationsYuan Zhou
 
Paris live eddiesatterly_022013
Paris live eddiesatterly_022013Paris live eddiesatterly_022013
Paris live eddiesatterly_022013jenny_splunk
 
Cps innovation lab kolkata iiest
Cps innovation lab kolkata iiestCps innovation lab kolkata iiest
Cps innovation lab kolkata iiestArpan Pal
 
Blueprint for creating a Secure IoT Product
Blueprint for creating a Secure IoT ProductBlueprint for creating a Secure IoT Product
Blueprint for creating a Secure IoT ProductGuy Vinograd ☁
 

Ähnlich wie ISSE 2012 Context-enhanced Authorization (20)

OSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal SternOSS Presentation Keynote by Hal Stern
OSS Presentation Keynote by Hal Stern
 
Mobile testing
Mobile testingMobile testing
Mobile testing
 
DSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGADSS ITSEC 2012 ForeScout Technical RIGA
DSS ITSEC 2012 ForeScout Technical RIGA
 
Games With Sensors: CommonSenses - A proposed health game platform
Games With Sensors: CommonSenses - A proposed health game platformGames With Sensors: CommonSenses - A proposed health game platform
Games With Sensors: CommonSenses - A proposed health game platform
 
Mobi hoc panel_arpanpal
Mobi hoc panel_arpanpalMobi hoc panel_arpanpal
Mobi hoc panel_arpanpal
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
Android Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationAndroid Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and Organization
 
IoT = device + cloud. how to architect an iot solution slideshare
IoT = device + cloud. how to architect an iot solution slideshareIoT = device + cloud. how to architect an iot solution slideshare
IoT = device + cloud. how to architect an iot solution slideshare
 
Context is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next ScenarioContext is King: AR, AI, Salience, and the Constant Next Scenario
Context is King: AR, AI, Salience, and the Constant Next Scenario
 
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
1+1=3 Combining IP Intelligence and Mobile Network Location for Authentication
 
Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3Iot vupico-damien-contreras-2018-05-17-light-v3
Iot vupico-damien-contreras-2018-05-17-light-v3
 
Key2 share moosecon
Key2 share mooseconKey2 share moosecon
Key2 share moosecon
 
DavidRodriguez ISCRAM summerschool 2012
DavidRodriguez ISCRAM summerschool 2012DavidRodriguez ISCRAM summerschool 2012
DavidRodriguez ISCRAM summerschool 2012
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
Early Lessons from Building Sensor.Network: An Open Data Exchange for the Web...
Early Lessons from Building Sensor.Network: An Open Data Exchange for the Web...Early Lessons from Building Sensor.Network: An Open Data Exchange for the Web...
Early Lessons from Building Sensor.Network: An Open Data Exchange for the Web...
 
Iit kgp workshop
Iit kgp workshopIit kgp workshop
Iit kgp workshop
 
Ensuring quality in cloud and mobile applications
Ensuring quality in cloud and mobile applicationsEnsuring quality in cloud and mobile applications
Ensuring quality in cloud and mobile applications
 
Paris live eddiesatterly_022013
Paris live eddiesatterly_022013Paris live eddiesatterly_022013
Paris live eddiesatterly_022013
 
Cps innovation lab kolkata iiest
Cps innovation lab kolkata iiestCps innovation lab kolkata iiest
Cps innovation lab kolkata iiest
 
Blueprint for creating a Secure IoT Product
Blueprint for creating a Secure IoT ProductBlueprint for creating a Secure IoT Product
Blueprint for creating a Secure IoT Product
 

Kürzlich hochgeladen

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Kürzlich hochgeladen (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business

ISSE 2012 Context-enhanced Authorization

  • 1. Context-enhanced Authorization
    Using XACML to implement context-enhanced authorizations
    Martijn Oostdijk, Novay
    ISSE 2012, Brussels
  • 2. Research & advisory organization (formerly known as: Telematica Instituut)
    Multi-disciplinary, ~50 researchers/advisors
    Innovation projects (gov, financial, health)
    Martijn Oostdijk: Senior Advisor, Identity, Privacy, Trust
    PhD comp. sci., Eindhoven Univ. Tech.
    CV: Radboud Univ., Riscure, Novay
  • 3. Context-enhanced Authorization: centralization authz + nomadic working + authz for the cloud + extended enterprise + XACML standard + (insider) attacks + mobile/context
    Research project with IBM and Rabobank
  • 4. Context-enhanced authz
    • XACML PoC at a large Dutch bank
    • Context = location and more
    • DYNAMIC!! Policies
    • Usefulness through use cases + feasibility study through demonstrator
    • Scope: employees
  • 5. CEA – the movie (2:40)
  • 6. This presentation is NOT:
    • Introduction to Attribute based AC
    • Introduction to XACML standard
    So that there’s more time for:
    • Context-enhanced authorization
    • Use case + demonstrator
    • Lessons learned
  • 7. Authorization & Context? (Attribute Based Access Control)
    PoC:
    • Use cases
    • Demonstrator
  • 8. Context domains and types:
    Social: people nearby, behaviour, friends, Twitter activities
    Physiological: heart rate, skin, voice
    Environment: weather, air pollution
    Location: long/lat, proximity, country/city, @home/@work
    Time: office hours, lunch time, between points in time
    Mental: happy, scared, sad, stressed
    Device: type, ownership (BYO), OS and apps, patch status
    Network: IP-address, VPN, LAN, WiFi or 3G
    Activities: working, travelling, meeting, sleeping
  • 9.
    Domain            Type                 Source
    1. Environment    Weather              Buienradar
                      Air pollution        Weeronline.nl
                      Security incidents   SIEM
    2. Physiological  Heart rate           ECG sensor, Camera
                      Respiratory rate     Camera
                      Blood pressure       BP meter (cuff)
    3. Social         People nearby        Bluetooth, Google Latitude, Outlook Calendar
                      SN Friends           LinkedIn, Facebook
                      Activity             Twitter
    4. Location       Long/Lat             GPS, GSM Cell-Id
                      City                 GPS, Geo-IP
                      Proximity            Bluetooth, RFID/NFC
  • 10.
    Domain            Type                                Source
    5. Time           Office hours                        System time
                      Lunch time                          Outlook Calendar
    6. Mental         Happy/sad, Scared, Stressed         Sound sensor, Galvanic skin responses
    7. Network        VPN or localnet; Wireless or Wired  Network access gateway, IP address
    8. Device         Type                                Device mngmt system
                      Ownership                           Device mngmt system
  • 11.
    Domain            Type         Source
    9. Activity       Travelling   GPS, accelerometer
                      Meeting      Calendar, Proximity sources
                      Sleeping     Heart sensor, ECG, sound
    Some observations:
    • Inter-dependencies between domains/types
    • Some inference is needed in some types
    • Most domains/types can benefit from multiple measurements over time
    • What characteristics determine which domains / types / sources are most suitable in a given scenario?
  • 12. Use-cases – a high level …
    • Finer grained access to application with “hit-n-run” functionality
    • Data loss prevention when traveling
    • More flexible authentication
    → Simple context sources
  • 13. Demonstrator (architecture diagram; components shown: User, Application, Policy Engine, Policies incl. context variables, Context client, Context, Proximity dongle, NFC reader, Google Latitude, Google Calendar, Outlook, Device Mgmt server)
  • 14.–19. (image-only slides, no text)
  • 20. Context
    • Location, location, location
    • Stuff derived from location
    • Type of device (BYOD, enterprise mobility etc.)
    • Type of network (VPN/local, AP, browser, OS)
    • Time-of-day
    • And, of course, normal usage patterns
    • Please note: context is just another attribute for XACML, but then dynamic
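The remark that context is "just another attribute for XACML, but then dynamic" is easiest to see in code. What follows is an added example, not code from the deck or from the Novay/Rabobank demonstrator: a small XACML-style evaluator in Python in which a hypothetical payment-approval policy (the "hit-n-run" use case) combines a static subject attribute (role) with environment attributes that a PIP-style provider fetches per request (device ownership, network type, proximity-dongle presence, office hours). The policy, the attribute names and the context snapshot are all constructed for illustration. It also shows what happens when a context source does not answer: the rule evaluates to Indeterminate rather than Permit, which is the behaviour the later slides on authenticity and quality of context call for.

```python
"""Context attributes in an XACML-style policy decision.

Added example, not code from the original deck or the Novay/Rabobank
demonstrator. It mimics the XACML roles in plain Python: a request carries
subject/resource/action attributes, a PIP-style provider supplies dynamic
environment (context) attributes on demand, rules yield Permit / Deny /
NotApplicable / Indeterminate, and deny-overrides combines them. The policy,
attribute names and context snapshot are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attributes = Dict[str, object]
# (category, attribute name) -> value, or None when no source can supply it
AttributeProvider = Callable[[str, str], Optional[object]]


@dataclass
class Request:
    subject: Attributes
    resource: Attributes
    action: Attributes
    environment: Attributes = field(default_factory=dict)


class MissingAttribute(Exception):
    """Neither the request nor the provider could supply the attribute."""


def attr(req: Request, pip: AttributeProvider, category: str, name: str) -> object:
    """Static attributes travel with the request; dynamic context is fetched via the PIP."""
    value = getattr(req, category).get(name)
    if value is None:
        value = pip(category, name)
    if value is None:
        raise MissingAttribute(f"{category}:{name}")
    return value


Predicate = Callable[[Request, AttributeProvider], bool]


@dataclass
class Rule:
    name: str
    effect: str           # "Permit" or "Deny", as in XACML
    target: Predicate     # does this rule apply to the request at all?
    condition: Predicate  # if it applies, does its effect fire?


def evaluate_rule(rule: Rule, req: Request, pip: AttributeProvider) -> str:
    try:
        if not rule.target(req, pip) or not rule.condition(req, pip):
            return "NotApplicable"
        return rule.effect
    except MissingAttribute:
        # A context source that is down or silent must never turn into a Permit.
        return "Indeterminate"


def deny_overrides(decisions: List[str]) -> str:
    """Simplified XACML deny-overrides combining algorithm."""
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in decisions:
            return outcome
    return "NotApplicable"


def evaluate(policy: List[Rule], req: Request, pip: AttributeProvider) -> str:
    return deny_overrides([evaluate_rule(rule, req, pip) for rule in policy])


# --- constructed policy for a hypothetical "approve payment" function ---

def is_payment_approval(req: Request, pip: AttributeProvider) -> bool:
    return (attr(req, pip, "resource", "app-id") == "payments"
            and attr(req, pip, "action", "action-id") == "approve")


def trusted_context(req: Request, pip: AttributeProvider) -> bool:
    # Every environment term is dynamic: it is looked up per request, not provisioned once.
    return (attr(req, pip, "subject", "role") == "payment-approver"
            and attr(req, pip, "environment", "device-ownership") == "enterprise"
            and attr(req, pip, "environment", "network") in ("lan", "vpn")
            and attr(req, pip, "environment", "proximity-dongle-present") is True
            and attr(req, pip, "environment", "office-hours") is True)


PAYMENT_POLICY = [
    Rule("deny-approval-from-byod", "Deny", is_payment_approval,
         lambda req, pip: attr(req, pip, "environment", "device-ownership") == "byod"),
    Rule("permit-approver-in-trusted-context", "Permit", is_payment_approval, trusted_context),
]


def make_pip(context: Attributes) -> AttributeProvider:
    """PIP over a constructed context snapshot (stand-in for a context client that
    queries the device-management server, network gateway, NFC reader and clock)."""
    return lambda category, name: context.get(name) if category == "environment" else None


def decide(role: str, context: Attributes) -> str:
    req = Request(subject={"role": role}, resource={"app-id": "payments"},
                  action={"action-id": "approve"})
    return evaluate(PAYMENT_POLICY, req, make_pip(context))


def pep_allows(decision: str) -> bool:
    """Deny-biased PEP: only an explicit Permit opens the door."""
    return decision == "Permit"


if __name__ == "__main__":
    office = {"device-ownership": "enterprise", "network": "lan",
              "proximity-dongle-present": True, "office-hours": True}
    print(decide("payment-approver", office))                                  # Permit
    print(decide("payment-approver", {**office, "device-ownership": "byod"}))  # Deny
```

The two things worth noticing are that the policy text never changes between requests while its outcome does, because the environment attributes are re-read each time, and that the PEP is deny-biased: NotApplicable (off-network, wrong role) and Indeterminate (a context source that stays silent) both keep the function closed.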
  • 21. Authenticity of context
    • Can we trust the source? Trust me!
    • Depends on the precise scenario
      • and on technology
      • and on who controls the source
    → Some sources are more trustworthy than others
    • Why not just fuse with more context sources?
      • Multi-factor context, harder to fake for attacker
      • But also harder to understand and base policies on
    • How to react to incidents?
  • 22. Authenticity of context: CeA vs TM (SIEM, …), needed trust in authenticity of context
  • 23. Quality of context
    • Sources might provide incorrect data (with certain probability)
    • Sources have limited accuracy (resolution, precision, granularity)
    • Sources deliver data with certain delay
    • Data will have a temporal relevancy
    • Some sensors require user to carry (and not forget) mobile device …
  • 24. Adoption in applications
    • XACML-izing applications
    • SOA oriented applications → easy
    • Making apps ready for externalization of authz
    • (Stable versions of) XACML have been around since before 2006
    • “Move to cloud” as driver?
    • Alternatives: provision authz attributes, proprietary authorization APIs
  • 25. Privacy consequences
    • Acceptance
    • Trade-off between privacy and usability (or security?)
    • Measure only relevant context
    • Relevant for (what?) purpose
    • Degrade information (latency, accuracy)
    • User control (and transparency), sensors are in mobile
    • Assumes (some) trust in CM system
  • 26. Complexity of policies
    • Policies with many different context variables
    • Express policies with respect to “raw” context (e.g. long/lat) versus more abstract notions (e.g. @home, @work)
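The quality-of-context slide (limited accuracy, delivery delay, temporal relevancy) and the raw-versus-abstract question on this slide meet in one place: the step that turns a long/lat fix into the @home/@work notion a policy refers to. As an added example, not from the deck or the demonstrator, here is a Python derivation of such an abstract location attribute. It reports "unknown" instead of guessing when the fix is too old, too coarse, or when its error circle straddles a geofence boundary, so a policy engine can treat the attribute as missing (Indeterminate) rather than as satisfied. Coordinates, fence radii, accuracy figures and thresholds are constructed placeholders.

```python
"""Deriving an abstract location attribute (@work / @home / elsewhere / unknown)
from raw location context, with quality of context taken into account.

Added example, not from the original deck or demonstrator. The geofences,
coordinates, accuracy figures, clock and thresholds are constructed placeholders.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Sequence

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class LocationFix:
    lat: float
    lon: float
    accuracy_m: float      # error radius reported by the source (GPS ~10 m, cell-id ~1000 m)
    observed_at: datetime  # when the source measured it, not when the PDP asked


@dataclass(frozen=True)
class Geofence:
    label: str             # the abstract notion a policy can be written against
    lat: float
    lon: float
    radius_m: float


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def abstract_location(fix: LocationFix, fences: Sequence[Geofence], now: datetime,
                      max_age: timedelta = timedelta(minutes=10),
                      max_accuracy_m: float = 200.0) -> str:
    """Map a raw fix to a fence label, or 'unknown' when the fix is not good enough.

    Returning 'unknown' (rather than a best guess) lets the policy engine treat the
    attribute as missing, so a stale or coarse measurement never silently satisfies a rule.
    """
    age = now - fix.observed_at
    if age < timedelta(0) or age > max_age:      # temporal relevancy / delivery delay
        return "unknown"
    if fix.accuracy_m > max_accuracy_m:           # resolution too coarse for these fences
        return "unknown"
    ambiguous = False
    for fence in fences:
        d = haversine_m(fix.lat, fix.lon, fence.lat, fence.lon)
        if d + fix.accuracy_m <= fence.radius_m:  # whole error circle inside the fence
            return fence.label
        if d - fix.accuracy_m < fence.radius_m:   # error circle straddles the boundary
            ambiguous = True
    return "unknown" if ambiguous else "elsewhere"


# Constructed fences and clock; real values would come from facilities/HR data.
FENCES = (Geofence("@work", 52.0000, 5.0000, 150.0),
          Geofence("@home", 52.1000, 5.1000, 100.0))
NOW = datetime(2012, 10, 23, 10, 0, tzinfo=timezone.utc)


def classify(lat: float, lon: float, accuracy_m: float, age_minutes: float) -> str:
    """Convenience wrapper: a fix observed age_minutes ago, evaluated at NOW."""
    fix = LocationFix(lat, lon, accuracy_m, NOW - timedelta(minutes=age_minutes))
    return abstract_location(fix, FENCES, NOW)


if __name__ == "__main__":
    print(classify(52.0005, 5.0, 10, 1))    # @work: fresh GPS fix ~56 m from the office centre
    print(classify(52.0005, 5.0, 1000, 1))  # unknown: cell-id fix too coarse
    print(classify(52.0005, 5.0, 10, 30))   # unknown: fix is 30 minutes old
    print(classify(52.0013, 5.0, 10, 1))    # unknown: error circle crosses the fence edge
    print(classify(52.5, 5.5, 10, 1))       # elsewhere
```

The thresholds are the policy author's knobs: a tighter `max_age` buys temporal relevancy at the cost of more "unknown" answers when the phone reports slowly, and a larger `max_accuracy_m` admits cell-id fixes but only for fences big enough to contain their error circle. Writing policies against the label keeps the XACML rules readable while the quality handling lives in one place.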
  • 27. Scalability & performance
  • 28. Key take-aways
    • Yes it’s useful, yes it’s feasible
    • Context is mostly location, KIS
    • But w.r.t. context: authenticity, quality & privacy
    • But w.r.t. dyn attributes / XACML: complexity of policies & scalability
  • 29. More Information
    http://www.novay.nl/digital-identity
    martijn.oostdijk@novay.nl
    http://linkedin.com/in/martijno
    This presentation was supported by the Dutch national program COMMIT (project P7 SWELL)