A Risk Awareness Approach for Monitoring the Compliance of RBAC-based Policies

Jaidi, Faouzi; Ayachi, Faten Labbene

doi:10.5220/0005577304540459

Cited by 8 publications

(6 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This process is iterative in the sense that the modifications introduced by the security architect must be checked until no anomaly is detected. Our risk assessment approach aims to measure the distance of evolution, in terms of risk, between two instances of a security policy [70]. We focused when defining our approach on how to help the security architect to quantify that risk.…”

Section: Formal Validation Of the Conformity Of Rbac Policiesmentioning

confidence: 99%

A Methodology and Toolkit for Deploying Reliable Security Policies in Critical Infrastructures

Jaidi

Ayachi

Bouhoula

2018

Security and Communication Networks

Self Cite

View full text Add to dashboard Cite

Substantial advances in Information and Communication Technologies (ICT) bring out novel concepts, solutions, trends, and challenges to integrate intelligent and autonomous systems in critical infrastructures. A new generation of ICT environments (such as smart cities, Internet of Things,edge-fog-social-cloudcomputing, and big data analytics) is emerging; it has different applications to critical domains (such as transportation, communication, finance, commerce, and healthcare) and different interconnections via multiple layers of public and private networks, forming a grid of critical cyberphysical infrastructures. Protecting sensitive and private data and services in critical infrastructures is, at the same time, a main objective and a great challenge for deploying secure systems. It essentially requires setting up trusted security policies. Unfortunately, security solutions should remain compliant and regularly updated to follow and track the evolution of security threats. To address this issue, we propose an advanced methodology for deploying and monitoring the compliance of trusted access control policies. Our proposal extends the traditional life cycle of access control policies with pertinent activities. It integrates formal and semiformal techniques allowing the specification, the verification, the implementation, the reverse-engineering, the validation, the risk assessment, and the optimization of access control policies. To automate and facilitate the practice of our methodology, we introduce our systemSVIRVROthat allows managing the extended life cycle of access control policies. We refer to an illustrative example to highlight the relevance of our contributions.

show abstract

Section: Formal Validation Of the Conformity Of Rbac Policiesmentioning

confidence: 99%

A Methodology and Toolkit for Deploying Reliable Security Policies in Critical Infrastructures

Jaidi

Ayachi

Bouhoula

2018

Security and Communication Networks

Self Cite

View full text Add to dashboard Cite

show abstract

“…Visibly, they were considering that the access control policy was reliable and valid. Thus policies are in fact exposed to various threats and the literature provides very little works that address the technical problems derived from the implementation of the access control policy [1].…”

Section: The Problem Statementmentioning

confidence: 99%

“…That treatment plan precise the different actions to be taken, the persons responsible of applying the plan, the resource requirements, the performance measures and constraints, the reporting and monitoring requirements and the timing and schedule. [1] The concrete process of our risk approach related to our framework is shown in the following (figure 2)  design of an intrusion detection system for unauthorized update of access control policy  detection of induced faults by establishing a correlation between the detected anomalies  list of the recurrent targeted and sensitive data  detection and establishment of the intrusive user behavior and thus, reinforcement of the Intrusion Detection Systems  production of a global and comprehensive system for risk management for access control systems…”

Section: Fig 1 : a Framework For Risk Managementmentioning

confidence: 99%

“…So, to verify that ACP' is conform to ACP, their elements are compared. In [1], this comparison has been done and among others, the following anomalies have been defined : -hidden users which are visible when new users, not initially defined, are injected in the concrete instance ACP' -hidden roles are observable when new roles, not initially planned, are introduced in the concrete policy ACP'. -hidden access flow (HiddenACF) is perceptible in the case of illegal assignments of roles to roles, roles to users or permissions to roles.…”

Section: Fig 1 : a Framework For Risk Managementmentioning

confidence: 99%

“…The risk treatment consist mainly in avoiding risk, mitigating it, and removing its source or changing the likelihood of it occurrence as recommend in [1]. A risk treatment plan is usually put in place and shows the procedure.…”

Section: Fig 1 : a Framework For Risk Managementmentioning

confidence: 99%

See 2 more Smart Citations

Risk Management in Access Control Policies

Evina¹,

Ayachi²,

Jaidi³

2017

Annals of Computer Science and Information Systems

Self Cite

View full text Add to dashboard Cite

Abstract-The evolution of information systems and their openness to their socio-economic environment has led to new needs in terms of security. At the heart of information systems, Database Management Systems (DBMS) are increasingly exposed to specific intrusion types, including internal threats due to authorized users. In addition, the access control policy (ACP) defined on a database schema is stored at the same location as the data it protects and is thus highly prone to corruption attempts such as non-conformity of the roles or permissions assignment in the policy observation state compared to a reference state, especially in the case of the Role-based access Control (RBAC). We establish a correlation between the detected anomalies and we explore the log files and other audit mechanisms to propose a global and comprehensive risk management formal approach that mainly verifies the recommendations of the ISO 31000:2009 standard.

show abstract

A Novel Concept of Firewall-Filtering Service Based on Rules Trust-Risk Assessment

Jaidi

2019

Advances in Intelligent Systems and Computing

View full text Add to dashboard Cite

A Risk Awareness Approach for Monitoring the Compliance of RBAC-based Policies

Cited by 8 publications

References 15 publications

A Methodology and Toolkit for Deploying Reliable Security Policies in Critical Infrastructures

A Methodology and Toolkit for Deploying Reliable Security Policies in Critical Infrastructures

Risk Management in Access Control Policies

A Novel Concept of Firewall-Filtering Service Based on Rules Trust-Risk Assessment

Contact Info

Product

Resources

About