Balancing Trust and Risk in Access Control

“…However, as will be seen from the subsequent discussion, there is no single accepted definition of what "concrete evidence" is. Trust can be calculated in several ways depending on the application context [71]. Examples include reputation models in which trust ratings from third parties are combined to give a trust rating; behavioural trust where trust is estimated based on a record of historical transaction.…”

“…From an access control perspective, trust expresses the level of confidence the resource controller has in the user not misusing the resource(s) that she wants to access [71] and several trust-based CAAC methods have been proposed.…”

“…Risk-based access control is more permissive than traditional policy-based systems which do not consider contextual risk in making a decision. Risk-based access control system may include a risk mitigation mechanism [71,82,83] to reduce the risk associated with a transaction to an acceptable level-generally an obligatory action to be taken before or after access is granted [84]. Many factors can be included in the risk calculation including contextual, situational/mission, and environmental factors as well as trustworthiness of the subject making the request.…”

“…Armando considered the balance between risk and trustworthiness (of the requestor) in access control [71]. He defines a trust and risk access control architecture as shown in Figure 6.…”

“…e numerous fuzzy logic risk-aware access control approaches could be adapted for ZT trust calculation, e.g., Manchala's [85] fuzzy trust matrix approach could provide a comprehensive access control approach that would map well to both NIST and Google's BeyondCorp ZT architectures. Moreover, Armando's the trust and risk-aware access control framework [71] points out an approach to implementing a trust/risk evaluation system. (7) [32] outline some such challenges including (i) How to capture and derive the relevant contextual conditions from IoT, fog and cloud environments?…”

SoK: Context and Risk Aware Access Control for Zero Trust Systems

“…However, as will be seen from the subsequent discussion, there is no single accepted definition of what "concrete evidence" is. Trust can be calculated in several ways depending on the application context [71]. Examples include reputation models in which trust ratings from third parties are combined to give a trust rating; behavioural trust where trust is estimated based on a record of historical transaction.…”

“…From an access control perspective, trust expresses the level of confidence the resource controller has in the user not misusing the resource(s) that she wants to access [71] and several trust-based CAAC methods have been proposed.…”

“…Risk-based access control is more permissive than traditional policy-based systems which do not consider contextual risk in making a decision. Risk-based access control system may include a risk mitigation mechanism [71,82,83] to reduce the risk associated with a transaction to an acceptable level-generally an obligatory action to be taken before or after access is granted [84]. Many factors can be included in the risk calculation including contextual, situational/mission, and environmental factors as well as trustworthiness of the subject making the request.…”

“…Armando considered the balance between risk and trustworthiness (of the requestor) in access control [71]. He defines a trust and risk access control architecture as shown in Figure 6.…”

“…e numerous fuzzy logic risk-aware access control approaches could be adapted for ZT trust calculation, e.g., Manchala's [85] fuzzy trust matrix approach could provide a comprehensive access control approach that would map well to both NIST and Google's BeyondCorp ZT architectures. Moreover, Armando's the trust and risk-aware access control framework [71] points out an approach to implementing a trust/risk evaluation system. (7) [32] outline some such challenges including (i) How to capture and derive the relevant contextual conditions from IoT, fog and cloud environments?…”

SoK: Context and Risk Aware Access Control for Zero Trust Systems

A Fuzzy Logic Based Trust-ABAC Model for the Internet of Things

Trust and Risk-Based Access Control for Privacy Preserving Threat Detection Systems