Context-enhanced Authorization
Using XACML to implement context-enhanced authorizations
Martijn Oostdijk, Novay
ISSE 2012, Brussels
Research & advisory organization (formerly known as: Telematica Instituut)
    • Multi-disciplinary, ~50 researchers/advisors
    • Innovation projects (gov, financial, health)

Martijn Oostdijk
    • Senior Advisor: Identity, Privacy, Trust
    • PhD comp. sci., Eindhoven Univ. Tech.
    • CV: Radboud Univ., Riscure, Novay
centralization authz
    + nomadic working
    + authz for the cloud
    + extended enterprise
    + XACML standard
    + (insider) attacks
    + mobile/context
    → Context-enhanced Authorization

Research project with IBM and Rabobank
Context-enhanced authz

    • XACML PoC at a large Dutch bank
    • Context = location and more
    • DYNAMIC!! Policies
    • Usefulness through use cases +
      feasibility study through demonstrator
    • Scope: employees



4   Context-enhanced Authorization
CEA – the movie

    • 2:40
This presentation is NOT:

    • Introduction to Attribute based AC
    • Introduction to XACML standard

    So that there’s more time for:
    • Context-enhanced authorization
    • Use case + demonstrator
    • Lessons learned
Authorization & Context?

    PoC (Attribute Based Access Control)
    • Use cases
    • Demonstrator
Context domains:

    • Environment: weather, air pollution
    • Physiological: heart rate, skin, voice
    • Social: people nearby, behaviour, friends, Twitter activities
    • Location: long/lat, proximity, country/city, @home/@work
    • Time: office hours, lunch time, between points in time
    • Mental: happy, scared, sad, stressed
    • Network: IP-address, VPN, LAN, WiFi or 3G
    • Device: type, ownership (BYO), OS and apps, patch status
    • Activities: working, travelling, meeting, sleeping
Domain            Type                 Source
1. Environment    Weather              Buienradar
                  Air pollution        Weeronline.nl
                  Security incidents   SIEM
2. Physiological  Heart rate           ECG sensor, camera
                  Respiratory rate     Camera
                  Blood pressure       BP meter (cuff)
3. Social         People nearby        Bluetooth, Google Latitude, Outlook Calendar
                  SN friends           LinkedIn, Facebook
                  Activity             Twitter
4. Location       Long/lat             GPS, GSM Cell-Id
                  City                 GPS, Geo-IP
                  Proximity            Bluetooth, RFID/NFC
Domain            Type                 Source
5. Time           Office hours         System time
                  Lunch time           Outlook Calendar
6. Mental         Happy/sad            Sound sensor
                  Scared, stressed     Galvanic skin responses
7. Network        VPN or localnet      Network access gateway
                  Wireless or wired    IP address
8. Device         Type                 Device mngmt system
                  Ownership            Device mngmt system
Domain            Type                 Source
9. Activity       Travelling           GPS, accelerometer
                  Meeting              Calendar, proximity sources
                  Sleeping             Heart sensor, ECG, sound

Some observations:
    • Inter-dependencies between domains/types
    • Some inference is needed for some types
    • Most domains/types can benefit from multiple measurements over time
    • What characteristics determine which domains / types / sources are most suitable in a given scenario?
Use-cases – a high level …
    • Finer grained access to application with “hit-n-run” functionality
    • Data loss prevention when traveling
    • More flexible authentication

    → Simple context sources
Demonstrator

    Context sources:
    • Proximity dongle
    • NFC reader
    • Google Latitude
    • Outlook
    • Google Calendar
    • Device Mgmt

    Components:
    • User, with a context client
    • Context server
    • Policy Engine, with policies incl. context variables
    • Application
Context

     •   Location, location, location
     •   Stuff derived from location
     •   Type of device (BYOD, enterprise mobility etc.)
     •   Type of network (VPN/local, AP, browser, OS)
     •   Time-of-day
     •   And, of course, normal usage patterns
     •   Please note: context is just another attribute for
          XACML, but then dynamic
Authenticity of context
     • Can we trust the source?
       • Depends on the precise scenario
       • and on technology
       • and on who controls the source
       → Some sources are more trustworthy than others
     • Why not just fuse with more context sources?
       • Multi-factor context, harder to fake for attacker
       • But also harder to understand and base policies on
     • How to react to incidents?
Authenticity of context
     [Figure: CeA vs TM (SIEM, …), compared on the needed trust in authenticity of context]
Quality of context

     • Sources might provide incorrect data (with certain probability)
     • Sources have limited accuracy (resolution, precision, granularity)
     • Sources deliver data with certain delay
     • Data will have a temporal relevancy
     • Some sensors require user to carry (and not forget) mobile device
     • …
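The authenticity questions raised two slides earlier (who controls the source, fusing several sources, how to react to incidents) and the quality properties listed above (delay, temporal relevancy, limited accuracy) can be settled before the policy engine ever sees a context attribute. The following Python is an added example, not code from the talk or from the demonstrator it describes: it fuses several constructed observations into one "at work" attribute, discards stale data, refuses to assert the value on user-controlled sources alone, and reports disagreement between fresh sources as a conflict instead of averaging it away. The source names, trust and quality weights, maximum ages, thresholds and the sample observations are assumptions chosen for illustration.

```python
"""Authenticity and quality of context: fuse several sources into one attribute.

Added example, not code from the ISSE 2012 talk or from the demonstrator it
describes. Source names, trust and quality weights, maximum ages, thresholds
and the sample observations are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Observation:
    source: str            # e.g. network access gateway, NFC badge reader
    at_work: bool          # what this source claims about the user's location
    observed_at: datetime
    trust: float           # 0..1: how hard the source is to fake (assumption)
    quality: float         # 0..1: accuracy relative to the claim (assumption)
    max_age: timedelta     # temporal relevancy of this kind of observation
    controller: str        # "enterprise" or "user": who controls the source


def is_fresh(obs, now):
    """Sources deliver data with delay and it stays relevant only for a while;
    a timestamp in the future (clock skew, replay) is not fresh either."""
    age = now - obs.observed_at
    return timedelta(0) <= age <= obs.max_age


def fuse_at_work(observations, now, required_weight=1.2, min_sources=2):
    """Return (value, reason); value is True, False or None (indeterminate).

    Only fresh observations count. Asserting the privilege-granting value
    (True) needs at least min_sources agreeing sources, one of them under
    enterprise control, with combined trust*quality above required_weight.
    Fresh sources that disagree are reported as a conflict, not averaged.
    """
    fresh = [o for o in observations if is_fresh(o, now)]
    if not fresh:
        return None, "no fresh context"
    yes = [o for o in fresh if o.at_work]
    no = [o for o in fresh if not o.at_work]
    if yes and no:
        return None, "conflict: %s vs %s" % ([o.source for o in yes], [o.source for o in no])
    if not yes:
        return False, "no fresh source places the user at work"
    if len(yes) < min_sources:
        return None, "single source only"
    if not any(o.controller == "enterprise" for o in yes):
        return None, "only user-controlled sources"
    weight = sum(o.trust * o.quality for o in yes)
    if weight < required_weight:
        return None, "combined weight %.2f below %.2f" % (weight, required_weight)
    return True, "ok"


def authorize(observations, now):
    """PEP side: Permit only on a well-founded positive value. Indeterminate
    context is denied and flagged so that an incident process can react."""
    value, reason = fuse_at_work(observations, now)
    if value is True:
        return "Permit", reason
    if value is None:
        return "Deny", "incident: " + reason
    return "Deny", reason


# Constructed sample observations (not real measurements).
NOW = datetime(2012, 10, 23, 9, 30, tzinfo=timezone.utc)
MIN, HOUR = timedelta(minutes=1), timedelta(hours=1)
GATEWAY = Observation("network-gateway", True, NOW - 1 * MIN, 0.7, 1.0, 5 * MIN, "enterprise")
BADGE = Observation("nfc-badge-reader", True, NOW - 90 * MIN, 0.8, 1.0, 10 * HOUR, "enterprise")
GEOIP = Observation("geo-ip", True, NOW - 1 * MIN, 0.3, 0.5, 5 * MIN, "enterprise")
GPS = Observation("phone-gps", True, NOW - 2 * MIN, 0.4, 0.9, 10 * MIN, "user")
PHONE_BT = Observation("phone-bluetooth-proximity", True, NOW - 3 * MIN, 0.3, 0.8, 10 * MIN, "user")
LATITUDE = Observation("google-latitude", True, NOW - 40 * MIN, 0.3, 0.8, 15 * MIN, "user")  # stale
VPN_OUTSIDE = Observation("network-gateway", False, NOW - 1 * MIN, 0.7, 1.0, 5 * MIN, "enterprise")

if __name__ == "__main__":
    print(authorize([GATEWAY, BADGE, GPS, LATITUDE], NOW))  # Permit
    print(authorize([GPS, PHONE_BT], NOW))                  # Deny: user-controlled only
    print(authorize([VPN_OUTSIDE, GPS, BADGE], NOW))        # Deny: conflict -> incident
    print(authorize([LATITUDE], NOW))                       # Deny: stale
```

Two choices carry the security argument. A negative answer ("not at work") is accepted from a single fresh source because it only removes privilege, while the positive answer needs a quorum that an attacker cannot assemble by spoofing the sensors in a phone they own. And a conflict between fresh sources is surfaced as an incident with the disagreeing source names, which is the input an incident process needs; silently picking the majority would hide exactly the signal the authenticity slide asks about.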
Adoption in applications

     • XACML-izing applications
       • SOA oriented applications → easy
       • Making apps ready for externalization of authz
     • (Stable versions of) XACML have been around since before 2006
     • “Move to cloud” as driver?
       • Alternatives: provision authz attributes, proprietary authorization APIs
Privacy consequences

     • Acceptance
       • Trade-off between privacy and usability (or security?)
     • Measure only relevant context
       • Relevant for (what?) purpose
       • Degrade information (latency, accuracy)
       • User control (and transparency), sensors are in mobile
       • Assumes (some) trust in CM system
Complexity of policies

     • Policies with many different context variables
       • Express policies with respect to “raw” context (e.g. long/lat) versus more abstract notions (e.g. @home, @work)
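The remark on the Context slide that context is "just another attribute for XACML, but then dynamic", together with the raw-versus-abstract choice above, can be made concrete with a small XACML-style decision point. The following Python is an added example, not code from the talk or from the demonstrator it describes, and it is written in Python rather than XACML XML so that it can be run: a PIP derives a location class and an office-hours flag from the raw context, the rules are written against those derived attributes, and one rule is repeated in raw long/lat form for comparison. The urn:example attribute ids, the site coordinates and radii, the office-hours window and the rules are assumptions; only the current-time attribute id is a real XACML identifier, and the combining function is a simplified deny-overrides without Indeterminate handling.

```python
"""Context as "just another attribute": a tiny XACML-style PDP with a PIP.

Added example, not code from the ISSE 2012 talk or from the demonstrator it
describes. The urn:example attribute ids, the site coordinates and radii, the
office-hours window and the rules are assumptions made up for illustration;
only CURRENT_TIME is a real XACML identifier.
"""
from dataclasses import dataclass
from datetime import time
from math import asin, cos, radians, sin, sqrt
from typing import Callable

CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"  # real XACML id
RAW_LAT = "urn:example:context:latitude"                # hypothetical ids from here on
RAW_LON = "urn:example:context:longitude"
DEVICE_OWNER = "urn:example:context:device-ownership"   # "enterprise" or "byo"
LOCATION_CLASS = "urn:example:context:location-class"   # derived: work / home / other
OFFICE_HOURS = "urn:example:context:office-hours"       # derived: bool

# Constructed geofences (assumption): class -> (lat, lon, radius in metres).
SITES = {"work": (52.2379, 6.8516, 150.0), "home": (52.2215, 6.8937, 75.0)}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(a))


def pip_enrich(request):
    """Policy Information Point: derive the abstract notions (@work, @home,
    office hours) from raw context, so that rules never mention geometry."""
    attrs = dict(request)
    attrs[LOCATION_CLASS] = "other"
    lat, lon = request.get(RAW_LAT), request.get(RAW_LON)
    if lat is not None and lon is not None:
        for name, (slat, slon, radius) in SITES.items():
            if haversine_m(lat, lon, slat, slon) <= radius:
                attrs[LOCATION_CLASS] = name
                break
    now = request.get(CURRENT_TIME)
    attrs[OFFICE_HOURS] = now is not None and time(8, 0) <= now <= time(18, 0)
    return attrs


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                         # "Permit" or "Deny"
    condition: Callable[[dict], bool]   # evaluated over the enriched attributes


def deny_overrides(rules, attrs):
    """Simplified XACML deny-overrides: any applicable Deny wins, else Permit
    if some Permit rule applies, else NotApplicable (no Indeterminate handling)."""
    decision = "NotApplicable"
    for rule in rules:
        if rule.condition(attrs):
            if rule.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision


# Rules written against the abstract context attributes the PIP produces.
POLICY = [
    Rule("deny-byo-outside-work", "Deny",
         lambda a: a.get(DEVICE_OWNER) == "byo" and a[LOCATION_CLASS] != "work"),
    Rule("permit-at-work-in-office-hours", "Permit",
         lambda a: a[LOCATION_CLASS] == "work" and a[OFFICE_HOURS]),
    Rule("permit-enterprise-device-at-home", "Permit",
         lambda a: a[LOCATION_CLASS] == "home" and a.get(DEVICE_OWNER) == "enterprise"),
]


def raw_deny_byo_outside_work(request):
    """The first rule rewritten against raw long/lat: every such rule has to
    repeat the geofence and the distance calculation, and the missing-fix
    case must be handled in each one."""
    slat, slon, radius = SITES["work"]
    lat, lon = request.get(RAW_LAT), request.get(RAW_LON)
    outside = lat is None or lon is None or haversine_m(lat, lon, slat, slon) > radius
    return request.get(DEVICE_OWNER) == "byo" and outside


def decide(request):
    """PDP entry point: enrich the request, then combine the rules."""
    return deny_overrides(POLICY, pip_enrich(request))


def make_request(lat, lon, hour, owner):
    """Constructed sample request (not real data)."""
    return {RAW_LAT: lat, RAW_LON: lon, CURRENT_TIME: time(hour, 0), DEVICE_OWNER: owner}


if __name__ == "__main__":
    print(decide(make_request(52.2379, 6.8516, 10, "byo")))         # Permit
    print(decide(make_request(52.2215, 6.8937, 20, "enterprise")))  # Permit
    print(decide(make_request(52.2215, 6.8937, 20, "byo")))         # Deny
    print(decide(make_request(52.2500, 6.9000, 10, "enterprise")))  # NotApplicable
```

The last call comes back NotApplicable, not Deny: no rule matched an enterprise device at an unknown location. In XACML that is the PEP's problem, and a PEP that is not deny-biased would let such a request through, so the check on the PEP side has to be "decision == Permit" rather than "decision != Deny". The raw variant shows the other half of the slide's point: with geometry inside the rules, the geofence, the distance formula and the missing-fix behaviour are copied into every rule that mentions the office, and changing a site means touching all of them instead of one PIP table.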
Scalability & performance
Key take-aways

Yes it’s useful, yes it’s feasible

Context is mostly location, KIS

But w.r.t. context:
authenticity, quality & privacy

But w.r.t. dyn attributes / XACML:
complexity of policies & scalability
More Information
     http://www.novay.nl/digital-identity
     martijn.oostdijk@novay.nl

     http://linkedin.com/in/martijno



     This presentation was supported by the Dutch national
     program COMMIT (project P7 SWELL)
