Context-Aware Access Control Policy Systems

1. Kamran Sheikh, Univ of Twente, Netherlands

2. Context-Aware Access Control Policy Systems Kamran Sheikh 9th June 2006 ASNA PhD day University of Twente

3. Introduction • Pervasive context-aware systems • collect, process, store and communicate user context information • Context is information that characterizes situation of an entity’ [Dey et al.] • Quality of Context (QoC) describes how closely context reflects the physical reality. • Probability of correctness • Trustworthiness • Resolution • Up-to-dateness [Buchholz et al.] Kamran Sheikh, Univ of Twente, Netherlands

4. Outline • New challenges in providing Access Control in Context-Aware infrastructures. • Requirement of QoC for • Access control to context information • Access control based on context information • Approach • Current Status Kamran Sheikh, Univ of Twente, Netherlands

5. Access Control to context information • Relation between privacy and QoC • Users prefer to provide degraded information • Traditional policy evaluation gives allow/deny (boolean) result. • To avoid providing ‘too much’ information we • need policies that dictate the allowable QoC • according to user preferences Kamran Sheikh, Univ of Twente, Netherlands

6. Context Requester Policy Store PEP User preferences Policy Decision Context PDP Context Source Sensors Privacy preferences Context Owner Position of problem max QoC constraint for context Kamran Sheikh, Univ of Twente, Netherlands

7. Context Source Context-aware service Service requester Context Service Access based on context • Importance of context for making access control decisions has been studied. • QoC used to decide on usability of context. • Services need to express constraints through policies. Min QoC constraints Kamran Sheikh, Univ of Twente, Netherlands

8. Approach – Modeling • Current policies are single subject-centric • Access control based on subject attributes • Static attributes, e.g. identification • Dynamic attributes, e.g. context • QoC concerns context information rather than the subject (owner). • Additional level of indirection in policy parameters is required. Kamran Sheikh, Univ of Twente, Netherlands

9. Approach – Modeling (contd.) Kamran Sheikh, Univ of Twente, Netherlands

10. Approach – ‘Contextual Situations’ • Group subject/context –based policies into ‘situations’, e.g. Subject is in situation ‘needs ambulance’ if • Subject is a registered heart patient • Abnormal heart activity with probability > 30% • Not at home probability > 50% • … • Reduced complexity • Easier maintenance QoC Context Kamran Sheikh, Univ of Twente, Netherlands

11. Approach – Cascading • Reduced expressiveness • Inefficient context Tagged context Context-based Policies (QoC) Subject-based Policies (Attributes) Kamran Sheikh, Univ of Twente, Netherlands

12. Current Status • Novel modeling approach for context-aware access control policies • Requirement of QoC parameters for policies. • Technique that models subject-centric and context-centric policies simultaneously. • Concrete example using a policy standard (e.g. REI, Ponder, XACML). • Future: Find ways for prototyping/integrating this work with AWARENESS WP5. Kamran Sheikh, Univ of Twente, Netherlands

13. Thank you!