I woke up this morning with an email showing that the password and the recovery email of one of my email accounts were changed overnight by a user whose IP address routes to Belgium. I knew for sure that at 3 am (time of the incident), I had not requested a password change and I was definitely not in Belgium. So, What do I do?
Like stories are quite common. While some of the victims will take immediate action to regain access to the compromised account and secure the others that may have been exposed as well, others will carelessly delete the alert email and move on with their lives. What are the risks involved and how can businesses take proactive action to secure their processes and data?
In the month of February alone, over one thousand major cyber-attacks were reported on us ground. According to Juniper research, it is about to get worst. From a $100 Billion annual cost to businesses only 3 years ago, cybercrime is predicted to cost over $2.1 Trillion between 2015 and 2019. So, the question that most businesses are left to answer is: “How do we avoid becoming a statistic?”
A resource is not secure until its guaranteed to be accessible and usable only by the subjects that it’s intend for within the perimeters allowed as defined by access control. Unfortunately, in system security as it is in other domains of technology, one size does not always fit all. The role of any access control is to regulate who or what can view or use resources in a computing environment. Mandatory access control (MAC), Discretionary access control (DAC), Role-based access control (RBAC) are the most common paradigms used to control the access to logical and even physical resources.
Unlike the DAC where the subjects can transfer access privileges from one to the other, with MAC, the access privileges are allocated from the system administrator and are none transferable. In the RBAC design, a set of access are granted to a specific role which in turn is assigned to a subject as needed. Despite the functional differences, these access controls are static. The permission granted to a user remains active until it is revoked. That permission is independent of the subject context. Up until now, these have been the traditional access controls that most systems and organizations through this era of personal computers have grown to depend on. But can the emergence of IoT build on the same security paradigm?
With pervasive computing, any object can be turned into a device with the ability to communicate with myriads of other inter connected devices. Using the current network technologies with wireless computing, sensors and artificial intelligence, pervasive computing aims at defining environments where the things around us do not only have the ability to create, store and transmit data. They will also have the intelligence to understand and take contextual action.
One of the major limitations of RBAC and the other traditional access control protocol is the fact that they are all static and non-context oriented. Knowing that a change of context can impact a change of access, it’s absolutely impossible to utilize any of these paradigms in pervasive computing environments. The access control of choice in such environment should have the ability to dynamically grant or revoke access to a subject based on contextual information generated and received about him. In organizations where the same agent practices different roles, a pervasive computing system should be able to dynamically grant the access required for the role actively practiced for as long as needed. Once the agent leaves that role to another, the system should be able to switch the access privileges accordingly. The fact that RBAC is not the option of choice for such system does not however mean that it cannot be modified to suit their needs.
The rule based access control (RB-RBAC), less common than the once mentioned above is built on an algorithm that allows the system to grant or revoke role privileges based on conditions that are predetermined by the system administrator. In essence, this is a system that reads a static algorithm for a Boolean value to change the status of the RBAC that it’s built on. While it’s undeniable that even such system may appear to be weak for pervasive environments, it shows that the RBAC is still highly valuable in authenticating, granting/denying access to resources regardless of their environment.
The Context Aware role based access control (CA-RBAC) basically splits the protocol in 2 distinct yet interconnected layers. The context management layer and the access control layer. The context management receives all the context information captured then processes them through its AI engine which outputs the desired role and status. That information is then sent to the access control layer. The access control layer will evaluate the business rules and privileges on the requested access to either grant or decline the request. The CA-RBAC is nothing more than an AI engine built on markup languages such as XACML or AIML (Artificial Intelligence Markup Language) running an RBAC.
Data security has grown to be a major concern for organizations and consumers a like. Beyond the financial and miss-reputation impact that it may cause to companies of all sizes, as data professionals, our vow to protect the data that we are entrusted with shall remain one of the most important item in our code of ethics.