Integration of Quantitative Methods for Risk Evaluation within Usage Control Policies

Usage Control (UCON) enhances traditional access control introducing mutable attributes and continuous policy enforcement. UCON addresses security requirements of dynamic computer environments like Grid and Cloud, but also raises new challenges. This paper considers two problems of usage control. The first problem arises when a value of a mutable attribute required for an access decision is uncertain. The second problem questions when to retrieve fresh values of mutable attributes and to trigger the access reevaluation during the continuous control. We propose quantitative risk-based methods to tackle these problems. The authorisation system grants the access if the security policy is satisfied and the risk level is acceptable. The authorisation system retrieves fresh attribute values following the strategy which minimises the risk of the usage sessions. We integrate the authorisation system based on the U-XACML language with quantitative methods for risk evaluation. We present the architecture, the implementation, and the evaluation of the overhead posed by the risk computation.