XACML and Risk-Aware Access Control

Over the last few years there has been a rapid development of technologies such as ubiquitous computing and distributed multi-agent systems. As a consequence an increasing need to share information securely in a distributed dynamic environment has arisen. Risk-aware access control (RAAC) has recently shown promise as an approach to addressing this need of flexible and dynamical access control requirements. Additionally, OASIS proposed XACML as a new standard XML-based language for writing access control policies, requests and responses. The standard specification also defines reference architecture for implementing an XACML based system. Despite the fact that XACML is designed to support various access control models, we believe it doesn’t provide a natural way for defining RAAC policies. In this paper we propose an approach that uses standard XACML features to implement RAAC. In particular, we abstract core components of RAAC relevant to risk assessment and risk mitigation, and illustrate how to define XACML policies to implement these components. We also propose a modular architecture for the XACML obligations service to handle both system and user obligations, which are typically used as risk mitigation methods in RAAC.