TC: Medium: Collaborative Research: Towards Formal, Risk-Aware Authorization

Project Details

Lead PI

Performance Period

Jun 01, 2010 - May 31, 2014

Institution(s)

University of Pittsburgh

Award Number


Outcomes Report URL


Traditional authorization decisions are black and white: a user either satisfies a particular access policy or does not. This rigidity is a handicap in a complex and unpredictable world. As a result, even security-conscious organizations typically grossly overprovision principals with access rights, underconstrain their access policies, or both, so that principals can always carry out the organization's mission and respond to unexpected opportunities and challenges.

This project develops dynamic, risk-aware approaches to access control that let organizations make security-critical decisions in the face of incomplete information and unexpected circumstances. It does so by combining proof-theoretic access control with economic models of risk. When the expected proof of authorization for an action cannot be constructed, the systems developed in this project carry out an efficient search for similar proofs of authorization that minimize the overall risk incurred by deviating from the expected proof. Policies can therefore adapt dynamically to the changing context of the systems in which they are deployed.

The expected benefits of this research include increased system availability during disasters and other uncommon situations not explicitly modeled by policies; fewer instances of permission creep, since overprovisioning users is no longer required to meet an organization's business needs; a quantifiable means of assessing how policies are actually used and how they might be changed to better reflect the evolution of the organization; and metrics for assessing access control risk.
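The following is an added illustration of the idea described above, written for this page; it is not code from the project and does not claim to reproduce its system. Policy is written as Datalog-style rules and facts. If the goal has a proof from facts alone it is found at risk zero; otherwise a best-first search assumes missing premises drawn from a constructed price list, so the cheapest "similar" proof is returned together with the assumptions it relied on, and the request is permitted only if that accumulated risk stays within a budget. The predicates, principals, costs and the budget are all made up for the example.

```python
"""Risk-aware proof search over a small Datalog-style authorization policy.

Added illustration written for this page; it is not the project's own system.
Policy rules, facts and the risk costs below are constructed for the example.
"""
from __future__ import annotations

import heapq
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Atom = Tuple[str, ...]          # ("pred", "arg1", ...); capitalised args are variables
Subst = Dict[str, str]


@dataclass(frozen=True)
class Proof:
    risk: float                 # total cost of the assumptions the proof relies on
    assumed: FrozenSet[Atom]    # premises that were not facts: the audit record


def is_var(t: str) -> bool:
    return t[:1].isupper()


def walk(t: str, s: Subst) -> str:
    while is_var(t) and t in s:
        t = s[t]
    return t


def unify(a: Atom, b: Atom, s: Subst) -> Optional[Subst]:
    """Return s extended so that a and b coincide, or None if they cannot."""
    if len(a) != len(b):
        return None
    s = dict(s)
    for x, y in zip(a, b):
        x, y = walk(x, s), walk(y, s)
        if x == y:
            continue
        if is_var(x):
            s[x] = y
        elif is_var(y):
            s[y] = x
        else:
            return None
    return s


def rename(atom: Atom, k: int) -> Atom:
    """Give a rule's variables a fresh suffix so separate uses do not collide."""
    return tuple(f"{t}_{k}" if is_var(t) else t for t in atom)


def min_risk_proof(goal, facts, rules, assumable, max_expansions=5000) -> Optional[Proof]:
    """Best-first search by accumulated risk: a zero-risk proof is found first if
    one exists; otherwise the cheapest set of assumable premises that closes the gap."""
    counter = 0
    frontier = []

    def push(risk, goals, assumed, s):
        nonlocal counter
        counter += 1                       # unique tie-breaker; dicts are not orderable
        heapq.heappush(frontier, (risk, counter, goals, assumed, s))

    push(0.0, (goal,), frozenset(), {})
    expansions = 0
    while frontier:
        risk, _, goals, assumed, s = heapq.heappop(frontier)
        if not goals:
            return Proof(risk, assumed)
        expansions += 1
        if expansions > max_expansions:    # guard against recursive policies
            return None
        current = tuple(walk(t, s) for t in goals[0])
        rest = goals[1:]
        # 1. Close the goal against a fact, or an assumption already paid for.
        for known in facts | assumed:
            s2 = unify(current, known, s)
            if s2 is not None:
                push(risk, rest, assumed, s2)
        # 2. Expand the goal with a policy rule whose head matches.
        for head, body in rules:
            counter += 1
            s2 = unify(current, rename(head, counter), s)
            if s2 is not None:
                push(risk, tuple(rename(b, counter) for b in body) + rest, assumed, s2)
        # 3. Assume a missing premise at its risk cost: the deviation from the expected proof.
        for atom, cost in assumable.items():
            if atom in assumed:
                continue
            s2 = unify(current, atom, s)
            if s2 is not None:
                push(risk + cost, rest, assumed | {atom}, s2)
    return None


def authorize(goal, facts, rules, assumable, threshold):
    """Permit when a proof exists whose accumulated risk stays within the budget."""
    proof = min_risk_proof(goal, facts, rules, assumable)
    if proof is None or proof.risk > threshold:
        return "deny", proof
    return "permit", proof


# Constructed policy: clinicians read records of patients assigned to them,
# or any record flagged as an emergency.
RULES = [
    (("can_read", "U", "R"), [("has_role", "U", "clinician"), ("assigned", "U", "P"), ("record_of", "P", "R")]),
    (("can_read", "U", "R"), [("emergency", "R"), ("has_role", "U", "clinician")]),
]
FACTS = frozenset({
    ("has_role", "alice", "clinician"), ("assigned", "alice", "p1"),
    ("record_of", "p1", "r1"), ("has_role", "bob", "clinician"),
})
# Premises the organisation is willing to assume, priced by the risk of being wrong (constructed).
ASSUMABLE = {("assigned", "bob", "p1"): 0.3, ("emergency", "r1"): 0.5}
RISK_BUDGET = 0.4

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, authorize(("can_read", user, "r1"), FACTS, RULES, ASSUMABLE, RISK_BUDGET))
```

Alice is permitted at risk zero through the ordinary proof. Bob, who is a clinician but has no recorded assignment, is permitted at risk 0.3 with `assigned(bob, p1)` recorded as the assumed premise, which is the kind of usage data the abstract mentions for revisiting policies; had only the costlier emergency assumption been available, the same request would exceed the budget and be denied. Carol has no provable or assumable role, so no proof exists at any price. Note that the search is exponential in the worst case; the expansion cap is a stand-in for the efficient search the project targets.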