Adaptation of authorization infrastructures enable the response to malicious behavior. Specifically, as malicious behavior is typically conducted via the user's assigned access rights, adapting such access rights enables us to cease or limit their activities. A quick technical response reduces potential loss, damage, and embarrassment to organizations, allowing for human led investigations and permanent response.
Adaptation is constricted to what can be controlled within the domain model. Note, adaptation strategies are confined to the parameters of an authorization infrastructure. The authorization infrastructure and its components should run as expected, however, its assets (parameters) are adapted to influence execution.
Considering the ABAC federated authorization infrastructure domain model as an example (figure 2), we can identify 3 main asset types to control:
Through adaptation of these assets, we are capable of 1) increasing or restricting an individual's access, 2) managing the access delegated to 3rd party identity providers (such as Facebook), and 3) managing the access of all users and groups, in conformance to the ABAC access control model.
Adaptation presents several risks. If the insider threat identified is a false positive, users could be impacted unnecessarily, and potentially damaging an organisation if access to critical resources are lost. In addition, multiple adaptation strategies are likely to be applicable to a single instance of identified insider threat, highlighting the risk that one solution may present greater consequences in comparison to others.
To safeguard against these risks, the selection of solutions rely on the generation of utility. A utility function is used to identify the ideal solution to identified anomalies, given a calculated risk and probability, whilst taking into account certain quality dimensions.
