SoTRAACE — Socio-technical risk-adaptable access control model

Abstract

Within the necessary security requirements, access control measures are essential to provide adequate means to protect data from unauthorized accesses. However, current and traditional solutions are commonly based on predefined access policies and roles and are therefore inflexible by assuming uniform access control decisions through people's different type of devices, environments and situational conditions, and across enterprises, location and time. We live in an age of the mobile paradigm of anytime/anywhere access as the smartphone is the most ubiquitous device that people now hold. In this new age, access control models need to determine adaptable access decisions based on multiple factors aggregated at the moment of request and not just perform a predefined comparison of attributes. This paper presents a new access control model: SoTRAACE — Socio-Technical Risk-Adaptable Access Control Model. This model aggregates attributes from various domains to help performing a risk assessment that is balanced against the operational needs at the moment of each request, so to provide the most accurate and secure access decision. As a proof of concept, SoTRAACE is used to model and compare two different use case scenarios in the healthcare sector.