Abstract

To enhance access control mechanisms, organizations need to monitor access requests issued from devices. Organizations can then evaluate the trustworthiness or risks of the devices based on the collected requests and adapt access privileges accordingly. However, existing schemes usually do not address organizational authorization processes and may not be suitable for enterprise file systems. In light of this, this study proposes an Evolutionary Risk Adaptive Access Control (ERAAC) Framework for enterprise file systems. The proposed framework provides an extensible architecture that lets an organization deploy different access control filters for different perspectives. An access control filter filters out access requests based on access control policies. An organization can add a new access control filter without replacing its existing access control mechanism. In addition, the proposed framework enables organizations to define new risk labels for the data entities used in access control policies, such as subjects and the objects to be accessed. The access control mechanism can adapt user privileges based on the risk labels. Even if an organization does not have enough data to generate risk labels, it can still set access control policies without risk labels. Therefore, the proposed framework enables organizations to progressively improve their access control mechanisms. To the best of our knowledge, the proposed framework is the first access control framework that can evolve with organizational maturity in risk management. This study also illustrates how the proposed framework satisfies the related tenets mentioned in NIST SP 800-207. Consequently, this study can hopefully help organizations implement a zero trust architecture.
