Proximity-Based Access Control

Description:

OBJECTIVE: Develop a standards-based access control mechanism that will dynamically adjust data access for individuals based on their proximity to others/organizations in terms of attributes (e.g., location, mission, assignment) derived from existing sources.

DESCRIPTION: Warfighters need access to a wide range of data from sources throughout the battlespace, and data requirements are only growing as our forces become more distributed, the tempo of operations increases, and units join in more ad hoc relationships. Nevertheless, warfighters have finite time and attention to find, access and consume data. Although the DoD has embraced Attribute/Role Based Access Control (ABAC/RBAC) approaches [1] through Unified Authorization and Attribute Services (UAAS) [2,3], many questions and specific details remain, and programs/commands are hesitant to share on an ad hoc basis for both security (e.g., insider threat) and resourcing (e.g., limited system capacity, limited administrative capability) reasons. As a result, warfighter needs for agile information are not well balanced with their limited time and attention, and the enterprise's need for security.

This topic is for the development of a Proximity-Based Access Control mechanism that will dynamically adjust data access for individuals based on proximity profiles. Generally, the closer something/someone is in proximity to a warfighter, the more important it is to that person and the more details the warfighter will need about it. This is true whether we are talking about spatial proximity (i.e., physical location), organizational proximity (e.g., relationships in the chain of command), or operational proximity (e.g., supported/supporting units, common missions). This observation allows us to begin to infer the "need-to-know" states of individuals in a way that benefits both data providers and consumers.

For instance, it is easy to imagine that a squadron commander may want to gain insight into data from other units at a shared airfield (spatial proximity) in order to increase logistical efficiencies, better understand what sister squadrons (organizational proximity) are doing in order to coordinate better, or delve into the details of an intelligence assessment developed by a supported ground unit (operational proximity) in order to plan more effectively. Today, however, these three simple examples are difficult to accomplish without a high degree of personal attention and time, both of which are in very short supply on today's battlefields. By utilizing proximity-based data profiles, we can anticipate and serve many warfighter data needs dynamically while taking a risk management approach to providing access. Moreover, we expect that types of proximity can be inferred by looking at existing data and approaches (e.g., the DoD "13+2" attributes used for Attribute Based Access Control, physical location, command relationships, organization for combat, missions).

The impact of this capability could potentially be very large, as it could automatically increase access for those with a valid need-to-know while decreasing the "all or nothing" system-wide access that has caused insider threat issues in the past (e.g., the case of Pvt Bradley Manning releasing classified information in 2010). Access would also be easier to monitor and audit than is currently possible. Additionally, it has implications for aiding users in focusing their attention by inferring what might be useful based on the proximity profile. That is, beyond inferring a need-to-know based on proximity, we might also be able to infer those things that will be of the greatest importance at any given time, a useful side benefit in a highly dynamic environment.

PHASE I: Investigate the state of the art for RBAC/ABAC. Explore data sources to calculate proximity profiles. Evaluate methods for calculating proximity profiles from available data and applicable standards for implementation. Test the efficacy and efficiency of providing proximity-based access control. Evaluate the ability to adhere to the UAAS approach and standards.

PHASE II: Develop prototype software to demonstrate and test the feasibility and effects of proximity-based access control. Demonstrate and assess the ability to integrate (or make interoperable) proximity-based access control by creating a Service Oriented Architecture (SOA) service that may act as a new pluggable access control layer for legacy systems.

PHASE III: Military Application: Direct application in an exercise environment to validate the concept and application. Commercial Application: Direct application in providing access dynamically.

REFERENCES:

1. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. "Role-Based Access Control Models". IEEE Computer (IEEE Press) 29 (2): 38-47. August 1996.
2. Authorization and Attribute Services Tiger Team. "Department of Defense and Intelligence Community Unified Authorization and Attribute Service: Policy Recommendations". September 2008.
3. PEO-C2C. "Joint Command and Control Objective Architecture: Information Assurance View". Draft 2.0, October 2010.