access control. insider threats. abac. rbac. self-adaptive sytems. suap.

Historically the institutions invest in security mechanisms in order to protect against external threats, however, the threat much of the time may be within the organizations, acting as employee/former employee, business partner, and so on. Damage caused by insider threats is real and substantial because these users, like institutions, know details of how systems work, and tend to be allowed to perform operations with elevated privileges. At some point, intentionally or unintentionally, such users may abuse their privileges to compromise the confidentiality, integrity, and availability of information assets, causing financial loss and reputation to those organizations. The traditional access control mecha- nisms are incapable of dealing with these threats because they are static and do not address anomalous behaviours like downloading thousands of documents in a short period, for ex- ample. Self-adaptive systems, because your ability to analyze yourself and the environment in which they are inserted, and to reconfigure on varied and unpredictable conditions, have been shown to be a possible response to these events. In this context, self-adaptive be used to detect insider threats and mitigate them through dynamic changes to access control policies However, for this to be possible, you must provide a set of well-defined operations allowing carrying out manipulations under these policies. These operations are then used by a self-adaptive controller for the definition of adaptation plans to change the system, which in our case consists of access control policies. In this sense, this work proposes the SecAuthAPI, an approach to supporting the self-adaptation of authorization infrastructures, which provides a set of functional operations for manipulating access control policies ABAC (Attribute-Based Access Control) on authorization servers. The SecAuthAPI was implemented in a prototype that exposes a REST API with the policy modification operations. As a case study, this approach will be evaluated by simulating real business processes on SUAP system developed by IFRN. Finally, will be proposed an architecture for SUAP considering externalization of access control mechanisms, autho- rization servers, self-adaptive controllers and SecAuthAPI. Prototypes of this architecture will be implemented to check the feasibility of the proposed approach.