The ES-LoA Project WP 1 Deliverable Using LoA to Achieve Risk-Based Access Control: A Study Report

Authors

  • Aleksandra Nenadić
  • Ning Zhang

Abstract

Robust electronic authentication capable of reliably identifying remote entities (human users or software components) with a certain level of assurance in authentication strength is an important prerequisite to facilitate effective user authorisation and fine-grained access control in distributed systems. In a Federated Access Management environment, users are referred back to their home or affiliated institutions (playing the role of identity providers) for authentication, and subsequently gain access to resources provided by other federation members (i.e. service providers) through the use of attributes asserted by their respective IdPs. The separation of duties between identity providers (IdPs) and service providers (SPs) means that SPs no longer have control over the identity vetting procedures and authentication processes used to establish a user's identity. IdPs may employ dissimilar identity management policies, cross-checking procedures and authentication mechanisms, resulting in a spectrum of levels among which users are identified. More and more diverse resources are expected to join the federated environment, and they may have varying levels of sensitivity depending on their values and severity of consequences in the event of a security breach. SPs managing more sensitive resources may require a stronger form of user identification, while others having less valuable resources may not wish to subject their users to unnecessarily burdensome procedures. Increasing the level of confidence in identifying users may, on the one hand, enable more security-conscious services to join a federation, but, on the other hand, inflate running costs and create a less user-friendly environment resulting in a reluctance of some providers of lower-value resources to join the federation.
Thus, there is a need for a more fine-grained approach to access control to replace the existing binary (grant-or-deny) solution where access control is achieved using the 'one-method-fits-all' approach regardless of the resource sensitivity and risk levels. One way to achieve the vision of fine-grained access control is to quantify the quality or strength of an authentication process in terms of an authentication Level of Assurance (LoA), and use the LoA value as a parameter for authorisation decision making. With this approach, assurance levels and costs in identity vetting and entity authentication can be linked to the values of the assets or risk levels in the accessed environment. The higher the value or sensitivity of the assets, the more formal and stricter the identity vetting process and, thus, a higher level of assurance in the underlying authentication service will be needed. …

Similar resources

A Defined Set of LoA Recommendations for the Use within the UK Education and Research Communities

The ES-LoA project, funded by the UK Joint Information Systems Committee (JISC) under its e-Infrastructure Security Programme, investigates current and future needs among UK research and education community for a more fine-grained access control, which allows service providers to take into account of the levels of confidence in identifying a remote entity requesting for service access. Such a f...

Overview: Report of a Scientific Working Group on Serious Adverse Events following Mectizan® treatment of onchocerciasis in Loa loa endemic areas.

This report reviews information on Serious Adverse Events (SAE), mainly Loa-encephalopathy, following treatment with ivermectin (Mectizan®, Merck, Sharpe & Dohme) for control of onchocerciasis carried out by the African Programme for Onchocerciasis Control (APOC), in areas where heavy microfilarial infections with Loa loa are coendemic with Onchocerca volvulus infections. It also endeavours to ...

Mapping the distribution of Loa loa in Cameroon in support of the African Programme for Onchocerciasis Control

BACKGROUND: Loa loa has recently emerged as a filarial worm of significant public health importance as a consequence of its impact on the African Programme for Onchocerciasis Control (APOC). Severe, sometimes fatal, encephalopathic reactions to ivermectin (the drug of choice for onchocerciasis control) have occurred in some individuals with high Loa loa microfilarial counts. Since high density ...

Encephalopathy Related to Ivermectin Treatment of Onchocerciasis in Loa loa Endemic Areas: Operational Considerations

Human onchocerciasis is a public health problem and an obstacle to socioeconomic development in endemic countries of Africa, Arabian Peninsula and South America (WHO, 1995). The community-directed treatment with ivermectin (CDTI) is the main strategy adopted by the African Programme for Onchocerciasis control (APOC). Severe adverse events with encephalopathy (SAEs) have been associated with mas...

Rapid assessment method for prevalence and intensity of Loa loa infection.

OBJECTIVE To assess the validity of observations on eye worm and Calabar swellings for the rapid assessment of the prevalence and intensity of loiasis at the community level. METHOD A total of 12895 individuals over the age of 15 years living in 102 communities in Cameroon and Nigeria took part in the study. A standardized questionnaire was administered to participants from whom finger-prick ...

Publication date: 2007