tall order.
pilot investigations, detailed in a 25-page white paper [2].
The YouTube clip, however short, presents the key ideas.
work.
[1] Novay Project
CEA: Context-Enhanced Authorization
SII Innovation Project
Project Principals: Bob Hulsebosch, Ruud Kosman,
Martijn Oostdijk, Jaap Reitsma, Maarten Wegdam,
Martin Wibbels
Project Overview: "Context information can make
authorization management more flexible and more
secure. Knowing when and where users are, and
what they are up to helps in determining which
access rules to apply. There is an increasing need
for organizations, especially organizations in
the banking sector, to be more flexible while
maintaining the same level of security. The
newfound flexibility can be used, for instance, to
enable new forms of working in which employees of
a bank need to be able to perform high-risk
transactions from different locations (home,
office, at a customer location etc.), at different
times of the day and using different devices...
The promise of context-enhanced authorization is
that by making the context information explicit
in authorization rules the flexibility increases
without reducing security. The wide-spread
introduction of mobile devices makes more and more
context information available, and promising
technical authorization standards driven by factors
such as cloud computing are just about ready to
make context enhanced authorization possible...
Rabobank, IBM, and Novay are participating in a
SII innovation project in order to identify the
opportunities and challenges of context enhanced
authorization. Goal of the project is to assess
the feasibility of the use of context information
to enhance authorization policy with a focus on
employees in the banking sector...
The project also builds a demonstrator to validate
whether context enhanced authorization is technically
feasible given today’s state-of-the-art technologies.
The current generation of Identity & Access
Management (IAM) suites enable individual
applications to externalize their authorization
decision logic. An upcoming standard making this
possible is XACML. This technology promises to be
an important component of the solution, though
technical challenges may need to be tackled first
before these systems can process real-time context
information. The demonstrator will most likely be
built on top of an existing IAM product."
[2] White Paper
Feasibility of Context-Enhanced Authorization in the Banking Sector
By: Bob Hulsebosch, Martijn Oostdijk, and Maarten Wegdam
Final Version 2.0, January 30, 2012
25 pages
[3] YouTube
CEA: Context-Enhanced Authorization
A Novay Project, With Rabobank and IBM
April 23, 2012
"How context can be used to make authorization decisions
more dynamic, e.g., depending on whether an employee is
working from home or not. This video discusses the concept,
gives an overview of a demonstrator in the banking sector
and presents lessons learned of a feasibility study for
a large Dutch bank... Access at home, on the way to work,
at the office..."
[4] SURFnet Presentation
XACML pilot at a large Dutch bank, Using XACML to implement
context-enhanced authorizations
By Maarten Wegdam
Presented April 26, 2012
As presented at the XACML seminar, 26 April 2012, at SURFnet
(Utrecht, NL) by PIMN, CSA and PvIB. Presented the
context-enhanced authorization project on usefulness and
feasibility of using context to improve authz for a
large Dutch bank.
[5] GOVCERT Symposium
Slide Presentation
Context-Enhanced Authorization
GOVCERT Symposium
16 November 2011
Martijn Oostdijk