150 likes | 397 Views
Privilege and Policy Management for Cyber Infrastructures Dennis Kafura Markus Lorch Support provided by: Commonwealth Security Information Center Fermi National Accelerator Laboratory IBM Organization Grand Challenges Problems Requirements PRIMA – a privilege-based approach
E N D
Privilege and Policy Management for Cyber Infrastructures Dennis Kafura Markus Lorch Support provided by: Commonwealth Security Information Center Fermi National Accelerator Laboratory IBM March 14-15, 2005
Organization • Grand Challenges • Problems • Requirements • PRIMA – a privilege-based approach • Models • Architecture/Mechanisms • Research challenges • Policy • Obligations • Enforcement • Usability • Relationship to I3P and Workshop Themes March 14-15, 2004
Grand Challenge Problems • Societal infrastructures “Develop tools and principles that allow construction of large-scale systems for important societal applications that are highly trustworthy despite being attractive targets.” • Dynamic, pervasive computing environments “For the dynamic, pervasive computing environments of the future, give computing end-users security they can understand and privacy they can control. From: CRA Workshop on “Grand Research Challenges in Information Security and Assurance,” November 2003. March 14-15, 2004
Cyber Infrastructure Requirements March 14-15, 2004
PRIMA Models March 14-15, 2004
PRIMA Properties March 14-15, 2004
Privilege Structure • Privilege Properties • Fully associated • Directly applicable • Time limited • Externalized • Secure • Non-repudiation • Implementation • Container: X.509 Attribute Certificate • Privilege: XACML rule construct March 14-15, 2004
Enforcement Concepts • Policy Enforcement Point (PEP) checks privileges for: • Applicability (to resource and requestor) • Validity (of time frame and signature) • Authority (with respect to privilege management policy) • All permissible privilege constitute a dynamic policy for a request • Policy Decision Point (PDP): • Makes coarse decision • Adds obligations for PEP March 14-15, 2004
Dynamic Policy March 14-15, 2004
Obligations • Additional constraints to an authorization decision • If PEP cannot fulfill an obligation then it disallows access • Obligation address the mismatch in level of detail between request and policies • Obligations help in maintaining system state March 14-15, 2004
Research Challenges: Policy • What can be adapted from software engineering research for policy: • Testing • Debugging • Formal Analysis • Requirements engineering • Policy extensions • Threat/environment aware March 14-15, 2004
Research Challenges: Obligations • Granularity mismatch • Too many rights to be externalized • Partially addressed by dynamic policy • With respect to the request • Need to add restrictions finer-grained than request March 14-15, 2004
Research Challenges: Enforcement • Evaluation of mechanisms • Dynamic user accounts • Virtual machine/sandboxing • Service containers • Model • Distributing privileges to dynamically provision an execution environment, vs. • Pre-provisioning an execution environment and distributing a privilege for it March 14-15, 2004
Research Challenges: Usability • What are the right conceptual models? • Privileges • Roles • Others? Several? Combinations? • How can users manage their rights? • P3P • Shibboleth release policies • Least-privilege control March 14-15, 2004
Addressing I3P and Workshop Themes I3P Agenda Workshop Themes March 14-15, 2004