440 likes | 596 Views
Cyber-Identity, Authority and Trust in an Uncertain World. Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu. Outline. Perspective on security Role Based Access Control (RBAC)
E N D
Cyber-Identity, Authority and Trust in an Uncertain World Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu
Outline • Perspective on security • Role Based Access Control (RBAC) • Objective Model-Architecture Mechanism (OM-AM) Framework • Usage Control (UCON) • Discussion
Security Conundrum • Nobody knows WHAT security is • Some of us do know HOW to implement pieces of it Result: hammers in search of nails
USAGE purpose • electronic commerce, electronic business Security Confusion • DRM, client-side controls INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure
Security Successes • On-line banking • On-line trading • Automatic teller machines (ATMs) • GSM phones • Set-top boxes • ……………………. Success is largely unrecognized by the security community
Good enough security • Exceeding good enough is not good • You will pay a price in user convenience, ease of operation, cost, performance, availability, … • There is no such thing as free security • Determining good enough is hard • Necessarily a moving target
Good enough security Real-world users Security geeks SECURE EASY • end users • operations staff • help desk • whose security • perception or reality of security Business models dominate security models COST System owner • system cost • operational cost • opportunity cost • cost of fraud
Good enough security • In many cases good enough is achievable at a pretty low threshold • The “entrepreneurial” mindset • In extreme cases good enough will require a painfully high threshold • The “academic” mindset
Good enough security COST L M H Entrepreneurial mindset Academic mindset H 1 2 3 R I S K 2 3 4 M L 3 4 5
MAC, DAC and RBAC • For 25 years (1971-96) access control was divided into • Mandatory Access Control (MAC) • Discretionary Access Control (DAC) • Since the early-mid 1990’s Role-Based Access Control (RBAC) has become a dominant force • RBAC subsumes MAC and DAC • RBAC is not the “final” answer BUT is a critical piece of the “final” answer
Mandatory Access Control (MAC) TS S Lattice of security labels C Information Flow Dominance U Rights are determined by security labels (Bell-LaPadula 1971)
Discretionary Access Control (DAC) • The owner of a resource determines access to that resource • The owner is often the creator of the resource • Fails to distinguish read from copy • This distinction has re-emerged recently under the name Dissemination Control (DCON)
... RBAC96 model(Currently foundation of a NIST/ANSI/ISO standard) ROLE HIERARCHIES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS ROLES PERMISSIONS CONSTRAINTS SESSIONS
RBAC SECURITY PRINCIPLES • least privilege • separation of duties • separation of administration and access • abstract operations
HIERARCHICAL ROLES Primary-Care Physician Specialist Physician Physician Health-Care Provider
Fundamental Theorem of RBAC • RBAC can be configured to do MAC • RBAC can be configured to do DAC RBAC is policy neutral
THE OM-AM WAY A s s u r a n c e • Objectives • Model • Architecture • Mechanism What? How?
LAYERS AND LAYERS • Multics rings • Layered abstractions • Waterfall model • Network protocol stacks • Napolean layers • RoFi layers • OM-AM • etcetera
What? How? OM-AM AND MANDATORY ACCESS CONTROL (MAC) A s s u r a n c e • No information leakage • Lattices (Bell-LaPadula) • Security kernel • Security labels
What? How? OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC) A s s u r a n c e • Owner-based discretion • numerous • numerous • ACLs, Capabilities, etc
What? How? OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC) A s s u r a n c e • Objective neutral • RBAC96, ARBAC97, etc. • user-pull, server-pull, etc. • certificates, tickets, PACs, etc.
... RBAC96 model(Currently foundation of a NIST/ANSI/ISO standard) ROLE HIERARCHIES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS ROLES PERMISSIONS CONSTRAINTS SESSIONS
Server-Pull Architecture Client Server User-role Authorization Server
User-Pull Architecture Client Server User-role Authorization Server
Proxy-Based Architecture Client Proxy Server Server User-role Authorization Server
The UCON Vision: A unified model • Traditional access control models are not adequatefor today’s distributed, network-connected digital environment. • Authorization only – No obligation or condition based control • Decision is made before access – No ongoing control • No consumable rights - No mutable attributes • Rights are pre-defined and granted to subjects
Prior Work • Problem-specific enhancement to traditional access control • Digital Rights Management (DRM) • mainly focus on intellectual property rights protection. • Architecture and Mechanism level studies, Functional specification languages – Lack of access control model • Trust Management • Authorization for strangers’ access based on credentials
Prior Work • Incrementally enhanced models • Provisional authorization [Kudo & Hada, 2000] • EACL [Ryutov & Neuman, 2001] • Task-based Access Control [Thomas & Sandhu, 1997] • Ponder [Damianou et al., 2001]
Usage Control (UCON) Coverage • Protection Objectives • Sensitive information protection • IPR protection • Privacy protection • Protection Architectures • Server-side reference monitor (SRM) • Client-side reference monitor (CRM) • Both SRM and CRM
Continuity of decisions ongoing pre post Mutability of attributes Core UCON (Usage Control) Models
Examples • Long-distance phone (pre-authorization with post-update) • Pre-paid phone card (ongoing-authorization with ongoing-update) • Pay-per-view (pre-authorization with pre-updates) • Click Ad within every 30 minutes (ongoing-obligation with ongoing-updates) • Business Hour (pre-/ongoing-condition)
UCON Architectures • We narrow down our focus so we can discuss in detail how UCON can be realized in architecture level • Sensitive information protection X CRM • First systematic study for generalized security architectures for digital information dissemination • Architectures can be extended to include payment function
Three Factors of Security Architectures • Virtual Machine (VM) • runs on top of vulnerable computing environment and has control functions • Additional assurance will come with emerging hardware support • Control Set (CS) • A list of access rights and usage rules • Fixed,embedded, and external control set • Distribution Style • Message Push (MP),External Repository (ER) style
Architecture Taxonomy • VM: Virtual Machine • CS: Control Set • MP: Message Push • ER: External Repository • NC1: No control architecture w/ MP • NC2: No control architecture w/ ER • FC1: Fixed control architecture w/ MP • FC2: Fixed control architecture w/ ER • EC1: Embedded control architecture w/ MP • EC2: Embedded control architecture w/ ER • XC1: External control architecture w/ MP • XC2: External control architecture w/ ER
THE OM-AM WAY A s s u r a n c e • Objectives • Model • Architecture • Mechanism What? How?
Good enough security COST L M H Entrepreneurial mindset Academic mindset H 1 2 3 R I S K 2 3 4 M L 3 4 5