Baaz Finding Misconfigurations in Access Control

Baaz Finding Misconfigurations in Access Control. Tathagata Das, Ranjita Bhagwan, Prasad Naldurg. Access Control in the Enterprise. IT Support. Human Resources. File Shares. Facilities. Finance. Insider Threats: A motivating scenario.


Presentation Transcript


  1. Baaz: Finding Misconfigurations in Access Control. Tathagata Das, Ranjita Bhagwan, Prasad Naldurg

  2. Access Control in the Enterprise
     [Diagram labels: IT Support, Human Resources, File Shares, Facilities, Finance]

  3. Insider Threats: A motivating scenario
     • For any security incident, there is a 69% chance that the culprit was an insider (The Global State of Information Security - PricewaterhouseCoopers survey in 2007)
     • In many organizations, up to 90% of the employees have more permissions than they were entitled to (Information Risk in the Professional - Dartmouth College and Tuck School of Business in Dartmouth)
     • How do employees end up with so many extra permissions? Is managing access permissions so hard?

  4. Managing Access Permissions
     • Security Group (SG). Ideally: exists for every role. In practice: do not exist for every role.
     • Shared Resource Permissions. Ideally: using SGs only. In practice: may not be with SGs, exceptions present.
     • Security Policy. Ideally: well documented. In practice: usually not well documented.

  5. Access Control in the Enterprise
     [Diagram labels: Baaz, IT Support, Human Resources, File Shares, Facilities, Finance]

  6. Design Goals for Baaz
     • Prevention rather than forensics
       • Baaz is an auditing tool that periodically scans access control permissions to find potential misconfigurations
     • No assumption of documented security policy
       • Rather than checking for “incorrect” access control, Baaz checks for “inconsistent” access permissions
     • High performance
       • Baaz uses fast algorithms that are scalable to thousands of users and millions of resources

  7. Outline
     • Motivation and Goals
       • Insider Threats: A motivating scenario
       • Managing Access Permissions
       • Design Goals
     • Design & Algorithms
       • Matrix Reduction
       • Group Mapping
     • Implementation & Results
     • Summary

  8. Misconfigurations
     • Security Misconfiguration: Bob has access to data he should not
     • Accessibility Misconfiguration: Bob does not have access to data he should

  9. Baaz: Design
     [Diagram labels: Subject, Reference, Shared Files, Databases, Organizational Groups, Matrix Reduction, Group Mapping, Object Clustering, Misconfiguration Candidates in Subject Dataset]
     • Subject & Reference Datasets
       • Subject Dataset: the dataset where we want to find misconfigurations
       • Reference Dataset: the dataset that is used as a proxy for the security policy when checking consistency of the Subject Dataset
       • Any data source that can be represented as a binary matrix can be used as a Subject/Reference Dataset
     • Relation Matrix
       • Binary matrix defining a relation between users and objects
       • Shared Files: Users × Files, relation = permissions
       • Org. Groups: Users × Groups, relation = group memberships

  10. Baaz: Algorithm
     • Focus of this presentation: Matrix Reduction, Group Mapping
     [Diagram labels: Subject Relation Matrix, Reference Relation Matrix, Matrix Reduction, Summary Statements, Reference Groups, Group Mapping, Object Clustering, Misconfig Candidates]

  11. Sample Datasets
     • A – H: Users
     • 1 – 13: Resources (shared folders, databases, etc.)
     • W – Z: Groups (org. hierarchy, security groups, etc.)
     [Figures: Subject Relation Matrix, Reference Relation Matrix]

  12. Matrix Reduction
     [Figures: Subject Relation Matrix, Reference Relation Matrix]
     Summary Statements
     • S1: {C,D,E,F,G,H} → {1, 2, 3, 4, 5}
     • S2: {C,D,E,F,G} → {6, 7}
     • S3: {A,B,C,D} → {9, 10, 11, 12}
     Reference Groups
     • G1: {C,D,E,F,G,H} → {X}
     • G2: {A,B,C} → {W,Y}
     • G3: {C,D} → {Z}

  13. Group Mapping
     Mapped Groups
     • S1: {C,D,E,F,G,H} = G1
     Reference Groups
     • G1: {C,D,E,F,G,H} → {X}
     • G2: {A,B,C} → {W,Y}
     • G3: {C,D} → {Z}
     Summary Statements
     • S1: {C,D,E,F,G,H} → {1, 2, 3, 4, 5}
     • S2: {C,D,E,F,G} → {6, 7}
     • S3: {A,B,C,D} → {9, 10, 11, 12}

  14. Group Mapping
     Candidate mappings for S2: {C,D,E,F,G}
     • G1 – {H}
     • G2 – {A,B} + {D,E,F,G}
     • G3 + {E,F,G}
     Mapped Groups
     • S1: {C,D,E,F,G,H} = G1
     • S2: {C,D,E,F,G} = G1 – {H}
     Reference Groups
     • G1: {C,D,E,F,G,H} → {X}
     • G2: {A,B,C} → {W,Y}
     • G3: {C,D} → {Z}
     Summary Statements
     • S1: {C,D,E,F,G,H} → {1, 2, 3, 4, 5}
     • S2: {C,D,E,F,G} → {6, 7}
     • S3: {A,B,C,D} → {9, 10, 11, 12}

  15. Group Mapping
     Candidate mappings for S3: {A,B,C,D}
     • G1 – {E,F,G,H} + {A,B}
     • G2 + {D}
     • G3 + {A,B}
     Mapped Groups
     • S1: {C,D,E,F,G,H} = G1
     • S2: {C,D,E,F,G} = G1 – {H}
     • S3: {A,B,C,D} = G2 + {D}
     Reference Groups
     • G1: {C,D,E,F,G,H} → {X}
     • G2: {A,B,C} → {W,Y}
     • G3: {C,D} → {Z}
     Summary Statements
     • S1: {C,D,E,F,G,H} → {1, 2, 3, 4, 5}
     • S2: {C,D,E,F,G} → {6, 7}
     • S3: {A,B,C,D} → {9, 10, 11, 12}

  16. Group Mapping
     • Can be generalized to multiple groups being mapped to a set of users
     • ‘Set cover’ like algorithm to find the mapping
     • Allows for incomplete/approximate covers
     • Minimum Description Length for selecting best cover
     • Greedy version used for fast results
     • Details in the paper
     [Figure labels: Team X, Team Y]

  17. Misconfigurations
     • S3: {A,B,C,D} = G2 + {D}. D has access alongside Group G2 {A,B,C}: Security Misconfiguration Candidate
     • S2: {C,D,E,F,G} = G1 – {H}. H is in Group G1 {C,D,E,F,G,H} but lacks access: Accessibility Misconfiguration Candidate
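
The Matrix Reduction and Group Mapping steps of slides 12 to 17, as an added Python example that is not code from the presentation or from Baaz itself. It assumes a simplified mapping (one closest reference group per summary statement, by symmetric difference) instead of the set-cover/MDL search the slides mention; the matrices are constructed to match the slides' summary statements, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data matching the slides' summary statements and reference
# groups (resources 8 and 13 are not described on the slides, so they are omitted).
SUBJECT = {r: set(u) for rs, u in [((1, 2, 3, 4, 5), "CDEFGH"), ((6, 7), "CDEFG"),
                                   ((9, 10, 11, 12), "ABCD")] for r in rs}
REFERENCE = {"X": set("CDEFGH"), "W": set("ABC"), "Y": set("ABC"), "Z": set("CD")}


def matrix_reduction(relation):
    """Group objects (columns) that share exactly the same user set."""
    by_users = defaultdict(list)
    for obj, users in relation.items():
        by_users[frozenset(users)].append(obj)
    return {users: sorted(objs) for users, objs in by_users.items()}


def find_candidates(subject, reference):
    """Map each summary statement to its closest reference group and report diffs.

    Simplification: one reference group per statement, chosen by smallest
    symmetric difference; the slides describe a set-cover/MDL search instead.
    """
    ref_groups = matrix_reduction(reference)
    candidates = []
    for users, resources in matrix_reduction(subject).items():
        best = min(ref_groups, key=lambda g: (len(users ^ g), sorted(g)))
        extra, missing = users - best, best - users
        if extra or missing:
            candidates.append({
                "resources": resources,
                "reference_groups": ref_groups[best],
                "security": sorted(extra),        # have access, not in the group
                "accessibility": sorted(missing),  # in the group, lack access
            })
    return sorted(candidates, key=lambda c: c["resources"])


if __name__ == "__main__":
    for c in find_candidates(SUBJECT, REFERENCE):
        print(c)
```

S1 maps exactly to G1 and is not reported; the two reported entries correspond to S2 = G1 – {H} and S3 = G2 + {D}.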

  18. Implementation
     • Baaz Stub
       • Converts raw data to relation matrix
       • Reports matrix and changes to server
     • Baaz Server
       • Collects matrices from all the stubs
       • Runs the algorithms on a pair of matrices as soon as any change is detected
     [Diagram labels: Stubs on Shared Files, Shared Webpages and LDAP Server (Email Grps. + Org. Hierarchy); Baaz Server]

  19. Evaluation
     • Some reasons why misconfigurations occur
       • Role change or new employee joining
       • Partial implementation of policy change
       • Misspellings of alias
     • Ground-truth comparison: missed 3 misconfigurations in file server

  20. Evaluation: Ground Truth Comparison
     • Manually examined the access permissions of directories on the file server (dataset 1)
     • After eliminating directories having similar permissions, 276 directories examined
     • Took two days!
     • Missed 3 misconfigurations (false negatives)
       • Relevant reference groups didn’t exist
     • Found 18 valid misconfigurations

  21. Evaluation: Event-based Monitoring
     • 19th August 2009: Monitoring on file server started
     • 20th September 2009: Employee adopts a new role
       • Email lists were updated
       • Permissions on files were not updated
     • Baaz found the accessibility misconfiguration within 1 second of the email list reflecting the change

  22. Evaluation: Runtime Performance
     • Most time-consuming step: Matrix Reduction
       • Scans each relation matrix once
       • O(size of the matrix)

  23. Related Work
     • Detecting and resolving policy misconfigurations in access-control systems: Bauer, Garriss and Reiter (2008)
       • Uses Associative Rule Mining on access logs to figure out whether a new user should be granted access to resources or not
       • Does not find security misconfigurations, no group mapping
     • Role Mining algorithms
       • Discover common patterns in access permissions across users and resources
       • Related to Matrix Reduction step, can be used as input to Group Mapping
     • Several RBAC systems in academia and industry
       • Hard to implement in practice
       • No audit tool to search for misconfigurations, Baaz should be useful

  24. Summary
     • Baaz is an auditing tool that can find potential misconfigurations
       • Can be applied to many types of resources
       • Well documented security policy not required
       • Fast and scalable
     • We have deployed Baaz on 3 real systems and have found misconfigurations in high business value data
     • We were able to find misconfigurations in a near real-time manner

  25. Ongoing Work
     • Visualization of Access Control
       • Who has access to what?
     • How do you solve the problem with more complex access control models?

  26. Questions? Thank you!
