1 / 18

World-Leading Research with Real-World Impact!

Institute for Cyber Security. A Framework for Risk-Aware Role Based Access Control. Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio October 16, 2013 SafeConfig 2013: IEEE 6th Symposium on Security Analytics and Automation.

rance
Download Presentation

World-Leading Research with Real-World Impact!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Institute for Cyber Security A Framework for Risk-Aware Role Based Access Control Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio October 16, 2013 SafeConfig 2013: IEEE 6th Symposium on Security Analytics and Automation World-Leading Research with Real-World Impact! 1

  2. Traditional Organizations Access Control Mechanism 2 World-Leading Research with Real-World Impact!

  3. General Access Control Systems S1 Reference Monitor ……… Sn Mediates all access requests User Subject/ Session Object Implemented Access Control models, e.g., RBAC, DAC, MAC. Process (e.g., pid), session (e.g., sip), etc. Alice, Bob, etc. Resources to protect, e.g., mp3, doc, txt, directory. World-Leading Research with Real-World Impact!

  4. Modern Organizations ACM 4 World-Leading Research with Real-World Impact!

  5. Authenticate and grant same access everywhere Is not sufficient How do we know that the person in the other side is true employee Secure every place/situation by antivirus/firewalls Not scalable/feasible Impractical More dynamism in access control systems Accept/Deny accesses based on security threats/risks involve in every situations/places instead of always giving same outcome for a user Intro. & Motivation Possible Solutions? 5 World-Leading Research with Real-World Impact!

  6. Risk-Awareness in Access Control Systems Quantified Approach (Risk is represented as a metric) Calculate risk value, involved in every situation Grant access accordingly based on the estimated risk value Intro. & Motivation Overall Strategy 6 World-Leading Research with Real-World Impact!

  7. MITRE Corporation Jason Program Office. Horizontal integration: Broader access models for realizing information dominance (2004) Pioneer work in quantified risk-aware access control systems Risk-awareness in Access Control Systems: E. Celikel et al (2009), F.Salim et al (2011), L. Chen et al (2011), N. Baracaldo et al (2012), K. Bijon et al (2012), S. Chari et al (2012) and others: Risk-awareness in Role Based Access Control (RBAC) system (mainly focused on developing technique on risk-estimation and utilization) P. Cheng (2007), Q Ni (2010): Risk-awareness in Lattice Based Access Control (LBAC) R. McGraw (2009), Kandala et al(2011): Identify risk-factors for a risk-aware access control system H. Khambhammettu et al (2013):a framework for various risk-assessment approaches in access control Intro. & Motivation (cont.) Conducted Research in this Arena 7 World-Leading Research with Real-World Impact!

  8. A Framework for Risk-Aware RBAC • The Framework • Identify the Risk-Aware RBAC Components • Faces different types of security risk while performing their operations • Need to develop additional functionalities to support a risk-awareness • Different Types of Risk-Awareness • Traditional Approaches • Quantified Approaches • Non-adaptive approach • Adaptive approach 8 World-Leading Research with Real-World Impact!

  9. Risk-Aware RBAC Components User-Role Assignment (URA) Permission-Role Assignment (PRA) Constraints 9 World-Leading Research with Real-World Impact!

  10. Risk-Awareness Types • Traditional Approaches • Constraints driven risk mitigation • No explicit notion of risk value • Quantified Approaches • Risk is explicitly represented as a metric • Risk is mitigated based on the estimated value 10 World-Leading Research with Real-World Impact!

  11. Traditional Risk-Awareness RH • Administrative user needs to identify risky operations and generate constraints accordingly. (For example, a constraints can restrict two risky roles from assigning to same user (SSOD). • Static in nature (a constraint always gives same outcome, unless modified) 1. Static Separation of Duty (SSOD) 2. Dynamic Separation of Duty (DSOD) 11 World-Leading Research with Real-World Impact!

  12. Quantified Risk-Awareness (Non-Adaptive) 1. Risk-threshold should vary across sessions (e.g. a session from office vs. session from home pc) 2. Risk-threshold limits user activities by restricting role-activation 12 World-Leading Research with Real-World Impact!

  13. Quantified Risk-Awareness (Adaptive) 1. Continuous user-activities monitoring and anomaly detection 2. Response mechanism by automatic revocation of privileges (e.g. system automated role deactivation) 13 World-Leading Research with Real-World Impact!

  14. Formal Specification • Formally enhance NIST Core RBAC model • To support a session with adaptive risk-threshold • Functions of the adaptive quantified risk-aware sessions • AssignRisk: assigns a risk value to a permission • RoleRisk: returns estimated risk of a role • CreateSession: user creates a session and system calculate risk-threshold for the session • AddActiveRole: called by users, tries to activate a particular • Deactivation: called by AddActiveRole to deactivate some already activated roles in order to activate that role • SActivityMonitor: This function monitors user sessions, if something is wrong it calls system automated deactivation (SADeactivation) function. • SADeactivation: This function automatically identifies which roles need to deactivate and asks user to deactivate them. World-Leading Research with Real-World Impact! 14

  15. Conclusion • To Summarize the framework: • The Risk-Aware RBAC Components are identified • Sessions, User-Role assignments, Permission-Role assignments, Role Hierarchy, Constraints • Each components should have different functionalities (need to be developed to support a Risk-Awareness) • Different Types of Risk-Awareness Approaches • Traditional Approaches • Constraints specific (implicit risk and static in nature) • Quantified Approaches • Non-adaptive approach (explicit notion of risk that varies across different situations) • Adaptive approach ( need run-time monitoring capabilities and additional system functions for automatic response) 15 World-Leading Research with Real-World Impact!

  16. Future Work User-Role Assignment (URA) Permission-Role Assignment (PRA) Constraints 16 World-Leading Research with Real-World Impact!

  17. Questions? The End 17 World-Leading Research with Real-World Impact!

  18. Backup http://www.forbes.com/sites/danschawbel/2013/03/29/david-heinemeier-hansson-every-employee-should-work-from-home/

More Related