RiMBAC: Risk Management Based Access Control
Michael Frangos
Supervised by: Dr William Scott and Dr Paul Montague

Overview
• Background & Motivation
• Risk
• Risk Management
• Access Control
• Multi Level Security
• Research questions & strategy
• Research Achievements
• The RiMBAC Model
• Comparison of RiMBAC and MLS

Risk
• What is Risk?
  • “The expected impact on objectives due to one or more future events”
  • Likelihood x Consequence
  • Can be associated with negative or positive outcomes.

Risk Management
• A key business process.
• Standardized in AS/NZS 4360:2004.

Access Control
• What is Access Control?
  • The process of mediating requests to resources and data maintained by a system and determining whether the request should be granted or denied.
• Access Control Models
  • Discretionary
  • Mandatory
  • Role-based

Multi Level Security (MLS)
• What is MLS?
  • A form of mandatory access control.
• MLS Classifications

What’s wrong with MLS?
• Risk involved in each access is determined statically.
• Clearances and classifications rarely reviewed.
• Sensitivity of information will vary with time and context.
• Trustworthiness of individuals varies with time and context.
• Risk estimates are binary entities.
• Risk is either zero or worst case consequence.
• Total organizational risk for information sharing is unknown.
• Risk can’t be capped.
• No provision to deal with emergencies.

Research Questions
• How can an access control model based on risk management be developed for organizations that currently employ MLS?
• How effective would such an access control model be when compared to traditional MLS?

Research Strategy
• Phase 1 – Access Control Model Design
• Phase 2 – Agent-based Modelling

The RiMBAC Model • Design Principles
The RiMBAC Model Organizational Context:
The RiMBAC Model
Key Concepts and definitions:
• Subject – An individual or computer process acting on behalf of an individual.
• Object – An information resource.
• Compromise – Any event in which a subject who is not authorized by the access control system gains access to an object.
• Harm – Negative impact on organizational goals (due to compromise of an object).
• Benefit – Positive impact on organizational goals (due to completion of a task).
• RiM – A unit of harm or benefit.

RiMBAC Overview
[Figure: RiMBAC process overview. Stages: Establish the Context, Identify Risk, Analyze Risk, Evaluate Risk, Treat Risk, with Monitor and Review. Diagram labels: Organizational Goals established; Risk Tolerance Levels established; Information Sharing Risks defined; Information Sharing Benefits defined; Transactional Risk Calculated; Maximum Transactional Benefit Calculated; Access Control Decision Made (AC Policy, Level of Risk, Level of Benefit); Access Control Decision Enforced.]

The RiMBAC Model
• Establish the context:
  • Establish organizational goals.
    • e.g. “to make profit”, “to preserve national security”
  • Set Risk Tolerance Levels for information sharing.
    • e.g. $5M per annum (specified in RiMs).

The RiMBAC Model
2. Identify Risk:
• Identify information sharing risks:
  • Transactional risk – the risk involved each time a subject accesses an object.
• Identify information sharing benefits:
  • Transactional benefit – the benefit involved each time a subject accesses an object.

The RiMBAC Model
• Analyze Risk:
  • Calculate Transactional Risk.
  • Calculate Transactional Benefit.

The RiMBAC Model
Calculate Transactional Risk:
• Object Risk (ROBJ) – Expected harm associated with an object.
  • Likelihood of harm x Consequence of harm
• Consequence of harm:
[Figure: RiMBAC Object, i.e. Potential Harm Function and Information Categories.]

The RiMBAC Model
Likelihood of Harm:
• Assume that harm will always result from compromise of an object, i.e. PC = PHARM.
[Figure: Object with trust indices TTI1, TTI2, …, TTIn and HTI1, HTI2, …, HTIm.]

The RiMBAC Model
[Figure: Object with TTI1 … TTIn and HTI1 … HTIm.]
PTC = 1 - TTI
PHC = 1 - HTI
PC = PTC1 ∪ PTC2 ∪ … ∪ PTCn ∪ PHC1 ∪ PHC2 ∪ … ∪ PHCm

The RiMBAC Model
• Calculate Transactional Risk:
  • Object Risk (ROBJ)
    • Expected harm associated with an object.
  • Organizational Risk (RORG)
    • Sum of object risk for all objects in the organization.

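The object-risk calculation from the preceding slides, as an added Python example that is not part of the original presentation. It assumes the per-holder compromise events are independent, so the union PC becomes 1 minus the product of the trust indices; the function names and sample objects are constructed.

```python
from math import prod

def p_compromise(ttis, htis):
    """PC: probability that at least one technology or human holder is compromised.

    Per the slides, PTC = 1 - TTI and PHC = 1 - HTI for each holder.
    ASSUMPTION: the events are independent, so the probability of the
    union is 1 - (product of every trust index).
    """
    for t in (*ttis, *htis):
        if not 0.0 <= t <= 1.0:
            raise ValueError(f"trust index out of range: {t}")
    return 1.0 - prod(ttis) * prod(htis)

def object_risk(potential_harm_rims, ttis, htis):
    """ROBJ = likelihood of harm x consequence of harm, with PHARM = PC."""
    return p_compromise(ttis, htis) * potential_harm_rims

def organizational_risk(objects):
    """RORG = sum of ROBJ over every object in the organization."""
    return sum(object_risk(o["harm"], o["ttis"], o["htis"]) for o in objects)

# Constructed sample data (not from the slides): harm in RiMs, trust indices in [0, 1].
OBJECTS = [
    {"name": "design-doc", "harm": 200.0, "ttis": [0.99, 0.95], "htis": [0.9]},
    {"name": "payroll",    "harm": 50.0,  "ttis": [0.99],       "htis": [0.8, 0.8]},
    {"name": "newsletter", "harm": 1.0,   "ttis": [1.0],        "htis": []},
]

if __name__ == "__main__":
    for o in OBJECTS:
        print(o["name"], round(object_risk(o["harm"], o["ttis"], o["htis"]), 3))
    print("RORG", round(organizational_risk(OBJECTS), 3))
```

Every additional system or person holding the object multiplies in another trust index below 1, so PC only grows as an object is shared more widely.
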
The RiMBAC Model
• Calculate Transactional Risk:
  • Transactional Risk (RTRANS)
    • Expected harm involved in a subject accessing an object.

The RiMBAC Model
Cumulative Transactional Risk:
[Figure: timeline of repeated accesses by Bob to Object 1; labels: TRB, Time.]
[Figure: Organization showing Bob, Sue, Task A, Task B and Task C over time; labels: TRA, TRB, Time.]

The RiMBAC Model
Calculate Transactional Benefit:
• Maximum Transactional Benefit (MBTRANS)
  • The potential benefit involved each time a subject accesses an object.
[Figure: RiMBAC Object with Potential Harm Function and Information Categories.]

The RiMBAC Model
Calculate Transactional Benefit:
[Figure: Bob with Task A, Task B and Task C. Labels: information category sets {1,2,3,4}, {1,2,5,6} and {1,2,3,4,5,6}; TBV = 50 RiMs and TBV = 100 RiMs; TIF = 0.5 and TIF = 0.2; object categories {1, 44, 32}.]
MBTRANS = 50 x 0.2 + 100 x 0.5 = 60 RiMs

The RiMBAC Model
Break Glass Provision
• What happens in an emergency?
• No time to create a task etc.
• Override Capability.
• Known benefit specified.
• Acceptance of risk signed by higher authority.
• Risk is accounted for.
• Risk tolerance thresholds can still apply.

The RiMBAC Model
• Evaluate and Treat Risk:
  • Apply Access Control Policy to make access control decision.
• Policy Examples:
  • Allow all transactions where MBTRANS > RTRANS and TRATASK not exceeded.
  • Allow all transactions where MBTRANS > 5 x RTRANS and TRASUBJ not exceeded.

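The benefit calculation and the policy examples above, combined into one added Python sketch that is not part of the original presentation. It assumes MBTRANS sums TBV x TIF over the subject's tasks that share an information category with the object, and treats TRASUBJ as a per-subject cumulative risk allowance (the slides do not define it); the class and function names, Task C's values and the allowance figure are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Task:
    name: str
    tbv: float             # task benefit value in RiMs
    categories: frozenset  # information categories the task needs

@dataclass
class Subject:
    name: str
    tifs: dict             # task name -> TIF for this subject
    allowance: float       # cumulative risk allowance in RiMs (assumed meaning of TRASUBJ)
    spent: float = 0.0     # transactional risk accepted so far
    audit: list = field(default_factory=list)

def mb_trans(subject, tasks, object_categories):
    """MBTRANS: sum TBV x TIF over the subject's tasks sharing a category with the object."""
    return sum(t.tbv * subject.tifs[t.name] for t in tasks
               if t.name in subject.tifs and t.categories & object_categories)

def decide(subject, tasks, object_categories, r_trans, factor=1.0):
    """Allow only if MBTRANS > factor x RTRANS and the allowance is not exceeded."""
    benefit = mb_trans(subject, tasks, object_categories)
    if benefit <= factor * r_trans:
        verdict = "deny: benefit too low"
    elif subject.spent + r_trans > subject.allowance:
        verdict = "deny: allowance exceeded"
    else:
        subject.spent += r_trans  # accepted risk counts against the allowance
        verdict = "allow"
    subject.audit.append((sorted(object_categories), r_trans, benefit, verdict))
    return verdict

# Slide values: TBV 50 with TIF 0.2, TBV 100 with TIF 0.5, object categories {1, 44, 32}.
# ASSUMPTION: which task carries which TBV, Task C's values and the allowance of 75 are constructed.
TASKS = [Task("A", 50, frozenset({1, 2, 3, 4})),
         Task("B", 100, frozenset({1, 2, 5, 6})),
         Task("C", 80, frozenset({7, 8}))]

def demo():
    bob = Subject("Bob", {"A": 0.2, "B": 0.5, "C": 0.9}, allowance=75)
    obj = frozenset({1, 44, 32})
    return [decide(bob, TASKS, obj, r) for r in (40, 30, 30, 70)], bob.spent

if __name__ == "__main__":
    print(demo())
```

Denied requests are still written to the audit list, which is what the later monitoring step would review.
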
The RiMBAC Model
• Monitor and Review:
  • Monitor every access
  • Audit logs
  • Monitor information leakage
  • Update TTI and HTI parameters.
  • Regularly review:
    • organizational goals
    • risk tolerance thresholds
    • access control policy
    • TBVs, TIFs

Technological Requirements
• Direct Access:
  • HTI for subject, TTI for storage and transfer technology.
  • Tasks, TBVs and information category sets.
  • TIFs for each subject.
• Indirect Access:
  • Portable credential exchange devices.
• RiMBAC Objects:
  • Metadata containing information categories, potential harm function.
  • Ontology for describing contextual factors.

Technological Requirements
• Information Leakage Monitoring
  • Mechanisms (e.g. object tracking, label management, audit logs)
• Transition from MLS to RiMBAC
  • 3 phase transition plan: (Still being finalized)

Comparing RiMBAC with MLS
Agent-based modelling
• Model a system from the bottom up.
• Agents are a collection of autonomous decision-making entities.
• Shown to be effective at modeling human systems such as organizations. (Prietula et al. (1998))
• Provides a natural description of the system
• Flexible
• Captures emergent phenomena (e.g. organizational behaviour)
• Repast (Recursive Porous Agent Simulation Toolkit)
  • Open source, Java-based, good documentation.

Comparing RiMBAC with MLS
[Figure: Repast simulation of the Organization, showing the Information Store and External Agents.]

Comparing RiMBAC with MLS
Measurands
For each access control model:
• How many resources are compromised?
• How much harm is caused due to compromise?
• How many beneficial resources do employees get hold of?

Comparing RiMBAC with MLS Employee Agents Attributes
Comparing RiMBAC with MLS
Employee Agents: Desire
• When being trustworthy:
  • Obtain any information resources required to complete assigned tasks.
  • Share information resources with any employees approved by security policy.
• When being untrustworthy:
  • Obtain any resources not required to complete assigned tasks.
  • Share information resources with anyone.

Comparing RiMBAC with MLS
Employee Agents: Decisions
• Decide what type of resource to ask for next based on trustworthiness and required information categories.
• Decide when to ask for information based on information appetite.
• Decide who to ask for information:
  • When being trustworthy, ask an employee who is believed to have such information (based on the tasks they are working on).
  • When being untrustworthy, ask an employee who is known to thwart policy (based on prior dealings).
• Decide whether to hand over a resource to another individual based on access control decision and trustworthiness.

Comparing RiMBAC with MLS External Agents Attributes
Comparing RiMBAC with MLS
External Agents: Desire
• Obtain any possible information resources from within the organization.

Comparing RiMBAC with MLS
External Agents: Decisions
• Decide what type (subject and classification) of resource to ask for:
  • Choose a resource type at random.
• Decide when to ask for information:
  • Based on information appetite.
• Decide who to ask for information:
  • Initially target random employees.
  • Later target mostly those employees known to thwart policy (based on previous experience).

Comparing RiMBAC with MLS
Simulation Parameters
• 20 Employees
  • Even distribution of MLS clearances
  • RiMBAC HTI derived from MLS clearance.
• 2 External Agents

Comparing RiMBAC with MLS
Simulation Parameters
• 10,000 Information Resources
• RiMBAC Harm Value of Resources:

Comparing RiMBAC with MLS
Sample Results: Beneficial Resources Obtained
[Chart; regions labelled Initialization Period and Real Simulation.]

Comparing RiMBAC with MLS Sample Results: Information Leakage
Comparing RiMBAC with MLS Sample Results: Estimated Harm
Comparing RiMBAC with MLS
Sample Results: Information Leakage
Organizational Risk Allowance applied (75 RiMs per annum)