Published by Priscilla Osborne. Modified over 9 years ago.
1
Computer Science and Engineering
What do these organizations have in common?
- American Education Services, PA
- United States Marine Corps / Penn State University
- St. Vincent Hospital
- Fox News
- SAIC (San Diego, CA)
- Western Union
- Fidelity National Information Services
2
What do these organizations have in common?
Security Breaches, July 2007
http://www.privacyrights.org/ar/ChronDataBreaches.htm#2007
5
Csilla Farkas
Associate Professor
Dept. of Computer Science and Engineering
University of South Carolina
farkas@cse.sc.edu
http://www.cse.sc.edu/~farkas
6
Security Objectives
- Secrecy: prevent/detect/deter improper disclosure of information
- Availability: prevent/detect/deter improper denial of access to services
- Integrity: prevent/detect/deter improper modification of information
7
Security Tradeoffs
- COST
- Security
- Functionality
- Ease of Use
8
Achieving Security
- Policy: What to protect?
- Mechanism: How to protect?
- Assurance: How good is the protection?
9
Policy
- Organizational policy
- Information systems policy
10
Security by Obscurity
- Hide the inner workings of the system
- Bad idea!
  - Vendor independent open standard
  - Widespread computer knowledge
11
Security by Legislation
- Instruct users how to behave
- Not good enough!
  - Important
  - Only enhances security
  - Targets only some of the security problems
12
Security Mechanism
- Prevention
- Detection
- Tolerance and Recovery
13
Prevention: Access Control
- Ensures that all direct accesses are authorized
- Protects against accidental and malicious threats
14
Access Control
- Subject: active entity that requests access to an object
  - e.g., user or program
- Object: passive entity accessed by a subject
  - e.g., record, relation, file
- Access right (privileges): how a subject is allowed to access an object
  - e.g., subject s can read object o
15
Access Control Models
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
16
Discretionary Access Control (DAC)
- For each subject, access rights to the objects are defined.
- User based
- Grant and Revoke
- Problems:
  - Propagation of access rights
  - Revocation of propagated access rights
17
DAC by Grant and Revoke
Users: Brown (owner), Black, Red, White
- GRANT SELECT ON Employee TO Black WITH GRANT OPTION
- GRANT SELECT ON Employee TO Red
- GRANT UPDATE(Salary) ON Employee TO White
? Brown revokes grant given to Black
? Brown does not want Red to access the Employee relation
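The two questions on this slide can be worked through with a small grant graph. This is an added example, not part of the original presentation; it assumes Brown issued the grants to Black and White and that Black passed SELECT on to Red (the slide text does not name the grantors), and `effective`, `revoke` and `holders` are hypothetical helper names.

```python
OWNER = "Brown"  # owner of the Employee relation (from the slide)

# (grantor, grantee, privilege, with_grant_option).
# Grantors are an assumption: the slide text lists only the GRANT statements.
GRANTS = [
    ("Brown", "Black", "SELECT", True),
    ("Black", "Red", "SELECT", False),
    ("Brown", "White", "UPDATE(Salary)", False),
]

def effective(grants):
    """Grants backed by an unbroken WITH GRANT OPTION chain from the owner."""
    can_grant = {(OWNER, g[2]) for g in grants}
    valid, changed = set(), True
    while changed:
        changed = False
        for g in grants:
            grantor, grantee, priv, option = g
            if g not in valid and (grantor, priv) in can_grant:
                valid.add(g)
                changed = True
                if option:
                    can_grant.add((grantee, priv))
    return valid

def revoke(grants, grantor, grantee, priv, cascade=True):
    """Drop one grant; with cascade, also drop grants that lost their backing."""
    kept = [g for g in grants if g[:3] != (grantor, grantee, priv)]
    return sorted(effective(kept)) if cascade else sorted(kept)

def holders(grants, priv):
    """Users who currently hold priv through some grant."""
    return {g[1] for g in grants if g[2] == priv}

if __name__ == "__main__":
    # Without cascade, Red keeps the right that Black propagated.
    print(holders(revoke(GRANTS, "Brown", "Black", "SELECT", cascade=False), "SELECT"))
    # With cascade, revoking Black's grant also removes Red's.
    print(holders(revoke(GRANTS, "Brown", "Black", "SELECT"), "SELECT"))
```

Under these assumptions Brown has no grant of his own to Red to revoke, so the only way for Brown to cut off Red is to revoke Black's grant with cascade.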
18
Mandatory Access Control (MAC)
- Security label
  - Dominance ( ), e.g., Top-Secret Secret Public
- Objects: security classification
  - File 1 is Secret, File 2 is Public
- Subjects: security clearances
  - Brown is cleared to Secret, Black is cleared to Public
- Access rights: defined by comparing the security classification of the requested objects with the security clearance of the subject
19
MAC - Bell-LaPadula (BLP) Model
- Simple security property: a subject S is allowed a read access to an object O only if label(S) dominates label(O)
- Star-property: a subject S is allowed a write access to an object O only if label(O) dominates label(S)
- No direct flow of information from high security objects to low security objects!
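The following added example (not part of the original presentation) applies both BLP properties to the subjects and files from the MAC slide and replays a constructed request trace with the star-property switched on and off. The `replay` flow tracker, the `star` switch and the trace are assumptions made for illustration.

```python
from enum import IntEnum

class Label(IntEnum):  # total order used for dominance
    PUBLIC = 0
    SECRET = 1
    TOP_SECRET = 2

# Clearances and classifications taken from the MAC slide.
CLEARANCE = {"Brown": Label.SECRET, "Black": Label.PUBLIC}
CLASSIFICATION = {"File 1": Label.SECRET, "File 2": Label.PUBLIC}

def dominates(a, b):
    return a >= b

def allowed(user, mode, obj, star=True):
    s, o = CLEARANCE[user], CLASSIFICATION[obj]
    if mode == "read":    # simple security property
        return dominates(s, o)
    if mode == "write":   # star-property; star=False disables it for comparison
        return dominates(o, s) if star else True
    raise ValueError(mode)

def replay(trace, star=True):
    """Return (decisions, leaks); a leak is a read that delivers data above the reader's clearance."""
    holds = dict(CLASSIFICATION)                  # highest label of data stored in each file
    seen = {u: Label.PUBLIC for u in CLEARANCE}   # highest label each user has read so far
    decisions, leaks = [], []
    for user, mode, obj in trace:
        ok = allowed(user, mode, obj, star)
        decisions.append(ok)
        if not ok:
            continue
        if mode == "read":
            seen[user] = max(seen[user], holds[obj])
            if holds[obj] > CLEARANCE[user]:
                leaks.append((user, obj, holds[obj].name))
        else:
            holds[obj] = max(holds[obj], seen[user])
    return decisions, leaks

# Constructed trace: a program running as Brown copies File 1 into File 2, then Black reads File 2.
TRACE = [("Brown", "read", "File 1"), ("Brown", "write", "File 2"), ("Black", "read", "File 2")]

if __name__ == "__main__":
    print(replay(TRACE, star=True))
    print(replay(TRACE, star=False))
```

The read check alone never sees the leak, because File 2 is still classified Public when Black reads it; only the write-side rule stops Secret data from landing there.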
20
Role-Based Access Control (RBAC)
- Express organizational policies
  - Separation of duties
  - Delegation of authority
- Flexible: easy to modify to meet new security requirements
- Supports
  - Least-privilege
  - Separation of duties
  - Data abstraction
21
RBAC 0
- U: Users
- R: Roles
- P: Permissions
- S: Sessions
- User assignment
- Permission assignment
22
Research
Secure Semantic Web
23
Web Evolution
- Past: Human usage
  - HTTP
  - Static Web pages (HTML)
- Current: Human and some automated usage
  - Interactive Web pages
  - Web Services (WSDL, SOAP, SAML)
  - Semantic Web (RDF, OWL, RuleML, Web databases)
  - XML technology (data exchange, data representation)
- Future: Semantic Web Services
24
Research Areas
Access Control for
- Data
- Metadata
- Application
25
Secure XML Views
UC S John Smith UC 111-2222 S Jim Dale UC TS S Harry Green UC 333-4444 S Joe White UC MT78 TS
[Figure: medicalFiles countyRec patient name John Smith milBaseRec physician Jim Dale physician Joe White name Harry Green milTag MT78 patient phone 111-2222 phone 333-4444]
View over UC data
26
Secure XML Views (cont.)
John Smith Jim Dale Harry Green Joe White
[Figure: medicalFiles countyRec patient name John Smith milBaseRec physician Jim Dale physician Joe White name Harry Green patient]
View over UC data
27
Secure XML Views (cont.)
[Figure: medicalFiles countyRec patient name John Smith milBaseRec physician Jim Dale physician Joe White name Harry Green patient]
View over UC data
John Smith Jim Dale Harry Green Joe White
28
Secure XML Views (cont.)
UC S John Smith UC Jim Dale UC TS S Harry Green UC Joe White UC
[Figure: medicalFiles countyRec patient name John Smith milBaseRec physician Jim Dale physician Joe White name Harry Green patient]
View over UC data
29
Secure XML Views (cont.)
[Figure: medicalFiles name John Smith physician Jim Dale physician Joe White name Harry Green]
View over UC data
John Smith Jim Dale Harry Green Joe White
30
Multi-Plane DTD Graph
MPG = DTD graph over multiple security planes
[Figure: planes TopSecret, Secret, Unclassified; nodes D,medicalFiles; D,countyRec; D,milBaseRec; D,patient; D,milTag; D,name; D,phone; D,physician; labels UC, S, S, S, TS]
31
Transformation
[Figure: MPG, MSCG; planes TS, S, UC; nodes name, phone, physician; Security Space; Secret]
32
Transformation
[Figure: MPG, MSCG; TS, S, UC, SP; nodes name, physician]
33
Transformation
[Figure: MPG, MSCG; TS, S, UC, SP]
34
Transformation
[Figure: MPG; TS, S, UC, SP; Data Structure: medicalFiles, emergencyRec, name, physician]
35
Metadata Security
- No security model exists for metadata
- Can we use existing security models to protect metadata?
- RDF/S is the Basic Framework for SW
- RDF/S supports simple inferences
- This is not true of XML: XML Access control cannot be used to protect RDF/S data
36
Example Graph Format
RDF Triples:
(Student, rdfs:subClassOf, Person)
(University, rdfs:subClassOf, GovAgency)
(studiesAt, rdfs:domain, Student)
(studiesAt, rdfs:range, University)
(studiesAt, rdfs:subPropertyOf, memberAt)
(John, studiesAt, USC)
40
Secure RDF
Entailed data in RDF can cause illegal inferences:
(John, studiesAt, USC) [S] + (studiesAt, rdfs:domain, University) [S]
    (USC, rdf:type, University) [S]
(USC, rdf:type, University) [S] + (University, rdfs:subClassOf, GovAgency) [S]
    (USC, rdf:type, GovAgency) [TS]
Secret user can infer TS information
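The inference chain on this slide can be checked mechanically. The added example below (not part of the original presentation) computes the RDFS closure of the triples from the Example Graph Format slide, using its rdfs:range triple for studiesAt, and reports every entailed triple that is obtainable below the level the policy assigns to it. Labelling all base triples S is an assumption, and `step`, `closure` and `illegal_inferences` are hypothetical names.

```python
LEVEL = {"UC": 0, "S": 1, "TS": 2}

# Triples from the Example Graph Format slide; labelling all of them S is an assumption.
BASE = {
    ("Student", "rdfs:subClassOf", "Person"): "S",
    ("University", "rdfs:subClassOf", "GovAgency"): "S",
    ("studiesAt", "rdfs:domain", "Student"): "S",
    ("studiesAt", "rdfs:range", "University"): "S",
    ("studiesAt", "rdfs:subPropertyOf", "memberAt"): "S",
    ("John", "studiesAt", "USC"): "S",
}
# Classification the policy assigns to a fact, however it is obtained (from the Secure RDF slide).
POLICY = {("USC", "rdf:type", "GovAgency"): "TS"}

def step(kb):
    """One round of RDFS rules; yields (conclusion, premise, premise)."""
    for a in kb:
        for b in kb:
            (s, p, o), (s2, p2, o2) = a, b
            if s2 == p and p2 == "rdfs:domain":
                yield (s, "rdf:type", o2), a, b
            elif s2 == p and p2 == "rdfs:range":
                yield (o, "rdf:type", o2), a, b
            elif s2 == p and p2 == "rdfs:subPropertyOf":
                yield (s, o2, o), a, b
            elif p == "rdf:type" and s2 == o and p2 == "rdfs:subClassOf":
                yield (s, "rdf:type", o2), a, b

def closure(base):
    """Map each derivable triple to the lowest level at which it can be obtained."""
    kb, changed = dict(base), True
    while changed:
        changed = False
        for concl, a, b in list(step(kb)):
            need = max(kb[a], kb[b], key=LEVEL.get)  # a reader needs both premises
            if concl not in kb or LEVEL[need] < LEVEL[kb[concl]]:
                kb[concl] = need
                changed = True
    return kb

def illegal_inferences(base, policy):
    """Triples derivable at a lower level than the policy classifies them."""
    kb = closure(base)
    return {t: (kb[t], lvl) for t, lvl in policy.items()
            if t in kb and LEVEL[kb[t]] < LEVEL[lvl]}

if __name__ == "__main__":
    print(illegal_inferences(BASE, POLICY))
```

Raising the label of one premise, for example (University, rdfs:subClassOf, GovAgency) to TS, makes the same check come back empty, which is the kind of decision the "classification of entailed data" policy item has to make.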
41
RDF Access Control
- Security Policy
  - Subject
  - Object
  - Object pattern
  - Access Mode
- Default policy
- Conflict Resolution
- Classification of entailed data
- Flexible granularity
42
Application Security
Security Policy:
- Application semantics (from syntax to semantics)
- External requirements
- Privacy
- Trust management
- Compliance checking
43
How to become an information security professional?
44
EDUCATION: Graduate Certificate Program in Information Assurance and Security (IA&S)
45
CNSS Certifications
- National Training Standard for Information Systems Security Professionals, CNSSI No. 4011
- National Training Standard for System Administrators in Information Systems Security, CNSSI No. 4013
- National Training Standard for Information Systems Security Officers, CNSSI No. 4014
46
Core Courses
- CSCE 522 - Information Systems Security Principles
  - offered every Fall semester
- CSCE 715 - Network Security
  - offered every Fall semester
- CSCE 727 - Information Warfare
  - offered every 3rd semester
47
Elective Courses
- CSCE 517 - Computer Crime and Forensics
- CSCE 557 - Introduction to Cryptography
- CSCE 548 - Secure Software Construction
- CSCE 716 - Design for Reliability
- CSCE 717 - Comp. Systems Performance
- CSCE 813 - Internet Security
- CSCE 814 - Distributed Systems Security
- CSCE 824 - Secure Databases
- CSCE 853 - Formal Models of Information Security
48
Undergraduate Education
New undergraduate courses:
- CSCE 201: Introduction to Information Security
49
Questions?