We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byMorgan Steele
Modified over 6 years ago
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security (ICS) University of Texas at San Antonio September 2009 email@example.com www.profsandhu.com © Ravi Sandhu NSF/Microsoft Workshop on Confidential Data Collection for Innovation Analysis
INSTITUTE FOR CYBER SECURITY Security Objectives 2 INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure © Ravi Sandhu
INSTITUTE FOR CYBER SECURITY Security Objectives 3 INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure USAGE purpose © Ravi Sandhu
INSTITUTE FOR CYBER SECURITY Security Objectives 4 INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure USAGE purpose USAGE © Ravi Sandhu
INSTITUTE FOR CYBER SECURITY Security Trends and Change Drivers © Ravi Sandhu5 Stand-alone computersInternet Enterprise security Mutually suspicious yet mutually dependent security VandalsCriminals, Nation states, Terrorists Few standard services Many and new innovative services We are at an inflection point
INSTITUTE FOR CYBER SECURITY Application-Centric Security Models So how do we customize an application-centric security model? Meaningfully combine the essential insights of Discretionary Access Control (DAC) Mandatory Access Control (MAC) Aka LBAC (Lattice-Based Access Control), BLP (Bell-LaPadula), MLS (Multi-level Security) Role-Based Access Control (RBAC) Attribute-Based Access Control (ABAC) Usage Control (UCON) Many others Directly address the application-specific trade-offs Within the security objectives of confidentiality, integrity, availability and usage Across security, performance, cost and usability objectives Divide and conquer by separating Real-world concerns of practical distributed systems and ensuing staleness and approximations (enforcement layer) Policy concerns in a idealized environment (policy layer) © Ravi Sandhu6
INSTITUTE FOR CYBER SECURITY Usage Control Model (UCON) © Ravi Sandhu8 unified model integrating authorization obligation conditions and incorporating continuity of decisions mutability of attributes UCON is Attribute-Based Access Control on Steroids
INSTITUTE FOR CYBER SECURITY Usage Control Model (UCON) Inspired by DAC LBAC RBAC ABAC … and many, many others UCON ABAC on steroids Simple, familiar, usable and effective use cases demonstrate the need for UCON Automatic Teller Machines CAPTCHAs at Public web sites End User Licencse Agreements Terms of Usage for WiFi in Hotels, Airports Rate limits on call center workers © Ravi Sandhu9
INSTITUTE FOR CYBER SECURITY Butler Lampson Paraphrased (I think) Computer scientists could never have designed the web because they would have tried to make it work. But the Web does work. What does it mean for the Web to work? Security geeks could never have designed the ATM network because they would have tried to make it secure. But the ATM network is secure. What does it mean for the ATM network to be secure? © Ravi Sandhu10
INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
INSTITUTE FOR CYBER SECURITY 1 The ASCAA * Principles Applied to Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
Cyber-Identity, Authority and Trust in an Uncertain World
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
INSTITUTE FOR CYBER SECURITY April Access Control and Semantic Web Technologies Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair
The Future: Evolution of the Technology Ravi Sandhu Chief Scientist TriCipher, Inc. Los Gatos, California Executive Director and Chaired Professor Institute.
1 PANEL Solving the Access Control Puzzle: Finding the Pieces and Putting Them Together Ravi Sandhu Executive Director Endowed Professor June 2010
INSTITUTE FOR CYBER SECURITY 1 The PEI + UCON Framework for Application Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
1 The Challenge of Data and Application Security and Privacy (DASPY): Are We Up to It? Ravi Sandhu Executive Director and Endowed Professor February 21,
Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.
INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.
Institute for Cyber Security
Usage Control: UCON Ravi Sandhu. © Ravi Sandhu2 Problem Statement Traditional access control models are not adequate for todays distributed, network-
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
1 New Trends and Challenges in Computer Network Security Ravi Sandhu Executive Director and Endowed Professor September 2010
© 2006 Ravi Sandhu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,
OM-AM and RBAC Ravi Sandhu * Laboratory for Information Security Technology (LIST) George Mason University.
© 2020 SlidePlayer.com Inc. All rights reserved.