Cyber-Identity, Authority and Trust Systems (presentation transcript). Prof. Ravi Sandhu, Professor of Information Security and Assurance; Director, Laboratory for Information Security Technology, George Mason University. © 2006 Ravi Sandhu, www.list.gmu.edu
Slide 1: Cyber-Identity, Authority and Trust Systems
Prof. Ravi Sandhu
Professor of Information Security and Assurance
Director, Laboratory for Information Security Technology, George Mason University
© 2006 Ravi Sandhu

Slide 2: Three Megatrends
Fundamental changes in:
- Cyber-security goals
- Cyber-security threats
- Cyber-security technology

Slide 3: Cyber-security goals have changed
[Figure: the classic security goals CONFIDENTIALITY (disclosure), INTEGRITY (modification) and AVAILABILITY (access), extended with a fourth goal, USAGE (purpose)]
- Drivers: electronic commerce, information sharing, etcetera
- Multi-party security objectives
- Fuzzy objectives

Slide 4: Cyber-security attacks have changed
- The professionals have moved in
- From hacking for fun and fame to hacking for cash, espionage and sabotage

Slide 5: Cyber-security technology has changed: a massive paradigm shift
Basic premise: software alone cannot provide an adequate foundation for trust.
Old-style Trusted Computing (1970s to 1990s):
- Multics system
- Capability-based computers
  – Intel 432
- Trust placed in a security kernel based on military-style security labels
  – Orange Book; eliminate trust from applications
Modern trusted computing (2000s):
- Hardware- and cryptography-based root of trust
  – Ubiquitous availability
- Trust within a platform
- Trust across platforms
- Trust in applications
  – No Trojan Horses, ergo no covert channels
- Combination of cryptography and access control

Slide 6: Cyber-Identity, Authority and Trust Systems
Prof. Ravi Sandhu, ACM Fellow, IEEE Fellow
Overall Goal (Functional View):
- Identity, Authority, Trust
- Secure, Easy, Affordable
- People, Machines, Organizations
Technical Means (Structural View): Layered Models
- RBAC (Role-Based Access Control)
- Info Sharing
- UCON (Usage Control)
- PKI (Public-Key Infrastructure)
- TM (Trust Management)
- TC (Trusted Computing)
- TONs (Trusted Overlay Networks)
- DPM (Distributed Policy Management)
- DRM (Digital Rights Management)
- SA (Situational Awareness)
- ETC (……………)
Business Means (Process View): Business Models
- Legal
- Social
- Regulations
- Reputational Risk
- Liability
- Privacy
- Cost
- Recourse
- etc.

Slide 7: RBAC96 Model for Role-Based Access Control (evolved into the 2004 NIST/ANSI/ISO standard)
[Figure: the RBAC96 model. USERS are linked to ROLES by USER-ROLE ASSIGNMENT; PERMISSIONS are linked to ROLES by PERMISSION-ROLE ASSIGNMENT; a user activates roles in SESSIONS; ROLES form ROLE HIERARCHIES; CONSTRAINTS apply across assignments, hierarchies and sessions.]
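The RBAC96 components named on the slide, as an added Python example that is not part of the original deck: user-role and permission-role assignment, a transitive role hierarchy, sessions that activate only a subset of a user's roles, and a static separation-of-duty constraint. The role and permission names are a constructed sample policy.

```python
from dataclasses import dataclass, field

@dataclass
class RBAC96:
    ua: dict = field(default_factory=dict)        # user -> roles (user-role assignment)
    pa: dict = field(default_factory=dict)        # role -> permissions (permission-role assignment)
    rh: dict = field(default_factory=dict)        # senior role -> junior roles (role hierarchy)
    ssd: set = field(default_factory=set)         # frozensets of mutually exclusive roles (constraints)
    sessions: dict = field(default_factory=dict)  # session id -> (user, activated roles)

    def assign_user(self, user, role):
        """Static separation of duty: refuse if the user would then hold an exclusive pair."""
        roles = self.ua.get(user, set()) | {role}
        if any(pair <= roles for pair in self.ssd):
            return False
        self.ua[user] = roles
        return True

    def grant(self, role, perm):
        self.pa.setdefault(role, set()).add(perm)
    def inherits(self, senior, junior):
        self.rh.setdefault(senior, set()).add(junior)

    def juniors(self, role):
        """The role plus every role below it in the hierarchy (transitive closure)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.rh.get(r, ()))
        return seen

    def open_session(self, sid, user, roles):
        """A session activates a subset of the roles the user holds directly or by inheritance."""
        authorized = set().union(*(self.juniors(r) for r in self.ua.get(user, set())))
        if not set(roles) <= authorized:
            return False
        self.sessions[sid] = (user, set(roles))
        return True

    def check(self, sid, perm):
        """Permissions come only from roles active in the session (and their juniors)."""
        _, active = self.sessions[sid]
        effective = set().union(*(self.juniors(r) for r in active))
        return any(perm in self.pa.get(r, ()) for r in effective)

def demo():
    # constructed sample policy: release_manager > engineer > employee; engineer and auditor exclusive
    p = RBAC96()
    p.grant("employee", "read:handbook"); p.grant("engineer", "commit:code"); p.grant("release_manager", "deploy:prod")
    p.inherits("engineer", "employee"); p.inherits("release_manager", "engineer")
    p.ssd.add(frozenset({"engineer", "auditor"}))
    p.assign_user("alice", "release_manager"); p.assign_user("bob", "auditor")
    p.open_session("s1", "alice", ["engineer"])  # least privilege: activate only the role the task needs
    return p
```

Because `check` consults only the session's active roles, Alice's unactivated release_manager role grants nothing in session s1 even though she holds it.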

Slide 8: Usage Control: the UCON Model for Next-Generation Access Control (2002 onwards)
A unified model integrating:
- authorization
- obligation
- conditions
and incorporating:
- continuity of decisions
- mutability of attributes

Slide 9: P-E-I Models
- Security and system goals (objectives/policy)
- Trusted Computing Technology (mechanisms/implementation)
- How do we bridge this gap?
  – Policy-oriented models
  – Enforcement-oriented models
  – Implementation-oriented models