Presentation is loading. Please wait.

Presentation is loading. Please wait.

11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.

Published byEthan Kilgore Modified over 10 years ago

Similar presentations

Presentation on theme: "11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina."— Presentation transcript:

1 11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina Ahmed, Ravi Sandhu, Ram Krishnan Institute for Cyber Security University of Texas at San Antonio Institute for Cyber Security

2 Who are expedient insiders? Any outside Collaborators, i.e. Domain specialists, cyber- security experts, etc. Difference with respect to true insiders Transient rather than persistent Information sharing is based on need-to-consult basis Less commitment than long time employees Expedient Insiders What are the Challenges? 1.Information selection for collaboration 2.Restrict unnecessary access 3.Import Results World-Leading Research with Real-World Impact! 2

3 3 Collaboration with Expedient Insiders in Traditional LBAC World-Leading Research with Real-World Impact! Unclassified Classified Top Secret Secret Outside Collaborators Sharing more information than necessary Open to more true-insiders than necessary

4 44 1.K. Bijon, R. Sandhu, and R. Krishnan. A group-centric model for collaboration with expedient insiders in multilevel systems. In Secots, 2012. Group Centric Collaboration with Expedient Insiders (GEI) 1 Collaboration Group with Expedient Insider Outside Collaborators Organization Just Right Sharing

5 Organizations and groups maintain separate piece of lattice Information flow and security properties for the overall system are informally addressed No comparison with traditional LBAC Motivation & Goal: Construct a single lattice for group-centric organizational collaboration Achieve all requirements of GEI as well as well-known formal security properties of a LBAC system Proof of equivalence with GEI Group Centric Collaboration with Expedient Insiders (GEI)1 1.K. Bijon, R. Sandhu, and R. Krishnan. A group-centric model for collaboration with expedient insiders in multilevel systems. In Secots, 2012.

6 Traditional-LBAC Information objects are attached with security labels. Information flows on partial ordered of those security labels A security label is formed by combining a security level with a subset of security categories Security levels are ordered (e.g. TS>S>U>C) Security categories are unordered (e.g. ProjA, ProjB) A user is cleared to a particular security label Users can access objects with security classifications dominated by their security clearances. Traditional Lattice Based Access Control (Traditional-LBAC) World-Leading Research with Real-World Impact! 6 These security labels are not suitable for expedient insiders (i.e. too many sharing) Need to find a way to construct security labels (solely for a collaboration purpose)

7 Lattice with Collaborative Compartments (LCC) World-Leading Research with Real-World Impact! 7 Each collaboration group introduces a new collaboration category (cc). New security labels are formed for each cc in combination with the entire set of security labels of the organization (different than new traditional security categories) Existing lattice structure is modified accordingly (different than new traditional security categories) One single lattice structure is maintained for all collaboration groups and organization.

8 Lattice with Collaborative Compartments (LCC) World-Leading Research with Real-World Impact! 8 Adding new security category C Present Lattice Modified Lattice after new security category c Change of Lattice structure for adding new security category in Traditional LBAC SysHigh SysLow Adding new Collaboration category cc Present Organizational Lattice without collaboration category Change of Lattice structure for adding new collaboration category in LCC SysHigh SysLow Modified Lattice after adding collaboration category cc Security label Consists of security Level and categories and entities (org or Collaboration category) Security label Consists of security Level and categories Addition of a security category doubles the total security labels Addition of a collaboration category adds equal number of labels of the organization

9 Formal Definition of Lattices from components World-Leading Research with Real-World Impact! 9

10 True Insiders Vs Expedient Insiders In LCC World-Leading Research with Real-World Impact! 10 True InsidersExpedient Insiders 1. Unlike traditional LBAC, users might have multiple clearances in this system. However, hierarchical clearance is always same for each user. 2. True insiders might get the clearance to both organization or collaboration categories 2. Expedient insiders cannot get clearance to organization. 3. Can access all objects that - Satisfy dominance relation - in organization or joined collaboration categories 3. Can access all objects that - Satisfy dominance relation - in joined collaboration categories only

11 Object Version Model in LCC World-Leading Research with Real-World Impact! 11 Each object can have multiple version. (necessary for sharing information among different collaboration groups and org) Security classification of an object and its versions could be different based on which groups or org it is belongs to. (However, hierarchical classification of them are always same). Any update to an object version creates a new version of that object. Sharing an object to a group also creates a new object version

12 Read-Only Vs Read-Write Subject World-Leading Research with Real-World Impact! 12 Read OnlyRead Write 1. Can not write, read is restricted by BLP simple security property 1. Can read and write, however, write is restricted by BLP strict * property 2. User determines the security clearance (<= users clearance) 3. Unlike users, a subject can have only one clearance. 4. Can read objects from any compartments where the user has clearance 4. restricted within the same collaboration category it was created 5. Read operation does not create new object versions 5. Only a write operation always create a new version of the respective object, however, does not change the classification of the version

13 Attribute Specification World-Leading Research with Real-World Impact! 13

14 Developed operations for administrative and operational management for LCC Operation name, authorization queries and updates of attributes Show proof of equivalence of GEI and LCC using method in Tripunitara and Li 2 Proof of Equivalence of GEI 1 and LCC 2. M. V. Tripunitara and N. Li. Comparing the expressive power of access control models. In ACM CCS. ACM, 2004. GEI Scheme LCC Scheme state1 state0 state n state n+1 σ GEI (maps GEI to LCC) Prove both σ LCC and σ GEI are state matching reduction σ LCC (maps LCC to GEI) Both mappings preserve security properties, thus, GEI and LCC are equivalent

15 A new lattice construction process for group centric organizational collaboration with expedient insiders Introduces collaboration category separate compartments for organization and each collaboration groups. Easy to identify the position of an expedient insider within the lattice Proof of Equivalence formally shows GEI also preserves the well-known security properties of a LBAC system. Conclusion World-Leading Research with Real-World Impact! 15

16 Thank You

Download ppt "11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina."

Similar presentations

INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.

INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.

INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
George Mason University

George Mason University
A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation,

A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation,
Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.

Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.
INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.

INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.
ACCESS-CONTROL MODELS

ACCESS-CONTROL MODELS
11 World-Leading Research with Real-World Impact! A Framework for Risk-Aware Role Based Access Control Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu.

11 World-Leading Research with Real-World Impact! A Framework for Risk-Aware Role Based Access Control Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu.
Institute for Cyber Security

Institute for Cyber Security
Chapter 10: Designing Databases

Chapter 10: Designing Databases
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Rasool Jalili; 2 nd semester 1387-1388; Database Security, Sharif Uni. of Tech. The Jajodia & Sandhu model Jajodia & Sandhu (1991), a model for the application.

Rasool Jalili; 2 nd semester ; Database Security, Sharif Uni. of Tech. The Jajodia & Sandhu model Jajodia & Sandhu (1991), a model for the application.
Lecture 8 Access Control (cont)

Lecture 8 Access Control (cont)
The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.

The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.
1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013

1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.

Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.

1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Similar presentations

Ads by Google