Context Aware RBAC Model For Wearable Devices And NoSQL Databases Amit Bansal Siddharth Pathak Vijendra Rana Vishal Shah Guided By: Dr. Csilla Farkas Associate Professor

Roadmap: ■Relational Database Management System ■NoSQL Databases ■Access Control Models ■Wearable Devices ■Proposed Solution ■Wrap-up

RDBMS (Relational Database Management System) What it is ? Stores Data In The Form Of Related Tables Using Keys Like Primary Keys, Foreign Keys. Relational operators to manipulate the data. For Data Manipulation Mostly SQL(Standard Query Language) used Other vendors are MySQL server, db2, oracle and MySQL.

Persistent data storage efficient storage Simple to delete or modify Complex queries Better security certain tables can be made confidential ScalabilityComplexity Hardware performance Response time powerful servers more storage space RDBMS

NoSQL (Not Only SQL) A non-relational and largely distributed database system A fast, portable, open-source RDBMS Support horizontal scaling Run on clusters of machines NoSQL does not prohibit structured query language. Example : Apache Cassandra, Google Big table Why ? CAP theorem –  Confidentiality : data is written only once all other manipulation is stored  Availability : Data is available and responsive  Partition Tolerance : whole database not get affected due to some part Big data applications - store massive volumes of data

Types of NoSQL : idea of key-value stores document is assigned a unique key MongoDB and Couch DB store data tables as sections of columns of data HBase, Cassandra, Big Table and HyperTable represented as a graph elements are interconnected Neo4j and Titan indexed key and a value schema-less least complex NoSQL options Riak, Redis, BerkeleyDB Key-Value store Graph database Document database Column store

RDBMSNoSQL schema flexibility Support partitioning Linear scalabilityHigh Performance Relational Schema Storage at one node Complex joins Why NoSQL over RDBMS ?

Access Control Characteristics: Cannot be bypassed Enforce least-privilege Need-to-know restrictions Enforce organizational policy User identification and authentication Information specifying the access rights is protected form modification Mechanism that provides selective restriction of access to specific user.

Existing Solutions for Access Control Access Control DAC MAC RBAC

Mandatory Access Control Classification Label Clearance Label Compare Object and User Clearance Granularity of access. Only Administrator can grant access Advantages Difficult to implement Not Agile Disadvantages

Discretionary Access Control Considerations Every Object has Owner Object owner has total control over access granted Control Mechanisms Security through Views Stored Procedures Grant and Revoke Query modification Advantages Easy to use Easy to administer Aligns to the principle of least privileges.

Role Based Access Control Motivation Multi-user systemsMulti-application systemsMultiple Roles for a UserMultiple Permissions for User Components UsersRolesPermissionsSessions

RBAC Workflow UsersRolesPermissions Sessions User Assignment Role Hierarchy Permission Assignment

RBAC in NoSQL Challenges Schema-less 4 Database Models No implicit User Authentication Vendor Specific RBAC Implemented Basic No Multiple Role Assignment Implemented NA

Internet of Things (IoT):

Increase in the no of IoT devices globally:

Internet of Amazing Things:

Few Wearable Devices:

Data Flow Through IoT:

Security Concern Wearable Devices Roles UserIOT ProviderDBA Medical Professional 3 rd Party Vendors Fitness Trainer

How Can I provide Security?

Proposed Solution: Context Aware RBAC Model for Wearable Devices on NoSQL Databases

Work Flow: UsersRolesPermissions SessionsContext User Assignment Role Hierarchy Permission Assignment

Challenges: Conflicting Roles Occurs when users have multiple roles. Check from the XACML configuration files to see if access is allowed. Separation of Duties Separate User Groups should be created that have permission.

Sample Illustration: IDPurposeTimePulse RateBlood Pressure DistanceCaloriesLocationStepsDeviceID Potential Roles and Access: All Data Fields User ID, Purpose, Time, Location Provider All Fields (Cannot View Raw Data) Administrator ID, Name, Pulse Rate, Calories Blood Pressure, Time Medical Professional DeviceID, ID, Other Columns (Depending upon User Authorization) 3 rd Party Calories, ID, Pulse Rate, Time Trainer

Context in XACML :

Protection Object : User U, Permission P, Session S, Role R, Tuple T, Column C, Operation O; When user has access to all columns: Object = { U, R, S, T,,O, P} When user has access to some columns: Object = { U, R, S, T{ C i, C j, ….}, O, P}

What is covered: RDBMS Vs NoSQL RBAC and its workflow The Internet of things Context aware RBAC for wearable device Can be a solution Protection Object for proposal Challenges Worth Noticing: Scaling People Awareness