Access Control RBAC Database Activity Monitoring
CSCE Farkas 2 Reading assignments Required for access control classes: Ravi Sandhu and P. Samarati, Access Control: Principles and Practice, IEEE Communications, Volume 32, Number 9, September Ravi Sandhu, Lattice-Based Access Control Models, IEEE Computer, Volume 26, Number 11 (Cover Article), November Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman, Role-Based Access Control Models, IEEE Computer, Volume 29, Number 2, February
3 RBAC Motivation Multi-user systems Multi-application systems Permissions are associated with roles Role-permission assignments are persistent v.s. user-permission assignments Intuitive: competency, authority and responsibility CSCE Farkas
4 Motivation Express organizational policies Separation of duties Delegation of authority Flexible: easy to modify to meet new security requirements Supports Least-privilege Separation of duties Data abstraction CSCE Farkas
5 RBAC Allows to express security requirements but CANNOT ENFORCE THESE PRINCIPLES e.g., RBAC can be configured to enforce BLP rules but its correctness depend on the configuration done by the system security officer. CSCE Farkas
6 Roles User group: collection of user with possibly different permissions Role: mediator between collection of users and collection of permissions RBAC independent from DAC and MAC (they may coexist) RBAC is policy neutral: configuration of RBAC determines the policy to be enforced CSCE Farkas
7 RBAC RBAC 3 consolidated model RBAC 1 role hierarchy RBAC 2 constraints RBAC 0 base model CSCE Farkas
8 RBAC U Users R Roles P Permissions. S Sessions User assignment Permission assignment CSCE Farkas
9 RBAC0 User: human beings Role: job function (title) Permission: approval of a mode of access Always positive Abstract representation Can apply to single object or to many CSCE Farkas
10 RBAC 0 UA: user assignments Many-to-many PA: Permission assignment Many-to-many Session: mapping of a user to possibly may roles Multiple roles can be activated simultaneously Permissions: union of permissions from all roles Each session is associated with a single user User may have multiple sessions at the same time CSCE Farkas
11 RBAC 0 Components Users, Roles, Permissions, Sessions PA P x R (many-to-many) UA U x R (many-to-many) user: S U, mapping each session s i to a single user user(s i ) roles: S 2 R, mapping each session s i to a set of roles roles(s i ) {r | (user(s i ),r) UA} and s i has permissions r roles(si) {p | (p,r) PA} CSCE Farkas
12 RBAC 0 Permissions apply to data and resource objects only Permissions do NOT apply to RBAC components Administrative permissions: modify U,R,S,P Session: under the control of user to Activate any subset of permitted roles Change roles within a session CSCE Farkas
13 RBAC U Users R Roles P Permissions. S Sessions User assignment Permission assignment Role Hierarchy CSCE Farkas
14 RBAC 1 Structuring roles Inheritance of permission from junior role (bottom) to senior role (top) Partial order Reflexive Transitive Anti-symmetric CSCE Farkas
15 RBAC 1 Components Same as RBAC 0 : Users, Roles, Permissions, Sessions, PA P x R, UA U x R, user: S U, mapping each session s i to a single user user(s i ) RH R x R, partial order ( dominance) roles: S 2 R, mapping each session s i to a set of roles roles(s i ) {r | ( r’ r) [(user(s i ),r’) UA]} and s i has permissions r roles(si) {p | ( r” r) [(p,r”) PA]} CSCE Farkas
16 RBAC 1 Role Hierarchy Primary-care Physician Specialist Physician Health-care provider Inheritance of privileges CSCE Farkas
17 RBAC 1 Limit scope of inheritance Project Supervisor Test Engineer Programmer Project Member Test Engineer’ Test Engineer Programmer Programmer’ Project Member Project Supervisor Private Roles CSCE Farkas
18 RBAC 2 – Constraints Enforces high-level organizational policies Management of decentralized security Constraints define “acceptable” and “not acceptable” accesses CSCE Farkas
19 RBAC 2 – Components Same as RBAC 0 + Constraints CSCE Farkas
20 RBAC U Users R Roles P Permissions. S Sessions User assignment Permission assignment Constraints CSCE Farkas
21 RBAC 2 Mutually exclusive roles Dual constraint of permission assignments (permission assigned to at most one mutually exclusive role) Cardinality constraints (e.g., # of roles an individual can belong) Prerequisite roles CSCE Farkas
22 RBAC 2 Constraints can apply to sessions, user and roles functions CSCE Farkas
23 RBAC U Users R Roles P Permissions. S Sessions User assignment Permission assignment Constraints CSCE Farkas
Database Monitoring DBMS supported, e.g., Oracle auditing, transaction logs, etc. Non-DBMS monitoring, e.g., IBM InfoSphere Guardium Database Activity Monitoring (DAM) Database Activity Monitoring and Prevention (DAMP) 24 CSCE Farkas
DAMP Regulatory compliance support Protects data from external attacks Monitors privileged users and application (beyond DBMS support) Oracle User Group Survey: most organizations do not have mechanisms to control or monitor privileged user activities 25 CSCE Farkas
Privileged user monitoring System administrators, database administrators, developers, help desk personnel, etc. Monitoring: auditing usage and transactions, identify anomalous activities, verify authorization of changes Data privacy Data governance 26 CSCE Farkas
Application Activity Monitoring End user accountability and fraud detection Means of misuse is via application (not direct database access) Address multi-tier applications that hide the identity of the end user 27 CSCE Farkas
Cyber Attack Protection Vulnerable code Database related attacks, e.g., SQL injection Monitor application characteristics, build profile, warn about anomalous behavior 28 CSCE Farkas
DAM Features Data collection and aggregation (heterogeneous data sources!) Profiling and anomaly detection Advanced features: Real-time monitoring Agnostic solutions Automated response Automatic data classification and security adjustment CSCE Farkas 29
30 Next Class: Midterm exam