1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.

Slides:



Advertisements
Similar presentations
INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
Advertisements

INSTITUTE FOR CYBER SECURITY 1 The ASCAA * Principles Applied to Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
Cyber-Identity, Authority and Trust in an Uncertain World
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
© 2006 Ravi Sandhu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,
1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013
1 The Future of Access Control: Attributes, Automation and Adaptation Prof. Ravi Sandhu Executive Director and Endowed Chair S&P Symposium IIT Kanpur March.
1 The Science, Engineering, and Business of Cyber Security Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair.
Future of Access Control: Attributes, Automation, Adaptation
1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.
1 Security and Trust Convergence: Attributes, Relations and Provenance Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown.
Attribute-Based Access Control Models and Beyond
1 Plenary Panel on Cloud Security and Privacy: What is new and What needs to be done? Ravi Sandhu Executive Director and Endowed Professor December 2010.
1 Privacy and Access Control: How are These Two Concepts Related? Prof. Ravi Sandhu Executive Director and Endowed Chair SACMAT Panel June 3, 2015
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
INSTITUTE FOR CYBER SECURITY 1 Cyber Security: Past, Present and Future Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security.
1 Institute for Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair February 4, 2015
1 The Science, Engineering, and Business of Cyber Security Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair.
1 Big Data Applications in Cloud and Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Professor UTSA COB Symposium on Big Data, Big Challenges.
1 Grand Challenges in Authorization Systems Prof. Ravi Sandhu Executive Director and Endowed Chair November 14, 2011
1 The Authorization Leap from Rights to Attributes: Maturation or Chaos? Prof. Ravi Sandhu Executive Director and Endowed Chair SACMAT June 21, 2012
1 The Science, Engineering, and Business of Cyber Security Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair.
1 RABAC : Role-Centric Attribute-Based Access Control MMM-ACNS 2012 Xin Jin, Ravi Sandhu, Ram Krishnan University of Texas at San Antonio San Antonio,
1 Cloud Computing and Security Prof. Ravi Sandhu Executive Director and Endowed Chair April 19, © Ravi Sandhu.
INSTITUTE FOR CYBER SECURITY A Hybrid Enforcement Model for Group-Centric Secure Information Sharing (g-SIS) Co-authored with Ram Krishnan, PhD Candidate,
1 Group-Centric Models for Secure Information Sharing Prof. Ravi Sandhu Executive Director and Endowed Chair March 30, 2012
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
1 Cyber Security A Personal Perspective Prof. Ravi Sandhu Executive Director and Endowed Chair January 15, 2016
1 Security and Privacy in Human-Centric Computing and Big Data Management Prof. Ravi Sandhu Executive Director and Endowed Chair CODASPY 2013 February.
1 Open Discussion PSOSM 2012 Prof. Ravi Sandhu Executive Director and Endowed Chair © Ravi Sandhu.
1 The Authorization Leap from Rights to Attributes: Maturation or Chaos? Prof. Ravi Sandhu Executive Director and Endowed Chair SecurIT 2012 August 17,
1 Role-Based Access Control (RBAC) Prof. Ravi Sandhu Executive Director and Endowed Chair January 29, © Ravi.
INSTITUTE FOR CYBER SECURITY 1 Purpose-Centric Secure Information Sharing Ravi Sandhu Executive Director and Endowed Professor Institute for Cyber Security.
Role-Based Access Control (RBAC)
Institute for Cyber Security
Past, Present and Future
An Access Control Perspective on the Science of Security
Institute for Cyber Security (ICS) & Center for Security and Privacy Enhanced Cloud Computing (C-SPECC) Ravi Sandhu Executive Director Professor of.
Introduction to Cyber Security
Introduction and Basic Concepts
Attribute-Based Access Control (ABAC)
Attribute-Based Access Control: Insights and Challenges
Role-Based Access Control (RBAC)
Executive Director and Endowed Chair
The Future of Access Control: Attributes, Automation and Adaptation
Cyber Security Research: Applied and Basic Combined*
On the Value of Access Control Models
Institute for Cyber Security
Institute for Cyber Security
ABAC Panel Prof. Ravi Sandhu Executive Director and Endowed Chair
Institute for Cyber Security
Discretionary Access Control (DAC)
Attribute-Based Access Control (ABAC)
Cyber Security Research: Applied and Basic Combined*
Security and Privacy in the Age of the Internet of Things:
Authentication and Authorization Federation
Attribute-Based Access Control: Insights and Challenges
Identity and Access Control in the
Application-Centric Security
ASCAA Principles for Next-Generation Role-Based Access Control
Assured Information Sharing
Institute for Cyber Security
Cyber Security Research: A Personal Perspective
Cyber Security Research: Applied and Basic Combined*
Attribute-Based Access Control (ABAC)
Access Control Evolution and Prospects
Cyber Security R&D: A Personal Perspective
Access Control Evolution and Prospects
Presentation transcript:

1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber Security University of Texas at San Antonio Cybersecurity and Privacy (CySeP) Winter School KTH Royal Institute of Technology, Stockholm, Sweden 29 October © Ravi Sandhu World-Leading Research with Real-World Impact! Institute for Cyber Security

Cyber Security Technologies © Ravi Sandhu 2 World-Leading Research with Real-World Impact! AUTHENTICATION INTRUSION/MALWARE DETECTION AND AUDIT CRYPTOGRAPHY ACCESS CONTROL ASSURANCE RISK ANALYSIS SECURITY ENGINEERING & MANAGEMENT

 Analog Hole  Inference  Covert Channels  Side Channels  Phishing  Social Engineering  Attack Asymmetry  Privacy  …. © Ravi Sandhu 3 World-Leading Research with Real-World Impact! Security Limitations Can manage Cannot eliminate

© Ravi Sandhu 4 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ????

© Ravi Sandhu 5 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Fixed policy Flexible policy

© Ravi Sandhu 6 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Administration Driven Automated Adaptive

© Ravi Sandhu 7 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Enterprise Oriented Beyond Enterprise

© Ravi Sandhu 8 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Messy or Chaotic?

 Discretionary Access Control (DAC), 1970  Owner controls access  But only to the original, not to copies  Grounded in pre-computer policies of researchers  Mandatory Access Control (MAC), 1970  Synonymous to Lattice-Based Access Control (LBAC)  Access based on security labels  Labels propagate to copies  Grounded in pre-computer military and national security policies  Role-Based Access Control (RBAC), 1995  Access based on roles  Can be configured to do DAC or MAC  Grounded in pre-computer enterprise policies © Ravi Sandhu 9 World-Leading Research with Real-World Impact! Access Control Models Numerous other models but only 3 successes: SO FAR

10 World-Leading Research with Real-World Impact! Access Control Models © Ravi Sandhu Policy Specification Policy Reality Policy Enforcement Policy Administration MAC, DAC Main focus RBAC, ABAC Initial focus RBAC, ABAC Next step focus MAC, DAC Easy (relatively)

© Ravi Sandhu 11 World-Leading Research with Real-World Impact! The RBAC Story RBAC96 model NIST-ANSI Standard Proposed NIST-ANSI Standard Adopted Ludwig Fuchs, Gunther Pernul and Ravi Sandhu, Roles in Information Security-A Survey and Classification of the Research Area, Computers & Security, Volume 30, Number 8, Nov. 2011, pages

12 World-Leading Research with Real-World Impact! RBAC96 Model © Ravi Sandhu Constraints

13 World-Leading Research with Real-World Impact! RBAC Policy Configuration Points © Ravi Sandhu Constraints Security Architect Security Administrator User Security Architect Security Administrator Security Architect

Fundamental Theorem of RBAC © Ravi Sandhu 14 World-Leading Research with Real-World Impact!  RBAC can be configured to do MAC  RBAC can be configured to do DAC  RBAC is policy neutral RBAC is neither MAC nor DAC!

 Role granularity is not adequate leading to role explosion  Researchers have suggested several extensions such as parameterized privileges, role templates, parameterized roles (1997-)  Role design and engineering is difficult and expensive  Substantial research on role engineering top down or bottom up (1996-), and on role mining (2003-)  Assignment of users/permissions to roles is cumbersome  Researchers have investigated decentralized administration (1997-), attribute-based implicit user-role assignment (2002-), role-delegation (2000-), role-based trust management (2003-), attribute-based implicit permission-role assignment (2012-)  Adjustment based on local/global situational factors is difficult  Temporal (2001-) and spatial (2005-) extensions to RBAC proposed  RBAC does not offer an extension framework  Every shortcoming seems to need a custom extension  Can ABAC unify these extensions in a common open-ended framework? © Ravi Sandhu 15 World-Leading Research with Real-World Impact! RBAC Shortcomings

16 World-Leading Research with Real-World Impact! RBAC Shortcomings © Ravi Sandhu Constraints Hard Enough Impossible

17 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets

18 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets X.509 Identity Certificates X.500 Directory Pre Internet, early 1990s

19 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets X.509 Identity Certificates X.509 Attribute Certificates Post Internet, late 1990s

20 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets Post Internet, late 1990s SPKI Certificates

21 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets Mature Internet, 2000s Anonymous Credentials

22 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New Action User Subject Object Context Policy Authorization Decision Yes/No Attributes

23 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New Action User Subject Object Context Policy Authorization Decision Yes/No Attributes Mature Internet, 2000s Usage Control XACML Attribute-Based Encryption

© Ravi Sandhu 24 World-Leading Research with Real-World Impact! ABAC Status RBAC96 paper Proposed Standard Adopted ABAC still in pre/early phase 1990? 2014

 Attributes are name:value pairs  possibly chained  values can be complex data structures  Associated with  actions  users  subjects  objects  contexts  policies  Converted by policies into rights just in time  policies specified by security architects  attributes maintained by security administrators  but also possibly by users OR reputation and trust mechanisms  Inherently extensible © Ravi Sandhu 25 World-Leading Research with Real-World Impact! Attribute-Based Access Control (ABAC)

 An ABAC model requires  identification of policy configuration points (PCPs)  languages and formalisms for each PCP  A core set of PCPs can be discovered by building the ABACα model to unify simple forms of DAC, MAC and RBAC  Additional ABAC models can then be developed by  increasing the sophistication of the ABACα PCPs  discovering additional PCPs driven by requirements beyond DAC, MAC and RBAC © Ravi Sandhu 26 World-Leading Research with Real-World Impact! ABACα Hypothesis (DBSEC 2012) A small but crucial first step

27 World-Leading Research with Real-World Impact! ABACα Model Structure © Ravi Sandhu Policy Configuration Points

28 World-Leading Research with Real-World Impact! ABACα Model Structure © Ravi Sandhu Policy Configuration Points Can be configured to do DAC, MAC, RBAC

29 World-Leading Research with Real-World Impact! ABAC β Scope 3. Subject attributes constrained by attributes of subjects created by the same user. 5. Meta-Attributes 2. Subject attribute constraints policy are different at creation and modification time. 1. Context Attributes 4. Policy Language 1, 2, 4, 5 1, 4, 5 4, 5 1,4 1, 4, 5 1, 2, 3, 4, 5 4 4

30 ABAC β Model

31 © Ravi Sandhu World-Leading Research with Real-World Impact! Beyond ABAC Security Access Control Trust Risk Attributes Relationships Provenance

 GURA model for user-attribute assignment  Safety analysis of ABAC α and ABAC β  Undecidable safety for ABAC models  Decidable safety for ABAC with finite fixed attributes  Constraints in ABAC  ABAC Cloud IaaS implementations (OpenStack)  Attribute Engineering  Attribute Mining  Unification of Attributes, Relationships and Provenance © Ravi Sandhu 32 World-Leading Research with Real-World Impact! ABAC Research at ICS

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.