A Framework for Risk-Aware Role Based Access Control. Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu.
Presentation transcript:

Slide 1: A Framework for Risk-Aware Role Based Access Control
Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu
Institute for Cyber Security, University of Texas at San Antonio
October 16, 2013
SafeConfig 2013: IEEE 6th Symposium on Security Analytics and Automation
World-Leading Research with Real-World Impact!

Slide 2: Traditional Organizations' Access Control Mechanism

Slide 3: General Access Control Systems (figure)
User (Alice, Bob, etc.) -> Subject/Session S1 ... Sn (process, e.g. pid; session, e.g. sip) -> Reference Monitor (mediates all access requests; implements access control models, e.g. RBAC, DAC, MAC) -> Object (resources to protect, e.g. mp3, doc, txt, directory)

Slide 4: Modern Organizations' Access Control Mechanism (ACM)

Slide 5: Intro. & Motivation: Possible Solutions?
- Authenticate and grant the same access everywhere: not sufficient. How do we know that the person on the other side is a genuine employee?
- Secure every place/situation with antivirus/firewalls: not scalable/feasible; impractical.
- More dynamism in access control systems: accept/deny accesses based on the security threats/risks involved in each situation/place, instead of always giving the same outcome for a user.

Slide 6: Intro. & Motivation: Overall Strategy
Risk-awareness in access control systems, quantified approach (risk is represented as a metric):
- Calculate the risk value involved in every situation
- Grant access accordingly, based on the estimated risk value

Slide 7: Intro. & Motivation (cont.): Conducted Research in this Arena
- MITRE Corporation, Jason Program Office, "Horizontal integration: Broader access models for realizing information dominance" (2004): pioneering work in quantified risk-aware access control systems
- Risk-awareness in access control systems: E. Celikel et al. (2009), F. Salim et al. (2011), L. Chen et al. (2011), N. Baracaldo et al. (2012), K. Bijon et al. (2012), S. Chari et al. (2012) and others: risk-awareness in Role Based Access Control (RBAC) systems (mainly focused on developing techniques for risk estimation and utilization)
- P. Cheng (2007), Q. Ni (2010): risk-awareness in Lattice Based Access Control (LBAC)
- R. McGraw (2009), Kandala et al. (2011): identify risk factors for a risk-aware access control system
- H. Khambhammettu et al. (2013): a framework for various risk-assessment approaches in access control

Slide 8: A Framework for Risk-Aware RBAC: The Framework
- Identify the risk-aware RBAC components: each faces different types of security risk while performing its operations, and additional functionality needs to be developed for each to support risk-awareness
- Different types of risk-awareness: traditional approaches; quantified approaches (non-adaptive approach, adaptive approach)

Slide 9: Risk-Aware RBAC Components (figure labels: Constraints; User-Role Assignment (URA); Permission-Role Assignment (PRA))

Slide 10: Risk-Awareness Types
- Traditional approaches: constraint-driven risk mitigation; no explicit notion of a risk value
- Quantified approaches: risk is explicitly represented as a metric; risk is mitigated based on the estimated value

Slide 11: Traditional Risk-Awareness
Examples: 1. Static Separation of Duty (SSOD); 2. Dynamic Separation of Duty (DSOD)
Characteristics:
1. An administrative user needs to identify risky operations and generate constraints accordingly (for example, a constraint can restrict two risky roles from being assigned to the same user (SSOD)).
2. Static in nature (a constraint always gives the same outcome unless it is modified).
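The two constraint types named on slide 11 behave differently: SSOD is enforced at user-role assignment time, DSOD at role activation time, and both always give the same answer for the same input. The following Python sketch is an added illustration, not code from the paper; the role names, the conflicting pairs and the users are constructed sample data.

```python
"""Constraint-driven (traditional) risk mitigation in RBAC: static and dynamic
separation of duty as described on slide 11.

Constructed example, not code from the paper. Role names, constraints and
users are sample data. An SSOD pair can never both be assigned to one user; a
DSOD pair can be assigned but never activated together in one session."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ConstrainedRBAC:
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    ssod: set[frozenset[str]] = field(default_factory=set)  # conflicting role pairs (assignment)
    dsod: set[frozenset[str]] = field(default_factory=set)  # conflicting role pairs (activation)
    sessions: dict[str, tuple[str, set[str]]] = field(default_factory=dict)  # sid -> (user, active)

    @staticmethod
    def _completes_pair(role: str, held: set[str], pairs: set[frozenset[str]]) -> bool:
        """True if adding `role` to `held` would bring both roles of a conflicting pair together."""
        return any(role in pair and (pair - {role}) <= held for pair in pairs)

    def assign_role(self, user: str, role: str) -> bool:
        """URA step: refuse an assignment that would violate an SSOD constraint."""
        held = self.user_roles.setdefault(user, set())
        if self._completes_pair(role, held, self.ssod):
            return False
        held.add(role)
        return True

    def create_session(self, sid: str, user: str) -> None:
        self.sessions[sid] = (user, set())

    def add_active_role(self, sid: str, role: str) -> bool:
        """Activation step: the role must be assigned to the session's user and must not
        complete a DSOD pair with the roles already active in this session."""
        user, active = self.sessions[sid]
        if role not in self.user_roles.get(user, set()):
            return False
        if self._completes_pair(role, active, self.dsod):
            return False
        active.add(role)
        return True


def demo() -> dict[str, bool]:
    """Run the constructed scenario; every outcome is fixed by the constraints alone."""
    rbac = ConstrainedRBAC(
        ssod={frozenset({"purchaser", "approver"})},          # never the same person
        dsod={frozenset({"developer", "release_manager"})},   # never in the same session
    )
    results = {}
    results["alice_purchaser"] = rbac.assign_role("alice", "purchaser")            # True
    results["alice_approver"] = rbac.assign_role("alice", "approver")              # False: SSOD
    results["bob_developer"] = rbac.assign_role("bob", "developer")                # True
    results["bob_release_manager"] = rbac.assign_role("bob", "release_manager")    # True: DSOD allows assignment
    rbac.create_session("s1", "bob")
    results["s1_developer"] = rbac.add_active_role("s1", "developer")              # True
    results["s1_release_manager"] = rbac.add_active_role("s1", "release_manager")  # False: DSOD
    rbac.create_session("s2", "bob")
    results["s2_release_manager"] = rbac.add_active_role("s2", "release_manager")  # True: separate session
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Note that nothing in the decision depends on where the session comes from or what the user has been doing: that is the "static in nature" property the slide points out, and the gap the quantified approaches on the following slides address.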

Slide 12: Quantified Risk-Awareness (Non-Adaptive)
1. The risk threshold should vary across sessions (e.g. a session from the office vs. a session from a home PC)
2. The risk threshold limits user activities by restricting role activation

Slide 13: Quantified Risk-Awareness (Adaptive)
1. Continuous monitoring of user activities and anomaly detection
2. Response mechanism by automatic revocation of privileges (e.g. system-automated role deactivation)

Slide 14: Formal Specification
Formally enhance the NIST Core RBAC model to support a session with an adaptive risk threshold.
Functions of the adaptive quantified risk-aware sessions:
- AssignRisk: assigns a risk value to a permission
- RoleRisk: returns the estimated risk of a role
- CreateSession: the user creates a session and the system calculates a risk threshold for the session
- AddActiveRole: called by users; tries to activate a particular role
- Deactivation: called by AddActiveRole to deactivate some already activated roles in order to activate the requested role
- SActivityMonitor: monitors user sessions; if something is wrong it calls the system-automated deactivation (SADeactivation) function
- SADeactivation: automatically identifies which roles need to be deactivated and asks the user to deactivate them
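Slides 12 to 14 describe one mechanism from three angles: a per-session threshold derived from context, activation limited by that threshold, and a monitor that tightens the session when it detects an anomaly. The Python sketch below is an added example that wires the seven functions of slide 14 together; it is not the paper's formal specification. The threshold values per context, role risk computed as the sum of its permissions' risks, the "riskiest role first" deactivation order, the halving of the threshold on anomaly, and the anomaly rule (three or more denied accesses in one monitoring window) are all assumptions chosen for illustration.

```python
"""Adaptive quantified risk-aware RBAC sessions: a constructed Python sketch of the
session functions listed on slide 14. Not the paper's formal specification; the
threshold per context, role risk as the sum of its permissions' risks, the
"riskiest role first" deactivation order and the anomaly rule (three or more
denied accesses in a monitoring window) are all assumptions for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed per-context thresholds (slide 12: office session vs. home PC session)
THRESHOLDS = {"office": 10.0, "home": 5.0, "unknown": 2.0}
ANOMALY_DENIALS = 3   # assumed anomaly rule used by SActivityMonitor


@dataclass
class RiskAwareSessions:
    perm_risk: dict[str, float] = field(default_factory=dict)
    role_perms: dict[str, set[str]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    sessions: dict[str, dict] = field(default_factory=dict)

    def assign_risk(self, perm: str, value: float) -> None:
        """AssignRisk: attach a risk value to a permission."""
        self.perm_risk[perm] = value

    def role_risk(self, role: str) -> float:
        """RoleRisk: estimated risk of a role (assumed: sum over its permissions)."""
        return sum(self.perm_risk.get(p, 0.0) for p in self.role_perms.get(role, set()))

    def create_session(self, sid: str, user: str, context: str) -> float:
        """CreateSession: the system derives the session's risk threshold from its context."""
        threshold = THRESHOLDS.get(context, THRESHOLDS["unknown"])
        self.sessions[sid] = {"user": user, "active": set(), "threshold": threshold}
        return threshold

    def session_risk(self, sid: str) -> float:
        return sum(self.role_risk(r) for r in self.sessions[sid]["active"])

    def deactivation(self, sid: str, needed: float) -> set[str]:
        """Deactivation: drop active roles (riskiest first) until `needed` more risk fits."""
        s = self.sessions[sid]
        dropped = set()
        for role in sorted(s["active"], key=self.role_risk, reverse=True):
            if self.session_risk(sid) + needed <= s["threshold"]:
                break
            s["active"].discard(role)
            dropped.add(role)
        return dropped

    def add_active_role(self, sid: str, role: str) -> bool:
        """AddActiveRole: activate `role` if it is assigned and fits under the threshold,
        deactivating other roles first when necessary."""
        s = self.sessions[sid]
        if role not in self.user_roles.get(s["user"], set()):
            return False
        risk = self.role_risk(role)
        if risk > s["threshold"]:
            return False  # cannot fit in this session even on its own
        if self.session_risk(sid) + risk > s["threshold"]:
            self.deactivation(sid, risk)
        s["active"].add(role)
        return True

    def sactivity_monitor(self, sid: str, events: list[dict]) -> set[str]:
        """SActivityMonitor: inspect one window of access events; on anomaly call SADeactivation."""
        denials = sum(1 for e in events if e["result"] == "deny")
        if denials >= ANOMALY_DENIALS:
            return self.sadeactivation(sid)
        return set()

    def sadeactivation(self, sid: str) -> set[str]:
        """SADeactivation: tighten the threshold (assumed: halve it) and pick the roles that
        must go; the slide has the system ask the user, here they are dropped directly."""
        s = self.sessions[sid]
        s["threshold"] /= 2
        return self.deactivation(sid, 0.0)


def demo() -> dict:
    """Constructed scenario: one user, two sessions from different contexts, one anomaly."""
    m = RiskAwareSessions()
    for perm, value in {"read_doc": 1.0, "edit_doc": 2.0, "approve_payment": 4.0, "export_db": 6.0}.items():
        m.assign_risk(perm, value)   # constructed risk values
    m.role_perms = {"viewer": {"read_doc"}, "editor": {"read_doc", "edit_doc"},
                    "finance": {"approve_payment"}, "dba": {"export_db"}}
    m.user_roles = {"alice": {"viewer", "editor", "finance", "dba"}}
    out = {"editor_risk": m.role_risk("editor")}                       # 3.0
    out["home_threshold"] = m.create_session("home", "alice", "home")  # 5.0
    out["home_dba"] = m.add_active_role("home", "dba")                 # False: 6.0 > 5.0
    out["home_editor"] = m.add_active_role("home", "editor")           # True
    out["home_finance"] = m.add_active_role("home", "finance")         # True, after dropping editor
    out["home_active"] = sorted(m.sessions["home"]["active"])          # ["finance"]
    m.create_session("office", "alice", "office")                      # threshold 10.0
    for role in ("editor", "finance", "viewer"):
        m.add_active_role("office", role)
    out["office_risk"] = m.session_risk("office")                      # 8.0
    window = [{"perm": "export_db", "result": "deny"}] * 3 + [{"perm": "read_doc", "result": "allow"}]
    out["auto_deactivated"] = sorted(m.sactivity_monitor("office", window))  # ["finance"]
    out["office_active"] = sorted(m.sessions["office"]["active"])      # ["editor", "viewer"]
    return out
```

The same user gets a different answer to the same activation request depending on the session's context (the dba role fits in the office session but not at home), which is the non-adaptive property of slide 12; the monitoring window that strips the finance role from the office session is the adaptive response of slide 13.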

Slide 15: Conclusion
To summarize the framework:
- The risk-aware RBAC components are identified: sessions, user-role assignments, permission-role assignments, role hierarchy, constraints. Each component should have different functionality (which needs to be developed to support risk-awareness).
- Different types of risk-awareness approaches:
  - Traditional approaches: constraint specific (implicit risk, static in nature)
  - Quantified approaches: non-adaptive approach (explicit notion of risk that varies across different situations); adaptive approach (needs run-time monitoring capabilities and additional system functions for automatic response)

Slide 16: Future Work (figure labels: Constraints; User-Role Assignment (URA); Permission-Role Assignment (PRA))

Slide 17: Questions? The End

Backup vid-heinemeier-hansson-every-employee-should-work- from-home/