ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

Slides:



Advertisements
Similar presentations
Alabama Primary Health Care Association
Advertisements

Advanced Piloting Cruise Plot.
Cyber-Identity, Authority and Trust in an Uncertain World
Cyber-Identity, Authority and Trust in an Uncertain World
George Mason University
© 2004 Ravi Sandhu A Perspective on Graphs and Access Control Models Ravi Sandhu Laboratory for Information Security Technology George.
INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.
ACCESS-CONTROL MODELS
Ravi Sandhu Venkata Bhamidipati
1 A Model of OASIS Role-Based Access Control and Its Support for Active Security Rick Murphy, IT 862, Spring 2005.
ARBAC 97 (ADMINISTRATIVE RBAC)
1 TRANSACTION CONTROL EXPRESSIONS (TCEs) Ravi Sandhu.
Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.
ROLE HIERARCHIES AND CONSTRAINTS FOR LATTICE-BASED ACCESS CONTROLS
SECURING CYBERSPACE: THE OM-AM, RBAC AND PKI ROADMAP Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.
ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.
A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.
ISA 662 RBAC-MAC-DAC Prof. Ravi Sandhu. 2 © Ravi Sandhu RBAC96 ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE.
© 2004 Ravi Sandhu The Typed Access Matrix Model (TAM) and Augmented TAM (ATAM) Ravi Sandhu Laboratory for Information Security Technology.
ROLE-BASED ACCESS CONTROL: A MULTI-DIMENSIONAL VIEW Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman Seta Corporation McLean, VA Ravi Sandhu.
A THREE TIER ARCHITECTURE FOR ROLE-BASED ACCESS CONTROL Ravi Sandhu and Hal Feinstein Seta Corporation McLean, VA Ongoing NIST-funded project Other Project.
© 2005 Ravi Sandhu Role Usage and Activation Hierarchies (best viewed in slide show mode) Ravi Sandhu Laboratory for Information Security.
Flexible access control policy specification with constraint logic programming Steve Barker, Peter J. Stuckey Presenter: Vijayant Dhankhar.
Engineering Authority and Trust in Cyberspace: The OM-AM and RBAC Way Prof. Ravi Sandhu George Mason University
Chapter 1 The Study of Body Function Image PowerPoint
Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Year 6 mental test 10 second questions
ABC Technology Project
1 Undirected Breadth First Search F A BCG DE H 2 F A BCG DE H Queue: A get Undiscovered Fringe Finished Active 0 distance from A visit(A)
VOORBLAD.
BIOLOGY AUGUST 2013 OPENING ASSIGNMENTS. AUGUST 7, 2013  Question goes here!
Factor P 16 8(8-5ab) 4(d² + 4) 3rs(2r – s) 15cd(1 + 2cd) 8(4a² + 3b²)
Basel-ICU-Journal Challenge18/20/ Basel-ICU-Journal Challenge8/20/2014.
1..
© 2012 National Heart Foundation of Australia. Slide 2.
Understanding Generalist Practice, 5e, Kirst-Ashman/Hull
25 seconds left…...
H to shape fully developed personality to shape fully developed personality for successful application in life for successful.
Januar MDMDFSSMDMDFSSS
REGISTRATION OF STUDENTS Master Settings STUDENT INFORMATION PRABANDHAK DEFINE FEE STRUCTURE FEE COLLECTION Attendance Management REPORTS Architecture.
Analyzing Genes and Genomes
We will resume in: 25 Minutes.
©Brooks/Cole, 2001 Chapter 12 Derived Types-- Enumerated, Structure and Union.
Intracellular Compartments and Transport
PSSA Preparation.
Essential Cell Biology
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.
Access Control RBAC Database Activity Monitoring.
1 Grand Challenges in Authorization Systems Prof. Ravi Sandhu Executive Director and Endowed Chair November 14, 2011
1 Role-Based Access Control (RBAC) Prof. Ravi Sandhu Executive Director and Endowed Chair January 29, © Ravi.
Access Control Model SAM-5.
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC)
ASCAA Principles for Next-Generation Role-Based Access Control
Role-Based Access Control George Mason University and
Access Control Evolution and Prospects
Access Control Evolution and Prospects
Presentation transcript:

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University

2 © Ravi Sandhu SECURITY OBJECTIVES INTEGRITY less studied AVAILABILITY least studied CONFIDENTIALITY most studied USAGE newest

3 © Ravi Sandhu SECURITY TECHNOLOGIES u Access Control u Cryptography u Audit and Intrusion Detection u Authentication u Assurance u Risk Analysis u

4 © Ravi Sandhu CRYPTOGRAPHY LIMITATIONS u Cryptography cannot protect confidentiality and integrity of l data, keys, software in end systems u Prevent or detect use of covert channels

5 © Ravi Sandhu AUDIT AND INTRUSION DETECTION LIMITATIONS u Intrusion detection cannot by itself l protect audit data and audit collection and analysis software l prevent security breaches l protect against covert channels

6 © Ravi Sandhu ACCESS CONTROL LIMITATIONS u Access control cannot by itself l protect data in transit or storage on an insecure medium l safeguard against misuse by authorized users l protect against covert channels

7 © Ravi Sandhu AUTHENTICATION LIMITATIONS u By itself authentication does very little but what it does is critical u pre-requisite for effective l cryptography l access control l intrusion detection

8 © Ravi Sandhu A MIX OF MUTUALLY SUPPORTIVE TECHNOLOGIES AUTHENTICATION INTRUSION DETECTION CRYPTOGRAPHY ACCESS CONTROL ASSURANCE RISK ANALYSIS SECURITY ENGINEERING & MANAGEMENT

9 © Ravi Sandhu CLASSICAL ACCESS CONTROL DOCTRINE u Lattice-based mandatory access control (MAC) l strong l too strong l not strong enough u Owner-based discretionary access control (DAC) l too weak l too confused

10 © Ravi Sandhu ISSUES IN LATTICE-BASED MAC u MAC enforces one-directional information flow in a lattice of security labels u can be used for aspects of l confidentiality l integrity l aggregation (Chinese Walls)

11 © Ravi Sandhu PROBLEMS WITH LATTICE- BASED MAC u does not protect against covert channels and inference l not strong enough u inappropriate l too strong

12 © Ravi Sandhu ISSUES IN OWNER-BASED DAC u negative rights u inheritance of rights l interaction between positive and negative rights u grant flag u delegation of identity u temporal and conditional authorization

13 © Ravi Sandhu PROBLEMS WITH OWNER- BASED DAC u does not control information flow l too weak u inappropriate in many situations l too weak l too confused

14 © Ravi Sandhu BEYOND OWNER-BASED DAC u separation between ability l to use a right l to grant a right u non-discretionary elements l user who can use a right should not be able to grant it and vice versa

15 © Ravi Sandhu NON-DISCRETIONARY (BEYOND LATTICE-BASED MAC) u control of administrative scope l rights that can be granted l to whom rights can be granted u rights that cannot be simultaneously granted to same user u rights that cannot be granted to too many users

16 © Ravi Sandhu WHAT IS THE POLICY IN NON- DISCRETIONARY ACCESS CONTROL? u Non-discretionary access control is a means to articulate policy u does not incorporate policy but does support security principles l least privilege l abstract operations l separation of duties

17 © Ravi Sandhu ISSUES IN NON-DISCRETIONARY ACCESS CONTROL u models for non-discretionary propagation of access rights u role-based access control (RBAC) u task-based authorization (TBA)

18 © Ravi Sandhu u HRU, 1976 u TAKE-GRANT, u SPM/ESPM, u TAM/ATAM, 1992 onwards NON-DISCRETIONARY PROPAGATION MODELS

19 © Ravi Sandhu NON-DISCRETIONARY PROPAGATION MODELS u type-based non-discretionary controls u rights that authorize propagation can be separate or closely related to right being propagated u testing for absence of rights is essential for dynamic separation policies

20 © Ravi Sandhu ROLE-BASED ACCESS CONTROL: RBAC 0 ROLES USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS

21 © Ravi Sandhu ROLE-BASED ACCESS CONTROL: RBAC 1 ROLES USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE HIERARCHIES

22 © Ravi Sandhu HIERARCHICAL ROLES Health-Care Provider Physician Primary-Care Physician Specialist Physician

23 © Ravi Sandhu HIERARCHICAL ROLES Engineer Hardware Engineer Software Engineer Supervising Engineer

24 © Ravi Sandhu ROLE-BASED ACCESS CONTROL: RBAC 3 ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE HIERARCHIES CONSTRAINTS

25 © Ravi Sandhu RBAC MANAGEMENT ROLES USERS PERMISSIONS... ADMIN ROLES ADMIN PERMISSIONS CAN- MANAGE

26 © Ravi Sandhu RBAC MANAGEMENT S T1 T2 S3 T4 T5 P3 P ADMINISTRATIVE ROLE HIERARCHY CSO SO1SO2SO3 ROLE HIERARCHY

27 © Ravi Sandhu ROLES AND LATTICES u RBAC can enforce classical lattice- based MAC H L HR LR LW HW LATTICE ROLES

28 © Ravi Sandhu ROLES AND LATTICES u RBAC can accommodate variations of classical lattice-based MAC H L HR LR LW HW LATTICE ROLES

29 © Ravi Sandhu TASK-BASED AUTHORIZATION (TBA) u beyond subjects and objects u authorization is in context of some task u transient use-once permissions instead of long-lived use-many-times permissions

30 © Ravi Sandhu TRANSACTION CONTROL EXPRESSIONS (TCEs) u TCEs are an example of TBA prepare clerk; approve supervisor; issue clerk;

31 © Ravi Sandhu CONCLUSION u access control is important u there are many open issues

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.