Advanced CAMP: BoF Summaries. 2 Role-based Access Control (RBAC)

Presentation transcript:

Advanced CAMP: BoF Summaries

2 Role-based Access Control (RBAC)

3 RBAC: What and Why?
What?
- NIST RBAC model introduced: a role is an abstraction of a job function; a role is not a job title.
- Role privileges flow toward the root, while restrictions tend to flow toward the leaves.
Why?
- Opportunity to leverage an existing metadirectory or data warehouse to automatically provision roles, at least to a good degree.
- Potential benefits typical of an integrative approach:
  – less overhead, faster response, uniformity, a degree of automation
- Automates management of service provisioning for a dynamic set of users.

4 RBAC: Design
- Implementation requirements: model, data elements, components, vocabulary for communities and "roles".
- Need flexible management of roles.
- The number of roles necessary depends on the department; that number needs to be managed carefully.
- The closer you are to the root of the tree...
  – the more privileges you have.
- Stanford has about 200 roles and the ability to delegate access privileges if the user is closer to the root of the tree.

5 RBAC: Issues
- Separation of duties: I can apply for travel, but cannot approve my own travel.
- Static vs. dynamic roles vs. ...
- Limitations on role assignment.
- Limitations on session-based privileges.
- Possible mappings of some RBAC data elements to directories:
  – Natural mappings: users, groups of users, permissions??, roles, some role hierarchies
  – Less natural: sessions, operations, objects, permissions??

6 RBAC: Issues
- Department differences: a physician has high access yet is a leaf node in healthcare, while financial staff in leaf nodes have few permissions.
- Potential application of the separation of duty principle to enable physicians with multiple roles to adhere to the need-to-know principle with regard to patient data.
- Short-term needs: can we "break the glass" and provide permissions for special functions, to be verified or audited later? Permissions can be allowed while flagging them for examination later.
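The points raised in slides 3, 5 and 6 (privileges accumulating toward the root of the role hierarchy, static and dynamic separation of duty, session-scoped activation, and "break the glass" access that is granted but flagged for audit) in one small NIST-style RBAC engine. This is an added example, not code from the BoF; the roles, users and permission names are constructed, and the hierarchy is assumed acyclic.

```python
class RBAC:
    def __init__(self):
        self.perms, self.juniors = {}, {}  # role -> own perms; role -> junior roles
        self.user_roles = {}   # user -> assigned roles (not necessarily active)
        self.ssd, self.dsd = [], []  # static / dynamic separation-of-duty pairs
        self.audit_log = []    # break-the-glass grants flagged for later review

    def add_role(self, role, perms=(), juniors=()):
        self.perms[role], self.juniors[role] = set(perms), set(juniors)

    def effective_perms(self, role):
        # A role nearer the root inherits every permission of the roles beneath it
        # (hierarchy assumed acyclic).
        return self.perms[role].union(*(self.effective_perms(j) for j in self.juniors[role]))

    def assign(self, user, role):
        held = self.user_roles.setdefault(user, set())
        if any({a, b} <= held | {role} for a, b in self.ssd):  # static SoD
            raise ValueError(f"static SoD: {user} may not also hold {role}")
        held.add(role)

    def open_session(self, user, activate):
        active = set(activate)  # a session activates a subset of assigned roles
        if not active <= self.user_roles.get(user, set()):
            raise ValueError("cannot activate an unassigned role")
        if any({a, b} <= active for a, b in self.dsd):  # dynamic SoD
            raise ValueError("dynamic SoD: conflicting roles in one session")
        return {"user": user, "active": active}

    def check(self, session, perm, break_glass=False):
        if any(perm in self.effective_perms(r) for r in session["active"]):
            return True
        if break_glass:  # allow now, flag for examination later
            self.audit_log.append((session["user"], perm))
            return True
        return False

def build_demo():  # constructed roles: a travel workflow and clinical data
    rbac = RBAC()
    rbac.add_role("staff", ["apply_travel"])
    rbac.add_role("dept_head", ["manage_budget"], juniors=["staff"])
    rbac.add_role("travel_approver", ["approve_travel"])
    rbac.add_role("clinician", ["read_patient_chart"])
    rbac.add_role("researcher", ["read_deidentified_data"])
    rbac.ssd.append(("staff", "travel_approver"))  # cannot approve own travel
    rbac.dsd.append(("clinician", "researcher"))   # need-to-know per session
    for u, r in [("alice", "dept_head"), ("bob", "travel_approver"),
                 ("cho", "clinician"), ("cho", "researcher")]:
        rbac.assign(u, r)
    return rbac
```

Note that the static check here only looks at directly assigned roles, so a senior role that inherits a conflicting junior role is not caught; a production engine has to evaluate SoD over the inherited set as well.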

7 RBAC: Issues
- Design considerations: how much should be automated and how much should be left in its current state?
- What is good enough? Maybe ignore exceptions and consider an 80 or 90% solution as a start.

8 Management of Identity

9 Management of Identity: Key Issues
- Liability: giving accounts without verified identity creates risk; the issuing entity could be liable for misuse of the account.
- How do you accurately identify any entity accessing your services?
- How do you verify that identity, and who is responsible?
  – Face to face
  – Through documentation
  – Sponsorship
- Where is the reconciliation of identity? It varies.
  – In the registry
  – In data management
- How do you get correct information, how do you verify it's correct, and how do you keep it correct?
  – Use SSNs as a temporary password to verify they were entered correctly
  – Send birthday mail soliciting updated info
  – Set mandatory renewals on accounts

10 Management of Identity: Insights
- Directories are bracketed on both ends by identity:
  – key underpinning of directory services
  – layers on top of directory services
- Surprise! Often IT departments are managing identity. This results from the complexity of coordination between data owners.
- Need rules and definitions in common between different parts of the organization.
- Need buy-in from key parties supplying identity data.
- Sharing identities (with multiple roles) among multiple domains is a multiple-campus issue.

11 Affiliated Directories

12 Affiliated Directories: Potential Problem Space
- Directories joining data across more than one administrative domain
- Super-set or intersection of identities; "identity math"
- Asserting attributes on behalf of another entity; three-tier
- Updating and refreshing data in affiliated directories automatically

13 Affiliated Directories: Necessary Functionality
- Common language for exchanging information
- Identity management
- Authorization (interrealm RBAC?)
- Attribute metadata
- Underlying trust fabric

14 Affiliated Directories: Similarities to Current Systems
- Metadirectories
- Liberty Alliance 1.0
- Identity matching
- Generalized SHAR/AA interaction
- Useful to many other applications once functional

15 Affiliated Directories: Possible Scenarios (yet to be adopted)
- Mapping: there is a commObject URI in my enterprise directory that links me to a commObject in the ViDe environment. The video client wants to recognize that the two objects are linked in that direction.
- Authorization: how do we represent and trust an attribute placed in Brown's directory that Steven Carmody is a member of MACE? How is this asserted, validated, and understood?

16 Affiliated Directories: Possible Scenarios (cont.)
- Pull: I mirror an identity of Michael Gettes in my local directory with additional GRIDperson information. How can I know how volatile this information is, or how likely it is to have been changed?
- Push: if I change my name to Bob, how can I ensure that anyone else maintaining a version of my identity learns this?