Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control RBAC Database Activity Monitoring.

Published byDonna Hunt Modified over 9 years ago

Similar presentations

Presentation on theme: "Access Control RBAC Database Activity Monitoring."— Presentation transcript:

1 Access Control RBAC Database Activity Monitoring

2 CSCE 824 - Farkas 2 Reading assignments Required for access control classes:  Ravi Sandhu and P. Samarati, Access Control: Principles and Practice, IEEE Communications, Volume 32, Number 9, September 1994 http://www.list.gmu.edu/journals/commun/i94ac(org).pdfhttp://www.list.gmu.edu/journals/commun/i94ac(org).pdf  Ravi Sandhu, Lattice-Based Access Control Models, IEEE Computer, Volume 26, Number 11 (Cover Article), November 1993 http://www.list.gmu.edu/journals/computer/i93lbacm(org).pdf http://www.list.gmu.edu/journals/computer/i93lbacm(org).pdf  Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman, Role-Based Access Control Models, IEEE Computer, Volume 29, Number 2, February 1996 http://www.list.gmu.edu/journals/computer/i94rbac(org).pdf http://www.list.gmu.edu/journals/computer/i94rbac(org).pdf

3 3 RBAC Motivation Multi-user systems Multi-application systems Permissions are associated with roles Role-permission assignments are persistent v.s. user-permission assignments Intuitive: competency, authority and responsibility CSCE 824 - Farkas

4 4 Motivation Express organizational policies  Separation of duties  Delegation of authority Flexible: easy to modify to meet new security requirements Supports  Least-privilege  Separation of duties  Data abstraction CSCE 824 - Farkas

5 5 RBAC Allows to express security requirements but CANNOT ENFORCE THESE PRINCIPLES e.g., RBAC can be configured to enforce BLP rules but its correctness depend on the configuration done by the system security officer. CSCE 824 - Farkas

6 6 Roles User group: collection of user with possibly different permissions Role: mediator between collection of users and collection of permissions RBAC independent from DAC and MAC (they may coexist) RBAC is policy neutral: configuration of RBAC determines the policy to be enforced CSCE 824 - Farkas

7 7 RBAC RBAC 3 consolidated model RBAC 1 role hierarchy RBAC 2 constraints RBAC 0 base model CSCE 824 - Farkas

8 8 RBAC 0.... U Users R Roles P Permissions. S Sessions User assignment Permission assignment CSCE 824 - Farkas

9 9 RBAC0 User: human beings Role: job function (title) Permission: approval of a mode of access  Always positive  Abstract representation  Can apply to single object or to many CSCE 824 - Farkas

10 10 RBAC 0 UA: user assignments  Many-to-many PA: Permission assignment  Many-to-many Session: mapping of a user to possibly may roles  Multiple roles can be activated simultaneously  Permissions: union of permissions from all roles  Each session is associated with a single user  User may have multiple sessions at the same time CSCE 824 - Farkas

11 11 RBAC 0 Components Users, Roles, Permissions, Sessions PA  P x R (many-to-many) UA  U x R (many-to-many) user: S  U, mapping each session s i to a single user user(s i ) roles: S  2 R, mapping each session s i to a set of roles roles(s i )  {r | (user(s i ),r)  UA} and s i has permissions  r  roles(si) {p | (p,r)  PA} CSCE 824 - Farkas

12 12 RBAC 0 Permissions apply to data and resource objects only Permissions do NOT apply to RBAC components Administrative permissions: modify U,R,S,P Session: under the control of user to  Activate any subset of permitted roles  Change roles within a session CSCE 824 - Farkas

13 13 RBAC 1.... U Users R Roles P Permissions. S Sessions User assignment Permission assignment Role Hierarchy CSCE 824 - Farkas

14 14 RBAC 1 Structuring roles Inheritance of permission from junior role (bottom) to senior role (top) Partial order  Reflexive  Transitive  Anti-symmetric CSCE 824 - Farkas

15 15 RBAC 1 Components Same as RBAC 0 : Users, Roles, Permissions, Sessions, PA  P x R, UA  U x R, user: S  U, mapping each session s i to a single user user(s i ) RH  R x R, partial order (  dominance) roles: S  2 R, mapping each session s i to a set of roles roles(s i )  {r | (  r’  r) [(user(s i ),r’)  UA]} and s i has permissions  r  roles(si) {p | (  r”  r) [(p,r”)  PA]} CSCE 824 - Farkas

16 16 RBAC 1 Role Hierarchy Primary-care Physician Specialist Physician Health-care provider Inheritance of privileges CSCE 824 - Farkas

17 17 RBAC 1 Limit scope of inheritance Project Supervisor Test Engineer Programmer Project Member Test Engineer’ Test Engineer Programmer Programmer’ Project Member Project Supervisor Private Roles CSCE 824 - Farkas

18 18 RBAC 2 – Constraints Enforces high-level organizational policies Management of decentralized security Constraints define “acceptable” and “not acceptable” accesses CSCE 824 - Farkas

19 19 RBAC 2 – Components Same as RBAC 0 + Constraints CSCE 824 - Farkas

20 20 RBAC 2.... U Users R Roles P Permissions. S Sessions User assignment Permission assignment Constraints CSCE 824 - Farkas

21 21 RBAC 2 Mutually exclusive roles Dual constraint of permission assignments (permission assigned to at most one mutually exclusive role) Cardinality constraints (e.g., # of roles an individual can belong) Prerequisite roles CSCE 824 - Farkas

22 22 RBAC 2 Constraints can apply to sessions, user and roles functions CSCE 824 - Farkas

23 23 RBAC 3.... U Users R Roles P Permissions. S Sessions User assignment Permission assignment Constraints CSCE 824 - Farkas

24 Database Monitoring DBMS supported, e.g., Oracle auditing, transaction logs, etc. Non-DBMS monitoring, e.g., IBM InfoSphere Guardium  Database Activity Monitoring (DAM)  Database Activity Monitoring and Prevention (DAMP) 24 CSCE 824 - Farkas

25 DAMP Regulatory compliance support Protects data from external attacks Monitors privileged users and application (beyond DBMS support)  Oracle User Group Survey: most organizations do not have mechanisms to control or monitor privileged user activities 25 CSCE 824 - Farkas

26 Privileged user monitoring System administrators, database administrators, developers, help desk personnel, etc. Monitoring: auditing usage and transactions, identify anomalous activities, verify authorization of changes Data privacy Data governance 26 CSCE 824 - Farkas

27 Application Activity Monitoring End user accountability and fraud detection Means of misuse is via application (not direct database access) Address multi-tier applications that hide the identity of the end user 27 CSCE 824 - Farkas

28 Cyber Attack Protection Vulnerable code Database related attacks, e.g., SQL injection Monitor application characteristics, build profile, warn about anomalous behavior 28 CSCE 824 - Farkas

29 DAM Features Data collection and aggregation (heterogeneous data sources!) Profiling and anomaly detection Advanced features:  Real-time monitoring  Agnostic solutions  Automated response  Automatic data classification and security adjustment CSCE 824 - Farkas 29

30 30 Next Class: Midterm exam

Download ppt "Access Control RBAC Database Activity Monitoring."

Similar presentations

RBAC Role-Based Access Control

RBAC Role-Based Access Control
INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.

INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.

Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.

ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.
ROLE-BASED ACCESS CONTROL: A MULTI-DIMENSIONAL VIEW Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman Seta Corporation McLean, VA Ravi Sandhu.

ROLE-BASED ACCESS CONTROL: A MULTI-DIMENSIONAL VIEW Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman Seta Corporation McLean, VA Ravi Sandhu.
A THREE TIER ARCHITECTURE FOR ROLE-BASED ACCESS CONTROL Ravi Sandhu and Hal Feinstein Seta Corporation McLean, VA Ongoing NIST-funded project Other Project.

A THREE TIER ARCHITECTURE FOR ROLE-BASED ACCESS CONTROL Ravi Sandhu and Hal Feinstein Seta Corporation McLean, VA Ongoing NIST-funded project Other Project.
RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
Role-Based Access Control CS461/ECE422 Fall 2011.

Role-Based Access Control CS461/ECE422 Fall 2011.
The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.

The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.

RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies (2000) Author: Sylvia Osborn, Ravi Sandhu,Qamar Munawer.

Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies (2000) Author: Sylvia Osborn, Ravi Sandhu,Qamar Munawer.
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
Security Fall 2009McFadyen ACS-49021 How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.

Security Fall 2009McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
Security Fall 2006McFadyen ACS-49021 How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.

Security Fall 2006McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
Fall 2010/Lecture 301 CS 426 (Fall 2010) Role Based Access Control.

Fall 2010/Lecture 301 CS 426 (Fall 2010) Role Based Access Control.
Role Based Access Control Models Presented By Ankit Shah 2 nd Year Master’s Student.

Role Based Access Control Models Presented By Ankit Shah 2 nd Year Master’s Student.

Similar presentations

Ads by Google