
1 Security Leadership Essentials – Defense-in-Depth – © 2006 SANS
Role-Based Access Control (RBAC) Approach for Defense-in-Depth
Peter Leight and Richard Hammer, August 2006

2 Role-Based Access Control (RBAC) Approach for Defense-in-Depth
- What is Role-Based Access Control (RBAC)?
- What are the advantages of implementing RBAC?
- What are the challenges of implementing RBAC?
- How can RBAC be used as a framework for defense in depth?
- How will the RBAC implementation standard help?

3 What is RBAC?
- Role-Based Access Control
- Permission to perform an operation on an object is assigned to roles, not to users
- Users are assigned to roles
- Roles are assigned permissions
- Users acquire their permissions based on the roles they are assigned

4 RBAC is Many-to-Many
- Users may be assigned many roles
- Roles may have many users assigned to them
- Roles may be assigned to many other roles
- Roles may be assigned many permissions
- Permissions may be assigned to many roles
- Permissions may be granted to perform many different types of operations on an object

5 RBAC Flow Diagram (diagram not reproduced in the transcript)

6 What are the Advantages of RBAC?
- Once implemented, RBAC simplifies system administration
- Strong support for separation of duties
- Good auditing support
- Considered best practice by many

7 RBAC Simplifies System Administration
- When a user changes positions:
  – Her roles are changed to reflect her new position
  – Her replacement is assigned her old roles
  – No need to remove the user's old access on each object
- If roles are well defined, the system administrator only needs to add a user to their assigned roles, and the user then has access to all the resources they require to do their job

8 Separation of Duties
- Manages conflict-of-interest policy
- Reduces chances of fraud
- Spreads critical duties across roles and, in turn, across users
- RBAC has built-in support for:
  – Static Separation of Duties (SSD)
  – Dynamic Separation of Duties (DSD)

9 RBAC Improves Auditing
- User, role, and permission reviews are built into RBAC
- Much easier to determine whether an object should be accessible from a role than from a person
  – Should Jane access the payroll object? ???
  – Should the hotdog vendors role access the payroll object? NO!
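The relationships slides 3, 4, 7, 8 and 9 describe (users to roles, roles to permissions, roles inheriting from other roles, static and dynamic separation of duties, and the review functions that make auditing a question about roles rather than people) can be written down as a small working model. The following Python is an added example, not material from the presentation; the roles, users and objects (payroll_clerk, payroll_approver, auditor, hotdog_vendor, jane, bob, payroll, cafeteria_menu) are constructed for illustration.

```python
from collections import defaultdict


class RBAC:
    """Core + hierarchical RBAC with static and dynamic separation of duties."""

    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> roles the user is authorized for
        self.role_perms = defaultdict(set)   # role -> {(operation, object)}
        self.juniors = defaultdict(set)      # senior role -> junior roles it inherits from
        self.ssd = set()                     # role pairs no user may be authorized for together
        self.dsd = set()                     # role pairs no session may activate together

    # administrative functions
    def grant(self, role, operation, obj):
        self.role_perms[role].add((operation, obj))

    def inherit(self, senior, junior):
        """Role hierarchy: the senior role acquires every permission of the junior role."""
        self.juniors[senior].add(junior)

    def add_ssd(self, role_a, role_b):
        self.ssd.add(frozenset((role_a, role_b)))

    def add_dsd(self, role_a, role_b):
        self.dsd.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        """SSD is enforced at assignment time: refuse a role that completes a conflicting pair."""
        would_hold = self.effective_roles(self.user_roles[user] | {role})
        for pair in self.ssd:
            if pair <= would_hold:
                raise ValueError(f"SSD violation: {user} cannot hold {sorted(pair)}")
        self.user_roles[user].add(role)

    def revoke(self, user, role):
        """A position change is a role change; no per-object cleanup is needed."""
        self.user_roles[user].discard(role)

    # supporting system functions
    def effective_roles(self, roles):
        """Transitive closure over the hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def activate(self, user, roles):
        """Open a session with a subset of the user's roles; DSD is enforced here."""
        roles = set(roles)
        unauthorized = roles - self.user_roles[user]
        if unauthorized:
            raise ValueError(f"{user} is not authorized for {sorted(unauthorized)}")
        active = self.effective_roles(roles)
        for pair in self.dsd:
            if pair <= active:
                raise ValueError(f"DSD violation: {sorted(pair)} cannot be active together")
        return active

    def check_access(self, active_roles, operation, obj):
        return any((operation, obj) in self.role_perms[r] for r in active_roles)

    # review functions: the questions an auditor asks
    def user_permissions(self, user):
        perms = set()
        for r in self.effective_roles(self.user_roles[user]):
            perms |= self.role_perms[r]
        return perms

    def roles_with_permission(self, operation, obj):
        return {r for r, perms in self.role_perms.items() if (operation, obj) in perms}

    def users_with_permission(self, operation, obj):
        return {u for u in self.user_roles if (operation, obj) in self.user_permissions(u)}


def build_demo():
    """Constructed policy for illustration; all names are made up."""
    rbac = RBAC()
    rbac.grant("employee", "read", "cafeteria_menu")
    rbac.grant("payroll_clerk", "enter", "payroll")
    rbac.grant("payroll_approver", "approve", "payroll")
    rbac.grant("auditor", "read", "payroll")
    rbac.inherit("payroll_clerk", "employee")      # clerks are employees too
    rbac.inherit("payroll_approver", "employee")
    rbac.add_ssd("payroll_clerk", "payroll_approver")   # nobody both enters and approves payroll
    rbac.add_dsd("payroll_clerk", "auditor")            # may hold both, never in one session
    rbac.assign("jane", "payroll_clerk")
    rbac.assign("jane", "auditor")
    rbac.assign("bob", "hotdog_vendor")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    session = rbac.activate("jane", {"payroll_clerk"})
    print("jane enters payroll:", rbac.check_access(session, "enter", "payroll"))
    print("roles that can read payroll:", rbac.roles_with_permission("read", "payroll"))
    print("bob's permissions:", rbac.user_permissions("bob"))
```

The two separation-of-duties constraints bite at different points: SSD is checked when a role is assigned, so Jane can never be given payroll_approver while she is a payroll_clerk; DSD only restricts which authorized roles may be active in the same session. The review functions answer the slide's audit question directly: asking which roles can read payroll yields a short list of roles to justify, instead of a list of people.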

10 Challenges Implementing RBAC
- Policy must be clearly defined or RBAC breaks down completely
  – Roles must be created that reflect business needs
  – Permissions for roles to access objects must be determined
  – Membership in each role must be determined
- Up-front work requires a lot of time and effort
- RBAC standards have not resulted in compatible vendor implementations

11 RBAC as a DiD Framework
- Extend the concept of a user to include:
  – Computers or networks
  – Agents (e.g. a web front end accessing a database)
- Permission is approval to access or perform some action on an object
- Objects are extended to include:
  – Data, databases or information containers
  – Computers, networks or network resources
  – Programs or applications

12 RBAC for Network Design
- Use RBAC as the access mechanism for your entire network infrastructure
  – Routers
  – Firewalls
  – VPNs
  – VLANs
  – Servers
- Granular access controls can ensure all parameters are correct before access is granted
  – Joe might have access to financial data, but not from the wireless VLAN (sensitive finance data should only be accessible from the office VLAN)
  – Sally might have access to all external Internet sites, but only from her assigned IP address (HR has to review websites for lewd content, but not from out in the cubicles)
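The two cases on this slide (Joe's finance access only from the office VLAN, Sally's unrestricted web access only from her assigned IP address) are permissions that carry conditions on the request context as well as on the role. The evaluator below is an added Python example, not the presentation's code; the VLAN names, IP addresses, role names (finance, hr_web_reviewer, employee) and the sample requests are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# role -> [(operation, object, conditions)]. Every condition must hold for the
# permission to apply; an empty dict means the permission is unconditional.
# Constructed policy for illustration: VLAN names, addresses and roles are made up.
POLICY = {
    "finance": [("read", "financial_data", {"vlan": {"office"}})],
    "hr_web_reviewer": [("browse", "external_web", {"source_ip": {"10.1.5.20"}})],
    "employee": [("browse", "intranet", {})],
}
USER_ROLES = {
    "joe": {"finance", "employee"},
    "sally": {"hr_web_reviewer", "employee"},
}


@dataclass(frozen=True)
class Request:
    """An access request together with the network context it arrives from."""
    user: str
    operation: str
    obj: str
    vlan: str
    source_ip: str


def condition_holds(name, allowed, req):
    if name == "vlan":
        return req.vlan in allowed
    if name == "source_ip":
        addr = ipaddress.ip_address(req.source_ip)
        # allowed entries may be single hosts or CIDR blocks
        return any(addr in ipaddress.ip_network(a, strict=False) for a in allowed)
    return False  # unknown condition type: fail closed


def decide(req, policy=POLICY, user_roles=USER_ROLES):
    """Return (allowed, reason). Access is granted only when one of the user's
    roles holds a matching permission whose every condition is satisfied by the
    request context; otherwise the reason records which check failed."""
    denials = []
    for role in sorted(user_roles.get(req.user, ())):
        for op, obj, conds in policy.get(role, ()):
            if (op, obj) != (req.operation, req.obj):
                continue
            failed = [c for c, allowed in conds.items()
                      if not condition_holds(c, allowed, req)]
            if not failed:
                return True, f"granted via role {role!r}"
            denials.append(f"role {role!r} holds the permission but {failed} failed")
    return False, "; ".join(denials) or "no assigned role holds this permission"


def audit_line(req, policy=POLICY, user_roles=USER_ROLES):
    """One log line per decision, so a review can see why access was granted or refused."""
    allowed, reason = decide(req, policy, user_roles)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} user={req.user} op={req.operation} obj={req.obj} "
            f"vlan={req.vlan} src={req.source_ip} reason={reason}")


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("joe", "read", "financial_data", "office", "10.1.2.30"),
        Request("joe", "read", "financial_data", "wireless", "10.9.0.7"),
        Request("sally", "browse", "external_web", "office", "10.1.5.20"),
        Request("sally", "browse", "external_web", "office", "10.1.5.21"),
    ]
    for r in samples:
        print(audit_line(r))
```

The point of the context fields is that the role alone is never sufficient: Joe still holds the finance role on the wireless VLAN, yet the decision is a deny, and the audit line says exactly which condition failed. Unknown condition types fail closed so that a policy typo cannot silently widen access.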

13 Server Access Control
- RBAC allows granular access control to server resources based on roles
- Servers can use RBAC to control access to:
  – Documents or document containers
  – Resources (printers, CDs, USB ports, etc.)
  – Applications (database, WWW, FTP, etc.)
- Applications can restrict what data or reports a role can access

14 RBAC Standards
- Proposed NIST Standard for Role-Based Access Control (2001)
  – Users, roles, permissions, operations, objects
  – Core and Hierarchical RBAC
  – Separation of duties
  – Administrative functions, supporting system functions, review functions
- ANSI/INCITS 359-2004
- Draft NIST Role Based Access Control Implementation Standard (2006)

15 How the Standard Will Help
- It will give vendors a common model and language
- It will supply functional requirements that vendors must implement to become RBAC compliant
- It will help consumers choose products
- It will help products become interoperable

16 Conclusion
- RBAC is a great defense-in-depth model
- RBAC requires policy to be clearly defined before implementation
- RBAC does reduce system administration duties once implemented
- RBAC improves auditing and facilitates separation of duties
- An implementation standard is required before RBAC can fully realize its potential as an approach to defense-in-depth
