Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extended Role Based Access Control – Based Design and Implementation for a Secure Data Warehouse Dr. Bhavani Thuraisingham Srinivasan Iyer.

Published byBernadette Rose Modified over 8 years ago

Similar presentations

Presentation on theme: "Extended Role Based Access Control – Based Design and Implementation for a Secure Data Warehouse Dr. Bhavani Thuraisingham Srinivasan Iyer."— Presentation transcript:

1 Extended Role Based Access Control – Based Design and Implementation for a Secure Data Warehouse Dr. Bhavani Thuraisingham Srinivasan Iyer

2 Objective of the Research Issues on Designing and building a secure data warehouse. Find the issues in Existing (RBAC) Role based access control policy used in Data warehouse. Design an Extended RBAC (Combines RBAC and UCON (Usage Control)) enforced Secure Data Warehouse.

3 Outline of the Presentation Introduction Security for Data Warehouses Existing Role Based Access Control for Data Warehouse. Issues in RBAC UCON Advantages Need for Extended Role Based Access Control ERBAC enforced Data Warehouse Experiments and challenges Conclusion

4 Introduction Data warehousing is one of the key data management technologies to support data mining and other decision support functions. data warehouse will bring together the essential data from the heterogeneous databases in an Enterprise

5 Data warehouse must enforce the security policies enforced by the back-end data sources in addition to possibly enforcing additional security properties. Security Component-Most of the existing Data Management systems use RBAC for Data Security. Introduction

6 Security Issues -Data Warehouses sensitive information cannot be displayed to unintended users. critical functions only be performed by the right people in the organization. Data Warehouse should give users access to all the relevant information, to make the optimum decisions. E-Commerce requirements should have a security plan developed. Should have appropriate security and control over your data. Should eliminate the disclosure of confidential information.

7 Security Issues -Data Warehouses There are many ways in building a secure warehouse Method 1 - simply replicate the secure databases and enforce an integrated security policy. Disadvantages of above - Redundancy and inconsistency. Method 2 - A subset from the databases, place it in the warehouse and security is maintained by the warehouse. Issues- Which subset? Method 3 - Determine the types of queries that users would pose, and then analyze the data, examine security policies to be enforced and store only the data that is required by the user.

8 Data Warehouse – Security Approach

9 Design Steps – Secure Warehouse There are three phases to developing a secure warehouse. Phase 1 – Integrate Secure data Sources Phase 2 – Integrate Policy Phase 3 - Build secure data model, schemas, access methods, and index strategies for the secure warehouse.

10 Developing Stages in Data Warehouse

11 Role Based Access Control for Warehouse Traditional Access Control Technology

12 Develop a detailed security plan. The RBAC security component should not be added at the end of the system implementation. The setup should be done along with the implementation of the actual Data Management systems.

13 Setup hardware and software requirements The hardware and software requirements like network router, firewall should be set respectively. Ensure identification and listing of all sources, databases and applications Above process allows business units and management determine the level of security required for each application and data source.

14 Following Steps for RBAC in ERP Define Users/Groups Define Permissions Define Sessions Policy, Roles and corresponding Access Control Define Administration Security Integrate RBAC across all applications

15 Issues in RBAC how the access controls is different based on the data? Duties are not a part of RBAC RBAC does not mind about the permission that is required to be given or denied for the access of objects based on the operations made by the entities (users) in the system.

16 Issues in RBAC single user can take multiple roles in the same session. Single user can be a part of multiple sessions. change in role should not allow him to hinder the work that has already been done. Temporal dependencies arise in organizations where order of causality should be maintained.

17 Issue in RBAC decision factors depend on the access control at the time of requests rather than the on-going control which needs relatively long access.

18 UCON Overview Usage Control is one of the modern approaches to provide security and access control model to data and its entities. Usage Control integrates Authorizations A, Obligation B and Conditions C.

19 UCON Architecture

20 UCON Components A subject is an entity associated with certain attributes which has certain rights on objects. Authorization, Obligation, Conditions. Traditional models use only authorization for decision process. Authorization in UCON checks for on-going transactions.

21 UCON Obligations are a functional predicate that has to be verified before a subject exercises usage on a specific attribute. The Pre-decision process needs Pre Obligation (Pre B) Approvals. The decision process which is on going needs to be revoked or continued needs On- going Obligation (On B) approval.

22 UCON Conditions are system oriented or environmental decision factors. They are not similar to authorization or obligations. They do not have direct relation with either subject or object and their attributes, they depends on environment.

23 Need for Extended RBAC RBAC has more limitation in resource management RBAC issues regarding decision process, multiple roles, multiple session and many other temporal dependencies. UCON covers most of the traditional access model functionalities and has more new functions.

24 Need for Extended RBAC UCON cannot exist alone in an enterprise and manage all resource. It is not one for all complete solution. UCON has a strong Decision Process Framework but weak Administrative Security RBAC has a weak Decision process and Strong Administration and Role Delegations.

25 ERBAC Extended RBAC Combination of RBAC and UCON The Administrative Security, Role delegations are part of RBAC component and the rights of objects and decision process is a combination of UCON. Component will take into account the obligation approvals for pre and on-going transactions

26 ERBAC Architecture

27 ERBAC Components The Administrator component provides the extension of role based access and usage control. The architecture also shows the imaginary division between the RBAC and UCON components.

28 Five Manager Components User Manager Role Manager Decision Manager Session Manager Data Manager administrator is the configuration controller which manages all the security components.

29 Functions of the Components User manager takes care of the list of users in the database using the system. role manager gets the corresponding role of the user for the respective session. session manager helps in maintaining multiple sessions and maps the history of the user in each session.

30 Functions User requests for a data Decision Manager comes into Effect. Checks for System Conditions. Obligations are checked and the rights for the corresponding data are checked for pre approval and on-going approval. After Predicates depending on the role of the user the authorization is done.

31 Advantages of ERBAC Supports Different Roles in same session and Multiple session for single user. Supports Temporal Dependencies Provides Identity management Provides good Decision Factors for ongoing Transactions Strong administrative and Usage controls

32 ERBAC in Data Warehousing Data Management system is by itself very complex because it needs to integrate all the data, process and business operations into single system application is spread across the enterprise which spreads over many geographical locations.

33 ERBAC in Data management Architecture

34 Functions of Security Component in Data Warehousing The security is based on both the access control and usage control. Session manager interacts with network manager. The network manager with the help of the underlying network protocol ensures that the session created is secured

35 Functions (contd..) The process manager maintains the list of sessions that can exist simultaneously without disturbing the consistency of the system. The Administrator is responsible for the user, role and session relation and the authorization of the corresponding roles and the data are employed in the object database.

36 Functions The decision process entirely depends on the role and the usage of the data by any user The decision of any data to be granted, revoked or continue depends on the condition and obligations and the authorization.

37 Experiments The security component designed above has been implemented in a simulated Data warehouse. The front end of the system is designed using Java, back end is designed using oracle 10G Application simulated will generate scenarios where in it can show case the list of pre-approvals needed for the execution of a process and incase it needs an on-going approval it request for the approval to the administrator or the data owner.

38 Experiments There is a data policy manager encoded in xml format which acts as a data layer. It interacts between the application and the database and manages the rights of the data. The rights manager gives a list of pre- approvals needed for executing the process. The process continues until the ongoing approvals are granted, there are some mutable attributes which can be loaded while the process is executed.

39 Challenges Conflicts between the Role of the person and the Rights Exercised by the data. The management of mutable attributes increases the process time. The on-going approval increases the cost of the query. The process is slowed when there are some objects loaded during the course of the process

40 Conclusion We thank Profs. Latifur Khan,Murat Kantarcioglu, Elisa Bertino, Ravi Sandhu and Tim Finin as well as Dr. Mamoun Awad and Dr. Ebru Celikel We also thank the students Sai Chaitanya, Abinandhan Chandrasekaran, Ryan Layfield, Nathalie Tsybulnik, Li Liu, Alam Ashraful, Ganesh Subbiah, Gal Lavee, Kim Jungin and Pavan Chitumalla

Download ppt "Extended Role Based Access Control – Based Design and Implementation for a Secure Data Warehouse Dr. Bhavani Thuraisingham Srinivasan Iyer."

Similar presentations

Privacy-Enhancing Models and Mechanisms for Securing Provenance and its Use October 2010 Lead PI: Ravi Sandhu (UT San Antonio) PIs: Elisa Bertino (Purdue),

Privacy-Enhancing Models and Mechanisms for Securing Provenance and its Use October 2010 Lead PI: Ravi Sandhu (UT San Antonio) PIs: Elisa Bertino (Purdue),
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.

INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
Institute for Cyber Security

Institute for Cyber Security
A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.

A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.
Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.

Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.
Secure Dependable Stream Data Management Vana Kalogeraki (UC Riverside) Dimitrios Gunopulos (UC Riverside) Ravi Sandhu (UT San Antonio) Bhavani Thuraisingham.

Secure Dependable Stream Data Management Vana Kalogeraki (UC Riverside) Dimitrios Gunopulos (UC Riverside) Ravi Sandhu (UT San Antonio) Bhavani Thuraisingham.
A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.

A Logic Specification for Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University SACMAT 2004.
Towards A Times-based Usage Control Model Baoxian Zhao 1, Ravi Sandhu 2, Xinwen Zhang 3, and Xiaolin Qin 4 1 George Mason University, Fairfax, VA, USA.

Towards A Times-based Usage Control Model Baoxian Zhao 1, Ravi Sandhu 2, Xinwen Zhang 3, and Xiaolin Qin 4 1 George Mason University, Fairfax, VA, USA.
© 2006 Ravi Sandhu www.list.gmu.edu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,

© 2006 Ravi Sandhu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.

RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
Managing Data Resources

Managing Data Resources
Chapter 3 Database Management

Chapter 3 Database Management
Introduction to Databases Transparencies

Introduction to Databases Transparencies
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Secure Knowledge Management: and.

Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Secure Knowledge Management: and.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Distributed Databases

Distributed Databases
© 2003, Prentice-Hall Chapter 2 - 1 Chapter 2: The Data Warehouse Modern Data Warehousing, Mining, and Visualization: Core Concepts by George M. Marakas.

© 2003, Prentice-Hall Chapter Chapter 2: The Data Warehouse Modern Data Warehousing, Mining, and Visualization: Core Concepts by George M. Marakas.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
By N.Gopinath AP/CSE. Why a Data Warehouse Application – Business Perspectives  There are several reasons why organizations consider Data Warehousing.

By N.Gopinath AP/CSE. Why a Data Warehouse Application – Business Perspectives  There are several reasons why organizations consider Data Warehousing.

Similar presentations

Ads by Google