Post on 26-Mar-2015
ACCESS CONTROL: THE NEGLECTED FRONTIER
Ravi Sandhu
George Mason University
© Ravi Sandhu
SECURITY OBJECTIVES
CONFIDENTIALITY: most studied
INTEGRITY: less studied
AVAILABILITY: least studied
USAGE: newest
SECURITY TECHNOLOGIES
Access Control
Cryptography
Audit and Intrusion Detection
Authentication
Assurance
Risk Analysis
...
CRYPTOGRAPHY LIMITATIONS
Cryptography cannot by itself:
protect the confidentiality and integrity of data, keys, and software in end systems
prevent or detect the use of covert channels
AUDIT AND INTRUSION DETECTION LIMITATIONS
Intrusion detection cannot by itself:
protect audit data and the audit collection and analysis software
prevent security breaches
protect against covert channels
ACCESS CONTROL LIMITATIONS
Access control cannot by itself:
protect data in transit or in storage on an insecure medium
safeguard against misuse by authorized users
protect against covert channels
AUTHENTICATION LIMITATIONS
By itself authentication does very little, but what it does is critical: it is a prerequisite for effective cryptography, access control, and intrusion detection.
A MIX OF MUTUALLY SUPPORTIVE TECHNOLOGIES
Authentication, access control, cryptography, intrusion detection, assurance, and risk analysis, held together by security engineering and management.
CLASSICAL ACCESS CONTROL DOCTRINE
Lattice-based mandatory access control (MAC): strong, yet at once too strong and not strong enough
Owner-based discretionary access control (DAC): too weak and too confused
ISSUES IN LATTICE-BASED MAC
MAC enforces one-directional information flow in a lattice of security labels.
It can be used for aspects of confidentiality, integrity, and aggregation (Chinese Walls).
PROBLEMS WITH LATTICE-BASED MAC
does not protect against covert channels and inference: not strong enough
inappropriate in many situations: too strong
ISSUES IN OWNER-BASED DAC
negative "rights"
inheritance of rights
interaction between positive and negative rights
grant flag
delegation of identity
temporal and conditional authorization
PROBLEMS WITH OWNER-BASED DAC
does not control information flow: too weak
inappropriate in many situations: too weak, too confused
BEYOND OWNER-BASED DAC
Separate the ability to use a right from the ability to grant that right.
Non-discretionary element: a user who can use a right should not be able to grant it, and vice versa.
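A worked example of the DAC mechanisms from the last three slides, added here and not part of the slides: an ACL evaluator with negative rights, inheritance of rights down a container hierarchy, a grant flag recorded separately from the right to use, and the non-discretionary rule of this slide that a subject who can use a right may not also be given the ability to grant it (and vice versa). The users, objects, deny-overrides rule and owner-only-denies rule are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Ace:
    """One access-control entry on an object's ACL."""
    subject: str
    right: str
    allow: bool = True    # False makes this a negative right (an explicit deny)
    grant: bool = False   # True: confers the ability to grant `right`, not to use it

@dataclass
class Obj:
    name: str
    owner: str
    parent: Optional["Obj"] = None           # rights are inherited from ancestors
    acl: list = field(default_factory=list)

def matching(obj, subject, right):
    """ACEs for (subject, right) on obj and on every ancestor (inheritance of rights)."""
    node, found = obj, []
    while node is not None:
        found += [a for a in node.acl if a.subject == subject and a.right == right]
        node = node.parent
    return found

def can_use(obj, subject, right):
    """Owner may always use. Otherwise a negative entry anywhere on the chain
    overrides positive ones (assumed interaction rule: deny overrides allow)."""
    if subject == obj.owner:
        return True
    ents = matching(obj, subject, right)
    if any(not a.allow for a in ents):
        return False
    return any(a.allow and not a.grant for a in ents)

def can_grant(obj, subject, right):
    """The ability to grant is held separately from the ability to use."""
    if subject == obj.owner:
        return True
    ents = matching(obj, subject, right)
    if any(not a.allow for a in ents):
        return False
    return any(a.allow and a.grant for a in ents)

def grant(obj, grantor, grantee, right, as_granter=False):
    """grantor hands `right` to grantee, either to use it or to grant it on.
    Non-discretionary rule from the slide: nobody but the owner may hold both
    use and grant of the same right on the same object."""
    if not can_grant(obj, grantor, right):
        raise PermissionError(f"{grantor} cannot grant {right} on {obj.name}")
    if as_granter and can_use(obj, grantee, right):
        raise PermissionError(f"{grantee} can use {right}; must not also grant it")
    if not as_granter and can_grant(obj, grantee, right):
        raise PermissionError(f"{grantee} can grant {right}; must not also use it")
    obj.acl.append(Ace(grantee, right, allow=True, grant=as_granter))

def deny(obj, actor, subject, right):
    """Negative rights are added by the owner only (assumption)."""
    if actor != obj.owner:
        raise PermissionError("only the owner may add negative rights")
    obj.acl.append(Ace(subject, right, allow=False))

def grant_ok(*args, **kwargs):
    """True if the grant is permitted, False if the checks reject it."""
    try:
        grant(*args, **kwargs)
        return True
    except PermissionError:
        return False

def demo():
    """Constructed scenario: alice owns a folder and a document inside it."""
    root = Obj("projects", owner="alice")
    doc = Obj("projects/plan.txt", owner="alice", parent=root)
    root.acl.append(Ace("bob", "read"))                # inherited by plan.txt
    root.acl.append(Ace("carol", "read", grant=True))  # carol may grant read, not read
    grant(doc, "carol", "dave", "read")                # dave may now read the document
    deny(doc, "alice", "bob", "read")                  # negative right on the leaf only
    return {
        "bob_reads_root": can_use(root, "bob", "read"),
        "bob_reads_doc": can_use(doc, "bob", "read"),
        "carol_reads_doc": can_use(doc, "carol", "read"),
        "carol_grants_doc": can_grant(doc, "carol", "read"),
        "dave_reads_doc": can_use(doc, "dave", "read"),
        "dave_also_grants": grant_ok(doc, "carol", "dave", "read", as_granter=True),
        "carol_also_uses": grant_ok(doc, "alice", "carol", "read"),
        "bob_grants": grant_ok(doc, "bob", "eve", "read"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The deny on the leaf shows why the positive/negative interaction matters: bob still reads the folder through the inherited entry but loses the document, and because a negative entry also blocks granting, bob cannot pass on a right he no longer holds.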
NON-DISCRETIONARY (BEYOND LATTICE-BASED MAC)
Control of administrative scope:
rights that can be granted
to whom rights can be granted
rights that cannot be simultaneously granted to the same user
rights that cannot be granted to too many users
WHAT IS THE POLICY IN NON-DISCRETIONARY ACCESS CONTROL?
Non-discretionary access control is a means to articulate policy.
It does not incorporate policy, but it does support security principles: least privilege, abstract operations, separation of duties.
ISSUES IN NON-DISCRETIONARY ACCESS CONTROL
models for non-discretionary propagation of access rights
role-based access control (RBAC)
task-based authorization (TBA)
NON-DISCRETIONARY PROPAGATION MODELS
HRU, 1976
Take-Grant, 1976-82
SPM/ESPM, 1985-92
TAM/ATAM, 1992 onwards
NON-DISCRETIONARY PROPAGATION MODELS
type-based non-discretionary controls
rights that authorize propagation can be separate from, or closely related to, the right being propagated
testing for absence of rights is essential for dynamic separation policies
ROLE-BASED ACCESS CONTROL: RBAC0
USERS, ROLES, PERMISSIONS, SESSIONS
user-role assignment (users to roles, many-to-many)
permission-role assignment (permissions to roles, many-to-many)
a user may open many sessions, each activating a subset of that user's roles
ROLE-BASED ACCESS CONTROL: RBAC1
RBAC0 (users, roles, permissions, sessions, user-role and permission-role assignment) plus role hierarchies.
HIERARCHICAL ROLES
Primary-Care Physician and Specialist Physician are each senior to Physician, which is senior to Health-Care Provider; a senior role inherits the permissions of its junior roles.
HIERARCHICAL ROLES
Supervising Engineer is senior to both Hardware Engineer and Software Engineer, each of which is senior to Engineer.
ROLE-BASED ACCESS CONTROL: RBAC3
RBAC0 plus role hierarchies plus constraints (RBAC3 consolidates RBAC1, which adds hierarchies, and RBAC2, which adds constraints).
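An added example (not from the slides) of the RBAC3 model in working code: the RBAC0 core, the RBAC1 hierarchy from the health-care slide, and the constraints of slide 15 and this slide, namely static separation (roles that cannot be simultaneously granted to the same user), cardinality (roles that cannot be granted to too many users) and dynamic separation checked when a session activates roles. The permissions, users and billing roles are made up for illustration.

```python
from collections import defaultdict

class Rbac:
    """RBAC0 core plus RBAC1 hierarchy plus RBAC2-style constraints (= RBAC3)."""
    def __init__(self):
        self.ua = defaultdict(set)       # user -> assigned roles
        self.pa = defaultdict(set)       # role -> permissions
        self.juniors = defaultdict(set)  # senior role -> its immediate junior roles
        self.sessions = {}               # session id -> (user, activated roles)
        self.ssd = []                    # role sets no user may hold together
        self.dsd = []                    # role sets no session may activate together
        self.cardinality = {}            # role -> maximum number of assigned users

    def inherited(self, role):
        """RBAC1: a role plus everything junior to it (transitive closure)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def effective(self, roles):
        out = set()
        for r in roles:
            out |= self.inherited(r)
        return out

    def assign(self, user, role):
        """User-role assignment, subject to static constraints."""
        would_hold = self.effective(self.ua[user] | {role})
        for exclusive in self.ssd:           # roles never granted to the same user
            if len(would_hold & exclusive) > 1:
                raise ValueError(f"static SoD: {user} would hold {sorted(would_hold & exclusive)}")
        limit = self.cardinality.get(role)   # roles not granted to too many users
        holders = {u for u, rs in self.ua.items() if role in rs}
        if limit is not None and user not in holders and len(holders) >= limit:
            raise ValueError(f"cardinality: {role} already has {limit} user(s)")
        self.ua[user].add(role)

    def open_session(self, sid, user, roles):
        """A session activates some of the user's roles (or roles junior to them),
        subject to dynamic constraints."""
        roles = set(roles)
        allowed = self.effective(self.ua[user])
        if not roles <= allowed:
            raise ValueError(f"{user} may not activate {sorted(roles - allowed)}")
        active = self.effective(roles)
        for exclusive in self.dsd:
            if len(active & exclusive) > 1:
                raise ValueError(f"dynamic SoD: cannot co-activate {sorted(active & exclusive)}")
        self.sessions[sid] = (user, roles)

    def check(self, sid, permission):
        """The session, not the user, is the subject of an access check."""
        _, roles = self.sessions[sid]
        return any(permission in self.pa[r] for r in self.effective(roles))

def build():
    m = Rbac()
    # hierarchy from the slides: Primary-Care and Specialist Physician are senior to
    # Physician, which is senior to Health-Care Provider
    m.juniors["Physician"].add("Health-Care Provider")
    m.juniors["Primary-Care Physician"].add("Physician")
    m.juniors["Specialist Physician"].add("Physician")
    # permissions and billing roles are constructed for this example
    m.pa["Health-Care Provider"] |= {"read-chart"}
    m.pa["Physician"] |= {"write-order"}
    m.pa["Specialist Physician"] |= {"order-imaging"}
    m.pa["Billing Clerk"] |= {"issue-invoice"}
    m.pa["Billing Auditor"] |= {"audit-invoice"}
    m.ssd.append({"Billing Clerk", "Billing Auditor"})  # never both to one user
    m.dsd.append({"Physician", "Billing Clerk"})        # may hold both, not in one session
    m.cardinality["Specialist Physician"] = 1
    return m

def attempt(fn, *args):
    try:
        fn(*args)
        return True
    except ValueError:
        return False

def demo():
    m = build()
    m.assign("ann", "Specialist Physician")
    m.assign("ann", "Billing Clerk")
    m.assign("ben", "Billing Clerk")
    m.open_session("s1", "ann", ["Specialist Physician"])
    return {
        "ann_reads_chart": m.check("s1", "read-chart"),        # inherited two levels down
        "ann_orders_imaging": m.check("s1", "order-imaging"),
        "ann_issues_invoice": m.check("s1", "issue-invoice"),  # assigned but not activated
        "ben_adds_auditor": attempt(m.assign, "ben", "Billing Auditor"),        # static SoD
        "second_specialist": attempt(m.assign, "cid", "Specialist Physician"),  # cardinality
        "ann_coactivates": attempt(m.open_session, "s2", "ann", ["Physician", "Billing Clerk"]),  # dynamic SoD
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the static check runs over the closure of the hierarchy, so a user cannot dodge a mutual-exclusion constraint by being assigned a senior role that inherits one of the excluded roles, and that a session activating only Specialist Physician holds read-chart without the user ever being assigned Health-Care Provider directly.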
RBAC MANAGEMENT
Administrative roles and administrative permissions, with their own user and permission assignments, alongside the regular users, roles and permissions; a can-manage relation from administrative roles to the regular roles they administer.
RBAC MANAGEMENT
[figure: a regular role hierarchy (roles S, T1, T2, S3, T4, T5, P3, P) beside an administrative role hierarchy with CSO over SO1, SO2 and SO3]
ROLES AND LATTICES
RBAC can enforce classical lattice-based MAC.
[figure: lattice with H above L; lattice roles with HR over LR and LW over HW]
ROLES AND LATTICES
RBAC can accommodate variations of classical lattice-based MAC.
[figure: the same lattice, H above L; roles with HR over LR, while LW and HW are left unordered]
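An added example (not from the slides) that ties slide 10 (one-directional information flow in a lattice) to the two diagrams above: it simulates a chain of security levels with one read role and one write role per level, orders the read roles like the lattice (HR senior to LR) and the write roles the opposite way (LW senior to HW), and checks, for every subject level, object level and operation, that the role model grants exactly what the lattice rule grants (read requires the subject's level to dominate the object's; write requires the object's level to dominate the subject's). The second diagram leaves the write roles unordered; this example takes that as the strict *-property, where a subject writes only at its own level, and marks it with strict=True. The role names and the chain ["L", "H"] follow the slides; longer chains such as ["L", "M", "H"] are an extension of this example.

```python
def mac_allows(subject_level, object_level, op, order, strict=False):
    """Reference lattice rule for a chain of levels listed low to high.
    Read: subject level must dominate the object's (simple security).
    Write: object level must dominate the subject's (liberal *-property),
    or equal it when strict=True (strict *-property)."""
    s, o = order.index(subject_level), order.index(object_level)
    if op == "read":
        return s >= o
    return o == s if strict else o >= s

def lattice_roles(order, strict=False):
    """One read role xR and one write role xW per level x.
    Read roles follow the lattice (HR senior to LR); write roles run the other
    way (LW senior to HW) so that writing up is allowed, unless strict, where
    the write roles are left unordered."""
    pa, juniors = {}, {}
    for i, lvl in enumerate(order):
        pa[f"{lvl}R"] = {("read", lvl)}
        pa[f"{lvl}W"] = {("write", lvl)}
        if i > 0:
            juniors[f"{lvl}R"] = {f"{order[i - 1]}R"}
            if not strict:
                juniors[f"{order[i - 1]}W"] = {f"{lvl}W"}
    return pa, juniors

def closure(role, juniors):
    """A role together with every role junior to it."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(juniors.get(r, ()))
    return seen

def rbac_allows(active_roles, object_level, op, pa, juniors):
    """Permission check through the role hierarchy."""
    perms = set()
    for r in active_roles:
        for rr in closure(r, juniors):
            perms |= pa[rr]
    return (op, object_level) in perms

def session_roles(level):
    """A subject cleared at `level` activates exactly its read and write role."""
    return {f"{level}R", f"{level}W"}

def equivalent(order, strict=False):
    """True if the role simulation agrees with the lattice rule for every
    (subject level, object level, operation) triple."""
    pa, juniors = lattice_roles(order, strict)
    return all(
        rbac_allows(session_roles(s), o, op, pa, juniors) == mac_allows(s, o, op, order, strict)
        for s in order for o in order for op in ("read", "write")
    )

if __name__ == "__main__":
    print(equivalent(["L", "H"]), equivalent(["L", "M", "H"]), equivalent(["L", "H"], strict=True))
```

The one-directional flow falls out of the hierarchy shapes: a session at H inherits LR and so reads down, but holds only HW and so cannot write down, while a session at L inherits HW through LW and so may write up.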
TASK-BASED AUTHORIZATION (TBA)
Beyond subjects and objects: authorization is in the context of some task.
Transient, use-once permissions instead of long-lived, use-many-times permissions.
TRANSACTION CONTROL EXPRESSIONS (TCEs)
TCEs are an example of TBA:
prepare clerk;
approve supervisor;
issue clerk;
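An added example (not from the slides) that interprets a transaction control expression in the form shown above. Each step names an action and the role that may perform it; the steps of one transaction instance run strictly in order, and each step's permission is consumed when it executes, which is the use-once behaviour the previous slide contrasts with long-lived permissions. The example additionally refuses to let one user perform two steps of the same transaction; that reading of separation of duties, the users and the role membership are this example's assumptions.

```python
import re

def parse_tce(text):
    """'prepare clerk; approve supervisor; issue clerk;' -> [(action, role), ...]"""
    steps = []
    for clause in re.split(r";\s*", text.strip()):
        if not clause:
            continue
        parts = clause.split()
        if len(parts) != 2:
            raise ValueError(f"malformed step: {clause!r}")
        steps.append((parts[0], parts[1]))
    return steps

class Transaction:
    """One instance of a transaction governed by a TCE."""
    def __init__(self, tce, roles_of):
        self.steps = parse_tce(tce)
        self.roles_of = roles_of   # user -> set of roles (constructed input)
        self.next = 0              # index of the only step currently enabled
        self.history = []          # (action, user) for executed steps

    def execute(self, action, user):
        if self.next >= len(self.steps):
            raise PermissionError("transaction already complete")
        expected_action, role = self.steps[self.next]
        if action != expected_action:
            raise PermissionError(f"{action!r} is not enabled; expected {expected_action!r}")
        if role not in self.roles_of.get(user, set()):
            raise PermissionError(f"{user} lacks role {role!r} for {action!r}")
        if any(u == user for _, u in self.history):
            raise PermissionError(f"{user} already acted in this transaction")  # assumed SoD rule
        self.history.append((action, user))
        self.next += 1             # the permission for this step is now consumed
        return True

    def complete(self):
        return self.next == len(self.steps)

def attempt(txn, action, user):
    try:
        return txn.execute(action, user)
    except PermissionError:
        return False

def demo():
    roles = {"amy": {"clerk"}, "bo": {"clerk"}, "sue": {"supervisor"}}
    t = Transaction("prepare clerk; approve supervisor; issue clerk;", roles)
    return {
        "issue_first": attempt(t, "issue", "amy"),     # out of order
        "prepare_amy": attempt(t, "prepare", "amy"),
        "approve_amy": attempt(t, "approve", "amy"),   # clerk, not supervisor
        "approve_sue": attempt(t, "approve", "sue"),
        "issue_amy": attempt(t, "issue", "amy"),       # same user twice in one transaction
        "issue_bo": attempt(t, "issue", "bo"),
        "issue_again": attempt(t, "issue", "bo"),      # use-once: already consumed
        "complete": t.complete(),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The contrast with the RBAC checks earlier in the deck is the state carried per transaction instance: the same clerk role that lets amy prepare does not let her issue, because authorization here depends on what has already happened in this task, not only on who holds which role.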
CONCLUSION
Access control is important, and there are many open issues.