Cyber-Identity, Authority and Trust in an Uncertain World

Prof. Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
www.list.gmu.edu

© 2004-5 Ravi Sandhu

Upload: madison-romero

Post on 26-Mar-2015

Outline

• Perspective on security

• Role Based Access Control (RBAC)

• Objective Model-Architecture Mechanism (OM-AM) Framework

• Usage Control (UCON)

• Discussion

PERSPECTIVE

Security Conundrum

• Nobody knows WHAT security is

• Some of us do know HOW to implement pieces of it

Result: hammers in search of nails

Security Confusion

• INTEGRITY: modification
• AVAILABILITY: access
• CONFIDENTIALITY: disclosure
• USAGE: purpose

• electronic commerce, electronic business
• DRM, client-side controls

Security Successes

• On-line banking

• On-line trading

• Automatic teller machines (ATMs)

• GSM phones

• Set-top boxes

• …………………….

Success is largely unrecognized by the security community

Good enough security

• Exceeding good enough is not good
    • You will pay a price in user convenience, ease of operation, cost, performance, availability, …
    • There is no such thing as free security
• Determining good enough is hard
    • Necessarily a moving target

Good enough security

[Figure: triangle labelled EASY, SECURE and COST, with the parties Security geeks, Real-world users and System owner]

• whose security
• perception or reality of security

• end users
• operations staff
• help desk

• system cost
• operational cost
• opportunity cost
• cost of fraud

Business models dominate security models

Good enough security

• In many cases good enough is achievable at a pretty low threshold
    • The “entrepreneurial” mindset
• In extreme cases good enough will require a painfully high threshold
    • The “academic” mindset

Good enough security

[Figure: 3×3 matrix of RISK against COST, each on a L/M/H scale, with cells numbered 1 to 5; regions labelled "Entrepreneurial mindset" and "Academic mindset"]

ROLE-BASED ACCESS CONTROL (RBAC)

MAC, DAC and RBAC

• For 25 years (1971-96) access control was divided into
    • Mandatory Access Control (MAC)
    • Discretionary Access Control (DAC)
• Since the early-mid 1990’s Role-Based Access Control (RBAC) has become a dominant force
    • RBAC subsumes MAC and DAC
• RBAC is not the “final” answer BUT is a critical piece of the “final” answer

Mandatory Access Control (MAC)

[Figure: lattice of security labels TS, S, C, U, with arrows marked "Information Flow" and "Dominance"]

Rights are determined by security labels (Bell-LaPadula 1971)

Discretionary Access Control (DAC)

• The owner of a resource determines access to that resource
    • The owner is often the creator of the resource
• Fails to distinguish read from copy
    • This distinction has re-emerged recently under the name Dissemination Control (DCON)

RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard)

[Figure: RBAC96 components: USERS, ROLES, PERMISSIONS, SESSIONS, USER-ROLE ASSIGNMENT, PERMISSIONS-ROLE ASSIGNMENT, ROLE HIERARCHIES, CONSTRAINTS]

RBAC SECURITY PRINCIPLES

• least privilege

• separation of duties

• separation of administration and access

• abstract operations

HIERARCHICAL ROLES

[Figure: role hierarchy relating Health-Care Provider, Physician, Primary-Care Physician and Specialist Physician]

Fundamental Theorem of RBAC

• RBAC can be configured to do MAC

• RBAC can be configured to do DAC

RBAC is policy neutral

OM-AM (Objective/Model Architecture/Mechanism) Framework

THE OM-AM WAY

What?
    Objectives
    Model
How?
    Architecture
    Mechanism
Assurance

LAYERS AND LAYERS

• Multics rings
• Layered abstractions
• Waterfall model
• Network protocol stacks
• Napoleon layers
• RoFi layers
• OM-AM
• etcetera

OM-AM AND MANDATORY ACCESS CONTROL (MAC)

What?
    Objective: No information leakage
    Model: Lattices (Bell-LaPadula)
How?
    Architecture: Security kernel
    Mechanism: Security labels
Assurance

OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC)

What?
    Objective: Owner-based discretion
    Model: numerous
How?
    Architecture: numerous
    Mechanism: ACLs, Capabilities, etc
Assurance

OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)

What?
    Objective: Objective neutral
    Model: RBAC96, ARBAC97, etc.
How?
    Architecture: user-pull, server-pull, etc.
    Mechanism: certificates, tickets, PACs, etc.
Assurance

RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard)

[Figure: RBAC96 components: USERS, ROLES, PERMISSIONS, SESSIONS, USER-ROLE ASSIGNMENT, PERMISSIONS-ROLE ASSIGNMENT, ROLE HIERARCHIES, CONSTRAINTS]

Server-Pull Architecture

[Figure: Client, Server and User-role Authorization Server]

User-Pull Architecture

[Figure: Client, Server and User-role Authorization Server]

Proxy-Based Architecture

[Figure: Client, Proxy Server, Server and User-role Authorization Server]

USAGE CONTROL (UCON)

The UCON Vision: A unified model

• Traditional access control models are not adequate for today’s distributed, network-connected digital environment.
    • Authorization only – No obligation or condition based control
    • Decision is made before access – No ongoing control
    • No consumable rights – No mutable attributes
    • Rights are pre-defined and granted to subjects

OM-AM layered Approach

OM-AM Framework: Usage Control System

What?
    Objective: Policy Neutral
    Model: ABC model
How?
    Architecture: CRM/SRM, CDID architectures
    Mechanism: DRM technologies, certificates, etc.
Assurance

Prior Work

• Problem-specific enhancement to traditional access control
    • Digital Rights Management (DRM)
        – mainly focus on intellectual property rights protection.
        – Architecture and Mechanism level studies, Functional specification languages
        – Lack of access control model
    • Trust Management
        – Authorization for strangers’ access based on credentials

Prior Work

• Incrementally enhanced models
    • Provisional authorization [Kudo & Hada, 2000]
    • EACL [Ryutov & Neuman, 2001]
    • Task-based Access Control [Thomas & Sandhu, 1997]
    • Ponder [Damianou et al., 2001]

Usage Control (UCON) Coverage

Protection Objectives
• Sensitive information protection
• IPR protection
• Privacy protection

Protection Architectures
• Server-side reference monitor (SRM)
• Client-side reference monitor (CRM)
• Both SRM and CRM

[Figure: coverage diagram. One axis: Server-side Reference Monitor (SRM), Client-side Reference Monitor (CRM), SRM & CRM. Other axis: Sensitive Information Protection, Intellectual Property Rights Protection, Privacy Protection. Regions: Traditional Access Control, Trust Management, DRM, Usage Control]

Core UCON (Usage Control) Models

[Figure: UCON core model components: Subjects (S), Subject Attributes (ATT(S)), Objects (O), Object Attributes (ATT(O)), Rights (R), Usage Decision, Authorizations (A), Obligations (B), Conditions (C); a timeline marked pre, ongoing, post, annotated "Continuity of decisions" and "Mutability of attributes"]

Examples

• Long-distance phone (pre-authorization with post-update)
• Pre-paid phone card (ongoing-authorization with ongoing-update)
• Pay-per-view (pre-authorization with pre-updates)
• Click Ad within every 30 minutes (ongoing-obligation with ongoing-updates)
• Business Hour (pre-/ongoing-condition)
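The first three examples above, run through a toy reference monitor. This is an added example, not part of the original slides; the `Policy` hooks, attribute names and amounts are assumptions made for illustration.

```python
# Added illustration: a toy UCON reference monitor. All names and amounts are constructed.
from dataclasses import dataclass
from typing import Callable

Attrs = dict                                   # mutable attributes: ATT(S) or ATT(O)

def allow(s: Attrs, o: Attrs) -> bool: return True
def noop(s: Attrs, o: Attrs) -> None: return None

@dataclass
class Policy:
    pre_check: Callable = allow                # decision made before access
    pre_update: Callable = noop                # attribute update before access
    on_check: Callable = allow                 # decision repeated during access
    on_update: Callable = noop                 # attribute update during access
    post_update: Callable = noop               # attribute update after access

def use(policy: Policy, s: Attrs, o: Attrs, ticks: int):
    """Run one usage session of at most `ticks` time units; return (ticks_used, outcome)."""
    if not policy.pre_check(s, o):
        return 0, "denied"
    policy.pre_update(s, o)
    used, outcome = 0, "ended"
    for _ in range(ticks):
        if not policy.on_check(s, o):          # continuity: access can be revoked mid-use
            outcome = "revoked"
            break
        policy.on_update(s, o)
        used += 1
    s["last_usage"] = used                     # recorded so post-updates can bill for it
    policy.post_update(s, o)
    return used, outcome

# Amounts are integer cents.
def in_good_standing(s, o): return s["good_standing"]
def bill_afterwards(s, o):  s["owed"] += s["last_usage"] * o["rate"]
def can_pay_rate(s, o):     return s["credit"] >= o["rate"]
def debit_rate(s, o):       s["credit"] -= o["rate"]
def can_pay_price(s, o):    return s["credit"] >= o["price"]
def debit_price(s, o):      s["credit"] -= o["price"]

# Long-distance phone: pre-authorization with post-update.
LONG_DISTANCE = Policy(pre_check=in_good_standing, post_update=bill_afterwards)
# Pre-paid phone card: ongoing-authorization with ongoing-update.
PREPAID_CARD = Policy(on_check=can_pay_rate, on_update=debit_rate)
# Pay-per-view: pre-authorization with pre-update.
PAY_PER_VIEW = Policy(pre_check=can_pay_price, pre_update=debit_price)

def demo():
    card, line = {"credit": 25}, {"rate": 10}  # 25 cents of credit, 10 cents per minute
    return use(PREPAID_CARD, card, line, ticks=5), card["credit"]
```

The pre-paid card session is cut off after two minutes even though five were requested, which a decide-once-before-access model cannot express.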

Beyond the UCON Core Models

[Figure: Objects (O), Consumer Subjects (CS), Provider Subjects (PS) and Identifiee Subjects (IS), connected by Usage Control, Serial Usage Controls and Parallel Usage Controls]

UCON Architectures

• We narrow down our focus so we can discuss in detail how UCON can be realized at the architecture level
    • Sensitive information protection X CRM
• First systematic study for generalized security architectures for digital information dissemination
• Architectures can be extended to include payment function

[Figure: coverage diagram. One axis: Server-side Reference Monitor (SRM), Client-side Reference Monitor (CRM), SRM & CRM. Other axis: Sensitive Information Protection, Intellectual Property Rights Protection, Privacy Protection. Regions: Traditional Access Control, Trust Management, DRM, UCON Architectures]

Three Factors of Security Architectures

• Virtual Machine (VM)
    • runs on top of vulnerable computing environment and has control functions
    • Additional assurance will come with emerging hardware support
• Control Set (CS)
    • A list of access rights and usage rules
    • Fixed, embedded, and external control set
• Distribution Style
    • Message Push (MP), External Repository (ER) style

Architecture Taxonomy

VM: Virtual Machine

CS: Control Set

MP: Message Push

ER: External Repository

 

NC1: No control architecture w/ MP

NC2: No control architecture w/ ER

FC1: Fixed control architecture w/ MP

FC2: Fixed control architecture w/ ER

EC1: Embedded control architecture w/ MP

EC2: Embedded control architecture w/ ER

XC1: External control architecture w/ MP

XC2: External control architecture w/ ER

                     MP     ER
w/o VM               NC1    NC2
w/ VM, Fixed CS      FC1    FC2
w/ VM, Embedded CS   EC1    EC2
w/ VM, External CS   XC1    XC2

RESEARCH TOPICS

RESEARCH TOPICS

• OM-AM, RBAC, UCON
    • Previously discussed
• Trusted computing
    • Hardware-based trust on the client side
• Dissemination control
    • Discretionary access control done correctly
• Application-layer security
    • Can’t escape it
• Security as a tool for enterprise risk management
    • Reconciling financial, reputational and regulatory risk with business models
• Security in a world of pervasive computing
    • A comfort zone for users in a brave new world
• New security gizmos, widgets and protocols
    • A never ending quest