future directions in role-based access control models ravi sandhu co-founder and chief scientist...

Post on 26-Mar-2015

213 Views

Category:

Documents

0 Downloads

Preview:

Click to see full reader

TRANSCRIPT

Future Directions inRole-Based Access Control Models

Ravi Sandhu

Co-Founder and Chief Scientist

SingleSignOn.Net

&

Professor of Information Technology and Engineering

George Mason University

2© Ravi Sandhu 2001

ACCESS CONTROL

Also called Authorization Entitlement

Different from Authentication

Typically requires authentication as a prerequisite

3© Ravi Sandhu 2001

AUTHORIZATION, TRUST AND RISK

Information security is fundamentally about managing authorization and trust

so as to manage risk We don’t know how to do this

4© Ravi Sandhu 2001

ACCESS CONTROL PRINCIPLES

Least privilege Separation of duties Abstract permissions Decentralized administration Keep it simple stupid (KISS)

5© Ravi Sandhu 2001

ACCESS CONTROL MODELS

RBACRole-based

access control

DACDiscretionary

access control

MACMandatory

access control

6© Ravi Sandhu 2001

ACCESS CONTROL MODELS

RBACRole-based

Policy configured

DACIdentity based

Owner controlled

MACLattice based

Policy controlled

7© Ravi Sandhu 2001

WHY DO WE NEED MODELS

Separate the questions of What How

Provide a framework for managing complexity Complex authorization Simple authorization

Allow us to guarantee and understand policy Prove safety theorems Capture policy in constraints

8© Ravi Sandhu 2001

WHY DO WE NEED MODELS

Separate the questions of What How

Provide a framework for managing complexity Complex authorization Simple authorization

Allow us to guarantee and understand policy Prove safety theorems Capture policy in constraints

9© Ravi Sandhu 2001

WHY DO WE NEED MODELS

Objectives

Model

Architecture

Mechanism

What?

How?

Assurance

10© Ravi Sandhu 2001

ADMINISTRATIVE RBAC

ROLES

USERS

PERMISSIONS

...

ADMINROLES

ADMINPERMISSIONS

11© Ravi Sandhu 2001

EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

12© Ravi Sandhu 2001

EXAMPLE ROLE HIERARCHY

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

13© Ravi Sandhu 2001

EXAMPLE ROLE HIERARCHY

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

14© Ravi Sandhu 2001

EXAMPLE ROLE HIERARCHY

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

15© Ravi Sandhu 2001

WHY DO WE NEED MODELS

Objectives

Model

Architecture

Mechanism

What?

How?

Assurance

16© Ravi Sandhu 2001

ACCESS-CONTROL ARCHITECTURESERVER-PULL

Client Server

AuthorizationServer

AuthenticationServer

17© Ravi Sandhu 2001

ACCESS-CONTROL ARCHITECTUREUSER-PULL

Client Server

AuthorizationServer

AuthenticationServer

18© Ravi Sandhu 2001

ACCESS-CONTROL ARCHITECTUREPROXY-BASED

Client ServerProxy

AuthenticationServer

AuthorizationServer

19© Ravi Sandhu 2001

WHY DO WE NEED MODELS

Objectives

Model

Architecture

Mechanism

What?

How?

Assurance

20© Ravi Sandhu 2001

ACCESS-CONTROL MECHANISMSECURE COOKIES IN USER-PULL ARCHITECTURE

21© Ravi Sandhu 2001

ACCESS-CONTROL MECHANISMX.509 CERTIFICATES

X.509 certificates can be used in User-pull architecture Server-pull architecture

Secure cookies inherently user pull

22© Ravi Sandhu 2001

WHY DO WE NEED MODELS

Separate the questions of What How

Provide a framework for managing complexity Complex authorization Simple authorization

Allow us to guarantee and understand policy Prove safety theorems Capture policy in constraints

23© Ravi Sandhu 2001

WHY DO WE NEED MODELS

Objectives

Model

Architecture

Mechanism

What?

How?

Assurance

24© Ravi Sandhu 2001

COMPLEX VERSUS SIMPLE AUTHORIZATION

Complex authorization Many roles: hundreds, thousands Dynamic policy and complex

administration Simple authorization

Few roles: tens Static policy and simple administration

25© Ravi Sandhu 2001

COMPLEX AUTHORIZATION

Employee (E)

Engineering Department (ED)

Project Lead 1(PL1)

Engineer 1(E1)

Production 1(P1)

Quality 1(Q1)

Director (DIR)

Project Lead 2(PL2)

Engineer 2(E2)

Production 2(P2)

Quality 2(Q2)

PROJECT 2PROJECT 1

26© Ravi Sandhu 2001

COMPLEX AUTHORIZATION

Senior Security Officer (SSO)

Department Security Officer (DSO)

Project SecurityOfficer 1 (PSO1)

Project SecurityOfficer 2 (PSO2)

27© Ravi Sandhu 2001

SIMPLE AUTHORIZATION

External User

Internal User Senior Administrator

Junior Administrator

28© Ravi Sandhu 2001

COMPLEX AUTHORIZATION VERSUS COMPLEX PERMISSIONS

A consumer has access to only his own account and to no other account

A branch manager has access to accounts of customers at his branch but no accounts at any other branch

29© Ravi Sandhu 2001

WHY DO WE NEED MODELS

Separate the questions of What How

Provide a framework for managing complexity Complex authorization Simple authorization

Allow us to guarantee and understand policy Prove safety theorems Capture policy in constraints

30© Ravi Sandhu 2001

WHY DO WE NEED MODELS

Objectives

Model

Architecture

Mechanism

What?

How?

Assurance

31© Ravi Sandhu 2001

RBAC POLICY

Policy in RBAC is determined by Hierarchies Constraints

MAC and DAC can be configured in RBAC by suitable design of hierarchies and constraints

32© Ravi Sandhu 2001

ROLE-CENTRIC SEPARATION OF DUTIES

Static SOD: Conflicting roles cannot have common users

U = {u1,u2,…un} , R = {r1,r2,…rn},

CR = {cr1,cr2} : cr1 = {r1,r2,r3} , cr2 = {ra,rb,rc}

|roles(OE(U)) OE(CR)| 1

33© Ravi Sandhu 2001

PERMISSION-CENTRIC SEPARATION OF DUTIES

SSOD-CP |permissions(roles(OE(U))) OE(CP)|

1

Variations of SSOD-CP SSOD-CP |permissions(OE(R)) OE(CP)| 1

34© Ravi Sandhu 2001

CONSTRAINTS CHARACTERIZATION

CONSTRAINTS

PROHIBITION OBLIGATION

35© Ravi Sandhu 2001

SIMPLE PROHIBITION CONSTRAINTS

Type 1 expr 1

Type 2 expr or expr 0

Type 3 expr1expr2

36© Ravi Sandhu 2001

SIMPLE OBLIGATION CONSTRAINTS

Type 1 expr 0 or expr 0

Type 2 Set X Set Y

Type 3 obligation constraints obligation constraints

Type 4 expr 1

expr 1 expr 1 expr 0

37© Ravi Sandhu 2001

LOOKING AHEAD

Do we need more models or should we focus on understanding how to make better use of existing models?

How do we know we have a good model?

38© Ravi Sandhu 2001

LOOKING AHEAD

Engineering systems with complex authorizations

Deeper understanding of simple constraints and policy that can serve as building blocks

How to implement a model with different trust and performance tradeoffs

top related