Cyber-Identity, Authority and Trust in an Uncertain World

Prof. Ravi SandhuLaboratory for Information Security

TechnologyGeorge Mason University

www.list.gmu.edusandhu@gmu.edu

2© 2004 Ravi Sandhu

Outline

Perspective on security Role Based Access Control (RBAC) Objective Model-Architecture

Mechanism (OM-AM) Framework Usage Control (UCON)

3© 2004 Ravi Sandhu

Security Conundrum

Nobody knows WHAT security is Some of us do know HOW to

implement pieces of it

Result: hammers in search of nails

4© 2004 Ravi Sandhu

Security Confusion

INTEGRITYmodification

AVAILABILITYaccess

CONFIDENTIALITYdisclosure

USAGEpurpose

• electronic commerce, electronic business• DRM, client-side controls

5© 2004 Ravi Sandhu

Security Successes

On-line banking On-line trading Automatic teller machines (ATMs) GSM phones Set-top boxes …………………….

Success is largely unrecognizedby the security community

6© 2004 Ravi Sandhu

Good enough security

EASY SECURE

COST

Security geeksReal-world users

System owner

• whose security• perception or reality of security

• end users• operations staff• help desk

• system solution• operational cost• opportunity cost• cost of fraud

Business models dominatesecurity models

7© 2004 Ravi Sandhu

Good enough security

RISK

COST

H

M

L

L M H

1

2

3

2

3

4

3

4

5

Entrepreneurialmindset

Academicmindset

8© 2004 Ravi Sandhu

RBAC96 model(Currently foundation of a NIST/ANSI/ISO standard)

ROLES

USER-ROLEASSIGNMENT

PERMISSIONS-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

ROLE HIERARCHIES

CONSTRAINTS

9© 2004 Ravi Sandhu

Fundamental Theorem of RBAC

RBAC can be configured to do MAC MAC is Mandatory Access Control as

defined in the Orange Book RBAC can be configured to do DAC

DAC is Discretionary Access Control as defined in the Orange Book

RBAC is policy neutral

10© 2004 Ravi Sandhu

THE OM-AM WAY

ObjectivesModelArchitectureMechanism

What?

How?

Assurance

11© 2004 Ravi Sandhu

OM-AM AND MANDATORY ACCESS CONTROL (MAC)

What?

How?

No information leakageLattices (Bell-LaPadula)

Security kernelSecurity labels

Assurance

12© 2004 Ravi Sandhu

OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC)

What?

How?

Owner-based discretionnumerousnumerous

ACLs, Capabilities, etc

Assurance

13© 2004 Ravi Sandhu

OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)

What?

How?

Objective neutralRBAC96, ARBAC97, etc.

user-pull, server-pull, etc.certificates, tickets, PACs, etc.

Assurance

14© 2004 Ravi Sandhu

RBAC96 Model

ROLES

USER-ROLEASSIGNMENT

PERMISSIONS-ROLEASSIGNMENT

USERS PERMISSIONS

... SESSIONS

ROLE HIERARCHIES

CONSTRAINTS

15© 2004 Ravi Sandhu

Server-Pull Architecture

Client Server

User-roleAuthorizationServer

16© 2004 Ravi Sandhu

User-Pull Architecture

Client Server

User-roleAuthorizationServer

17© 2004 Ravi Sandhu

Proxy-Based Architecture

Client ServerProxyServer

User-roleAuthorizationServer

18© 2004 Ravi Sandhu

Usage Control (UCON) Coverage

Protection Objectives

Sensitive information protection

IPR protection Privacy protection

Protection Architectures

Server-side reference monitor

Client-side reference monitor

SRM & CRMServer-side

Reference Monitor(SRM)

Client-sideReference Monitor

(CRM)

TraditionalAccessControl

TrustManagement

Usage ControlSensitive

InformationProtection

IntellectualProperty Rights

Protection

PrivacyProtection

DRM

SRM & CRM

19© 2004 Ravi Sandhu

Core UCON (Usage Control) Models

Rights(R)

UsageDecision

Authoriza-tions (A)

Subjects(S)

Objects(O)

Subject Attributes(ATT(S))

Object Attributes(ATT(O))

Obligations(B)

Conditions(C)

Continuity Decision can be made during usage for continuous enforcement

MutabilityAttributes can be updated as side-effects of subjects’ actions

Usage

Continuity ofDecisions

pre

Before After

pre ongoing postMutability of

Attributes

ongoing N/A

20© 2004 Ravi Sandhu

Examples Long-distance phone (pre-authorization

with post-update) Pre-paid phone card (ongoing-

authorization with ongoing-update) Pay-per-view (pre-authorization with

pre-updates) Click Ad within every 30 minutes

(ongoing-obligation with ongoing-updates)

Business Hour (pre-/ongoing-condition)

21© 2004 Ravi Sandhu

Good enough security

RISK

COST

H

M

L

L M H

1

2

3

2

3

4

3

4

5

EntrepreneurialMindset• 80% problem• soft, informal• ordinary consumers

AcademicMindset• 120% problem• hard, informal• techno-geeks