ACCESS CONTROL: THE NEGLECTED FRONTIER

Ravi Sandhu

George Mason University

© Ravi Sandhu

SECURITY OBJECTIVES

CONFIDENTIALITY: most studied
INTEGRITY: less studied
AVAILABILITY: least studied
USAGE: newest

SECURITY TECHNOLOGIES

Access Control
Cryptography
Audit and Intrusion Detection
Authentication
Assurance
Risk Analysis
...

CRYPTOGRAPHY LIMITATIONS

Cryptography cannot by itself
  protect the confidentiality and integrity of data, keys and software in end systems
  prevent or detect the use of covert channels

AUDIT AND INTRUSION DETECTION LIMITATIONS

Intrusion detection cannot by itself
  protect audit data and the audit collection and analysis software
  prevent security breaches
  protect against covert channels

ACCESS CONTROL LIMITATIONS

Access control cannot by itself
  protect data in transit or in storage on an insecure medium
  safeguard against misuse by authorized users
  protect against covert channels

AUTHENTICATION LIMITATIONS

By itself authentication does very little, but what it does is critical
  pre-requisite for effective cryptography, access control and intrusion detection

A MIX OF MUTUALLY SUPPORTIVE TECHNOLOGIES

[Figure: AUTHENTICATION, INTRUSION DETECTION, CRYPTOGRAPHY, ACCESS CONTROL, ASSURANCE and RISK ANALYSIS arranged around SECURITY ENGINEERING & MANAGEMENT]

CLASSICAL ACCESS CONTROL DOCTRINE

Lattice-based mandatory access control (MAC): strong
  too strong
  not strong enough
Owner-based discretionary access control (DAC)
  too weak
  too confused

ISSUES IN LATTICE-BASED MAC

MAC enforces one-directional information flow in a lattice of security labels
Can be used for aspects of
  confidentiality
  integrity
  aggregation (Chinese Walls)
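As an added illustration, not part of Sandhu's slides, the lattice rule in code: a label is a sensitivity level plus a set of compartments, one label dominates another when both components do, and the single rule "information flows only upward" yields the confidentiality rules (read down, write up) and, with the direction of trust reversed, the integrity rules. The level names and compartments are constructed for the example.

```python
"""Lattice-based MAC as an added example: a label is (level, compartments);
information may flow from a to b only when b dominates a."""
from dataclasses import dataclass

# Constructed sensitivity levels, ordered low to high.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset

    def dominates(self, other):
        """Partial order: both the level and the compartment set must dominate."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def join(a, b):
    """Least upper bound: the label a combined or derived object must carry."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def flow_allowed(src, dst):
    """The one rule MAC enforces: information flows only upward in the lattice."""
    return dst.dominates(src)


# Confidentiality (Bell-LaPadula): reading moves data object -> subject,
# writing moves data subject -> object; both are instances of flow_allowed.
def can_read(subject, obj):
    return flow_allowed(obj, subject)        # simple security: read down


def can_write(subject, obj):
    return flow_allowed(subject, obj)        # *-property: write up


# Integrity (Biba): the same lattice read as trustworthiness; low-integrity
# data must not flow into high-integrity data.
def integrity_can_read(subject, obj):
    return flow_allowed(subject, obj)        # read only from objects at least as trusted


def integrity_can_write(subject, obj):
    return flow_allowed(obj, subject)        # write only to objects no more trusted


def comparable(a, b):
    """Incomparable labels permit no flow in either direction."""
    return a.dominates(b) or b.dominates(a)


if __name__ == "__main__":
    ts_nuc = Label("TS", frozenset({"nuclear"}))
    s_crypto = Label("S", frozenset({"crypto"}))
    s_plain = Label("S", frozenset())
    print(can_read(ts_nuc, s_plain), can_read(ts_nuc, s_crypto))   # read down, compartment blocks
    print(can_write(s_plain, ts_nuc), can_write(ts_nuc, s_plain))  # write up only
    print(comparable(ts_nuc, s_crypto), join(ts_nuc, s_crypto))
```

Note that `comparable` is where the slide's "lattice" matters: TS/{nuclear} and S/{crypto} are incomparable, so nothing flows between them, while their join TS/{nuclear, crypto} dominates both and is the label a document combining them must carry.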

PROBLEMS WITH LATTICE-BASED MAC

does not protect against covert channels and inference (not strong enough)
inappropriate (too strong)

ISSUES IN OWNER-BASED DAC

negative "rights"
inheritance of rights
interaction between positive and negative rights
grant flag
delegation of identity
temporal and conditional authorization

PROBLEMS WITH OWNER-BASED DAC

does not control information flow (too weak)
inappropriate in many situations (too weak, too confused)

BEYOND OWNER-BASED DAC

separation between the ability to use a right and the ability to grant a right
non-discretionary elements
  a user who can use a right should not be able to grant it, and vice versa
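An added example, not from the deck, covering the DAC issues and the use/grant separation of the two slides above: a toy owner-based ACL with positive and negative rights inherited through groups, evaluated under two common resolution rules that give opposite answers for the same list (the "too confused" point), plus a grant flag modelled as a separate right string ("grant:read") so that the non-discretionary rule that nobody both uses a right and grants it can be checked on the same structure. Group memberships, ACL entries and user names are constructed.

```python
"""Added example: owner-based DAC with positive and negative rights inherited
through groups, two resolution rules that disagree, and a grant flag kept
separate from the right it controls."""
from dataclasses import dataclass

# Constructed group membership: rights given to a group are inherited by its members.
GROUPS = {"staff": {"alice", "bob"}, "auditors": {"bob"}}


@dataclass(frozen=True)
class Entry:
    principal: str   # a user or a group name
    right: str       # "read", or "grant:read" for the grant flag on read
    allow: bool      # False makes this a negative right


# Constructed ACL for one object. Entry order matters to first_match below.
ACL = [
    Entry("staff", "read", True),           # positive right inherited by alice and bob
    Entry("bob", "read", False),            # negative right aimed at bob specifically
    Entry("officer", "grant:read", True),   # may hand out read, but holds no read itself
]


def applicable(acl, user, right):
    """Entries that reach user for right, directly or through a group."""
    return [e for e in acl if e.right == right
            and (e.principal == user or user in GROUPS.get(e.principal, set()))]


def deny_overrides(acl, user, right):
    """Any applicable negative right wins; otherwise any positive right grants."""
    entries = applicable(acl, user, right)
    return bool(entries) and all(e.allow for e in entries)


def first_match(acl, user, right):
    """The first applicable entry decides, as in order-dependent ACLs."""
    entries = applicable(acl, user, right)
    return entries[0].allow if entries else False


def grant(acl, grantor, grantee, right, decide=deny_overrides):
    """Granting requires the grant flag on the right; returns the extended ACL."""
    if not decide(acl, grantor, f"grant:{right}"):
        raise PermissionError(f"{grantor} may not grant {right}")
    return acl + [Entry(grantee, right, True)]


def use_grant_separated(acl, user, right, decide=deny_overrides):
    """Non-discretionary rule from the slide: nobody both uses a right and can grant it."""
    return not (decide(acl, user, right) and decide(acl, user, f"grant:{right}"))


if __name__ == "__main__":
    for rule in (deny_overrides, first_match):
        print(rule.__name__, {u: rule(ACL, u, "read") for u in ("alice", "bob", "carol")})
    extended = grant(ACL, "officer", "carol", "read")
    print("carol after grant:", deny_overrides(extended, "carol", "read"))
    print("officer separated:", use_grant_separated(extended, "officer", "read"))
```

Bob is the interesting case: he inherits read from staff and carries an explicit negative right, so deny-overrides refuses him while first-match admits him. Nothing in the ACL itself says which reading is intended, which is exactly the interaction problem the slide lists.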

NON-DISCRETIONARY (BEYOND LATTICE-BASED MAC)

control of administrative scope
  rights that can be granted
  to whom rights can be granted
rights that cannot be simultaneously granted to the same user
rights that cannot be granted to too many users

WHAT IS THE POLICY IN NON-DISCRETIONARY ACCESS CONTROL?

Non-discretionary access control is a means to articulate policy
  does not incorporate policy
  but does support security principles: least privilege, abstract operations, separation of duties

ISSUES IN NON-DISCRETIONARY ACCESS CONTROL

models for non-discretionary propagation of access rights
role-based access control (RBAC)
task-based authorization (TBA)

NON-DISCRETIONARY PROPAGATION MODELS

HRU, 1976
Take-Grant, 1976-82
SPM/ESPM, 1985-92
TAM/ATAM, 1992 onwards

NON-DISCRETIONARY PROPAGATION MODELS

type-based non-discretionary controls
rights that authorize propagation can be separate from, or closely related to, the right being propagated
testing for absence of rights is essential for dynamic separation policies

ROLE-BASED ACCESS CONTROL: RBAC0

[Figure: USERS linked to ROLES by USER-ROLE ASSIGNMENT, ROLES linked to PERMISSIONS by PERMISSION-ROLE ASSIGNMENT; each user's SESSIONS activate roles]

ROLE-BASED ACCESS CONTROL: RBAC1

[Figure: the RBAC0 picture (USERS, USER-ROLE ASSIGNMENT, ROLES, PERMISSION-ROLE ASSIGNMENT, PERMISSIONS, SESSIONS) with ROLE HIERARCHIES added on ROLES]

HIERARCHICAL ROLES

[Figure: Primary-Care Physician and Specialist Physician are senior to Physician, which is senior to Health-Care Provider]

HIERARCHICAL ROLES

[Figure: Supervising Engineer is senior to Hardware Engineer and Software Engineer, which are both senior to Engineer]

ROLE-BASED ACCESS CONTROL: RBAC3

[Figure: the RBAC1 picture (USERS, USER-ROLE ASSIGNMENT, ROLES, ROLE HIERARCHIES, PERMISSION-ROLE ASSIGNMENT, PERMISSIONS, SESSIONS) with CONSTRAINTS added]

RBAC MANAGEMENT

[Figure: USERS, ROLES and PERMISSIONS administered through ADMIN ROLES and ADMIN PERMISSIONS, connected to the regular roles by a CAN-MANAGE relation]

RBAC MANAGEMENT

[Figure: an example ROLE HIERARCHY with roles S, T1, T2, S3, T4, T5, P3 and P beside an ADMINISTRATIVE ROLE HIERARCHY with CSO above SO1, SO2 and SO3]

ROLES AND LATTICES

RBAC can enforce classical lattice-based MAC

[Figure: LATTICE with H above L; ROLES with read role HR above LR and write role LW above HW]

ROLES AND LATTICES

RBAC can accommodate variations of classical lattice-based MAC

[Figure: LATTICE with H above L; ROLES HR, LR, LW, HW in a variant arrangement]
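An added example, not from the slides, serving the RBAC0/RBAC1/RBAC3 slides, the non-discretionary constraints slide, and the roles-and-lattices slides above: a small RBAC engine with users, roles, permissions and sessions, RBAC1 role inheritance, and two RBAC3 constraints (roles that cannot be assigned to the same user, and a cap on how many users hold a role). It is then used twice: on the Health-Care Provider hierarchy, with constructed permissions and constraints, and to encode a two-level lattice as roles following the HR/LR and LW/HW picture, where read roles inherit downward and write roles inherit upward and a user cleared at x holds xR and xW. Two simplifications are assumed here: a user is assigned only the roles of their own clearance level, and the engine does not force a session to activate exactly one read role and one write role.

```python
"""Added example: a miniature RBAC engine (RBAC0 components, RBAC1 hierarchy,
RBAC3 constraints), applied to the slides' physician hierarchy and to a
two-level lattice encoded as roles."""
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.ua = defaultdict(set)        # user -> assigned roles (user-role assignment)
        self.pa = defaultdict(set)        # role -> {(operation, object)} (permission-role assignment)
        self.inherits = defaultdict(set)  # senior role -> junior roles it directly inherits (RBAC1)
        self.ssd = []                     # sets of mutually exclusive roles (static separation of duty)
        self.max_users = {}               # role -> cap on the number of assigned users (cardinality)

    def juniors(self, role):
        """role plus every role it inherits, transitively."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.inherits[r])
        return seen

    def assign(self, user, role):
        """User-role assignment, refused when a constraint would be violated."""
        closure = set().union(*(self.juniors(r) for r in self.ua[user] | {role}))
        for exclusive in self.ssd:          # inheriting an excluded role counts as holding it
            if len(closure & exclusive) > 1:
                raise PermissionError(f"SSD: {user} would hold {sorted(closure & exclusive)}")
        holders = {u for u, roles in self.ua.items() if role in roles}
        limit = self.max_users.get(role)
        if limit is not None and user not in holders and len(holders) >= limit:
            raise PermissionError(f"cardinality: {role} is capped at {limit} users")
        self.ua[user].add(role)

    def session(self, user, *roles):
        """A session activates some of the user's roles; returns its permissions,
        including those inherited from junior roles."""
        if not set(roles) <= self.ua[user]:
            raise PermissionError(f"{user} is not assigned all of {roles}")
        active = set().union(*(self.juniors(r) for r in roles))
        return set().union(*(self.pa[r] for r in active))


def hospital():
    """The slide's hierarchy; permissions and constraints are constructed."""
    r = RBAC()
    r.inherits["Physician"].add("Health-Care Provider")
    r.inherits["Primary-Care Physician"].add("Physician")
    r.inherits["Specialist Physician"].add("Physician")
    r.pa["Health-Care Provider"].add(("read", "chart"))
    r.pa["Physician"].add(("prescribe", "chart"))
    r.pa["Specialist Physician"].add(("order", "procedure"))
    r.ssd.append({"Primary-Care Physician", "Specialist Physician"})  # constructed: not both at once
    r.max_users["Specialist Physician"] = 1                            # constructed: one specialist
    return r


def lattice_roles(levels, labels):
    """Encode a totally ordered lattice (levels listed low to high) as roles:
    xR reads objects labelled x and inherits yR for every y below x (read down);
    xW writes objects labelled x and is inherited by yW for every y below x (write up)."""
    r = RBAC()
    for obj, x in labels.items():
        r.pa[f"{x}R"].add(("read", obj))
        r.pa[f"{x}W"].add(("write", obj))
    for low, high in zip(levels, levels[1:]):
        r.inherits[f"{high}R"].add(f"{low}R")   # HR above LR
        r.inherits[f"{low}W"].add(f"{high}W")   # LW above HW
    return r


def cleared_session(rbac, user, level):
    """A user cleared at level holds levelR and levelW and activates both."""
    rbac.assign(user, f"{level}R")
    rbac.assign(user, f"{level}W")
    return rbac.session(user, f"{level}R", f"{level}W")


if __name__ == "__main__":
    h = hospital()
    h.assign("alice", "Specialist Physician")
    print(sorted(h.session("alice", "Specialist Physician")))
    try:
        h.assign("alice", "Primary-Care Physician")
    except PermissionError as e:
        print(e)
    mac = lattice_roles(["L", "H"], {"l_doc": "L", "h_doc": "H"})
    print(sorted(cleared_session(mac, "bob", "L")))   # reads L; writes L and H
```

The lattice encoding is where the inverted write hierarchy earns its keep: because LW inherits HW, a session cleared at L can write the H document but not read it, which is the write-up rule of the previous slide expressed purely as role inheritance, with no label comparison anywhere in the engine.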

TASK-BASED AUTHORIZATION (TBA)

beyond subjects and objects
authorization is in the context of some task
transient use-once permissions instead of long-lived use-many-times permissions

TRANSACTION CONTROL EXPRESSIONS (TCEs)

TCEs are an example of TBA:

  prepare clerk;
  approve supervisor;
  issue clerk;
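An added example, not the original TCE formalism: an executor for the expression above, read as task-based authorization with use-once permissions. Each step is tied to a role, steps must run in the written order, each step can be performed once per transaction instance, and, on the separation-of-duty reading applied here, no user may perform two steps of the same instance, so the clerk who issues must be a different clerk from the one who prepared. The users and their roles are constructed.

```python
"""Added example: an executor for transaction control expressions, read as
task-based authorization with transient, use-once permissions."""
from dataclasses import dataclass, field

# Constructed users and roles.
ROLES = {"ann": {"clerk"}, "bob": {"clerk"}, "sue": {"supervisor"}}


def roles_of(user):
    return ROLES.get(user, set())


def parse_tce(text):
    """'prepare clerk; approve supervisor; issue clerk;' -> [('prepare', 'clerk'), ...]"""
    steps = []
    for clause in text.split(";"):
        clause = clause.strip()
        if clause:
            action, role = clause.split()
            steps.append((action, role))
    return steps


VOUCHER = parse_tce("prepare clerk; approve supervisor; issue clerk;")


@dataclass
class Transaction:
    """One instance of the task (e.g. one voucher). Its permissions are not
    long-lived rights on an object but the right to perform the next step, once."""
    tce: list
    history: list = field(default_factory=list)   # (action, user) for steps already done

    def next_step(self):
        return self.tce[len(self.history)] if len(self.history) < len(self.tce) else None

    def perform(self, user, action, roles_of=roles_of):
        """Run one step. Returns True when this step completes the transaction."""
        step = self.next_step()
        if step is None:
            raise PermissionError("transaction already complete; no permission remains")
        expected, role = step
        if action != expected:
            raise PermissionError(f"out of order: expected {expected!r}, got {action!r}")
        if role not in roles_of(user):
            raise PermissionError(f"{user} is not a {role}")
        if any(u == user for _, u in self.history):
            raise PermissionError(f"separation of duty: {user} already acted on this transaction")
        self.history.append((action, user))      # the use-once permission is consumed here
        return self.next_step() is None


if __name__ == "__main__":
    t = Transaction(VOUCHER)
    t.perform("ann", "prepare")
    t.perform("sue", "approve")
    for user in ("ann", "bob"):                   # ann prepared, so only bob may issue
        try:
            print(user, "issue ->", t.perform(user, "issue"))
        except PermissionError as e:
            print(user, "issue ->", e)
```

Contrast this with the RBAC view: both ann and bob hold the clerk role throughout, yet which of them is authorized to issue depends on the history of this particular voucher. That history-dependent, consumed-on-use permission is what the slide means by "transient use-once" as opposed to "long-lived use-many-times".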

CONCLUSION

access control is important
there are many open issues