Access Control Models: Controlling Resource Authorization

Access Control

Models: Controlling

Resource

Authorization

Access Control Models:

Controlling Resource

Authorization

Mark Niebergall

@mbniebergall

About Mark Niebergall

▪ PHP since 2005

▪ MS degree in MIS

▪ Senior Software Engineer

▪ UPHPU President

▪ SSCP, CSSLP Certified and SME

▪ Drones, fishing, skiing, father,

husband

Overview

Access request flow

Define applicable terminology

Cover primary Access Control Models

Discuss pros and cons of each model

Access Request

Request Resource

Access

Authorize Request

Authenticate

Subject

Request Resource

Access

Authorize Request

Authenticate

Subject

Authentication

Know Own Are

Authentication

You are who you say you are

Verify identity

Subject

Also known as requestor

Human or non-person entity (NPE)

Subject

Making request to access resource

Request Resource

Access

Authorize Request

Authenticate

Subject

Request Resource

Access

Authorize Request

Authenticate

Subject

Resource

Also known as object

Protected from unauthorized use

Resource

Something the system has or does

▪ Data

▪ Functionality

▪ Hardware

Request Resource

Access

Authorize Request

Authenticate

Subject

Request Resource

Access

Authorize Request

Authenticate

Subject

Authorization

Allow an authenticated subject

access to a resource

Authorization

Allow or deny

Subject action on object (CRUD)

Request Resource

Access

Authorize Request

Authenticate

Subject

Request Resource

Access

Authorize Request

Authenticate

Subject

Access Control Model

Definitions

Questions?

Authentication

Authorization

Subject

Resource

Access Control

Dictates who gets to do what

Framework for making authorization

decisions

Deciding subject access to

resources

#4 on 2017 OWASP Top 10: Broken

Access Control

Primary Access Control Models

▪ DAC: Discretionary

▪ MAC: Mandatory

▪ RBAC: Role Based

▪ ABAC: Attribute Based

1Discretionary (DAC)

House keys

Files on system

Clans in gaming

Subject Resource

Object owner grants permission

based on subject identity

Access Control List (ACL)

Deny by default

Subject Resource Authorization

Alice Report Allow

Alice Finance Deny

Alice Customer Allow

Bob Report Allow

Bob Finance Deny

Bob Customer Deny

SELECT is_allow

FROM acl

WHERE subject = ‘Alice’

AND resource = ‘Customer’

LIMIT 1;

$acl = new Acl;

$alice = new User(‘Alice’);

$bob = new User(‘Bob’);

$customer = new Resource(‘Customer’);

$acl->allow($alice, $customer);

$acl->deny($bob, $customer);

$acl->isAllowed($alice, $customer);

$acl->isAllowed($bob, $customer);

Simple implementation

High operational overhead

Access at discretion of resource

Questions?

2Mandatory (MAC)

Classified documents

Military intelligence

Leveled-up character in game

Search engine rules

Top Secret

Secret

Confidential

Subject Classification Resource

Object sensitivity

Subject security level or clearance

Write up, read down

Owner sets object label

System sets subject security level

Subject Security

LevelObject Label

Top Secret Secret Confidential

Top Secret Allow Allow Allow

Secret Deny Allow Allow

Confidential Deny Deny Allow

Subject Security Level

Alice Top Secret

Bob Secret

Clara Confidential

Object Label

Report Top Secret

Finance Secret

Customer Confidential

Level Name

1 Top Secret

2 Secret

Subject: Security

LevelObject: Label

Report: Top

SecretFinance: Secret

Customer:

Confidential

Alice: Top Secret Allow Allow Allow

Bob: Secret Deny Allow Allow

Clara: Confidential Deny Deny Allow

SELECT s.security_level

FROM subject s

JOIN security_level sl_s

ON sl_s.name = s.name

JOIN resource r

ON r.resource = ‘Report’

JOIN security_level sl_r

ON sl_r.name = r.name

AND sl_r.level <= sl_s.level

WHERE s.subject = ‘Alice’

LIMIT 1;

$accessControl = new Mac;

$topSecret = new Level(‘Top Secret’);

$secret = new Level(‘Secret’);

$finances = new Resource(‘Finances’);

$accessControl->addLevel($topSecret, 1)

->addLevel($secret, 2);

$accessControl->addUser($alice, $topSecret)

->addUser($bob, $secret);

$accessControl->addResource($finances, $secret);

$accessControl->isAllowed($alice, $finances);

Multilevel security

System and owner determine access

No flexibility

Moderate overhead

Questions?

3Role Based (RBAC)

Amazon Prime

User roles on a computer

Medical care staff

LARPing

Multiplayer Games

Role A

Role B

Role C

Role D

Subject Role Resource

Subject assigned to role

Role granted access to resource

Subject Role

Alice Accounting

Alice Orders

Bob Payroll

Clara Orders

Clara Reporting

Role Resource

Accounting Finance

Accounting Reports

Orders Inventory

Orders Shipments

Payroll Finance

SELECT sr.subject, rr.resource

FROM subject_role sr

JOIN role_resource rr

ON rr.subject = sr.subject

AND rr.role = sr.role

WHERE sr.subject = ‘Alice’

AND rr.resource = ‘Report’

LIMIT 1;

$accessControl = new Rbac;

$accounting = new Role(‘Accounting’);

$ordering = new Role(‘Ordering’);

$inventory = new Resource(‘Inventory’);

$accessControl->addRole($accounting)

->addRole($ordering);

$accessControl->addUser($alice)

->addUser($bob);

$accessControl->addResource($inventory);

$accessControl->addUserToRole($alice, $accounting);

$accessControl->addResourceToRole($inventory, $ordering);

$accessControl->isAllowed($alice, $ordering);

$accessControl->isAllowed($bob, $inventory);

Role explosion

Toxic combinations

Very common

Lower overhead

More scalable

Questions?

4Attribute Based (ABAC)

Electronic key card system

Credit card with monitoring

Airport security check

Gaming activities

Conditional authorization based on

attributes

Policy driven

Subject Action Resource Environment

Policy

Subject Action Environment Resource Access

Manager Create Region A Customer Allow

Manager Update Region B Customer Deny

Data Entry CreateRegion A

Any HourCustomer Allow

Data Entry CreateRegion B

Day ShiftCustomer Allow

Data Entry Create

Region B

Customer Deny

Subject attributes

Action attributes

Resource attributes

Environment attributes

Subject attributes

▪ Who

▪ Where

▪ Roles

▪ Affiliation

▪ Clearance

Action attributes

▪ Create, POST

▪ Read, GET

▪ Update, PUT

▪ Delete, DELETE

▪ Execute

Resource attributes

▪ Type

▪ Owner

▪ Classification

Environment attributes

▪ Time

▪ Network

▪ Operating system

▪ Encryption method

Policy Enforcement Point (PEP)

Policy Decision Point (PDP)

PEP sends authorization request to

Gartner predicts 70% of all

businesses will use ABAC by 2020

Keeps eyes on ABAC

Attempt to standardize ABAC

policies into XML format is mostly

dead, eXtensible Access Control

Markup Language (XACML)

Refined access

Meets demand for more advanced

access control

API access control

Typically start with RBAC

implementation and then build onto

it with policies

Custom implementation so no example

Questions?

Implementation

Considerations

Model Development Operational

Considerations

Model Scalability Granularity Sensitivity

Implementation Considerations

Use cases for application

Sensitivity of resources

Scalability of model

Granularity requirements

Existing frameworks and projects

APIs, external interfaces

Questions?

Review

DAC: simple, high overhead, ACL

MAC: user and resource

classification

RBAC: most common, role driven,

smaller overhead

ABAC: most advanced, policy driven

Review

Operational overhead vs

authorization needs

Consider current implementation

Consider future implementation

Credits

CREDITS

▪ NIST publication on ABAC

http://nvlpubs.nist.gov/nistpubs/specialpublications/NI

ST.sp.800-162.pdf

▪ ABAC for ZF2

https://github.com/Eye4web/Eye4webZf2Abac/blob/master/d

ocs/README.md

▪ Presentation template by SlidesCarnival

▪ Axiomatics webinar, May 2014

http://www.slideshare.net/Axiomatics/attribute-based-ac

cess-control-for-data-protection-webinar-may-8

▪ OWASP

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_

Project

Thanks!

Questions?

Mark Niebergall

@mbniebergall

Access Control Models: Controlling Resource Authorization

Software

How (Not) to Use OAuth - Daniel Fett...Authorization OAuth Authorization Server & Resource Server User Client Photo Editor Google Photos account authorizes to access Authentication

Providing Authorization with Apache Ranger · PCI/PHI – either as the resource enters the Hadoop ecosystem or at a later time. Once a resource is tagged, the authorization for the

Authorization to Complete I-9 Forms - Arizona State University · Slide 1 of 156 Human Resource Information System (HRIS) Authorization to Complete I-9 Forms

G-commerce: Market Formulations Controlling Resource

Using Graph Databases in Real-Time to Solve Resource Authorization at Telenor - GraphConnect San Francisco 2013

HUMAN RESOURCE MANAGEMENTAccording to Flippo “Personnel management, or say, human resource management is the planning, organising, directing and controlling of the procurement development

AC040 Cost Management and Controlling Enterprise Controlling Enterprise Controlling

Payroll Authorization Form - Payroll/Personnel Authorization

The OAuth 2.0 Authorization Protocol · The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource

Resource App Resource App Resource authorization server authorization endpoint token endpoint A A R

SharePoint Authorization and Authentication-Controlling Access to Documents and Data

Authentication and Authorization · Authentication Authorization Resource Credentials " User registration process with CA " User has one credential to present to resources " authN

Human Resource Controlling 2016 - PwC

CONTROLLING USER ACCESS: AUTHENTICATION AND AUTHORIZATION DEFIANA ARNALDY, M.SI 0818 0296 4763 DEFF_ARNALDY@YAHOO.COM 1

Resource Management the process of controlling or organizing resources in order to achieve goals

Introduction · Web view2015/06/30 · Introduction Conceptual Overview Authorization is the process of controlling access to resources. Once authentication has been accomplished,

A novel resource efficient dmms approach for network monitoring and controlling functions

Survivable Grids: Resource Management through …gsw2c/research/sc07_wasson.pdfSurvivable Grids: Resource Management through Dynamic Authorization Control ... public medicine, response

Capability-Based Authorization for HEP · • In the Google example, Google runs both the authorization and resource servers. Resource Owner Authorization Server Client. SciTokens

CHANGING FINANCIAL REPORTING-- · controlling or controlled by the issuer, or any person under direct or indirect common control with the issuer; ••• "From this general authorization