Cyber-Identity, Authority and Trust in an Uncertain World

Prof. Ravi Sandhu

Laboratory for Information Security Technology

George Mason University

www.list.gmu.edu

© 2004 Ravi Sandhu

Outline

• Perspective on security

• Role Based Access Control (RBAC)

• Objective Model-Architecture Mechanism (OM-AM) Framework

• Usage Control (UCON)

• Discussion

PERSPECTIVE

Security Conundrum

• Nobody knows WHAT security is

• Some of us do know HOW to implement pieces of it

Result: hammers in search of nails

Security Confusion

INTEGRITY: modification

AVAILABILITY: access

CONFIDENTIALITY: disclosure

USAGE: purpose

• electronic commerce, electronic business

• DRM, client-side controls

Security Successes

• On-line banking

• On-line trading

• Automatic teller machines (ATMs)

• GSM phones

• Set-top boxes

• …………………….

Success is largely unrecognized by the security community

Good enough security

• Exceeding good enough is not good
  • You will pay a price in user convenience, ease of operation, cost, performance, availability, …
  • There is no such thing as free security

• Determining good enough is hard
  • Necessarily a moving target

Good enough security

[Figure: triangle with corners EASY, SECURE and COST]

SECURE (Security geeks)
  • whose security
  • perception or reality of security

EASY (Real-world users)
  • end users
  • operations staff
  • help desk

COST (System owner)
  • system cost
  • operational cost
  • opportunity cost
  • cost of fraud

Business models dominate security models

Good enough security

• In many cases good enough is achievable at a pretty low threshold
  • The “entrepreneurial” mindset

• In extreme cases good enough will require a painfully high threshold
  • The “academic” mindset

Good enough security

[Figure: 3×3 grid of RISK (L, M, H) against COST (L, M, H), cells numbered 1 to 5, with the entrepreneurial mindset and the academic mindset marked]

ROLE-BASED ACCESS CONTROL (RBAC)

MAC and DAC

• For 25 years access control has been divided into
  • Mandatory Access Control (MAC)
  • Discretionary Access Control (DAC)

• In the past 10 years RBAC has become a dominant force
  • RBAC subsumes MAC and DAC

Mandatory Access Control (MAC)

[Figure: lattice of security labels TS, S, C, U in a vertical chain, with arrows labelled Dominance and Information Flow]

Mandatory Access Control (MAC)

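[Figure: lattice of security labels with compartments: S,{A,B} at the top, S,{A} and S,{B} in the middle, S,{} at the bottom, with arrows labelled Dominance and Information Flow]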
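
The dominance relation on the lattice above, written out as an added example that is not part of the original slides. It uses the standard Bell-LaPadula read and write rules; the helper names (`Label`, `join`, `meet`, `classify_output`) are chosen here for illustration.

```python
# Added example: labels are (level, compartments) pairs as on the two MAC slides.
from dataclasses import dataclass

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # linear order of levels

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other: level at least as high and compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def join(a, b):
    """Least upper bound: the lowest label dominating both a and b."""
    return Label(max(a.level, b.level, key=LEVELS.get), a.compartments | b.compartments)

def meet(a, b):
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(min(a.level, b.level, key=LEVELS.get), a.compartments & b.compartments)

def can_read(subject, obj):
    """Bell-LaPadula simple-security: information may flow from obj up to subject."""
    return subject.dominates(obj)

def can_write(subject, obj):
    """Bell-LaPadula *-property: information may flow from subject up to obj."""
    return obj.dominates(subject)

# The four labels of the compartment lattice on the slide.
S_AB, S_A = Label("S", frozenset("AB")), Label("S", frozenset("A"))
S_B, S_NONE = Label("S", frozenset("B")), Label("S")

def classify_output(*inputs):
    """Label for data derived from several sources: the join of all input labels."""
    result = inputs[0]
    for label in inputs[1:]:
        result = join(result, label)
    return result
```

S,{A} and S,{B} are incomparable: neither dominates the other, so a subject at one cannot read or write objects at the other, and data combining both must be labelled S,{A,B}.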

Discretionary Access Control (DAC)

• The owner of a resource determines access to that resource
  • The owner is often the creator of the resource

• Fails to distinguish read from copy

RBAC96 model

(Currently foundation of a NIST/ANSI/ISO standard)

[Figure: RBAC96 model with USERS, ROLES, PERMISSIONS and SESSIONS, linked by USER-ROLE ASSIGNMENT and PERMISSIONS-ROLE ASSIGNMENT, with ROLE HIERARCHIES and CONSTRAINTS]

RBAC SECURITY PRINCIPLES

• least privilege

• separation of duties

• separation of administration and access

• abstract operations

HIERARCHICAL ROLES

[Figure: role hierarchy with the roles Health-Care Provider, Physician, Primary-Care Physician and Specialist Physician]
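
The RBAC96 components (user-role assignment, permission-role assignment, role hierarchy, sessions, constraints) applied to this hierarchy, as an added example that is not part of the original slides. It assumes the usual RBAC96 reading in which Primary-Care Physician and Specialist Physician are senior to Physician, which is senior to Health-Care Provider; the users, permission names and the mutual-exclusion constraint are constructed.

```python
# Added example. Role names come from the slide; users, permissions and the
# mutual-exclusion constraint are constructed for illustration.
JUNIORS = {  # role hierarchy: senior role -> immediate junior roles
    "Primary-Care Physician": {"Physician"},
    "Specialist Physician": {"Physician"},
    "Physician": {"Health-Care Provider"},
    "Health-Care Provider": set(),
}
PA = {  # permission-role assignment
    "Health-Care Provider": {"read_chart"},
    "Physician": {"write_prescription"},
    "Primary-Care Physician": {"refer_patient"},
    "Specialist Physician": {"order_procedure"},
}
UA = {  # user-role assignment
    "alice": {"Primary-Care Physician"},
    "bob": {"Health-Care Provider"},
    "carol": {"Primary-Care Physician", "Specialist Physician"},
}
MUTEX = [{"Primary-Care Physician", "Specialist Physician"}]  # constraint

def with_juniors(roles):
    """The given roles plus every role junior to them."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(JUNIORS[role])
    return seen

def open_session(user, requested):
    """Activate a subset of the roles the user is authorized for."""
    requested = set(requested)
    authorized = with_juniors(UA.get(user, ()))
    if not requested <= authorized:
        raise PermissionError(f"{user} may not activate {sorted(requested - authorized)}")
    if any(len(group & requested) > 1 for group in MUTEX):
        raise PermissionError("mutually exclusive roles in one session")
    return {"user": user, "roles": requested}

def session_permissions(session):
    """Permissions of the active roles, including those inherited from junior roles."""
    return set().union(*(PA[r] for r in with_juniors(session["roles"])))

def check_access(session, permission):
    return permission in session_permissions(session)
```

Opening a session with only a junior role is how least privilege shows up in practice: alice can work as a plain Health-Care Provider and hold only `read_chart` for that session.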

Fundamental Theorem of RBAC

• RBAC can be configured to do MAC

• RBAC can be configured to do DAC

RBAC is policy neutral

OM-AM (Objective/Model Architecture/Mechanism) Framework

THE OM-AM WAY

What?
  Objectives
  Model

How?
  Architecture
  Mechanism

Assurance

LAYERS AND LAYERS

• Multics rings

• Layered abstractions

• Waterfall model

• Network protocol stacks

• Napoleon layers

• RoFi layers

• OM-AM

• etcetera

OM-AM AND MANDATORY ACCESS CONTROL (MAC)

What?
  Objectives: No information leakage
  Model: Lattices (Bell-LaPadula)

How?
  Architecture: Security kernel
  Mechanism: Security labels

Assurance

OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC)

What?
  Objectives: Owner-based discretion
  Model: numerous

How?
  Architecture: numerous
  Mechanism: ACLs, Capabilities, etc.

Assurance

OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)

What?
  Objectives: Objective neutral
  Model: RBAC96, ARBAC97, etc.

How?
  Architecture: user-pull, server-pull, etc.
  Mechanism: certificates, tickets, PACs, etc.

Assurance

RBAC96 model

(Currently foundation of a NIST/ANSI/ISO standard)

[Figure: RBAC96 model with USERS, ROLES, PERMISSIONS and SESSIONS, linked by USER-ROLE ASSIGNMENT and PERMISSIONS-ROLE ASSIGNMENT, with ROLE HIERARCHIES and CONSTRAINTS]

Server-Pull Architecture

[Figure: Client, Server and User-role Authorization Server]

User-Pull Architecture

[Figure: Client, Server and User-role Authorization Server]

Proxy-Based Architecture

[Figure: Client, Proxy Server, Server and User-role Authorization Server]

USAGE CONTROL (UCON)

The UCON Vision: A unified model

• Traditional access control models are not adequate for today’s distributed, network-connected digital environment.
  • Authorization only – No obligation or condition based control
  • Decision is made before access – No ongoing control
  • No consumable rights – No mutable attributes
  • Rights are pre-defined and granted to subjects

OM-AM layered Approach

OM-AM Framework / Usage Control System

What?
  Objective: Policy Neutral
  Model: ABC model

How?
  Architecture: CRM/SRM, CDID architectures
  Mechanism: DRM technologies, certificates, etc.

Assurance

Prior Work

• Problem-specific enhancement to traditional access control
  • Digital Rights Management (DRM)
    – mainly focus on intellectual property rights protection.
    – Architecture and Mechanism level studies, Functional specification languages
    – Lack of access control model
  • Trust Management
    – Authorization for strangers’ access based on credentials

Prior Work

• Incrementally enhanced models
  • Provisional authorization [Kudo & Hada, 2000]
  • EACL [Ryutov & Neuman, 2001]
  • Task-based Access Control [Thomas & Sandhu, 1997]
  • Ponder [Damianou et al., 2001]

Usage Control (UCON) Coverage

Protection Objectives
  • Sensitive information protection
  • IPR protection
  • Privacy protection

Protection Architectures
  • Server-side reference monitor (SRM)
  • Client-side reference monitor (CRM)
  • Both SRM and CRM

[Figure: coverage diagram with the protection objectives (Sensitive Information Protection, Intellectual Property Rights Protection, Privacy Protection) on one axis and the architectures (Server-side Reference Monitor (SRM), Client-side Reference Monitor (CRM), SRM & CRM) on the other, with regions labelled Traditional Access Control, Trust Management, DRM and Usage Control]

Core UCON (Usage Control) Models

[Figure: core UCON components: Subjects (S), Subject Attributes (ATT(S)), Objects (O), Object Attributes (ATT(O)), Rights (R), Authorizations (A), Obligations (B), Conditions (C) and the Usage Decision, over a timeline labelled pre, ongoing, post]

Continuity of decisions

Mutability of attributes

Examples

• Long-distance phone (pre-authorization with post-update)

• Pre-paid phone card (ongoing-authorization with ongoing-update)

• Pay-per-view (pre-authorization with pre-updates)

• Click Ad within every 30 minutes (ongoing-obligation with ongoing-updates)

• Business Hour (pre-/ongoing-condition)
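
Three of the cases above (pre-paid phone card, long-distance phone, business hours) as running code, to show what continuity of decision and mutable attributes mean in practice. This is an added example, not part of the original slides; the class names, attribute names, rates and hours are constructed.

```python
# Added example: UCON-style usage sessions. Attribute names, rates and hours are constructed.
class PrepaidCard:
    """Ongoing-authorization with ongoing-update: credit is consumed during the call."""
    def pre(self, s, o): return s["credit"] >= o["rate"]
    def tick(self, s, o): s["credit"] -= o["rate"]            # ongoing-update
    def ongoing(self, s, o): return s["credit"] >= o["rate"]  # can pay the next minute?
    def end(self, s, o, minutes): pass

class LongDistance:
    """Pre-authorization with post-update: checked once, billed when the call ends."""
    def pre(self, s, o): return not s["suspended"]
    def tick(self, s, o): pass
    def ongoing(self, s, o): return True
    def end(self, s, o, minutes): s["bill"] += minutes * o["rate"]  # post-update

def business_hours(env):
    """Pre-/ongoing-condition: depends on the environment, not on subject or object."""
    return 9 <= env["hour"] < 17

class UsageSession:
    def __init__(self, policy, subject, obj, condition=lambda env: True):
        self.policy, self.s, self.o, self.condition = policy, subject, obj, condition
        self.minutes, self.state = 0, "requested"

    def start(self, env):
        ok = self.condition(env) and self.policy.pre(self.s, self.o)
        self.state = "active" if ok else "denied"
        return ok

    def minute_elapsed(self, env):
        """Continuity of decision: update mutable attributes, then re-evaluate."""
        if self.state != "active":
            return False
        self.minutes += 1
        self.policy.tick(self.s, self.o)
        if not (self.condition(env) and self.policy.ongoing(self.s, self.o)):
            self.stop("revoked")
        return self.state == "active"

    def stop(self, state="ended"):
        if self.state == "active":
            self.policy.end(self.s, self.o, self.minutes)
            self.state = state

def run_call(session, env, wanted_minutes):
    if session.start(env):
        while session.minutes < wanted_minutes and session.minute_elapsed(env):
            pass
        session.stop()
    return session.minutes, session.state  # (minutes used, final state)
```

A traditional access check corresponds to `start` alone; the revocation in `minute_elapsed` is the part that a decide-once model cannot express.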

Beyond the UCON Core Models

[Figure: Consumer Subjects (CS), Provider Subjects (PS), Identifiee Subjects (IS) and Objects (O), related by Usage Control, Serial Usage Controls and Parallel Usage Controls]

DISCUSSION

THE OM-AM WAY

What?
  Objectives
  Model

How?
  Architecture
  Mechanism

Assurance

Good enough security

[Figure: 3×3 grid of RISK (L, M, H) against COST (L, M, H), cells numbered 1 to 5, with the entrepreneurial mindset and the academic mindset marked]