
Page 1: Access Control and Semantic Web Technologies

Ravi Sandhu
Executive Director and Endowed Chair
Institute for Cyber Security, University of Texas at San Antonio

April 2008

Page 2: Theme

Access control has always had to adjust as new information technologies came into play:
• Operating systems
• Relational DBMSs
• Object oriented systems
• XML: XACML, XRML

Therefore, semantic web technologies will also require a change in access control.

But in the meantime access control itself has evolved:
• DAC and MAC
• RBAC
• Trust management, obligations, attribute-based access control
• Policy languages
• Usage control

So semantic web technologies may also need to change to accommodate some of these developments.

Page 3: Theme

Security itself has fundamentally changed:
• Enterprise security → Multi-party security
• Black-and-white security → Gray security
• Limited points of access → Access anytime, anywhere
• Engage with one service at a time → Engage with multiple services concurrently

Page 4: Models versus Policy Languages

Access control models
• Built on abstractions
• Incomplete
• Testable for conformance
• Guidance for security architects
• DAC, MAC, RBAC, UCON

Policy languages
• Specify what authorizations apply under various circumstances
• Industry standard: XACML
• Academic, implementation oriented: Ponder
• Several theoretical languages
• Semantic web: KAoS, Rei, Rein

Need synergy between these two streams of research:
• Models provide a framework but are necessarily incomplete
• Languages by themselves provide no guidance or framework

Page 5: Partners in Crime

Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), 2008, to appear.

Page 6: NIST RBAC Standard Model

Page 7: NIST RBAC Standard Model

Page 8: NIST RBAC Standard RBAC

Page 9: US Persons Role Hierarchy

Page 10: ROWLBAC: 2 Approaches

Page 11: Common Elements

Page 12: Roles as Classes: Role Hierarchies

Page 13: Roles as Classes: SSD, DSD

Page 14: Roles as Classes: Role-Permission

Page 15: Roles as Classes: Enforcing DSD

Page 16: Roles as Values

Page 17: Roles as Values: Hierarchical Roles

Page 18: Roles as Values: SSD, DSD

Page 19: Roles as Values: Role Permissions

Page 20: Roles as Values: Enforcing RBAC

Page 21: ROWLBAC: 2 Approaches

Page 22: The UCON Model

[Figure: the UCON model. Subjects (S) with Subject Attributes (SA) and Objects (O) with Object Attributes (OA); Rights (R) governed by Authorizations (A), Obligations (B) and Conditions (C). Usage decisions: before-usage, ongoing-usage, after-usage. Continuity of decisions: pre-decision, ongoing-decision. Mutability of attributes: pre-update, ongoing-update, post-update.]

• Unified model integrating
  • authorization
  • obligation
  • conditions
• and incorporating
  • continuity of decisions
  • mutability of attributes
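As an added example (not from the slides), a small Python sketch of a UCON-style usage session: a before-usage decision that checks an authorization, an obligation and a condition and then pre-updates a subject attribute, followed by ongoing decisions that re-evaluate the policy and update attributes while the usage runs, revoking it once the policy no longer holds. The attribute names, the credit and tick policy and the scenario are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    name: str
    attrs: dict = field(default_factory=dict)  # mutable subject/object attributes (SA / OA)

class UsageSession:
    """One exercise of a right by a subject on an object (constructed UCON-style policy)."""
    MAX_TICKS = 3  # assumed policy: usage is revoked after three ongoing checks

    def __init__(self, subject: Entity, obj: Entity, right: str):
        self.s, self.o, self.right, self.state = subject, obj, right, "requested"

    def pre_decision(self, obligation_done: bool, conditions: dict) -> bool:
        """Before-usage decision: authorization (A), obligation (B), condition (C), then pre-update."""
        authorized = (self.s.attrs["clearance"] >= self.o.attrs["sensitivity"]
                      and self.s.attrs["credits"] > 0)
        if not (authorized and obligation_done and conditions.get("business_hours", False)):
            self.state = "denied"
            return False
        self.s.attrs["credits"] -= 1  # pre-update: one usage credit is consumed
        self.state = "ongoing"
        return True

    def ongoing_decision(self, conditions: dict) -> bool:
        """Ongoing-usage decision: re-check A and C on every tick; ongoing-update mutates attributes."""
        if self.state != "ongoing":
            return False
        self.s.attrs["ticks"] = self.s.attrs.get("ticks", 0) + 1  # ongoing-update while usage runs
        still_ok = (conditions.get("business_hours", False)
                    and self.s.attrs["clearance"] >= self.o.attrs["sensitivity"]
                    and self.s.attrs["ticks"] <= self.MAX_TICKS)
        if not still_ok:
            self.state = "revoked"
            self.post_update()
        return still_ok

    def post_update(self) -> None:
        """After-usage: record the finished (or revoked) usage on the object."""
        self.o.attrs["usage_count"] = self.o.attrs.get("usage_count", 0) + 1

def demo() -> tuple:
    # Constructed scenario: usage is permitted, then revoked when a condition stops holding.
    alice = Entity("alice", {"clearance": 2, "credits": 1})
    report = Entity("report", {"sensitivity": 1})
    sess = UsageSession(alice, report, "read")
    sess.pre_decision(obligation_done=True, conditions={"business_hours": True})
    sess.ongoing_decision({"business_hours": True})
    sess.ongoing_decision({"business_hours": False})  # condition fails mid-usage -> revoke
    return sess.state, alice.attrs["credits"], report.attrs["usage_count"]
```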

Page 23: UCON Extensions

• UCON future obligations
• UCON system obligations

Page 24: Unifying Policy Framework

Page 25: Unifying Policy Framework