Upload File

1 an attribute based framework for risk-adaptive access control models ravi sandhu executive...

  • Home
  • Documents
  • 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 [email protected]
20
1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 [email protected] www.profsandhu.com www.ics.utsa.edu Joint work with Savith Kandala and Venkata Bhamidipati © Ravi Sandhu World-Leading Research with Real-World Impact! Institute for Cyber Security

Upload: thomas-ashby

Post on 27-Mar-2015

222 views

Category:

Documents


0 download

Report

Tags:

TRANSCRIPT

Page 1: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

1

An Attribute Based Framework forRisk-Adaptive Access Control Models

Ravi SandhuExecutive Director and Endowed Professor

August 2011

[email protected]

www.ics.utsa.edu

Joint work with Savith Kandala and Venkata Bhamidipati

© Ravi Sandhu World-Leading Research with Real-World Impact!

Institute for Cyber Security

Page 2: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

Access to resources are automatically (or semi-automatically) granted based on:Purpose for the access request,Security risk, andSituational Factors

Motivating Example: Displaying a classified document…

© Ravi Sandhu 2World-Leading Research with Real-World Impact!

RAdAC Concepts

Page 3: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

Benefits of Abstract Models

Core Characteristics of RAdAC

Components of RAdAC Model

Mapping RAdAC to UCON

Extending UCON Principles to RAdAC and Modified UCON Model

© Ravi Sandhu 3World-Leading Research with Real-World Impact!

Outline

Page 4: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

Proposed at the Policy Layer

Do not lay out enforcement and implementation details

Successful practice – DAC, MAC and RBAC

Provides a formal and structural foundation

© Ravi Sandhu 4World-Leading Research with Real-World Impact!

Benefits of Abstract Models

Page 5: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

Reference – Robert McGraw, NIST Privilege Management Workshop, 2009

Operational Need

Security Risk

Situational Factors

Heuristics

Adaptable Access Control Policies© Ravi Sandhu 5World-Leading Research with Real-World Impact!

Core Characteristics of RAdAC

Page 6: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

© Ravi Sandhu 6World-Leading Research with Real-World Impact!

RAdAC Model

Page 7: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

© Ravi Sandhu 7World-Leading Research with Real-World Impact!

Operational Need / Purpose

Page 8: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

Purpose (Operational Need)The reason for the user’s access request

Can manifest as:A user’s membership in a roleAn authority is attesting to a user’s need to access the object

Examples: Health Care – Emergency treatment Energy – Impending power

emergency Banking – Consent to access acct info.

© Ravi Sandhu 8World-Leading Research with Real-World Impact!

Operational Need / Purpose

Page 9: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

© Ravi Sandhu 9World-Leading Research with Real-World Impact!

Security Risk

Page 10: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

UsersDevicesObjectsOperationsConnectionsAttribute Providers and Level of Assurance

Security risk evaluation be based on risk associated with each of these components, as well as a composite risk.

© Ravi Sandhu 10World-Leading Research with Real-World Impact!

Security Risk

Page 11: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

© Ravi Sandhu 11World-Leading Research with Real-World Impact!

Situational Factors

Page 12: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

Environmental or system oriented decision factors

Global Situational Factors Example : National terrorist threat level, Enterprise under

cyber attack

Local Situational Factors Example: location, current local time for accessible time

period (e.g., business hours), current location for accessible location checking (e.g., area code, connection origination point)

© Ravi Sandhu 12World-Leading Research with Real-World Impact!

Situational Factors

Page 13: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

© Ravi Sandhu 13World-Leading Research with Real-World Impact!

Access History

Page 14: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

Access HistoryProvides two functions

updates the object access history repository with the attributes in the access request and the access control decision

provides input for future access decisions

Heuristics can be used to Fine-tune access control policies Improve future access decisions Inputs the access decisions

© Ravi Sandhu 14World-Leading Research with Real-World Impact!

Access History

Page 15: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

© Ravi Sandhu 15World-Leading Research with Real-World Impact!

Adaptable Access Control Policies

Page 16: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

Adaptable access control policies can be defined based on all the components

OverridesAutomaticSemi-AutomaticManual

© Ravi Sandhu 16World-Leading Research with Real-World Impact!

Adaptable Access Control Policies

Page 17: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

© Ravi Sandhu 17World-Leading Research with Real-World Impact!

UCON Model

Page 18: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

Key missing featuresSubject definitionAccess HistoryRisk Evaluation

Extending UCON Principles to RAdAC

© Ravi Sandhu 18World-Leading Research with Real-World Impact!

Mapping RAdAC to UCON

Page 19: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

© Ravi Sandhu 19World-Leading Research with Real-World Impact!

Modified UCON Model

Page 20: 1 An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 ravi.sandhu@utsa.edu

Purely focused on the abstract models

The modified UCON model with the decomposed subject definition and the added functions of access history and risk evaluation is most suitable for modeling and implementing the RAdAC concept.

Future Work: Enforcement and implementation

Defining architecture, protocols and mechanisms for the proposed RAdAC model

© Ravi Sandhu 20World-Leading Research with Real-World Impact!

Conclusion and Future Work


Solar System Finished Harjit Sandhu

© Ravi Sandhu HRU and TAM Ravi Sandhu Laboratory for Information Security Technology George Mason University [email protected]

Ruhani sandhu

1 Rethinking Password Strategies Ravi Sandhu Chief Scientist [email protected] 703 283 3484 [email protected]

1 New Trends and Challenges in Computer Network Security Ravi Sandhu Executive Director and Endowed Professor September 2010 [email protected], ,

1 The Future of Cyber Security Prof. Ravi Sandhu Executive Director February 2010 [email protected] © Ravi Sandhu

b Presentation Kamran Sandhu

S SANDHU ET EEEEEEEEEEEEEE

1 The Future of Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair [email protected] © Ravi Sandhu

Service Tax_Shivpreet Singh Sandhu

1 PANEL Solving the Access Control Puzzle: Finding the Pieces and Putting Them Together Ravi Sandhu Executive Director Endowed Professor June 2010 [email protected]

1 Challenges of Cyber Security Education at the Graduate Level Ravi Sandhu Executive Director and Endowed Professor Nov. 9, 2012 [email protected]

Dr. Sandhu Career Investigation

JASDEV SINGH SANDHU - Jssgoi · JASDEV SINGH SANDHU Foundation Jasdev Singh Sandhu Group of Institutes promoted and run under the JASDEV SINGH SANDHU FOUNDATION promoted/established

1 Privacy Preserving Data Publishing Prof. Ravi Sandhu Executive Director and Endowed Chair March 29, 2013 [email protected] © Ravi

1 Institute for Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair February 4, 2015 [email protected]

1 Cloud Computing Prof. Ravi Sandhu Executive Director and Endowed Chair April 12, 2013 [email protected] © Ravi Sandhu World-Leading

MEMORANDUM - utsa.edu

Portfolio: Amanjot Kaur Sandhu

1 The Data and Application Security and Privacy (DASPY) Challenge Prof. Ravi Sandhu Executive Director and Endowed Chair 11/11/11 [email protected]

Scada Hack sandhu

1 Laws of Cyber Security Ravi Sandhu Executive Director and Endowed Professor September 2010 [email protected], ,

Computer Programming (UTA003) (Jasonpreet Sandhu)

gagan sandhu

1 Towards a Discipline of Mission-Aware Cloud Computing (A Position Paper) Ravi Sandhu Executive Director and Endowed Professor October 2010 [email protected],

1 Privacy and Access Control: How are These Two Concepts Related? Prof. Ravi Sandhu Executive Director and Endowed Chair SACMAT Panel June 3, 2015 [email protected]

IS3513 Information Assurance and Security 5:30-6:45 PM Robert J. Kaufman Background Syllabus and Class Schedule Student Background Information Email [email protected]@utsa.edu

07 Raman Sandhu - Capital Buffers

Kim sandhu

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010 [email protected]

1 Cyber Security Research: A Personal Perspective Prof. Ravi Sandhu Executive Director and Endowed Chair January 18, 2013 [email protected]

1 Group-Centric Models for Secure and Agile Information Sharing Ravi Sandhu Executive Director and Endowed Professor April 2010 [email protected], ,

1 The Authorization Leap from Rights to Attributes: Maturation or Chaos? Prof. Ravi Sandhu Executive Director and Endowed Chair SACMAT June 21, 2012 [email protected]

E_12BSP0397_GAGANDEEP SANDHU VISUAL CV

1 Speculations on the Future of Cyber Security in 2025 Prof. Ravi Sandhu Executive Director January 2010 [email protected]