Access Control Models: Controlling Resource Authorization
Post on 22-Jan-2018
Mark Niebergall
@mbniebergall
About Mark Niebergall
▪ PHP since 2005
▪ MS degree in MIS
▪ Senior Software Engineer
▪ UPHPU President
▪ SSCP, CSSLP Certified and SME
▪ Drones, fishing, skiing, father, husband
Overview
▪ Access request flow
▪ Define applicable terminology
▪ Cover primary Access Control Models
▪ Discuss pros and cons of each model
Access Request Flow
▪ Authenticate Subject
▪ Request Resource Access
▪ Authorize Request
Authentication
▪ Factors: something you know, something you own, something you are
▪ You are who you say you are
▪ Verify identity
Subject
▪ Also known as requestor
▪ Human or non-person entity (NPE)
▪ Making request to access resource
Resource
▪ Also known as object
▪ Protected from unauthorized use
▪ Something the system has or does: data, functionality, hardware
Authorization
▪ Allow an authenticated subject access to a resource
▪ Allow or deny a subject's action on an object (CRUD)
Definitions recap: Authentication, Authorization, Subject, Resource, Access Control Model
Questions?
Access Control Model
▪ Dictates who gets to do what
▪ Framework for making authorization decisions
▪ Deciding subject access to resources
▪ #4 on 2017 OWASP Top 10: Broken Access Control
Primary Access Control Models
▪ DAC: Discretionary
▪ MAC: Mandatory
▪ RBAC: Role Based
▪ ABAC: Attribute Based
1. Discretionary (DAC)
Everyday examples: house keys, files on a system, clans in gaming
DAC (diagram: Subject -> Resource)
▪ Object owner grants permission based on subject identity
▪ Access Control List (ACL)
▪ Deny by default
DAC example ACL
Subject | Resource | Authorization
Alice   | Report   | Allow
Alice   | Finance  | Deny
Alice   | Customer | Allow
Bob     | Report   | Allow
Bob     | Finance  | Deny
Bob     | Customer | Deny
DAC lookup in SQL (deny by default: no row returned means deny)
SELECT is_allow
FROM acl
WHERE subject = 'Alice'
AND resource = 'Customer'
LIMIT 1;
DAC in PHP (illustrative API used in the talk)
$acl = new Acl;
$alice = new User('Alice');
$bob = new User('Bob');
$customer = new Resource('Customer');
$acl->allow($alice, $customer);
$acl->deny($bob, $customer);
$acl->isAllowed($alice, $customer); // true: explicit allow entry
$acl->isAllowed($bob, $customer);   // false: explicit deny entry
DAC summary
▪ Simple implementation
▪ High operational overhead
▪ Access at discretion of resource owner
Questions?
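A runnable DAC implementation, added here as an example; it is not code from the talk, whose Acl, User and Resource classes are illustrative PHP. Python is used instead, and the class names, the owner field on Resource, and the constructed owner "Carol" are assumptions. It shows the two properties the slides name: only the resource owner may change the ACL, and a missing entry is a deny. The second half mirrors the slide's SELECT against an in-memory SQLite table built from the slide's ACL rows, with the lookup parameterised rather than string-built.

```python
"""Discretionary access control (DAC) with a deny-by-default ACL.

Added example, not from the talk. Names such as Acl, Resource and
acl_lookup are assumed; the ACL rows are constructed from the slide table.
"""
import sqlite3
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str  # DAC: the object's owner decides who may access it


class Acl:
    """Access control list keyed on (subject, resource name)."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], bool] = {}

    def set_permission(self, grantor: str, subject: str,
                       resource: Resource, allow: bool) -> None:
        # Discretionary: only the resource owner may grant or deny access.
        if grantor != resource.owner:
            raise PermissionError(
                f"{grantor} is not the owner of {resource.name}")
        self._entries[(subject, resource.name)] = allow

    def allow(self, grantor: str, subject: str, resource: Resource) -> None:
        self.set_permission(grantor, subject, resource, True)

    def deny(self, grantor: str, subject: str, resource: Resource) -> None:
        self.set_permission(grantor, subject, resource, False)

    def is_allowed(self, subject: str, resource: Resource) -> bool:
        # Deny by default: a subject with no ACL entry gets False.
        return self._entries.get((subject, resource.name), False)


# The same lookup expressed as the slide's SQL query.
# Constructed rows, copied from the slide's ACL table (1 = Allow, 0 = Deny).
ACL_ROWS = [
    ("Alice", "Report", 1), ("Alice", "Finance", 0), ("Alice", "Customer", 1),
    ("Bob", "Report", 1), ("Bob", "Finance", 0), ("Bob", "Customer", 0),
]


def build_acl_db() -> sqlite3.Connection:
    """In-memory SQLite table matching the slide's acl schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE acl (subject TEXT, resource TEXT, is_allow INTEGER)")
    conn.executemany("INSERT INTO acl VALUES (?, ?, ?)", ACL_ROWS)
    return conn


def acl_lookup(conn: sqlite3.Connection, subject: str, resource: str) -> bool:
    """The slide's SELECT with bound parameters; no row is treated as deny."""
    row = conn.execute(
        "SELECT is_allow FROM acl WHERE subject = ? AND resource = ? LIMIT 1",
        (subject, resource),
    ).fetchone()
    return bool(row[0]) if row is not None else False


if __name__ == "__main__":
    customer = Resource("Customer", owner="Carol")  # Carol: constructed owner
    acl = Acl()
    acl.allow("Carol", "Alice", customer)
    acl.deny("Carol", "Bob", customer)
    print("Alice:", acl.is_allowed("Alice", customer))   # True
    print("Bob:", acl.is_allowed("Bob", customer))       # False
    print("Dave:", acl.is_allowed("Dave", customer))     # False (no entry)
    conn = build_acl_db()
    print("SQL Alice/Customer:", acl_lookup(conn, "Alice", "Customer"))  # True
    print("SQL Eve/Finance:", acl_lookup(conn, "Eve", "Finance"))        # False
```

The owner check in set_permission is what makes the model discretionary; the "high operational overhead" from the summary slide follows directly, since every owner maintains their own entries and nothing prevents an owner from over-granting.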
2. Mandatory (MAC)
Everyday examples: classified documents, military intelligence, blog, leveled-up character in a game, search engine rules
MAC (diagram: Subject -> Classification -> Resource; levels Top Secret, Secret, Confidential)
▪ Object sensitivity
▪ Subject security level or clearance
▪ Write up, read down
▪ Owner sets object label
▪ System sets subject security level
Read access by subject security level (rows) against object label (columns)
Subject Security Level | Top Secret | Secret | Confidential
Top Secret             | Allow      | Allow  | Allow
Secret                 | Deny       | Allow  | Allow
Confidential           | Deny       | Deny   | Allow

Subject | Security Level
Alice   | Top Secret
Bob     | Secret
Clara   | Confidential

Object   | Label
Report   | Top Secret
Finance  | Secret
Customer | Confidential

MAC level numbering
Level | Name
1     | Top Secret
2     | Secret

Subject (security level) against object (label), read access
Subject              | Report (Top Secret) | Finance (Secret) | Customer (Confidential)
Alice (Top Secret)   | Allow               | Allow            | Allow
Bob (Secret)         | Deny                | Allow            | Allow
Clara (Confidential) | Deny                | Deny             | Allow
MAC lookup in SQL (a row is returned only when Alice's clearance dominates the Report label; level 1 = Top Secret, so a lower number is more sensitive)
SELECT s.security_level
FROM subject s
JOIN security_level sl_s
ON sl_s.name = s.security_level
JOIN resource r
ON r.name = 'Report'
JOIN security_level sl_r
ON sl_r.name = r.label
AND sl_r.level >= sl_s.level
WHERE s.name = 'Alice'
LIMIT 1;
MAC in PHP (illustrative API used in the talk)
$accessControl = new Mac;
$topSecret = new Level('Top Secret');
$secret = new Level('Secret');
$alice = new User('Alice');
$bob = new User('Bob');
$finances = new Resource('Finances');
$accessControl->addLevel($topSecret, 1)
->addLevel($secret, 2);
$accessControl->addUser($alice, $topSecret)
->addUser($bob, $secret);
$accessControl->addResource($finances, $secret);
$accessControl->isAllowed($alice, $finances); // true: Top Secret clearance reads down to a Secret object
MAC summary
▪ Multilevel security
▪ System and owner determine access
▪ No flexibility
▪ Moderate overhead
Questions?
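A runnable MAC implementation, added here as an example and not code from the talk (the talk's Mac, Level and User classes are illustrative PHP). The class and method names are assumptions; the levels, subjects and objects are the ones on the slides, with Confidential given rank 3 to extend the slide's 1 = Top Secret, 2 = Secret numbering. Besides the read-down check the slides tabulate, it also implements the write-up rule the slides state, and it regenerates the slide's subject-by-object matrix so the two can be compared.

```python
"""Mandatory access control (MAC) with the talk's three levels.

Added example, not from the talk. Class and method names are assumed;
subjects, objects and levels come from the slide tables. Level numbers
follow the slide (1 = Top Secret is the most sensitive), so a *lower*
number dominates a higher one.
"""
from typing import Dict

# Level -> rank, as on the slide (1 = Top Secret, 2 = Secret); Confidential
# is given rank 3 here (assumed, the slide only numbers the first two).
LEVELS: Dict[str, int] = {"Top Secret": 1, "Secret": 2, "Confidential": 3}


class Mac:
    def __init__(self, levels: Dict[str, int]) -> None:
        self.levels = levels
        self.clearance: Dict[str, str] = {}  # subject -> level, set by the system
        self.label: Dict[str, str] = {}      # object -> label, set by the owner

    def _check(self, level: str) -> str:
        if level not in self.levels:
            raise ValueError(f"unknown level {level!r}")
        return level

    def add_user(self, name: str, level: str) -> "Mac":
        self.clearance[name] = self._check(level)
        return self

    def add_resource(self, name: str, level: str) -> "Mac":
        self.label[name] = self._check(level)
        return self

    def dominates(self, subject: str, obj: str) -> bool:
        """True when the subject's clearance is at or above the object's label."""
        return self.levels[self.clearance[subject]] <= self.levels[self.label[obj]]

    def can_read(self, subject: str, obj: str) -> bool:
        # Read down: reading needs clearance at or above the label (no read up).
        return self.dominates(subject, obj)

    def can_write(self, subject: str, obj: str) -> bool:
        # Write up: writing needs the label at or above the clearance (no write
        # down), so a highly cleared subject cannot copy data into a less
        # sensitive object.
        return self.levels[self.label[obj]] <= self.levels[self.clearance[subject]]

    def read_matrix(self) -> Dict[str, Dict[str, str]]:
        """Subject x object read decisions, in the shape of the slide's table."""
        return {s: {o: "Allow" if self.can_read(s, o) else "Deny"
                    for o in self.label}
                for s in self.clearance}


def talk_example() -> Mac:
    """The subjects and objects from the slide tables."""
    mac = Mac(LEVELS)
    mac.add_user("Alice", "Top Secret").add_user("Bob", "Secret") \
       .add_user("Clara", "Confidential")
    mac.add_resource("Report", "Top Secret").add_resource("Finance", "Secret") \
       .add_resource("Customer", "Confidential")
    return mac


if __name__ == "__main__":
    mac = talk_example()
    for subject, row in mac.read_matrix().items():
        print(subject, row)
    print("Clara writes Report:", mac.can_write("Clara", "Report"))   # True
    print("Alice writes Customer:", mac.can_write("Alice", "Customer"))  # False
```

The "no flexibility" point on the summary slide is visible in the code: there is no per-object grant, only the comparison of two system-assigned ranks, so an owner cannot make an exception for a single subject.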
3. Role Based (RBAC)
Everyday examples: Amazon Prime, user roles on a computer, medical care staff, LARPing, multiplayer games
RBAC (diagram: Subject -> Role A, B, C, D -> Resource)
▪ Subject assigned to role
▪ Role granted access to resource
RBAC example assignments
Subject | Role
Alice   | Accounting
Alice   | Orders
Bob     | Payroll
Clara   | Orders
Clara   | Reporting

Role       | Resource
Accounting | Finance
Accounting | Reports
Orders     | Inventory
Orders     | Shipments
Payroll    | Finance
RBAC lookup in SQL (a row is returned only when one of Alice's roles has been granted the resource)
SELECT sr.subject, rr.resource
FROM subject_role sr
JOIN role_resource rr
ON rr.role = sr.role
WHERE sr.subject = 'Alice'
AND rr.resource = 'Report'
LIMIT 1;
RBAC in PHP (illustrative API used in the talk)
$accessControl = new Rbac;
$accounting = new Role('Accounting');
$ordering = new Role('Ordering');
$alice = new User('Alice');
$bob = new User('Bob');
$inventory = new Resource('Inventory');
$accessControl->addRole($accounting)
->addRole($ordering);
$accessControl->addUser($alice)
->addUser($bob);
$accessControl->addResource($inventory);
$accessControl->addUserToRole($alice, $accounting);
$accessControl->addResourceToRole($inventory, $ordering);
$accessControl->isAllowed($alice, $inventory); // false: Alice is in Accounting, not Ordering
$accessControl->isAllowed($bob, $inventory);   // false: Bob has no role
RBAC drawbacks
▪ Role explosion
▪ Toxic combinations
RBAC strengths
▪ Very common
▪ Lower overhead
▪ More scalable
Questions?
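A runnable RBAC implementation, added here as an example and not code from the talk (the talk's Rbac, Role and User classes are illustrative PHP). Class and method names are assumptions; the subject/role and role/resource rows are the ones on the slide tables. It goes one step beyond the slides on the "toxic combinations" drawback: a constructed separation-of-duties rule declares Accounting and Payroll mutually exclusive, and the assignment call refuses any user who would end up holding both.

```python
"""Role based access control (RBAC) with a check for toxic role combinations.

Added example, not from the talk. Class and method names are assumed; the
subject/role and role/resource rows come from the slide tables. The
exclusive pair Accounting + Payroll is a constructed separation-of-duties
rule, not something the slides state.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class Rbac:
    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)
        self.role_resources: Dict[str, Set[str]] = defaultdict(set)
        # Role pairs that no single user may hold together (toxic combinations).
        self.exclusive: List[Tuple[str, str]] = []

    def declare_exclusive(self, role_a: str, role_b: str) -> "Rbac":
        self.exclusive.append((role_a, role_b))
        return self

    def add_user_to_role(self, user: str, role: str) -> "Rbac":
        # Refuse a toxic combination at assignment time, before it grants anything.
        held = self.user_roles[user] | {role}
        for a, b in self.exclusive:
            if a in held and b in held:
                raise ValueError(f"{user}: roles {a} and {b} are mutually exclusive")
        self.user_roles[user].add(role)
        return self

    def add_resource_to_role(self, resource: str, role: str) -> "Rbac":
        self.role_resources[role].add(resource)
        return self

    def is_allowed(self, user: str, resource: str) -> bool:
        # The slide's SQL join: allowed if any of the user's roles grants the resource.
        return any(resource in self.role_resources[r]
                   for r in self.user_roles.get(user, set()))

    def resources_for(self, user: str) -> Set[str]:
        """Every resource reachable through the user's roles."""
        return set().union(*(self.role_resources[r]
                             for r in self.user_roles.get(user, set())))


def talk_example() -> Rbac:
    """The assignments from the slide tables plus the constructed exclusive pair."""
    rbac = Rbac().declare_exclusive("Accounting", "Payroll")
    for user, role in [("Alice", "Accounting"), ("Alice", "Orders"),
                       ("Bob", "Payroll"), ("Clara", "Orders"),
                       ("Clara", "Reporting")]:
        rbac.add_user_to_role(user, role)
    for role, resource in [("Accounting", "Finance"), ("Accounting", "Reports"),
                           ("Orders", "Inventory"), ("Orders", "Shipments"),
                           ("Payroll", "Finance")]:
        rbac.add_resource_to_role(resource, role)
    return rbac


if __name__ == "__main__":
    rbac = talk_example()
    for user in ("Alice", "Bob", "Clara"):
        print(user, sorted(rbac.resources_for(user)))
    try:
        rbac.add_user_to_role("Bob", "Accounting")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that Finance is reachable through two different roles (Accounting and Payroll); that is exactly the situation in which an unchecked extra role assignment creates a toxic combination, and why the check belongs on assignment rather than on the access check.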
4. Attribute Based (ABAC)
Everyday examples: electronic key card system, credit card with monitoring, airport security check, gaming activities
ABAC
▪ Conditional authorization based on attributes
▪ Policy driven
▪ Policy evaluates Subject, Action, Resource and Environment
ABAC example policy
Subject    | Action | Environment           | Resource | Access
Manager    | Create | Region A              | Customer | Allow
Manager    | Update | Region B              | Customer | Deny
Data Entry | Create | Region A, Any Hour    | Customer | Allow
Data Entry | Create | Region B, Day Shift   | Customer | Allow
Data Entry | Create | Region B, After hours | Customer | Deny
ABAC attribute categories
Subject attributes
▪ Who
▪ Where
▪ Roles
▪ Affiliation
▪ Clearance
Action attributes
▪ Create, POST
▪ Read, GET
▪ Update, PUT
▪ Delete, DELETE
▪ Execute
Resource attributes
▪ Type
▪ Owner
▪ Classification
Environment attributes
▪ Time
▪ Network
▪ Operating system
▪ Encryption method
ABAC architecture
▪ Policy Enforcement Point (PEP)
▪ Policy Decision Point (PDP)
▪ PEP sends authorization request to PDP
ABAC outlook
▪ Gartner predicts 70% of all businesses will use ABAC by 2020
▪ Keep eyes on ABAC
▪ The attempt to standardize ABAC policies in an XML format, eXtensible Access Control Markup Language (XACML), is mostly dead
▪ Refined access
▪ Meets demand for more advanced access control
▪ API access control
▪ Typically start with an RBAC implementation and then build onto it with policies
▪ Custom implementation, so no example
Questions?
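The slides give no ABAC code because implementations are custom; the following is an added example of one such custom design, not code from the talk. It builds a small Policy Decision Point that evaluates the slide's policy table over subject, action, resource and environment attributes, and a Policy Enforcement Point that asks the PDP before performing an operation. The Request, Policy and Pdp names, the first-match-wins evaluation order, and the day-shift hours (08:00 to 17:59) are all assumptions.

```python
"""Attribute based access control (ABAC): a small PDP and PEP.

Added example, not from the talk (which gives no ABAC code). The request
and policy shapes, the Pdp class and the day-shift hours are assumed; the
rules encode the slide's policy table. Unmatched requests are denied.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

DAY_SHIFT = range(8, 18)  # assumed: 08:00 to 17:59 counts as the day shift


@dataclass(frozen=True)
class Request:
    subject: Dict[str, str]         # subject attributes, e.g. {"role": "Manager"}
    action: str                     # action attribute: Create, Read, Update, Delete
    resource: Dict[str, str]        # resource attributes, e.g. {"type": "Customer"}
    environment: Dict[str, object]  # environment attributes, e.g. region and hour


@dataclass
class Policy:
    name: str
    matches: Callable[[Request], bool]
    effect: str  # "Allow" or "Deny"


class Pdp:
    """Policy Decision Point: first matching policy wins, default deny."""

    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies

    def decide(self, req: Request) -> str:
        for policy in self.policies:
            if policy.matches(req):
                return policy.effect
        return "Deny"  # no policy spoke for the request


def _rule(role: str, action: str, region: str, rtype: str = "Customer"):
    """Build a matcher for one row of the slide's policy table."""
    def matches(r: Request) -> bool:
        return (r.subject.get("role") == role
                and r.action == action
                and r.resource.get("type") == rtype
                and r.environment.get("region") == region)
    return matches


def _in_day_shift(r: Request) -> bool:
    return r.environment.get("hour") in DAY_SHIFT


# The slide's policy table, one Policy per row.
POLICIES = [
    Policy("manager-create-A", _rule("Manager", "Create", "A"), "Allow"),
    Policy("manager-update-B", _rule("Manager", "Update", "B"), "Deny"),
    Policy("entry-create-A-any-hour", _rule("Data Entry", "Create", "A"), "Allow"),
    Policy("entry-create-B-day-shift",
           lambda r: _rule("Data Entry", "Create", "B")(r) and _in_day_shift(r),
           "Allow"),
    Policy("entry-create-B-after-hours",
           lambda r: _rule("Data Entry", "Create", "B")(r) and not _in_day_shift(r),
           "Deny"),
]


def pep_create_customer(pdp: Pdp, role: str, region: str, hour: int) -> str:
    """Policy Enforcement Point guarding a 'create customer' operation.

    It assembles the attributes into a request, sends it to the PDP and
    proceeds only on an explicit Allow.
    """
    req = Request({"role": role}, "Create", {"type": "Customer"},
                  {"region": region, "hour": hour})
    if pdp.decide(req) != "Allow":
        raise PermissionError(
            f"{role} may not create Customer in region {region} at {hour:02d}:00")
    return "customer created"


if __name__ == "__main__":
    pdp = Pdp(POLICIES)
    print(pep_create_customer(pdp, "Manager", "A", 9))        # customer created
    print(pep_create_customer(pdp, "Data Entry", "B", 10))    # customer created
    try:
        pep_create_customer(pdp, "Data Entry", "B", 22)
    except PermissionError as exc:
        print("denied:", exc)
```

Keeping the PEP free of any policy logic is the point of the PEP/PDP split on the slides: the operation only learns Allow or Deny, so policies can change without touching the code paths they protect. The default Deny at the end of decide is what makes the table safe to extend, since a new action or region nobody has written a rule for is refused rather than silently permitted.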
Implementation Considerations
Model | Development | Operational
DAC
MAC
RBAC
ABAC

Model | Scalability | Granularity | Sensitivity
DAC
MAC
RBAC
ABAC

▪ Use cases for application
▪ Sensitivity of resources
▪ Scalability of model
▪ Granularity requirements
▪ Existing frameworks and projects
▪ APIs, external interfaces
Questions?
Review
▪ DAC: simple, high overhead, ACL
▪ MAC: user and resource classification
▪ RBAC: most common, role driven, smaller overhead
▪ ABAC: most advanced, policy driven
▪ Operational overhead vs authorization needs
▪ Consider current implementation
▪ Consider future implementation
Credits
▪ NIST publication on ABAC
http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
▪ ABAC for ZF2
https://github.com/Eye4web/Eye4webZf2Abac/blob/master/docs/README.md
▪ Presentation template by SlidesCarnival
▪ Axiomatics webinar, May 2014
http://www.slideshare.net/Axiomatics/attribute-based-access-control-for-data-protection-webinar-may-8
▪ OWASP
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Thanks! Questions?
Mark Niebergall
@mbniebergall