Cyber-Identity, Authority and Trust in an Uncertain World
Prof. Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
© 2004 Ravi Sandhu
Outline
• Perspective on security
• Role Based Access Control (RBAC)
• Objective-Model-Architecture-Mechanism (OM-AM) Framework
• Usage Control (UCON)
Security Conundrum
• Nobody knows WHAT security is
• Some of us do know HOW to implement pieces of it
• Result: hammers in search of nails
Security Confusion
• INTEGRITY: modification
• AVAILABILITY: access
• CONFIDENTIALITY: disclosure
• USAGE: purpose
  • electronic commerce, electronic business
  • DRM, client-side controls
Security Successes
• On-line banking
• On-line trading
• Automatic teller machines (ATMs)
• GSM phones
• Set-top boxes
• …
Success is largely unrecognized by the security community
Good enough security
(Figure: a triangle with vertices EASY, SECURE and COST, labelled "Security geeks", "Real-world users" and "System owner".)
• SECURE: whose security; perception or reality of security
• EASY: end users; operations staff; help desk
• COST: system solution; operational cost; opportunity cost; cost of fraud
Business models dominate security models
Good enough security
(Figure: 3×3 grid of RISK (H, M, L) against COST (L, M, H), cells numbered 1 to 5, with "Entrepreneurial mindset" and "Academic mindset" marked on it.)
RBAC96 model (currently foundation of a NIST/ANSI/ISO standard)
(Figure: USERS, ROLES and PERMISSIONS linked by USER-ROLE ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT; SESSIONS connect users to the roles they activate; ROLE HIERARCHIES and CONSTRAINTS overlay the model.)
Fundamental Theorem of RBAC
• RBAC can be configured to do MAC
  • MAC is Mandatory Access Control as defined in the Orange Book
• RBAC can be configured to do DAC
  • DAC is Discretionary Access Control as defined in the Orange Book
• RBAC is policy neutral
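As an added example (not the deck's own code), the following is a small RBAC96 engine with users, roles, permissions, sessions, a role hierarchy and a static separation-of-duty constraint, plus a configuration that makes it enforce a Bell-LaPadula style lattice, which is one concrete reading of the theorem's first clause. The names RBAC96, Session, configure_lattice and login, the three-level lattice and the way a user's assignments pin the session level (clearance read role plus the bottom write role, with the session forced to activate one matching read/write pair) are this example's assumptions, not a construction the deck spells out.

```python
"""RBAC96 core plus a lattice (MAC) configuration. Added example; names and
the lattice construction are this example's own, not the deck's.
"""
from dataclasses import dataclass, field


@dataclass
class RBAC96:
    roles: set = field(default_factory=set)
    ua: set = field(default_factory=set)   # user-role assignment: (user, role)
    pa: set = field(default_factory=set)   # permission-role assignment: (perm, role)
    rh: set = field(default_factory=set)   # role hierarchy: (senior, junior)
    ssd: set = field(default_factory=set)  # static SoD: frozensets of mutually exclusive roles

    def juniors(self, role):
        """Transitive closure of the hierarchy below `role`, including itself."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(j for s, j in self.rh if s == r)
        return seen

    def assigned_roles(self, user):
        return {r for u, r in self.ua if u == user}

    def authorized_roles(self, user):
        """Roles a user may activate: assigned roles and everything junior to them."""
        return set().union(*(self.juniors(r) for r in self.assigned_roles(user)))

    def assign_user(self, user, role):
        """Add (user, role) unless it completes a static separation-of-duty conflict."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role}")
        held = self.assigned_roles(user)
        for conflict in self.ssd:
            if role in conflict and (conflict - {role}) & held:
                raise ValueError(f"SSD violation: {user} cannot hold {role} with {sorted(held & conflict)}")
        self.ua.add((user, role))

    def permissions(self, roles):
        """Permissions of a role set, inherited down the hierarchy."""
        closed = set().union(*(self.juniors(r) for r in roles))
        return {p for p, r in self.pa if r in closed}


@dataclass
class Session:
    """A session activates a subset of the user's authorized roles."""
    rbac: RBAC96
    user: str
    active: set = field(default_factory=set)

    def activate(self, role):
        if role not in self.rbac.authorized_roles(self.user):
            raise PermissionError(f"{self.user} may not activate {role}")
        self.active.add(role)

    def check(self, perm):
        return perm in self.rbac.permissions(self.active)


def configure_lattice(levels, objects):
    """Configure RBAC96 so a session at level l reads objects at or below l and
    writes objects at or above l (liberal *-property). `levels` is a total
    order, lowest first (assumed for brevity); `objects` maps name -> level."""
    r = RBAC96()
    for i, lv in enumerate(levels):
        r.roles |= {f"{lv}R", f"{lv}W"}
        if i > 0:
            lower = levels[i - 1]
            r.rh.add((f"{lv}R", f"{lower}R"))   # higher read role inherits lower reads
            r.rh.add((f"{lower}W", f"{lv}W"))   # lower write role inherits higher writes
    for obj, lv in objects.items():
        r.pa.add(((obj, "read"), f"{lv}R"))
        r.pa.add(((obj, "write"), f"{lv}W"))
    return r


def login(rbac, user, clearance, level, bottom):
    """Open a session at `level` for a user cleared to `clearance`. The user is
    assigned the clearance's read role and the bottom write role (senior to all
    write roles); activating exactly one matching R/W pair is the constraint
    that pins the session level, and a level above clearance is refused."""
    rbac.assign_user(user, f"{clearance}R")
    rbac.assign_user(user, f"{bottom}W")
    s = Session(rbac, user)
    s.activate(f"{level}R")
    s.activate(f"{level}W")
    return s
```

The SSD check in assign_user is the one constraint the engine enforces generally; the read/write pairing in login is specific to the lattice configuration. Reads flow down the hierarchy and writes flow up, which is why a session at a middle level can read below and write above it but not the reverse.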
THE OM-AM WAY
(Figure: four layers, Objectives, Model, Architecture and Mechanism; Objectives and Model answer "What?", Architecture and Mechanism answer "How?", and Assurance spans all four.)
OM-AM AND MANDATORY ACCESS CONTROL (MAC)
• Objective (What?): No information leakage
• Model (What?): Lattices (Bell-LaPadula)
• Architecture (How?): Security kernel
• Mechanism (How?): Security labels
• Assurance spans all four layers
OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC)
• Objective (What?): Owner-based discretion
• Model (What?): numerous
• Architecture (How?): numerous
• Mechanism (How?): ACLs, Capabilities, etc.
• Assurance spans all four layers
OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)
• Objective (What?): neutral
• Model (What?): RBAC96, ARBAC97, etc.
• Architecture (How?): user-pull, server-pull, etc.
• Mechanism (How?): certificates, tickets, PACs, etc.
• Assurance spans all four layers
RBAC96 Model
(Figure: the RBAC96 model repeated: USERS, ROLES and PERMISSIONS linked by USER-ROLE ASSIGNMENT and PERMISSION-ROLE ASSIGNMENT, SESSIONS, ROLE HIERARCHIES and CONSTRAINTS.)
Server-Pull Architecture
(Figure: Client, Server and User-role Authorization Server; the server pulls the user's role information from the authorization server.)
User-Pull Architecture
(Figure: Client, Server and User-role Authorization Server; the client pulls the user's role information from the authorization server and presents it to the server.)
Proxy-Based Architecture
(Figure: Client, Proxy Server, Server and User-role Authorization Server; a proxy between client and server obtains the user's role information from the authorization server on the client's behalf.)
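As an added example (not the deck's own code), the two pull architectures side by side, with the trade-off a defender cares about: server-pull sees a role revocation immediately but costs a round trip per request, while user-pull avoids the round trip but must verify the presented ticket and live with revocation lag until the ticket expires. The HMAC-signed JSON ticket, the shared key, the tick-based clock and the names AuthorizationServer and ResourceServer are this example's assumptions; the deck lists certificates, tickets and PACs as possible mechanisms without fixing a format, and the scenario data is constructed.

```python
"""User-pull versus server-pull RBAC architectures. Added example; the
ticket format, key handling and class names are this example's own.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"  # constructed; real deployments use per-server keys or PKI


class AuthorizationServer:
    """Single source of authority for the user-role assignment."""

    def __init__(self, ua, key):
        self.ua = ua      # user -> set of roles
        self.key = key

    def roles_of(self, user):
        # Server-pull path: the resource server asks at access time.
        return sorted(self.ua.get(user, set()))

    def issue_ticket(self, user, now, ttl=300):
        # User-pull path: the client obtains a signed role ticket and carries it.
        payload = {"user": user, "roles": self.roles_of(user), "exp": now + ttl}
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return body, tag


class ResourceServer:
    def __init__(self, pa, key, auth_server):
        self.pa = pa      # permission -> set of roles that grant it
        self.key = key
        self.auth = auth_server

    def _granted(self, roles, perm):
        return bool(set(roles) & self.pa.get(perm, set()))

    def access_server_pull(self, user, perm):
        # Fresh roles on every request: revocation is immediate, at the cost
        # of a round trip to the authorization server each time.
        return self._granted(self.auth.roles_of(user), perm)

    def access_user_pull(self, ticket, perm, now):
        # No round trip, but the ticket must be verified, and roles revoked
        # after issue remain usable until the ticket expires.
        body, tag = ticket
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False          # altered or forged ticket
        payload = json.loads(body)
        if payload["exp"] <= now:
            return False          # expired ticket
        return self._granted(payload["roles"], perm)


def demo():
    """Constructed scenario; returns the outcome of each interesting case."""
    auth = AuthorizationServer({"alice": {"doctor"}, "mallory": {"nurse"}}, SHARED_KEY)
    server = ResourceServer({"read_chart": {"doctor", "nurse"}, "prescribe": {"doctor"}},
                            SHARED_KEY, auth)
    t0 = 1000
    alice_ticket = auth.issue_ticket("alice", now=t0)
    body, tag = auth.issue_ticket("mallory", now=t0)
    # A tampered copy of the nurse ticket claiming the doctor role: the tag no longer matches.
    tampered = (body.replace(b'"roles": ["nurse"]', b'"roles": ["doctor", "nurse"]'), tag)
    results = {
        "server_pull_alice": server.access_server_pull("alice", "prescribe"),
        "user_pull_alice": server.access_user_pull(alice_ticket, "prescribe", now=t0 + 10),
        "tampered_ticket": server.access_user_pull(tampered, "prescribe", now=t0 + 10),
        "expired_ticket": server.access_user_pull(alice_ticket, "prescribe", now=t0 + 1000),
    }
    auth.ua["alice"] = set()      # alice's doctor role is revoked at the source
    results["server_pull_after_revoke"] = server.access_server_pull("alice", "prescribe")
    results["user_pull_after_revoke"] = server.access_user_pull(alice_ticket, "prescribe", now=t0 + 20)
    return results
```

The last two entries of demo() are the point: the same revocation is visible at once through server-pull and invisible through user-pull until the ticket's expiry, so the ticket lifetime is the knob that trades latency against revocation lag.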
Usage Control (UCON) Coverage
Protection Objectives
• Sensitive information protection
• IPR protection
• Privacy protection
Protection Architectures
• Server-side reference monitor (SRM)
• Client-side reference monitor (CRM)
• SRM & CRM
(Figure: matrix of the three architectures against the three objectives (Sensitive Information Protection, Intellectual Property Rights Protection, Privacy Protection), with Traditional Access Control, Trust Management, DRM and Usage Control placed across its cells.)
Core UCON (Usage Control) Models
(Figure: Subjects (S) with Subject Attributes (ATT(S)) and Objects (O) with Object Attributes (ATT(O)) feed a Usage Decision over Rights (R); the decision is driven by Authorizations (A), Obligations (B) and Conditions (C).)
• Continuity: decision can be made during usage for continuous enforcement
• Mutability: attributes can be updated as side-effects of subjects' actions
(Table: Continuity of Decisions (pre, ongoing) against Mutability of Attributes (pre, ongoing and post updates, i.e. before, during and after usage); the pre-decision with ongoing-update combination is marked N/A.)
Examples
• Long-distance phone (pre-authorization with post-update)
• Pre-paid phone card (ongoing-authorization with ongoing-update)
• Pay-per-view (pre-authorization with pre-updates)
• Click Ad within every 30 minutes (ongoing-obligation with ongoing-updates)
• Business Hour (pre-/ongoing-condition)
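As an added example (not the deck's own code), a small usage engine that makes the two UCON properties concrete: continuity (the decision is re-evaluated on every tick while usage is in progress) and mutability (subject and object attributes change as side effects of use), run over the deck's examples. The Usage dataclass, the tick-based clock kept in `env`, the attribute names and all the numbers are this example's assumptions; attaching the business-hour condition to the long-distance call combines two of the deck's bullets and is this example's own choice.

```python
"""UCON-style usage engine with pre/ongoing decisions and pre/ongoing/post
updates. Added example; the engine design and scenarios are this example's own.
"""
from dataclasses import dataclass, field


@dataclass
class Usage:
    name: str
    pre: list = field(default_factory=list)          # A/B/C predicates checked once before usage
    ongoing: list = field(default_factory=list)      # A/B/C predicates re-checked every tick
    pre_update: list = field(default_factory=list)   # attribute updates applied before usage
    on_update: list = field(default_factory=list)    # updates applied on every tick of usage
    post_update: list = field(default_factory=list)  # updates applied once usage ends


def run(usage, s, o, env, ticks):
    """Drive one usage of object `o` by subject `s` for up to `ticks` ticks.
    `s` and `o` are attribute dicts (ATT(S), ATT(O)); `env` carries conditions
    such as the hour of day. Returns (granted, ticks_used, reason)."""
    env["tick"] = 0
    if not all(p(s, o, env) for p in usage.pre):
        return False, 0, "denied before usage"
    for upd in usage.pre_update:
        upd(s, o, env)
    reason = "completed"
    while env["tick"] < ticks:
        if not all(p(s, o, env) for p in usage.ongoing):
            reason = "revoked during usage"       # continuity of decision
            break
        for upd in usage.on_update:
            upd(s, o, env)                         # mutability of attributes
        env["tick"] += 1
    for upd in usage.post_update:
        upd(s, o, env)
    return True, env["tick"], reason


# Long-distance phone: pre-authorization (active subscriber) and a pre-condition
# (business hours) with post-update (the call is billed when it ends).
def _bill(s, o, env):
    s["bill"] += env["tick"] * o["rate_per_min"]

LONG_DISTANCE = Usage("long-distance call",
                      pre=[lambda s, o, env: s["active"],
                           lambda s, o, env: 9 <= env["hour"] < 17],
                      post_update=[_bill])

# Pre-paid phone card: ongoing-authorization (credit left) with ongoing-update
# (credit drained each minute); the call is cut off once credit reaches zero.
def _drain(s, o, env):
    s["credit"] -= o["rate_per_min"]

PREPAID = Usage("pre-paid call",
                ongoing=[lambda s, o, env: s["credit"] > 0],
                on_update=[_drain])

# Pay-per-view: pre-authorization (enough credit) with pre-update (charged up front).
def _charge(s, o, env):
    s["credit"] -= o["price"]

PAY_PER_VIEW = Usage("pay-per-view",
                     pre=[lambda s, o, env: s["credit"] >= o["price"]],
                     pre_update=[_charge])

# Click an ad within every 30 minutes: ongoing-obligation. `ad_clicks` holds the
# minutes at which the subject clicked; usage stops once 30 minutes pass without one.
AD_SUPPORTED = Usage("ad-supported stream",
                     ongoing=[lambda s, o, env: any(env["tick"] - 30 < c <= env["tick"]
                                                    for c in s["ad_clicks"])])


def demo():
    """Constructed runs of the four usages; returns each outcome and the
    attribute it mutated, so the side effects are visible."""
    out = {}
    s = {"active": True, "bill": 0}
    out["long_distance"] = run(LONG_DISTANCE, s, {"rate_per_min": 2}, {"hour": 10}, 4), s["bill"]
    out["after_hours"] = run(LONG_DISTANCE, {"active": True, "bill": 0}, {"rate_per_min": 2}, {"hour": 20}, 4)
    s = {"credit": 3}
    out["prepaid"] = run(PREPAID, s, {"rate_per_min": 1}, {}, 5), s["credit"]
    s = {"credit": 10}
    out["pay_per_view"] = run(PAY_PER_VIEW, s, {"price": 4}, {}, 2), s["credit"]
    out["ad"] = run(AD_SUPPORTED, {"ad_clicks": {0, 25}}, {}, {}, 60)
    return out
```

The pre-paid and ad-supported runs are the ones a traditional pre-decision model cannot express: both are granted at the start and then revoked mid-usage, the first because an ongoing update drove the credit attribute to zero, the second because an obligation stopped being met.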
Good enough security
(Figure: 3×3 grid of RISK (H, M, L) against COST (L, M, H), cells numbered 1 to 5, with the two mindsets below marked on it.)
• Entrepreneurial mindset: 80% problem; soft, informal; ordinary consumers
• Academic mindset: 120% problem; hard, informal; techno-geeks