![Page 1: Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais](https://reader030.vdocuments.us/reader030/viewer/2022032703/56649d165503460f949ebf87/html5/thumbnails/1.jpg)
Process Model for Access Control
Wael Hassan, University of Ottawa
Luigi Logrippo, Université du Québec en Outaouais
2
Goal
Create a privacy model that reduces attacks by following privacy specifications while detecting conflicts between policies
Why?
3
Security and Privacy Breaches
• 60% of security attacks are internal
• Attacks come from legitimate users
Reason: users bypass the process
4
Plan
• Basics
• Existing Models
• Privacy
  – Issues and requirements
  – Concept of process based privacy
• Evaluation
  – Support of existing concepts
  – Advantages over existing models
• Verification
• Conclusion
5
Back to Basics
What is the structure of a secure access control instruction?

| | Single | Group |
|---|---|---|
| Subject | wael | Students |
| Verb | can access | can access |
| Object | computer | their office |
6
Security
• Basic: Identity → Access Right
  – An identity justifies an access right
  – Example: given I am wael, I can access my lab
• Extended: Identity1, Identity2 → Forwarding Right (object)
  – A right is owned and can be forwarded (delegated)
  – Example: given I am an assistant in the admissions department,
    » I own the right to access personal student files,
    » I can allow Jasmine access to my file
• Combined: Identity1, Identity2 → Concurrent Access (object)
  – Two subjects may be allowed to have concurrent access to an object
7
Privacy
• Basic: Purpose → Access Right (Identity)
  – A purpose justifies an access right
  – Example: to update a student profile, Jo-Anne needs access to accepted student application data
• Extended: Step → Forwarding Right (Identity1, Identity2)
  – A step owned by a person in a process implies a right, and that right may be forwarded (delegated) iff the recipient has access to the process/step.
  – Example: given that Jo-Anne participates in the admissions procedure,
    » she is assigned access to the activity "open personal student file",
    » she can allow Jasmine (another officer) access to the same file as long as she has the authority and is assigned to the process
• Combined: Process1, Process2 → Concurrent Access (object)
  – Two subjects participating in two processes may or may not have concurrent access to certain objects.
8
Existing Models
There are three existing security models that we inherit from
9
Bell-LaPadula
Intended for military applications; flow based.
1. Security clearances
2. Security requirements
A can access y iff clearance of A > requirement of y
A can forward access to y for B iff clearance of B > requirement of y
[Figure: subject A and object X ordered by level]
10
Chinese Wall
Originally intended for banking applications
• Creates separation-of-concerns groups
• Group A and Group B cannot share access to an object
[Figure: groups A and B over the object set {x, y, z}]
11
RBAC
Role Based Access Control
• Principle
  – Group people in order to reduce management overhead
• Application: corporate
  – Uses the corporate hierarchy to suggest groups
• Example: Director, Executive Assistant
  – All Directors have access to client accounts
12
Issues with current systems
When applied to privacy
• They only answer: does a person A have access to object X?
• They don't capture the context and purpose of an operation
• They grant access once and for all time, irrespective of the job function
Therefore, they do not satisfy the privacy principles of collection, retention and distribution.
13
What is needed
• Privacy requires the ability to say
  – Does a person A have access to resource X for purpose P?
  – Is a person A trying to gain access to a resource X as part of a process?
  – Is a person A trying to gain access in the proper sequence of operations?
14
Process Based Governance
Governance of organizations by specifying control of access (to information) by applying policies to processes.
15
Process Based Control
• A business process is a unit that can be composed of steps and/or processes.
• Steps in a process are sequenced.
[Figure: a process composed of sequenced steps]
16
In a business process environment it should be
• Easy to tie purposes to actions
• Possible to apply invariants to a complete structure
• Easy to trace policy modifications
[Figure: business process "Loan Processing" with steps Receive Loan, Verify Credit, Reject Loan; sub-process "Verify Credit" with steps Receive Card Application, Call Credit Check, Process Answer, Provide Feedback, Create Card, Mail Response]
17
Process Approach Supports
• Flow of information (Bell Lapadula)
• Separation of concerns (Chinese Wall)
18
Information flow
• A part of standard procedures is delegating work to others.
  – Example: delegate the meeting announcement to the secretary
• Using the process model
  – Action "delegate meeting" is allowed in a process
  – Action "meeting cancellation" cannot be delegated
19
Separation of Concerns
• In the banking industry, different groups may not share access to particular resources.
• Using the process model we can set rules to separate groups
  – Example: no data is shared between admission and scholarship
20
Advantages
• Captures context
• Simplifies management (privacy)
21
Captures Context
• As part of a credit application process (x, y, z, t), an employee A receives access to credit information in step z.
  – A can download all credit information of all customers on file
• When using a process model,
  – access is granted or revoked based on the sequence of operations;
  – therefore, under the process model, employee A will only have access if steps x and y have been performed;
  – access will be revoked after operation t is completed.
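The rules of the last few slides (sequenced steps, delegation only to someone assigned to the process, access tied to the current step and revoked once the process ends) can be written down as a small evaluator. The Python below is an added example, not the authors' code; the processes, roles, subjects and objects in it are constructed for illustration, and the credit application process reuses the slide's step names x, y, z, t.

```python
from dataclasses import dataclass, field

# Constructed process definitions: an ordered tuple of step names each.
# Nested processes from slide 15 are flattened to their steps here.
PROCESSES = {
    "credit_application": ("x", "y", "z", "t"),
    "meeting": ("announce", "hold", "cancel"),
}

# Policy attaches a role to a (process, step) and lists the objects reachable
# there. Nothing is granted "once and for all"; every right lives in a step.
PERMITTED = {
    ("credit_officer", "credit_application", "z"): {"credit_info"},
    ("manager", "meeting", "announce"): {"calendar"},
    ("manager", "meeting", "cancel"): {"calendar"},
}

# Steps whose right may not be forwarded (slide 18: cancellation).
NON_DELEGABLE = {("meeting", "cancel")}

# subject -> (role, processes the subject is assigned to); hypothetical names.
SUBJECTS = {
    "A": ("credit_officer", {"credit_application"}),
    "boss": ("manager", {"meeting"}),
    "secretary": ("secretary", {"meeting"}),
    "temp": ("secretary", set()),
}

# Forwarded rights: (subject, process, step) -> objects
DELEGATED = {}


@dataclass
class ProcessInstance:
    """One running instance of a process; tracks which steps are done."""
    process: str
    completed: list = field(default_factory=list)

    @property
    def current_step(self):
        steps = PROCESSES[self.process]
        done = len(self.completed)
        return steps[done] if done < len(steps) else None  # None = finished

    def complete(self, step):
        # Steps are sequenced: only the current step may be completed.
        if step != self.current_step:
            raise ValueError(f"{step!r} out of sequence; expected {self.current_step!r}")
        self.completed.append(step)


def rights(subject, process, step):
    """Objects a subject may reach in a step: role policy plus delegations,
    and only if the subject is assigned to the process at all."""
    role, assigned = SUBJECTS[subject]
    if process not in assigned:
        return set()
    return (PERMITTED.get((role, process, step), set())
            | DELEGATED.get((subject, process, step), set()))


def can_access(subject, resource, instance, step):
    """Grant only when the right exists for this step AND the instance is
    actually at that step: earlier steps done, later ones not started."""
    if resource not in rights(subject, instance.process, step):
        return False, "no right to this object in this step"
    if instance.current_step is None:
        return False, "process finished; access revoked"
    if instance.current_step != step:
        return False, f"instance is at step {instance.current_step!r}, not {step!r}"
    return True, "granted"


def delegate(giver, receiver, process, step):
    """Forward a step right iff the giver holds it, the step is delegable and
    the receiver is assigned to the process (slide 7's extended rule)."""
    objects = rights(giver, process, step)
    if not objects:
        return False, "giver holds no right for this step"
    if (process, step) in NON_DELEGABLE:
        return False, "step is not delegable"
    if process not in SUBJECTS[receiver][1]:
        return False, "receiver is not assigned to the process"
    key = (receiver, process, step)
    DELEGATED[key] = DELEGATED.get(key, set()) | objects
    return True, "delegated"
```

Walking a credit application through `complete("x")`, `complete("y")` makes `can_access("A", "credit_info", inst, "z")` succeed, and completing z and t makes the same call fail with the process-finished reason; no extra revocation bookkeeping is needed, because the grant is a function of the instance's position in the sequence.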
22
Simplifies Management
• Privacy is dependent on the application and not on the identity
• An identity can have a role which is involved in several functions; its privileges depend on the process.
• Grouping policies per process reduces management time compared with policies based on roles.
• Example:
  – Old:
    • If rank is General, then grant access
    • If rank is Secretary and name is Lise, then grant access
  – New:
    • Secretary: allow-access step 3
    • General: allow-access process change-direction
23
Implementation and Validation
• A validation environment is provided by the language Alloy
• A formal language based on set theory and first-order predicate calculus
  – Model analyser
  – Consistency checker
  – Being developed at MIT
24
Alloy: signatures (or elements) are the basic constructs of an Alloy model; they are a cluster of relationships grouped in a class-like structure.

```alloy
-- Sigs referenced by the slide's fragments but not shown on it are
-- declared here so the model is a complete Alloy module (assumption).
sig CEO, role, steps {}

-- Enterprise
abstract sig enterprise {
  root : CEO
} {
  lone root
}

-- Process: a process may have a parent process and is composed of steps
abstract sig process {
  parent : lone process,
  composedOf : set steps
}

-- Policy: attached to one process; permitted/denied relate roles to processes
abstract sig policy {
  attachedTo : lone process,
  permitted : role -> process,
  denied : role -> process
} {
  -- Facts & rules
  no permitted & denied          -- a role is never both permitted and denied
  role.permitted in attachedTo   -- permissions only on the attached process
  role.denied in attachedTo      -- denials only on the attached process
}
```
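The three facts on the `policy` signature, together with the separation-of-concerns rule from slide 19 (no data shared between admission and scholarship), are what the analyser checks for conflicts. As an added example that is not the authors' Alloy model, the same checks are written below as plain Python over constructed policies; the policy names, roles, processes and objects are invented, and two of the policies are deliberately inconsistent so the checker has something to report.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Plain-data mirror of the slide's Alloy `policy` sig (constructed)."""
    name: str
    attached_to: str                              # the one process the policy is attached to
    permitted: set = field(default_factory=set)   # {(role, process)}
    denied: set = field(default_factory=set)      # {(role, process)}


def check_policy(p):
    """Return the facts violated by one policy; an empty list means consistent."""
    problems = []
    # no permitted & denied
    clash = p.permitted & p.denied
    if clash:
        problems.append(f"{p.name}: permitted and denied overlap on {sorted(clash)}")
    # role.permitted in attachedTo, role.denied in attachedTo
    for kind, rel in (("permitted", p.permitted), ("denied", p.denied)):
        stray = {proc for _, proc in rel if proc != p.attached_to}
        if stray:
            problems.append(
                f"{p.name}: {kind} names {sorted(stray)} but the policy is attached to {p.attached_to}"
            )
    return problems


def check_separation(process_objects, separated_pairs):
    """Chinese-Wall style rule: processes declared separate share no object."""
    problems = []
    for a, b in separated_pairs:
        shared = process_objects.get(a, set()) & process_objects.get(b, set())
        if shared:
            problems.append(f"{a} and {b} share {sorted(shared)}")
    return problems


def check_all(policies, process_objects, separated_pairs):
    """Every violated fact across all policies plus the separation rule."""
    problems = []
    for p in policies:
        problems += check_policy(p)
    return problems + check_separation(process_objects, separated_pairs)


# Constructed sample: one clean policy and two deliberately inconsistent ones.
POLICIES = [
    Policy("admissions", "admission",
           permitted={("officer", "admission")},
           denied={("officer", "admission")}),            # violates: no permitted & denied
    Policy("scholarships", "scholarship",
           permitted={("committee", "scholarship"),
                      ("committee", "admission")}),       # violates: role.permitted in attachedTo
    Policy("payroll", "payroll", permitted={("clerk", "payroll")}),
]
PROCESS_OBJECTS = {
    "admission": {"application", "transcript"},
    "scholarship": {"transcript", "award_letter"},        # transcript shared: separation violated
    "payroll": {"timesheet"},
}
SEPARATED = [("admission", "scholarship")]

if __name__ == "__main__":
    for line in check_all(POLICIES, PROCESS_OBJECTS, SEPARATED):
        print(line)
```

Running the module lists the three conflicts. Alloy finds the same violations by searching for an instance that breaks a fact; here the checks are evaluated directly on one concrete set of policies, which is enough to see what each fact rules out.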
25
Alloy Separation of Concerns
26
Architecture
[Figure: a UML model, an Alloy meta model and an Alloy policy specification (used for verification), and XACML and ebXML representations; the translations between the UML model, the Alloy models and XACML/ebXML, and the verification steps, are manual]
27
Pragmatic Goals
• GUIs to formulate validated policies
• Able to answer questions:
  – Given an enterprise model and a set of policies
    • Who can/cannot, and under what circumstances?
    • Given circumstances, who can/cannot?
    • Is there inconsistency or incompleteness?
• Automatic translation between
  – GUI representation
  – XACML representation
  – Formal representation (Alloy or other)
28
Conclusion
Privacy requires a native model; the transposition of existing security models does not address the right requirements.
We propose a process based model that attaches policies to processes, which are composed of activities.
We use Alloy as a model analyzer to verify properties.