Privilege and Policy Management for Cyber Infrastructures

Dennis Kafura

Markus Lorch

Support provided by: Commonwealth Security Information Center

Fermi National Accelerator Laboratory

IBM

March 14-15, 2005

Organization
  • Grand Challenges
    • Problems
    • Requirements
  • PRIMA – a privilege-based approach
    • Models
    • Architecture/Mechanisms
  • Research challenges
    • Policy
    • Obligations
    • Enforcement
    • Usability
  • Relationship to I3P and Workshop Themes

March 14-15, 2004

Grand Challenge Problems
  • Societal infrastructures

“Develop tools and principles that allow construction of large-scale systems for important societal applications that are highly trustworthy despite being attractive targets.”

  • Dynamic, pervasive computing environments

“For the dynamic, pervasive computing environments of the future, give computing end-users security they can understand and privacy they can control.”

From: CRA Workshop on “Grand Research Challenges in Information Security and Assurance,” November 2003.

PRIMA Models

PRIMA Properties

Privilege Structure
  • Privilege Properties
    • Fully associated
    • Directly applicable
    • Time limited
    • Externalized
    • Secure
    • Non-repudiation
  • Implementation
    • Container: X.509 Attribute Certificate
    • Privilege: XACML rule construct

Enforcement Concepts
  • Policy Enforcement Point (PEP) checks privileges for:
    • Applicability (to resource and requestor)
    • Validity (of time frame and signature)
    • Authority (with respect to privilege management policy)
  • All permissible privileges constitute a dynamic policy for a request
  • Policy Decision Point (PDP):
    • Makes coarse decision
    • Adds obligations for PEP

Dynamic Policy

Obligations
  • Additional constraints to an authorization decision
  • If PEP cannot fulfill an obligation then it disallows access
  • Obligations address the mismatch in level of detail between request and policies
  • Obligations help in maintaining system state
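
The PEP and PDP steps from the Enforcement Concepts and Obligations slides, as an added Python example that is not PRIMA code. An HMAC stands in for the issuer signature on the X.509 attribute certificate, and every name, key, path and obligation below is constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# All names, keys and policies below are constructed for illustration.
ISSUER_KEYS = {"vo-admin": b"demo-key-1", "rogue": b"demo-key-2"}
MGMT_POLICY = {"vo-admin": "/data/physics"}   # issuer -> subtree it may grant on
PDP_OBLIGATIONS = {"read": [], "write": ["disk-quota"], "exec": ["sandbox"]}
PEP_SUPPORTED = {"disk-quota"}                # obligations this PEP can fulfil

@dataclass(frozen=True)
class Privilege:
    issuer: str
    holder: str
    resource: str
    action: str
    not_before: int
    not_after: int
    sig: str = ""

def mac(p: Privilege) -> str:
    # Assumption: HMAC replaces the attribute certificate's issuer signature.
    body = f"{p.issuer}|{p.holder}|{p.resource}|{p.action}|{p.not_before}|{p.not_after}"
    return hmac.new(ISSUER_KEYS[p.issuer], body.encode(), hashlib.sha256).hexdigest()

def issue(*fields) -> Privilege:
    return Privilege(*fields, sig=mac(Privilege(*fields)))

def under(path: str, root: str) -> bool:
    return path == root or path.startswith(root.rstrip("/") + "/")

def permissible(p: Privilege, holder: str, resource: str, now: int) -> bool:
    applicable = p.holder == holder and under(resource, p.resource)
    valid = (p.issuer in ISSUER_KEYS and p.not_before <= now <= p.not_after
             and hmac.compare_digest(p.sig, mac(p)))
    root = MGMT_POLICY.get(p.issuer)          # privilege management policy
    authority = root is not None and under(p.resource, root)
    return applicable and valid and authority

def authorize(presented, holder, resource, action, now):
    # PEP: privileges passing all three checks form the dynamic policy.
    dynamic_policy = [p for p in presented if permissible(p, holder, resource, now)]
    # PDP: coarse decision, plus obligations handed back to the PEP.
    if not any(p.action == action for p in dynamic_policy):
        return ("deny", "no permissible privilege")
    unmet = [o for o in PDP_OBLIGATIONS.get(action, []) if o not in PEP_SUPPORTED]
    # PEP: an obligation it cannot fulfil turns the permit into a deny.
    return ("deny", f"unfulfillable obligation: {unmet[0]}") if unmet else ("permit", "")
```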

Research Challenges: Policy
  • What can be adapted from software engineering research for policy:
    • Testing
    • Debugging
    • Formal Analysis
    • Requirements engineering
  • Policy extensions
    • Threat/environment aware

Research Challenges: Obligations
  • Granularity mismatch
    • Too many rights to be externalized
    • Partially addressed by dynamic policy
  • With respect to the request
    • Need to add restrictions finer-grained than request

Research Challenges: Enforcement
  • Evaluation of mechanisms
    • Dynamic user accounts
    • Virtual machine/sandboxing
    • Service containers
  • Model
    • Distributing privileges to dynamically provision an execution environment, vs.
    • Pre-provisioning an execution environment and distributing a privilege for it

Research Challenges: Usability
  • What are the right conceptual models?
    • Privileges
    • Roles
    • Others? Several? Combinations?
  • How can users manage their rights?
    • P3P
    • Shibboleth release policies
    • Least-privilege control

Addressing I3P and Workshop Themes

[Figure with panels: I3P Agenda; Workshop Themes]
