1 / 16

A Conceptual Framework for Group-Centric Secure Information Sharing

A Conceptual Framework for Group-Centric Secure Information Sharing. Ram Krishnan (George Mason University) Ravi Sandhu , Jianwei Niu , William Winsborough (University of Texas at San Antonio) ASIACCS 2009, Sydney, Australia. Secure Information Sharing (SIS).

herman
Download Presentation

A Conceptual Framework for Group-Centric Secure Information Sharing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Conceptual Framework forGroup-Centric Secure Information Sharing Ram Krishnan (George Mason University) Ravi Sandhu, JianweiNiu, William Winsborough (University of Texas at San Antonio) ASIACCS 2009, Sydney, Australia

  2. Secure Information Sharing (SIS) • A fundamental problem in cyber security • Share but protect • Current approaches not satisfactory • Classic models (DAC/MAC/RBAC) do not work • Recent approaches • Proprietary systems for Enterprise Rights Management • Many solutions: IBM, CA, Oracle, Sun, Authentica, etc. • Interoperability is a major issue • Many languages have been standardized • XrML, ODRL, XACML, etc. • Primarily, dissemination or object centric

  3. Dissemination Centric Sharing • Attach attributes and policies to objects • Objects are associated with sticky policies • XrML, ODRL, XACML, etc. provide sticky policies Attribute + Policy Cloud Attribute + Policy Cloud Attribute + Policy Cloud Attribute + Policy Cloud Object Object Object Object Alice Bob Charlie Ravi Shashi Attribute Cloud Attribute Cloud Attribute Cloud Attribute Cloud Attribute Cloud Dissemination Chain with Sticky Policies on Objects

  4. Group Centric Sharing (g-SIS) • Advocates bringing users & objects together in a group • In practice, co-exists with dissemination centric sharing Join Add Never Group Subject Current Group Subject Past Group Subject Never Group Object Current Group Object Past Group Object Join Add Remove Leave • Two useful metaphors • Secure Meeting/Document Room • Users’ access may depend on their participation period • E.g. Program committee meeting, Collaborative Product Development, Merger and Acquisition, etc. • Subscription Model • Access to content may depend on when the subscription began • E.g. Magazine Subscription, Secure Multicast, etc.

  5. Core g-SIS Properties 1. Provenance: Authorization can only originate during a simultaneous period of membership Authz Authz Join Add Add Join 2. Bounded Authorization: Authorization cannot grow during non-membership periods 3. Persistence: Authorization cannot change if no group event occurs

  6. g-SIS Operation Semantics Subjects Subjects Strict Leave Strict Join Join Leave GROUP Authz (S,O,R)? Liberal Join LiberalLeave GROUP Authz (S,O,R)? Strict Add Strict Remove 6 Remove Add Liberal Add Liberal Remove Objects Objects

  7. Operation Semantics (Continued) • Strict Join (SJ): Only access objects added after Join time • Liberal Join (LJ): Also access objects added before Join time • Strict Leave (SL): Lose access to all objects • Liberal Leave (LL): Retain authorizations held at Leave time

  8. Operation Semantics (Continued) • Strict Add (SA): Only existing subjects at Add time are authorized • Liberal Add (LA): No such restrictions • Strict Remove (SR): All subjects lose access • Liberal Remove (LR): Subjects who had authorization at Remove time can retain access

  9. Family of g-SIS Models Traditional Groups: <LJ, SL, LA, SR> Secure Multicast: <SJ, LL, LA, *> Most Restrictive g-SIS Specification:

  10. Conclusion & Future Work • Group-centric Vs Dissemination-centric • Focus on group operation semantics • Lattice of g-SIS models • Ongoing Work • Extension to other operations such as write, etc. • Multiple groups • Investigate information flow • Compare with Lattice Based Access Control models • Attribute Based Access Control in g-SIS

  11. Thank You! Comments & Questions Email: rkrishna@gmu.edu Web: http://mason.gmu.edu/~rkrishna

  12. Backup

  13. Presentation Outline • Secure Information Sharing (SIS) • Dissemination Vs Group Centric • Group Centric SIS (g-SIS) • g-SIS Core Properties • g-SIS Operation Semantics • Family of g-SIS Models • Usage Scenarios • Conclusions

  14. g-SIS (continued) Join Never Group Subject Current Group Subject Past Group Subject Join Leave Subject Membership States Add Never Group Object Current Group Object Past Group Object Add Remove Object Membership States

  15. Operation Semantics (Continued)

  16. Re-visiting Metaphors • Program Committee Meeting • Committee members initially enter room with LJ • Exit room with LL • Re-admitted with SJ if no access allowed to conversations during periods of absence • LJ, on the other hand, will allow access • Objects added with SA are accessible to existing members in the room

More Related