1 / 29

Process Model for Access Control

Process Model for Access Control. Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais. Create a Privacy Model that reduces attacks by following privacy specifications while detecting conflict. Goal. Why?. Process. Security and Privacy Breaches.

heather-walton
Download Presentation

Process Model for Access Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais

  2. Create a Privacy Model that reduces attacks by following privacy specifications while detecting conflict Goal Why?

  3. Process Security and Privacy Breaches • 60% of security attacks are internal • Attacks come from legitimate users Reason users bypass the process

  4. Plan • Basics • Existing Models • Privacy • Issues and requirements • Concept of process based privacy • Evaluation • Support of existing concepts • Advantages over existing models • Verification • Conclusion

  5. Subject:wael Students Verb:can access can access Object:computer their office Back to Basics What is the structure of a secure access control instruction? Single Group

  6. Security • Basic:- • Identity  Access Right • An identity justifies an access-right • Example: given I am a wael, I can access my lab • Extended:- • Identity1, Identity2  Forwarding Right (object) • A right is owned and can be forwarded (delegated) • Example: given I am an assistant in the admissions department, • I own the right to access personal student file, • I can allow Jasmine access to my file • Combined:- • Identity1, Identity2 Concurrent Access(object) • Two subjects may be allowed to have concurrent access to an object

  7. Privacy • Basic:- • Purpose Access-Right (Identity) • A purpose justifies access-right • Example: To update student profile, • Jo-Anne needs to have access to accepted student application data • Extended:- • Step  Forwarding Right (Identity1, Identity2) • A step which can be owned by a person in a process suggests a right, and that right may be forwarded (delegated) iff the recipient has access to the process/step. • Example: given that Jo-Anne participates in the admissions procedure, • She is assigned access to activity open personal student file, • She can allow Jasmine (another officer) access to the same file as long as she has the authority and she is assigned to the process • Combined:- • Process1, Process2 Concurrent Access(object) • Two subjects participating in two processes may or not have concurrent access to certain objects.

  8. Existing Models There are 3 existing security models that we inherit

  9. Bell-Lapadula Intended for military applications, Flow Based • Security Clearances • Security Requirement A can access y iff • clearance of A > requirement of y A can forward access to y for B iff • clearance of B > requirement of y A y Level B X

  10. Chinese Wall Originally intended for banking applications • Creates separation of concerns groups • Group A & Group B cannot share access to an object set {x,y,z} B A X Y z

  11. RBAC Role based Access Control • Principle • Group people in order to reduce management overhead • Application • Corporate • Uses corporate hierarchy to suggest groups • Example: • Director, Executive Assistant • All Directors have access to client accounts

  12. Issues with current systems When applied to privacy • They only answer • Does a person A have access to object X • They don’t • Capture context and purpose of an operation • They grant • Access once and for all times, irrelevant of the job function Therefore, they do not satisfy privacy principles of collection, retention, distribution

  13. What is needed • Privacy requires the ability to say • Does • a person A have access to resource X for purpose P • Is • a person A trying to gain access to a resource x as a part of a process • Is • a person A trying to gain access in the proper sequence of operation

  14. Process Based Governance Governance of organizations by specifying control of access (to information) by applyingpolicies to processes

  15. Process Process Based Control • A business process is a unit that can be composed of steps and/or processes. • Steps in a process are sequenced

  16. Business Process In a business process environment it should be • Easy to tie purposes to actions • Possible to apply invariants for a complete structure • Easy to trace policy modifications

  17. Process Approach Supports • Flow of information (Bell Lapadula) • Separation of concerns (Chinese Wall)

  18. Information flow • A part of standard procedures is delegating work to others. • Example: delegate meeting announcement to secretary • Using process model • Action delegate meeting, allowed in a process • Action meeting cancellation cannot be delegated

  19. Separation of Concerns • In the banking industry, different groups may not share access to particular resources. • Using process model we can set rules to separate groups • Example: • No data that admission and scholarship share

  20. Advantages • Captures context • Simplifies management (privacy)

  21. Captures Context • As a part of credit application process (x,y,z,t), an employee A receives access to credit information in step z. • A can download all credit information of all customers on file • When using a process model, • access is granted or revoked based on the sequence of operations. • Therefore, under the process model, an employee A will only have access If steps x & y have been performed • Access will be revoked after operation t is completed

  22. Simplifies Management • Privacy is dependent on the application and not on the identity • An identity can have a role which is involved in several functions. Its privileges are dependent on process. • Grouping policies per process reduces time and management policies that are based on roles. • Example: • Old • If rank is General, then grant access • If rank is secretary and name is Lise then grant access • New: • Secretary allow-access step 3 • General allow-access process change-direction

  23. Implementation and Validation • A validation environment is provided by the language Alloy • A formal language based on set theory and first order predicate calculus • Model analyser • Consistency checker • Being developed at MIT

  24. Alloy • Signatures or elements are the basic constructs of an Alloy model; • they are a cluster of relationships grouped in a class like structure. • Sig [abstract] enterprise { • root : CEO • }{ • [lone] root • } Enterprise Process • abstract sig process { • parent : lone process, • composedOf : set steps • } Policy abstract sig policy { attachedTo : lone process, permitted: role -> process, denied : role -> process Facts & Rules } no permitted & denied role.permitted in attachedTo role.denied in attachedTo }

  25. Alloy Separation of Concerns

  26. Translation Manual Translation Manual Manual Verification Manual Verification Alloy Meta Model ebXML XACML Alloy Policy Specification Architecture UML Model Verification

  27. Pragmatic Goals • GUIs to formulate validated policies • Able to answer questions: • Given an enterpise model and a set of policies • Who can/cannot and under what circumstances • Given circumstances, who can/cannot? • Is there inconsistency or incompleteness? • Automatic translation between • GUI representation • XACML representation • Formal representation (Alloy or other)

  28. Conclusion Privacy requires a native model; The transposition of existing security models does not address the right requirements. We propose a process based model that attaches policies to processes which are composed of activities, We use Alloy as model analyzer to verify properties.

  29. Thanks from Wael Hassan, Luigi Logrippo wael@ieee.org, luigi@uqo.ca

More Related