
The ASCAA * Principles Applied to Usage Control Prof. Ravi Sandhu

The ASCAA* Principles Applied to Usage Control. Prof. Ravi Sandhu, Executive Director and Endowed Chair, Institute for Cyber Security, University of Texas at San Antonio, September 2008. ravi.sandhu@utsa.edu, www.profsandhu.com

Presentation Transcript


  1. The ASCAA* Principles Applied to Usage Control (advertised title)
  Prof. Ravi Sandhu, Executive Director and Endowed Chair, Institute for Cyber Security, University of Texas at San Antonio, September 2008
  ravi.sandhu@utsa.edu, www.profsandhu.com
  * Abstraction, Separation, Containment, Automation, Accountability

  2. Alternate title: A Perspective on Usage Control and its Future
  Prof. Ravi Sandhu, Executive Director and Endowed Chair, Institute for Cyber Security, University of Texas at San Antonio, September 2008
  ravi.sandhu@utsa.edu, www.profsandhu.com

  3. Outline
  • Security trends and change drivers
  • Foundational security assumptions
  • Usage: a fundamental security objective
  • The Usage Control or UCON model
  • The PEI (Policy, Enforcement, Implementation) framework
  • The ASCAA principles (Abstraction, Separation, Containment, Automation, Accountability)

  4. Security Trends and Change Drivers (then → now)
  • Stand-alone computers → Internet
  • Vandals → Criminals, nation states, terrorists
  • Enterprise security → Mutually suspicious yet mutually dependent security
  • Few standard services → Many and new innovative services
  We are at an inflection point

  5. Diffie on Information Security … 2007
  • “Now we face a new challenge to security, a world of shared computing and web services. As with radio, this technology is too valuable to go unused. By contrast with radio, which could be protected with cryptography, there may be no technology that can protect shared computation to the degree we would call secure today. In a decade or a generation, there may be no secure computing.”
  Need to be realistic in our security expectations

  6. Butler Lampson Paraphrased (I think)
  • Computer scientists could never have designed the web because they would have tried to make it work. But the Web does “work.” What does it mean for the Web to “work”?
  • Security geeks could never have designed the ATM network because they would have tried to make it secure. But the ATM network is “secure.” What does it mean for the ATM network to be “secure”?

  7. Foundational Security Assumptions
  • Information needs to be protected
    • In motion
    • At rest
    • In use
  • Absolute security is impossible and unnecessary
    • Trying to approximate absolute security is a bad strategy
    • “Good enough” security is feasible and meaningful
  • Security is meaningless without application context
    • Cannot know we have “good enough” without this context
  • Models and abstractions are all important
    • Without a conceptual framework it is hard to separate “what needs to be done” from “how we do it”
  We are not very good at doing any of this

  8. Security Objectives (figure: each objective paired with what it governs)
  • USAGE: purpose
  • INTEGRITY: modification
  • AVAILABILITY: access
  • CONFIDENTIALITY: disclosure

  9. Usage Control Scope (figure; labels: Security Objectives, Security Architectures)

  10. Access Control Models
  • Discretionary Access Control (DAC)
    • Owner controls access, but only to the original, not to copies
  • Mandatory Access Control (MAC)
    • Access based on security labels
    • Labels propagate to copies
  • Role-Based Access Control (RBAC)
    • Access based on roles
    • Can be configured to do DAC or MAC
  • Attribute-Based Access Control (ABAC)
    • Access based on attributes, to possibly include roles, security labels and whatever

  11. Usage Control Model (UCON)
  • Unified model integrating
    • authorization
    • obligation
    • conditions
  • and incorporating
    • continuity of decisions
    • mutability of attributes
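The six items on slide 11 are easiest to see in a concrete decision engine. The block below is an added illustration, not code from the talk or from any UCON implementation: the policy it encodes (a group-document read with a per-subject quota, a click-through obligation and a business-hours condition) and every class and function name are assumptions of this example. The point it makes that the slide cannot is the difference between a pre-decision, which happens once, and the ongoing decision, which is re-evaluated during usage and can revoke it, plus the way usage itself mutates an attribute (the quota).

```python
"""Minimal UCON-style usage decision engine (added example; names are assumptions)."""
from dataclasses import dataclass, field

BUSINESS_HOURS = range(9, 18)        # constructed condition: 09:00 to 17:59


@dataclass
class Subject:
    name: str
    groups: set = field(default_factory=set)   # mutable: changed by enroll/dis-enroll
    reads_left: int = 0                         # mutable: consumed by each usage
    accepted_terms: bool = False                # obligation: click-through agreement


@dataclass
class Document:
    name: str
    group: str


@dataclass
class Environment:
    hour: int                                   # condition input; changes over time


class GroupReadPolicy:
    """Policy for the usage right 'read' on a group document."""

    def authorized(self, s: Subject, d: Document) -> bool:   # subject/object attributes
        return d.group in s.groups

    def obligation_met(self, s: Subject) -> bool:            # must hold before usage
        return s.accepted_terms

    def condition_holds(self, env: Environment) -> bool:     # environment, not subject/object
        return env.hour in BUSINESS_HOURS

    def quota_ok(self, s: Subject) -> bool:                  # usage limit on a mutable attribute
        return s.reads_left > 0


class UsageSession:
    """One usage of `doc` by `subject`; tracks whether it is still permitted."""

    def __init__(self, subject: Subject, doc: Document, env: Environment, policy=None):
        self.s, self.d, self.env = subject, doc, env
        self.p = policy or GroupReadPolicy()
        self.active = False

    def start(self) -> bool:
        """Pre-decision: authorization, obligation and condition, then pre-update."""
        p = self.p
        if not (p.authorized(self.s, self.d) and p.quota_ok(self.s)
                and p.obligation_met(self.s) and p.condition_holds(self.env)):
            return False
        self.s.reads_left -= 1            # mutability: the usage changes an attribute
        self.active = True
        return True

    def still_allowed(self) -> bool:
        """Ongoing decision (continuity): re-evaluate while the usage is in progress."""
        if self.active and not (self.p.authorized(self.s, self.d)
                                and self.p.condition_holds(self.env)):
            self.active = False           # revoke mid-use
        return self.active


def run_scenario() -> dict:
    """Constructed trace; returns the outcome of each step, keyed by step name."""
    env = Environment(hour=10)
    doc = Document("design.pdf", group="eng")
    alice = Subject("alice", groups={"eng"}, reads_left=2)
    out = {}
    s1 = UsageSession(alice, doc, env)
    out["start without accepting terms"] = s1.start()       # obligation not met
    alice.accepted_terms = True
    out["start after click-through"] = s1.start()           # pre-decision passes
    out["reads_left after one usage"] = alice.reads_left    # pre-update consumed one read
    env.hour = 18
    out["still allowed after hours"] = s1.still_allowed()   # condition fails mid-use
    env.hour = 11
    s2 = UsageSession(alice, doc, env)
    out["second usage starts"] = s2.start()                 # quota now exhausted
    alice.groups.discard("eng")                             # dis-enrolled mid-use
    out["still allowed after dis-enroll"] = s2.still_allowed()
    alice.groups.add("eng")
    s3 = UsageSession(alice, doc, env)
    out["third usage with quota exhausted"] = s3.start()
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

Two design points worth noticing: the quota is checked and decremented in the pre-decision only, so an ongoing check never consumes a second unit, and the ongoing check deliberately re-tests only authorization and condition, because the click-through obligation was a one-time prerequisite. Which predicates are pre, ongoing or both is a policy choice, not something the engine can infer.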

  12. PEI Models: 3 Layers/5 Layers

  13. Policy Model
  Membership state machine (figure): State I, the initial state, never been a member; State II, currently a member; State III, past member. Transitions: enroll (I → II), dis-enroll (II → III), enroll again (III → II).
  • State I (never been a member): straightforward, user has no access to any group documents
  • State II (currently a member)
    • Access to current documents only (or)
    • Access to current documents and past documents
    • Access can be further restricted with rate and/or usage limits
    • Access can be further restricted on the basis of individual user credentials
  • State III (past member)
    • Past member loses access to all documents (or)
    • can access any document created during his membership (or)
    • can access documents he accessed during membership (or)
    • can access all documents created before he left the group (this includes the ones created before his join time)
    • all subject to possible additional rate, usage and user credential restrictions
  • Rejoin
    • No rejoin of past members is allowed; rejoin with a new ID (or)
    • Past members rejoin the group just like any other user who has never been a member
    • The same access policies defined during his prior membership should again be enforced (or)
    • access policies could vary between membership cycles

  14. Enforcement Model
  • Control Center (CC)
  • Two sets of attributes
    • Authoritative: as known to the CC
    • Local: as known on a member’s computer
  • (figure: Joining Member, Group-Admin, Member and D-Member exchange numbered steps 1-7 with the CC)
    • Member enroll and dis-enroll (steps 1-2, 5)
    • Document add and remove (steps 6, 7)
    • Read policy enforcement (step 3)
    • Attribute update (step 4)
  • Ideal model: steps 3 and 4 are coupled
  • Approximate model: steps 3 and 4 are de-coupled
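The policy options of slide 13 and the authoritative-versus-local attribute split of slide 14 fit together in one small simulation. The code below is an added example, not the speakers' implementation: the policy-option names, the logical clock used to order events, the `ControlCenter` and `MemberDevice` classes, and the reading of "current documents" as those added after the member's join time are all assumptions of this example, and the "documents he accessed during membership" option is omitted because it needs an access log the example does not keep. What it shows beyond the slides is the concrete consequence of de-coupling steps 3 and 4: in the approximate model a dis-enrolled member keeps reading until the next attribute update, and the read that slips through is one the ideal model denies.

```python
"""Group-document policy with authoritative and local attribute sets (added example)."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional


class State(Enum):
    NEVER = "I"    # never been a member (initial)
    MEMBER = "II"  # currently a member
    PAST = "III"   # past member


@dataclass
class Doc:
    name: str
    created_at: int          # logical time at which the group-admin added it (step 6)


@dataclass
class MemberAttrs:
    state: State = State.NEVER
    join_time: Optional[int] = None
    leave_time: Optional[int] = None


class ControlCenter:
    """Holds the authoritative attributes and evaluates the read policy."""

    def __init__(self, current_policy="current_and_past",
                 past_policy="created_during_membership"):
        assert current_policy in ("current_only", "current_and_past")
        assert past_policy in ("no_access", "created_during_membership",
                               "created_before_leaving")
        self.current_policy, self.past_policy = current_policy, past_policy
        self.clock = 0
        self.docs = {}             # name -> Doc
        self.authoritative = {}    # user -> MemberAttrs

    def _tick(self) -> int:
        self.clock += 1
        return self.clock

    def enroll(self, user: str) -> None:        # steps 1-2; a rejoin is treated like a fresh join
        self.authoritative[user] = MemberAttrs(State.MEMBER, self._tick(), None)

    def dis_enroll(self, user: str) -> None:    # step 5
        a = self.authoritative[user]
        a.state, a.leave_time = State.PAST, self._tick()

    def add_doc(self, name: str) -> None:       # step 6
        self.docs[name] = Doc(name, self._tick())

    def remove_doc(self, name: str) -> None:    # step 7
        self.docs.pop(name)

    def decide(self, a: MemberAttrs, doc: Doc) -> bool:
        """Read decision over whichever attribute set the caller supplies."""
        if a.state is State.NEVER:
            return False                        # State I: no access at all
        if a.state is State.MEMBER:             # State II
            if self.current_policy == "current_only":
                return doc.created_at >= a.join_time
            return True                         # current and past documents
        if self.past_policy == "no_access":     # State III options
            return False
        if self.past_policy == "created_during_membership":
            return a.join_time <= doc.created_at <= a.leave_time
        return doc.created_at <= a.leave_time   # created before leaving, including pre-join


class MemberDevice:
    """A member's computer holding its local copy of the attributes."""

    def __init__(self, user: str, cc: ControlCenter, ideal: bool):
        self.user, self.cc, self.ideal = user, cc, ideal
        self.local = MemberAttrs()              # starts out as 'never a member'

    def sync(self) -> None:                     # step 4: attribute update from the CC
        self.local = replace(self.cc.authoritative.get(self.user, MemberAttrs()))

    def read(self, doc_name: str) -> bool:      # step 3: read policy enforcement
        if self.ideal:
            self.sync()                         # ideal model: steps 3 and 4 coupled
        doc = self.cc.docs.get(doc_name)
        return doc is not None and self.cc.decide(self.local, doc)


def staleness_window(ideal: bool) -> list:
    """Constructed trace; returns the outcomes of five reads in order."""
    cc = ControlCenter()
    dev = MemberDevice("alice", cc, ideal)
    cc.add_doc("d0")                            # t=1, before alice joins
    cc.enroll("alice")                          # t=2
    cc.add_doc("d1")                            # t=3
    dev.sync()                                  # local copy now says MEMBER
    r0, r1 = dev.read("d0"), dev.read("d1")     # both allowed under current_and_past
    cc.dis_enroll("alice")                      # t=4, authoritative copy only
    cc.add_doc("d2")                            # t=5, after she left
    r2 = dev.read("d2")                         # approximate: stale MEMBER copy allows it
    r1b = dev.read("d1")                        # created during [2, 4]: allowed either way
    dev.sync()
    r2b = dev.read("d2")                        # denied once the local copy catches up
    return [r0, r1, r2, r1b, r2b]


if __name__ == "__main__":
    print("approximate:", staleness_window(ideal=False))
    print("ideal:      ", staleness_window(ideal=True))
```

The third read is the one to watch: with the approximate model it succeeds because the local attributes still say State II, and it only fails after the next attribute update. How long that window stays open is exactly the gap that slide 15's trusted-computing binding of key and attributes is meant to narrow, since an untrusted client could otherwise refuse step 4 indefinitely.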

  15. Implementation Model
  • Use trusted computing (TC) mechanisms to bind the group key and the attributes to the trusted reference monitor (TRM)

  16. Founding Principles of RBAC
  • Abstraction of Privileges
    • Credit is different from Debit even though both require read and write
  • Separation of Administrative Functions
    • Separation of user-role assignment from role-permission assignment
  • Least Privilege
    • Right-size the roles
    • Don’t activate all roles all the time
  • Separation of Duty
    • Static separation: purchasing manager versus accounts payable manager
    • Dynamic separation: cash-register clerk versus cash-register manager

  17. ASCAA Principles
  • Abstraction of Privileges
    • Credit vs debit
    • Personalized permissions
  • Separation of Administrative Functions
  • Containment
    • Least Privilege
    • Separation of Duties
    • Usage Limits
  • Automation
    • Revocation
    • Assignment: (i) Self-assignment, (ii) Attribute-based
    • Context and environment adjustment
  • Accountability
    • Re-authentication/Escalated authentication
    • Click-through obligations
    • Notification and alerts

  18. Conclusion
  • Security trends and change drivers
  • Foundational security assumptions
  • Usage: a fundamental security objective
  • The Usage Control or UCON model
  • The PEI (Policy, Enforcement, Implementation) framework
  • The ASCAA principles (Abstraction, Separation, Containment, Automation, Accountability)
  Questions?? Comments!!
