1 / 24

ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH

ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH. Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University sandhu@gmu.edu www.list.gmu.edu. AUTHORIZATION, TRUST AND RISK. Information security management is fundamentally about managing

werin
Download Presentation

ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University sandhu@gmu.edu www.list.gmu.edu

  2. AUTHORIZATION, TRUST AND RISK • Information security management is fundamentally about managing • authorization and • trust so as to manage risk

  3. What? How? ENGINEERING AUTHORITY & TRUST4 LAYERS Policy Model Architecture Mechanism

  4. What? How? ENGINEERING AUTHORITY & TRUST4 LAYERS Multilevel Security No information leakage Lattices (Bell-LaPadula) Security kernel Security labels

  5. What? How? ENGINEERING AUTHORITY & TRUST4 LAYERS Role-Based Access Control (RBAC) Policy neutral RBAC96 user-pull, server-pull, etc. certificates, tickets, PACs, etc.

  6. ROLE-BASED ACCESS CONTROL (RBAC) • A user’s permissions are determined by the user’s roles • rather than identity or clearance • roles can encode arbitrary attributes • multi-faceted • ranges from very simple to very sophisticated

  7. RBAC SECURITY PRINCIPLES • least privilege • separation of duties • separation of administration and access • abstract operations

  8. RBAC96IEEE Computer Feb. 1996 • Policy neutral • can be configured to do MAC • roles simulate clearances (ESORICS 96) • can be configured to do DAC • roles simulate identity (RBAC98)

  9. RBAC1 ROLE HIERARCHIES RBAC2 CONSTRAINTS RBAC96 FAMILY OF MODELS RBAC3 ROLE HIERARCHIES + CONSTRAINTS RBAC0 BASIC RBAC

  10. USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERS ROLES PERMISSIONS ... SESSIONS RBAC0

  11. ... RBAC1 ROLE HIERARCHIES USER-ROLE ASSIGNMENT PERMISSION-ROLE ASSIGNMENT USERS ROLES PERMISSIONS SESSIONS

  12. HIERARCHICAL ROLES Primary-Care Physician Specialist Physician Physician Health-Care Provider

  13. EXAMPLE ROLE HIERARCHY Director (DIR) Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) Engineering Department (ED) PROJECT 1 PROJECT 2 Employee (E)

  14. ... RBAC3 ROLE HIERARCHIES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS ROLES PERMISSIONS SESSIONS CONSTRAINTS

  15. ... ADMINISTRATIVE RBAC ROLES PERMISSIONS USERS CONSTRAINTS ADMIN ROLES ADMIN PERMISSIONS

  16. EXAMPLE ROLE HIERARCHY Director (DIR) Project Lead 1 (PL1) Project Lead 2 (PL2) Production 1 (P1) Quality 1 (Q1) Production 2 (P2) Quality 2 (Q2) Engineer 1 (E1) Engineer 2 (E2) Engineering Department (ED) PROJECT 1 PROJECT 2 Employee (E)

  17. EXAMPLE ADMINISTRATIVE ROLE HIERARCHY Senior Security Officer (SSO) Department Security Officer (DSO) Project Security Officer 1 (PSO1) Project Security Officer 2 (PSO2)

  18. RBAC PARAMETERS • RBAC has many facets, including • number of roles: large or small • flat roles versus hierarchical roles • permission-role review capability • static separation of duties • dynamic separation of duties • role-activation capability • at least 64 variations

  19. NIST RBAC MODELin progress • Level 1: flat RBAC • user-role review • Level 2: hierarchical RBAC • plus role hierarchies • Level 3: constrained RBAC • plus separation constraints • Level 4: true RBAC • plus permission-role review

  20. CLASS I SYSTEMSENFORCEMENT ARCHITECTURE Client Server

  21. CLASS I SYSTEMSADMINISTRATION ARCHITECTURE Server1 Administrative Client Authorization Center Server2 ServerN

  22. CLASS II SYSTEMSSERVER-PULL Client Server Authorization Server Authentication Server

  23. CLASS II SYSTEMSUSER-PULL Client Server Authorization Server Authentication Server

  24. R&D IN INTERNET TIME • new technology needs to be developed and deployed continuously in the very short term • need focused applied research • need synergy between Universities and Industry

More Related