rimbac n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
RiMBAC PowerPoint Presentation
Download Presentation
RiMBAC

Loading in 2 Seconds...

play fullscreen
1 / 54

RiMBAC - PowerPoint PPT Presentation


  • 91 Views
  • Uploaded on

RiMBAC. Michael Frangos Supervised by: Dr William Scott and Dr Paul Montague. Risk Management Based Access Control. Overview. Background & Motivation Risk Risk Management Access Control Multi Level Security Research questions & strategy Research Achievements The RiMBAC Model

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'RiMBAC' - yamal


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
rimbac

RiMBAC

Michael FrangosSupervised by: Dr William Scott and

Dr Paul Montague

Risk Management Based Access Control

overview
Overview
  • Background & Motivation
    • Risk
    • Risk Management
    • Access Control
    • Multi Level Security
  • Research questions & strategy
  • Research Achievements
    • The RiMBAC Model
    • Comparison of RiMBAC and MLS
slide3
Risk
  • What is Risk?
    • “The expected impact on objectives due to one or more future events”
    • Likelihood X Consequence
    • Can be associated with negative or positive outcomes.
risk management
Risk Management
  • A key business process.
    • Standardized in AS/NZS 4360:2004.
access control
Access Control
  • What is Access Control?
    • The process of mediating requests to resources and data maintained by a system and determining whether the request should be granted or denied.
  • Access Control Models
    • Discretionary
    • Mandatory
    • Role-based
multi level security mls
Multi Level Security (MLS)
  • What is MLS?
    • A form of mandatory access control.
  • MLS Classifications
what s wrong with mls
What’s wrong with MLS?
  • Risk involved in each access is determined statically.
    • Clearances and classifications rarely reviewed.
    • Sensitivity of information will vary with time and context.
    • Trustworthiness of individuals varies with time and context.
  • Risk estimates are binary entities.
    • Risk is either zero or worst case consequence.
  • Total organizational risk for information sharing is unknown.
    • Risk can’t be capped.
  • No provision to deal with emergencies.
research questions
Research Questions
  • How can an access control model based on risk management be developed for organizations that currently employ MLS?
  • How effective would such an access control model be when compared to traditional MLS?
research strategy
Research Strategy
  • Phase 1 – Access Control Model Design
  • Phase 2 – Agent-based Modelling
the rimbac model
The RiMBAC Model
  • Design Principles
the rimbac model1
The RiMBAC Model

Organizational Context:

the rimbac model2
The RiMBAC Model

Key Concepts and definitions:

Subject – An individual or computer process acting on behalf of an individual

Object – An information resource.

Compromise – Any event in which a subject who is not authorized by the access control system gains access to an object.

Harm – Negative impact on organizational goals (due compromise of an object).

Benefit – Positive impact on organizational goals (due to completion of a task).

RiM – a unit of harm or benefit.

rimbac overview

Establish the Context

Identify Risk

Analyze Risk

Evaluate Risk

Treat Risk

RiMBAC Overview

Organizational Goals established

Risk Tolerance Levels established

Goals

Goals

Information Sharing Risks defined

Information Sharing Benefits defined

Risk Thresholds

Risks

Benefits

Transactional Risk Calculated

Maximum Transactional Benefit Calculated

Monitor and Review

RiMBAC Monitor and Review

Level of Benefit

Level of Risk

Access Control Decision Made

AC Policy

AC Decision

Access Control Decision Enforced

RiMBAC

AC Result

Organization

the rimbac model3
The RiMBAC Model
  • Establish the context:
    • Establish organizational goals.
      • i.e. “to make profit”, “to preserve national security”
    • Set Risk Tolerance Levels for information sharing.
      • i.e. $5M per annum.

(specified in RiMs)

Establish the Context

Identify Risk

Analyze Risk

Monitor and Review

Evaluate Risk

Treat Risk

the rimbac model4
The RiMBAC Model

2. Identify Risk:

  • Identify information sharing risks:
    • Transactional risk – the risk involved each time a subject accesses an object.
  • Identify information sharing benefits:
    • Transactional benefit – the benefit involved each time a subject accesses an object.

Establish the Context

Identify Risk

Analyze Risk

Monitor and Review

Evaluate Risk

Treat Risk

the rimbac model5
The RiMBAC Model
  • Analyze Risk:
    • Calculate Transactional Risk.
    • Calculate Transactional Benefit

Establish the Context

Identify Risk

Analyze Risk

Monitor and Review

Evaluate Risk

Treat Risk

the rimbac model6
The RiMBAC Model

Calculate Transactional Risk:

Object Risk (ROBJ) - Expected harm associated with an object.

Likelihood of harm x Consequence of harm

Consequence of harm:

RiMBAC Object

i.e.

Potential Harm Function

Information Categories

the rimbac model7
The RiMBAC Model

Likelihood of Harm:

Assume that harm will always result from compromise of an object.

i.e. PC = PHARM

Object

TTI1

HTIm

TTI2

HTI2

TTIn

HTI1

the rimbac model8
The RiMBAC Model

Object

PTC= 1-TTI

PHC= 1-HTI

TTI1

HTIm

TTI2

HTI2

TTIn

HTI1

PC = PTC1 U PTC2 … U PTCn U PHC1 U PHC2 … U PHCm

the rimbac model9
The RiMBAC Model
  • Calculate Transactional Risk:
  • Object Risk (ROBJ)
  • Expected harm associated with an object.
  • Organizational Risk (RORG)
  • Sum of object risk for all objects in the organization.
the rimbac model10
The RiMBAC Model
  • Calculate Transactional Risk:
  • Transactional Risk (RTRANS)
  • Expected harm involved in a subject accessing an object
the rimbac model11
The RiMBAC Model

Cumulative Transactional Risk:

TRB

Object 1

Object 1

Object 1

Object 1

Object 1

Object 1

Object 1

Object 1

Time

Object 1

Object 1

Object 1

Object 1

Object 1

Object

Bob

the rimbac model12
The RiMBAC Model

Cumulative Transactional Risk:

Organization

TRB

Task A

Task B

Task C

Time

Bob

Sue

the rimbac model13
The RiMBAC Model

Cumulative Transactional Risk:

TRA

Organization

TRB

Task A

Task B

Task C

Time

Bob

Sue

the rimbac model14
The RiMBAC Model
  • Analyze Risk:
    • Calculate Transactional Risk.
    • Calculate Transactional Benefit

Establish the Context

Identify Risk

Analyze Risk

Monitor and Review

Evaluate Risk

Treat Risk

the rimbac model15
The RiMBAC Model

Calculate Transactional Benefit:

Maximum Transactional Benefit (MBTrans)

The potential benefit involved each time a subject accesses an object.

RiMBAC Object

Potential Harm Function

Information Categories

the rimbac model16
The RiMBAC Model

Calculate Transactional Benefit:

{1,2,3,4}

{1,2,5,6}

Task A

Task B

Task C

{1,2,3,4,5,6}

Bob

the rimbac model17
The RiMBAC Model

Calculate Transactional Benefit:

TBV=50 RiMs

TBV=100 RiMs

{1,2,3,4}

{1,2,5,6}

Task A

Task B

Task C

TIF=0.5

TIF=0.2

Object

Cat {1, 44, 32}

{1,2,3,4,5,6}

Bob

the rimbac model18
The RiMBAC Model

Calculate Transactional Benefit:

TBV=50 RiMs

TBV=100 RiMs

{1,2,3,4}

{1,2,5,6}

Task A

Task B

Task C

TIF=0.5

TIF=0.2

Object

Cat {1, 44, 32}

{1,2,3,4,5,6}

Bob

MBTRANS = 50 x 0.2 + 100 x 0.5

= 60 RiMs

the rimbac model19
The RiMBAC Model

Break Glass Provision

What happens in an emergency?

No time to create a task etc.

Override Capability.

Known benefit specified.

Acceptance of risk signed by higher authority.

Risk is accounted for.

Risk tolerance thresholds can still apply

Help!!!

30

the rimbac model20
The RiMBAC Model
  • Analyze Risk:
    • Calculate Transactional Risk.
    • Calculate Transactional Benefit

Establish the Context

Identify Risk

Analyze Risk

Monitor and Review

Evaluate Risk

Treat Risk

the rimbac model21
The RiMBAC Model
  • Evaluate and Treat Risk:

Apply Access Control Policy to make access control decision:

Policy Examples

Allow all transactions where MBTRANS > RTRANS and TRATASK not exceeded.

Allow all transactions where MBTRANS > 5xRTRANS and TRASUBJ not exceeded.

Establish the Context

Identify Risk

Analyze Risk

Monitor and Review

Evaluate Risk

Treat Risk

the rimbac model22
The RiMBAC Model
  • Monitor and Review:
  • Monitor every access
    • Audit logs
  • Monitor information leakage
    • Update TTI and HTI parameters.
  • Regularly review:
    • organizational goals
    • risk tolerance thresholds
    • access control policy.
    • TBVs, TIFs

Establish the Context

Identify Risk

Analyze Risk

Monitor and Review

Evaluate Risk

Treat Risk

technological requirements
Technological Requirements
  • Direct Access:
    • HTI for subject, TTI for storage and transfer technology.
    • Tasks, TBVs and information category sets.
    • TIFs for each subject.
  • Indirect Access:
    • Portable credential exchange devices.
  • RiMBAC Objects:
    • Metadata containing information categories, potential harm function.
    • Ontology for describing contextual factors.
technological requirements1
Technological Requirements
  • Information Leakage Monitoring
      • Mechanisms (i.e. object tracking, label management, audit logs)
  • Transition from MLS to RiMBAC
    • 3 phase transition plan:

(Still being finalized)

comparing rimbac with mls
Comparing RiMBAC with MLS

Agent-based modelling

  • Model a system from the bottom up.
    • Agents are a collection of autonomous decision-making entities.
  • Shown to be effective at modeling human systems such as organizations. (Prietula et al. (1998))
    • Provides a natural description of the system
    • Flexible
    • Captures emergent phenomena (i.e. Organizational behaviour)
  • Repast (Recursive Porous Agent Simulation Toolkit)
    • Open source, Java-based, good documentation.
comparing rimbac with mls1
Comparing RiMBAC with MLS

Information

Store

ORGANIZATION

REPAST SIMULATION

External Agents

comparing rimbac with mls2
Comparing RiMBAC with MLS

Measurands

For each access control model:

  • How many resources are compromised?
  • How much harm is caused due to compromise?
  • How many beneficial resources do employees get hold of?
comparing rimbac with mls3
Comparing RiMBAC with MLS

Employee Agents

Attributes

comparing rimbac with mls4
Comparing RiMBAC with MLS

Employee Agents

Desire

  • When being trustworthy:
    • Obtain any information resources required to complete assigned tasks.
    • Share information resources with any employees approved by security policy.
  • When being untrustworthy:
    • Obtain any resources not required to complete assigned tasks.
    • Share information resources with anyone.
comparing rimbac with mls5
Comparing RiMBAC with MLS

Employee Agents

Decisions

  • Decide what type of resource to ask for next based on trustworthiness and required information categories.
  • Decide when to ask for information based on information appetite.
  • Decide who to ask for information:
    • When being trustworthy, ask an employee who is believed to have such information (based on the tasks they are working on).
    • When being untrustworthy, ask an employee who is known to thwart policy (based on prior dealings)
  • Decide whether to hand over a resource to another individual based on access control decision and trustworthiness.
comparing rimbac with mls6
Comparing RiMBAC with MLS

External Agents

Attributes

comparing rimbac with mls7
Comparing RiMBAC with MLS

External Agents

Desire

  • Obtain any possible information resources from within the organization.
comparing rimbac with mls8
Comparing RiMBAC with MLS

External Agents

Decisions

  • Decide what type (subject and classification of resource to ask for:
    • Choose a resource type at random.
  • Decide when to ask for information
    • based on information appetite.
  • Decide who to ask for information:
    • Initially target random employees.
    • Later target mostly those employees known to thwart policy (based on previous experience).
comparing rimbac with mls9
Comparing RiMBAC with MLS

Simulation Parameters

  • 20 Employees
    • Even distribution of MLS clearances
    • RiMBAC HTI derived from MLS clearance.
  • 2 External Agents
comparing rimbac with mls10
Comparing RiMBAC with MLS

Simulation Parameters

  • 10,000 Information Resources
  • RiMBAC Harm Value of Resources:
comparing rimbac with mls11
Comparing RiMBAC with MLS

Sample Results: Beneficial Resources Obtained

Initialization

Period

Real Simulation

comparing rimbac with mls12
Comparing RiMBAC with MLS

Sample Results: Information Leakage

comparing rimbac with mls13
Comparing RiMBAC with MLS

Sample Results: Estimated Harm

comparing rimbac with mls14
Comparing RiMBAC with MLS

Sample Results: Information Leakage

Organizational Risk Allowance applied (75 RiMs per annum)

comparing rimbac with mls15
Comparing RiMBAC with MLS

Sample Results: Estimated Harm

Organizational Risk Allowance applied (75 RiMs per annum)

summary of achievements
Summary of Achievements
  • Existing Access Control Models incorporating risk reviewed.
  • Risk Management Based Access Control (RiMBAC) Model Developed.
  • Agent Based Model developed to assess RiMBAC with MLS.
future work
Future Work
  • Refine RiMBAC model
    • Trust models (TTI, HTI) developed.
    • Incentive for low risk, high benefit transactions.
  • More complex Agent Based Model.
    • Dynamic harm value for objects included.
    • More complex agent characteristics and behaviour
      • Trust, friendships, annoyance, manipulation techniques etc.
    • Simulate larger organization.
    • Use of “Knowledge Pieces” to quantify benefit.
questions
Questions?

Thanks for your attention!