Data and Applications Security Developments and Directions

Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Policies September 7, 2012

Outline of the Unit
- Need to Know to Need to Share
- RBAC
- UCON
- RBUC
- ABAC
- Dissemination
- Risk based access control
- Trust Management / Credentials / Disclosure
- Directions
- Major conferences for Policy and Access Control: IEEE Policy Workshop, ACM SACMAT

Need to Know to Need to Share
- Need-to-know policies date from the Cold War: even if the user has access, does the user have a need to know?
- Post 9/11 the emphasis is on need to share: the user may not have access, but needs the data
- Do we give the data to the user and then analyze the consequences?
- Do we analyze the consequences first and then determine the actions to take?
- Do we simply not give the data to the user?
- What are the risks involved?

RBAC
- Access to information sources including structured and unstructured data, both within the organization and external to it
- Access based on roles
- Hierarchy of roles: handling conflicts
- Controlled dissemination and sharing of the data

RBAC (Sandhu)

UCON
- The RBAC model is incorporated into UCON and is useful for various applications
- Authorization component
- Obligations: actions required to be performed before an access is permitted; obligations can be used to determine whether an expensive knowledge search is required
- Attribute mutability: used to control the scope of the knowledge search
- Conditions: can be used to relax or tighten resource usage policies

UCON (Sandhu)

Role-based Usage Control (RBUC)
- RBAC with a UCON extension
- RBUC integrates RBAC and UCON to provide flexible access control for coalition environments: it keeps the flexibility of RBAC and adds the UCON features of usage control, continuity of decisions and mutability of attributes

RBUC in a Coalition Environment
- Coalition partners may be trustworthy, semi-trustworthy or untrustworthy, so users (e.g., professors) from different infospheres can be assigned different roles: professor role, trustworthy professor role, semi-trustworthy professor role, untrustworthy professor role
- Usage control on data is enforced by setting object attributes per role during permission-role assignment, e.g. professor role: 4 times a day; trustworthy professor role: 3 times a day; semi-trustworthy professor role: 2 times a day; untrustworthy professor role: 1 time a day
- This use case shows how to enforce usage/usage-rate control on data based on the partners' trustworthiness: the four "professor" roles have different usage rights on the same documents (student records)
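The usage-rate use case above, worked through as an added example (this is not code from the slides or from any RBUC implementation): a small reference monitor that enforces the per-role daily limit and keeps the usage count as a UCON mutable attribute, updated as part of the pre-authorization decision. The role names and limits come from the slide; the Subject class, the in-memory counter and the method names are assumptions made for illustration.

```python
"""Added example (not the deck's own code): RBUC usage-rate enforcement
for the coalition use case. Role names and daily limits are from the slide;
the Subject class, in-memory counter and method names are assumptions."""
from dataclasses import dataclass, field
from datetime import date


# Permission-role assignment: per-role daily usage limit on the same object.
DAILY_LIMIT = {
    "professor": 4,
    "trustworthy_professor": 3,
    "semi_trustworthy_professor": 2,
    "untrustworthy_professor": 1,
}


@dataclass
class Subject:
    name: str
    role: str
    # UCON mutable attribute: (object, day) -> number of accesses so far.
    usage: dict = field(default_factory=dict)


class RBUCMonitor:
    """Reference monitor: pre-authorization with attribute update."""

    def __init__(self, today=None):
        self.today = today or date.today()

    def pre_authorize(self, subject, obj):
        """Return (decision, reason). On permit the usage counter is updated
        as part of the decision (UCON pre-update of a mutable attribute)."""
        limit = DAILY_LIMIT.get(subject.role)
        if limit is None:
            return False, "role %s has no permission on %s" % (subject.role, obj)
        key = (obj, self.today)
        used = subject.usage.get(key, 0)
        if used >= limit:
            return False, "daily limit %d reached for role %s" % (limit, subject.role)
        subject.usage[key] = used + 1
        return True, "%d/%d uses today" % (used + 1, limit)

    def ongoing_check(self, subject, obj):
        """Continuity of decision: an access in progress stays allowed only
        while today's consumed usage is within the limit of the subject's
        current role, so downgrading a partner's trust (and hence the role)
        revokes it."""
        limit = DAILY_LIMIT.get(subject.role, 0)
        return subject.usage.get((obj, self.today), 0) <= limit


def run_accesses(monitor, subject, obj, attempts):
    """Attempt `attempts` accesses; return the list of permit/deny decisions."""
    return [monitor.pre_authorize(subject, obj)[0] for _ in range(attempts)]


if __name__ == "__main__":
    m = RBUCMonitor()
    for role in DAILY_LIMIT:
        s = Subject("prof_" + role, role)
        print(role, run_accesses(m, s, "student_record", 5))
```

Running it prints five attempts per role; the fifth professor attempt and the second untrustworthy-professor attempt are denied. Note that the counter lives on the subject and is keyed by day, so the limit cannot be evaded by re-requesting under a different session.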

Release and Dissemination Policies
- Release policies determine to whom to release the data
- What is the connection to access control? Is access control sufficient?
- Once the data is retrieved from the information source (e.g., a database), should it be released to the user?
- Once the data is released, dissemination policies determine who the data can be given to next (e.g., electronic music)

ABAC: Attribute-based Access Control

Risk Based Data Sharing/Access Control
- What are the risks involved in releasing/disseminating the data?
- Risk modeling should be integrated with the access control model
- Simple method: assign risk values; the higher the risk, the lower the sharing
- What is the cost of releasing the data? Cost, risk and security are closely related

Trust Management
- Trust services: identity services, authorization services, reputation services
- Trust negotiation (TN): digital credentials, disclosure policies
- TN requirements
  - Language requirements: semantics, constraints, policies
  - System requirements: credential ownership, validity, alternative negotiation strategies, privacy
- Example TN systems: KeyNote, Trust-X (University of Milan), TrustBuilder (UIUC)

Trust Management

The problem: establishing trust in open systems
- Interactions between strangers
  - In conventional systems the user identity is known in advance and can be used for performing access control
  - In open systems participants may have no pre-existing relationship and may not share a common security domain
- Mutual authentication
  - The assumption of the counterpart's honesty no longer holds
  - Both participants need to authenticate each other
The Internet, being a standard way to communicate, has become a standard way to exchange information and perform electronic transactions from anywhere in the world. Purchasing products and services online is becoming a way of life for millions of people and businesses. The information exchanged between parties on the Internet is in most cases sensitive and must be protected. The communicating parties are most often strangers: they do not share the same security domain and will not have a local login. Traditional security approaches require a stranger to pre-register in order to establish trust, but that is not good enough: the client usually has no proof of the server's identity, and the server cannot really trust that you are who you said you were on the registration form, so the paradox between strangers continues.

Trust Negotiation model
- A promising approach for open systems where most of the interactions occur between strangers
- The goal: establish trust between parties in order to exchange sensitive information and services
- The approach: establish trust by verifying properties of the other party
Trust negotiation constitutes a new approach to building authorization systems between parties unknown to each other.

Trust negotiation: the approach
- Interactions between strangers in open systems differ from those assumed by traditional access control models
- Policies and mechanisms developed for conventional systems need to be revised
- Access control policies vs. disclosure policies
- User IDs vs. subject properties

Subject properties: digital credentials
- An assertion about the credential owner, issued and certified by a Certification Authority (CA)
- Each entity has an associated set of credentials describing properties and attributes of the owner

Use of Credentials
Diagram (referenced from http://www.credentica.com/technology/overview.pdf): a credential issuer certifies Julie's attributes (3 kids, married, American). Julie discloses only her marital status to Company B, which wants to know marital status, and only her citizenship to Company A, which wants to know citizenship; each company checks the issuer's certification on the disclosed attribute alone.

Credentials
- Credentials can be expressed in the Security Assertion Markup Language (SAML)
- SAML allows a party to express security statements about a given subject: authentication statements, attribute statements, authorization decision statements

Disclosure policies
- Disclosure policies govern access to protected resources, access to sensitive information, and disclosure of sensitive credentials
- Disclosure policies express trust requirements by means of credential combinations that must be disclosed to obtain authorization
Access control policies work well in closed systems with a known set of subjects and static objects. The target of this research is an open environment where subjects are characterized by their roles or other attributes; policies must express trust requirements by means of credentials proving properties of the counterpart.

Disclosure policies - Example
- Suppose NBG Bank offers loans to students
- To check the eligibility of the requester, the bank asks the student to present the following credentials: the student card, the ID card, the Social Security card, and financial information (either a copy of the Federal Income Tax Return or a bank statement)

Disclosure policies - Example
Each policy is written as (precondition set, Resource ← required credential):
  p1 = ({}, Student_Loan ← Student_Card());
  p2 = ({p1}, Student_Loan ← Social_Security_Card());
  p3 = ({p2}, Student_Loan ← Federal_Income_Tax_Return());
  p4 = ({p2}, Student_Loan ← Bank_Statement());
  p5 = ({p3, p4}, Student_Loan ← DELIV);
Since p5 is unlocked by either p3 or p4 (tax return or bank statement), these policies result in two distinct "policy chains" that lead to disclosure: [p1, p2, p3, p5] and [p1, p2, p4, p5].
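The NBG Bank policies p1..p5 above, as an added example that is not part of the slides or of Trust-X: the policies are encoded as (precondition set, required credential) for the Student_Loan resource, the policy chains are derived from the precondition graph, and a requester's credential set is checked against each chain. The encoding, the reading of a precondition set as alternatives (any one member satisfied unlocks the policy, which is what yields the two chains on the slide) and the function names are this example's own.

```python
"""Added example (not from the slides): NBG Bank disclosure policies p1..p5,
policy-chain enumeration from preconditions, and a check of which chain a
requester's credentials satisfy. DELIV marks delivery of the resource."""

# policy id -> (precondition set, credential the policy asks for)
POLICIES = {
    "p1": (set(), "Student_Card"),
    "p2": ({"p1"}, "Social_Security_Card"),
    "p3": ({"p2"}, "Federal_Income_Tax_Return"),
    "p4": ({"p2"}, "Bank_Statement"),
    "p5": ({"p3", "p4"}, "DELIV"),
}


def policy_chains(policies, target="p5"):
    """Enumerate every chain [first policy, ..., target] by walking the
    preconditions backwards. A precondition set is read as alternatives:
    satisfying any one member unlocks the policy (p5 via p3 or p4), which is
    what produces two chains here. A cyclic precondition graph is rejected."""
    chains = []

    def walk(pid, suffix, seen):
        if pid in seen:
            raise ValueError("cycle through policy %s" % pid)
        pre = policies[pid][0]
        if not pre:
            chains.append([pid] + suffix)
            return
        for p in sorted(pre):
            walk(p, [pid] + suffix, seen | {pid})

    walk(target, [], frozenset())
    return chains


def credentials_for(chain, policies):
    """Credentials the requester must disclose to walk this chain."""
    return [policies[p][1] for p in chain if policies[p][1] != "DELIV"]


def satisfiable_chains(policies, held, target="p5"):
    """Chains whose every required credential is in the requester's set."""
    return [c for c in policy_chains(policies, target)
            if set(credentials_for(c, policies)) <= set(held)]


def missing_credentials(policies, held, target="p5"):
    """Per chain, what the requester still lacks (empty list = chain open)."""
    return {tuple(c): [x for x in credentials_for(c, policies) if x not in held]
            for c in policy_chains(policies, target)}


if __name__ == "__main__":
    print(policy_chains(POLICIES))
    student = {"Student_Card", "Social_Security_Card", "Bank_Statement"}
    print(satisfiable_chains(POLICIES, student))
    print(missing_credentials(POLICIES, {"Student_Card"}))
```

A student holding a student card, a Social Security card and a bank statement satisfies only the second chain; the first chain reports the tax return as missing. The cycle check matters in practice because a policy base with mutually dependent preconditions would otherwise make the walk recurse forever.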

Trust Negotiation - definition
The gradual disclosure of credentials and requests for credentials between two strangers, with the goal of establishing sufficient trust so that the parties can exchange sensitive information and/or resources.
The TN model constitutes a new approach to building authorization systems between parties unknown to each other, through the exchange of credentials that describe attributes of interest of the participants.

Trust-X system: Joint Research with University of Milan
A comprehensive XML-based framework for trust negotiations:
- Trust negotiation language (X-TNL)
- System architecture
- Algorithms and strategies to carry out the negotiation process
Trust-X aims at providing a comprehensive infrastructure for trust negotiation, composed of a complete and expressive syntax formalized in the most widely used representation language (XML) and supported by an efficient and modular engine.

Trust-X language: X-TNL
- Able to handle multiple and heterogeneous certificate specifications: credentials and declarations
- Able to help the user in customizing the management of his/her own certificates: the X-Profile data set
- Able to define a wide range of protection requirements by means of disclosure policies
First, the protection of Web data and their security-related information is uniform, in that credentials and policies are XML documents and thus can be protected using the same mechanisms developed for the protection of conventional XML documents. Furthermore, the use of an XML formalism for specifying credentials facilitates credential submission and distribution, as well as their analysis and verification by use of a standard query language such as XQuery.

X-TNL: Credential type system
- X-TNL simplifies the task of credential specification by using a set of templates called credential types
- Uniqueness is ensured by use of XML Namespaces
- Credential types are defined using a Document Type Definition, e.g.:

  <!DOCTYPE library_badge [
    <!ELEMENT library_badge (name, address, phone_number*, email?, release_date, profession, Issuer)>
    <!ELEMENT name (fname, lname)>
    <!ELEMENT address (#PCDATA)>
    <!ELEMENT phone_number (#PCDATA)>
    <!ELEMENT email (#PCDATA)>
    <!ELEMENT release_date (#PCDATA)>
    <!ELEMENT profession (#PCDATA)>
    <!ELEMENT fname (#PCDATA)>
    <!ELEMENT lname (#PCDATA)>
    <!ELEMENT Issuer ANY>
    <!ATTLIST Issuer XML:LINK CDATA #FIXED "SIMPLE" HREF CDATA #REQUIRED TITLE CDATA #IMPLIED>
    <!ATTLIST library_badge CredID ID #REQUIRED>
    <!ATTLIST library_badge SENS CDATA #REQUIRED>
  ]>

- Each credential is digitally signed according to the W3C standard for digital signatures (XML Signature)
- The use of credential types helps in managing a common ontology, so that trust negotiation software can reference standard credential schemas
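A checker for the library_badge credential type above, as an added example that is not part of the slides or of Trust-X: it verifies that an XML credential instance matches the DTD's sequence content model and required attributes, and reads the SENS attribute that marks how sensitive the credential is. It is written against the Python standard library because xml.etree parses but does not validate DTDs; the content model is transcribed from the DTD, and the two sample credentials are constructed here.

```python
"""Added example (not from the slides): conformance check of an XML
credential instance against the library_badge credential type. The content
model is transcribed from the DTD; sample instances are constructed."""
import xml.etree.ElementTree as ET

# Sequence content model of <library_badge>: (child tag, min, max or None)
LIBRARY_BADGE = [
    ("name", 1, 1), ("address", 1, 1), ("phone_number", 0, None),
    ("email", 0, 1), ("release_date", 1, 1), ("profession", 1, 1),
    ("Issuer", 1, 1),
]
REQUIRED_ATTRS = ("CredID", "SENS")


def check_credential(xml_text):
    """Return the list of violations; an empty list means the instance
    matches the library_badge credential type."""
    root = ET.fromstring(xml_text)
    if root.tag != "library_badge":
        return ["root element is <%s>, expected <library_badge>" % root.tag]
    errors = ["%s attribute is #REQUIRED but missing" % a
              for a in REQUIRED_ATTRS if a not in root.attrib]
    tags = [child.tag for child in root]
    i = 0
    for tag, lo, hi in LIBRARY_BADGE:  # consume children in DTD order
        n = 0
        while i < len(tags) and tags[i] == tag and (hi is None or n < hi):
            n += 1
            i += 1
        if n < lo:
            found = "<%s>" % tags[i] if i < len(tags) else "end of element"
            errors.append("expected <%s> at position %d, found %s" % (tag, i, found))
    if i < len(tags):
        errors.append("unexpected trailing element <%s>" % tags[i])
    name = root.find("name")
    if name is not None and [c.tag for c in name] != ["fname", "lname"]:
        errors.append("<name> must be exactly (fname, lname)")
    issuer = root.find("Issuer")
    if issuer is not None and "HREF" not in issuer.attrib:
        errors.append("Issuer HREF attribute is #REQUIRED but missing")
    return errors


def sensitivity(xml_text):
    """SENS attribute of the credential, which an X-Profile can use to decide
    whether a disclosure policy must be satisfied before releasing it."""
    return ET.fromstring(xml_text).attrib.get("SENS")


# Constructed sample instances. The #FIXED XML:LINK attribute of Issuer is
# omitted, as fixed attributes may be in an instance.
VALID = """<library_badge CredID="cred042" SENS="high">
  <name><fname>Julie</fname><lname>Rossi</lname></name>
  <address>Via Celoria 18, Milano</address>
  <phone_number>+39 02 0000 0000</phone_number>
  <email>julie@example.org</email>
  <release_date>2012-09-07</release_date>
  <profession>professor</profession>
  <Issuer HREF="https://library.example.org/ca">City Library</Issuer>
</library_badge>"""

INVALID = """<library_badge CredID="cred043">
  <name><fname>Julie</fname></name>
  <address>Via Celoria 18, Milano</address>
  <release_date>2012-09-07</release_date>
  <profession>professor</profession>
  <Issuer>City Library</Issuer>
</library_badge>"""

if __name__ == "__main__":
    print("valid:", check_credential(VALID))
    print("invalid:", check_credential(INVALID))
```

The invalid instance fails on three counts: no SENS attribute, a name without lname, and an Issuer without HREF. A negotiation engine would run a check like this before the signature check, so that a malformed credential is rejected before any policy evaluation is spent on it.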

Trust-X negotiation phases - basic model
1. Introduction: send a request for a resource/service; introductory policy exchanges
2. Policy evaluation phase: disclosure policy exchange; evaluation of the exchanged policies in order to determine secure solutions for both parties
3. Certificate exchange phase: exchange of the sequence of certificates determined at step 2
The negotiation is organised in three distinct phases; this multilevel protection mechanism avoids releasing information, policies or credentials that are unwanted or unnecessary.

Trust-X Architecture
Trust-X has been specifically designed for a peer-to-peer environment: each party is equipped with the same functional modules and can thus act alternately as requester or resource controller in different negotiations. Both negotiating parties are equally responsible for negotiation management and can both drive the negotiation process, by selecting the strategy that best fits their needs.

How a policy is processed
- Compliance checker: upon receiving a disclosure policy, the compliance checker determines whether it can be satisfied by any certificate in the local X-Profile. The module then checks in the policy base the protection needs associated with those certificates, if any. If a set of credentials and associated policies is found, a counterpolicy is sent in reply.
- Tree manager: the state of the negotiation is updated in any case by the tree manager, which records whether new policies and credentials have been involved or not.
- Inputs and outputs: disclosure policies (received), policy base and X-Profile (local), policy reply (sent).
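The three negotiation phases and the compliance-checker step from the two slides above, simulated as an added example (not Trust-X's own engine or strategy): each party holds an X-Profile-like map from credential to the set of counterpart credentials its own disclosure policy requires first (an empty set means the credential is disclosed freely). Demanded credentials go through the receiver's compliance checker, protection needs become counterpolicies, and the certificate exchange releases each credential only after its policy is met. Party names, credentials and policies are constructed for the example.

```python
"""Added example (not Trust-X code): toy simulation of introduction, policy
evaluation with compliance checking and counterpolicies, and certificate
exchange. Parties, credentials and policies are constructed."""


class Party:
    def __init__(self, name, profile):
        self.name = name
        # credential -> set of counterpart credentials required before disclosure
        self.profile = profile


def negotiate(requester, controller, resource_policy):
    """Negotiate a resource whose disclosure policy `resource_policy` lists the
    credentials the controller demands from the requester. Returns the
    certificate exchange sequence ending in DELIV, or None if a policy cannot
    be complied with or the disclosure policies deadlock."""
    parties = {requester.name: requester, controller.name: controller}
    other = {requester.name: controller.name, controller.name: requester.name}

    # Phase 1, introduction: the request is answered with the resource policy.
    demanded = {requester.name: set(resource_policy), controller.name: set()}

    # Phase 2, policy evaluation: each demanded credential goes through the
    # owner's compliance checker; the protection needs of the matching
    # credential become a counterpolicy demanded from the other party.
    work = [(requester.name, c) for c in sorted(demanded[requester.name])]
    while work:
        owner, cred = work.pop()
        if cred not in parties[owner].profile:
            return None  # compliance check failed: no such certificate locally
        for needed in parties[owner].profile[cred]:
            if needed not in demanded[other[owner]]:
                demanded[other[owner]].add(needed)
                work.append((other[owner], needed))

    # Phase 3, certificate exchange: release a credential only once the
    # credentials its own policy requires have been received from the peer.
    received = {requester.name: set(), controller.name: set()}
    pending = {n: set(s) for n, s in demanded.items()}
    sequence = []
    while pending[requester.name] or pending[controller.name]:
        progressed = False
        for owner in (requester.name, controller.name):
            for cred in sorted(pending[owner]):
                if parties[owner].profile[cred] <= received[owner]:
                    pending[owner].remove(cred)
                    received[other[owner]].add(cred)
                    sequence.append((owner, cred))
                    progressed = True
                    break
        if not progressed:
            return None  # mutually dependent disclosure policies: deadlock
    sequence.append((controller.name, "DELIV"))
    return sequence


if __name__ == "__main__":
    alice = Party("Alice", {"Student_Card": set(),
                            "Social_Security_Card": {"Bank_License"}})
    bank = Party("NBG", {"Bank_License": set()})
    print(negotiate(alice, bank, {"Student_Card", "Social_Security_Card"}))
```

In the sample run Alice releases her student card freely, but her Social Security card only after the bank has shown its licence, so the exchange is Student_Card, Bank_License, Social_Security_Card, DELIV. If the bank in turn protected its licence behind the Social Security card, neither side could move first and the negotiation fails rather than leaking either credential.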

Directions
- Policies are of much interest to many organizations and applications: financial, medical, retail, manufacturing, etc.
- Roles and responsibilities
- Flexible policies: RBAC, UCON, RBUC, trust negotiation, dissemination policies
- Need to Know to Need to Share
- IEEE POLICY and ACM SACMAT