Illinois Security Lab: Using Attribute-Based Access Control to Enable Attribute-Based Messaging. Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter.

Illinois Security Lab
Using Attribute-Based Access Control to Enable Attribute-Based Messaging
Rakesh Bobba, Omid Fatemieh, Fariba Khan, Carl A. Gunter and Himanshu Khurana
University of Illinois at Urbana-Champaign

Illinois Security Lab, ACSAC 2006

Introduction to ABM
Attribute-Based Messaging (ABM): targeting messages based on attributes rather than named recipients.
Example address: To: faculty going on sabbatical

Introduction to ABM: Examples
– Address all faculty going on sabbatical next term
– Notify all female CS graduate students who passed qualifying exams of a scholarship opportunity

Why ABM?
Attribute-based systems have desirable properties:
– flexibility, privacy and intuitiveness
Attribute-Based Messaging (ABM) brings these advantages to messaging:
– enhances confidentiality by supporting targeted messaging via dynamic and transient groups (the recipient set is computed from current attribute values at send time, so no standing list has to be created, published or maintained)
– enhances the relevance of messages by reducing unwanted messages

Challenges
Access control
– access to such a system must be carefully controlled: an unrestricted sender could spam the whole enterprise, and the ability to target (or probe) attributes reveals information about recipients, so the privacy of attributes is at stake
Deployability
– the system should be compatible with existing infrastructure
Efficiency
– the system should have performance comparable to regular (non-ABM) email

Enterprise Architecture
(Architecture diagram: a sender addresses a message "To: Managers"; the ABM Server consults the Attribute DB and a Policy Decision point and hands the resolved message to the MTA.)
Ensuing issues:
– ABM address format and client interface
– access control: policy specification and enforcement
– attribute database creation and maintenance

Enterprise Architecture cont.
Attribute database
– all enterprises have attribute data about their users
– the data is spread over multiple, possibly disparate databases
– assume this attribute data is available to the ABM system through an "information fabric" or "data services layer"
ABM address format
– logical expressions over attribute-value pairs
– in disjunctive normal form (an OR of ANDs of attribute=value literals)
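As an added example (not code from the paper or from the Illinois Security Lab), the following Python parses an ABM address written in disjunctive normal form and resolves it against a small constructed attribute table standing in for the enterprise attribute database. The textual syntax (attr=value literals joined by AND inside a conjunct, conjuncts joined by OR), the attribute names and the sample users are all assumptions; the slides only specify that an address is a logical expression over attribute-value pairs in DNF. The parser accepts nothing but well-formed literals, which matters because the address is what drives the lookup against the enterprise attribute data.

```python
# Added example, not the paper's code. Assumed address syntax:
#   conjuncts joined by " OR ", literals inside a conjunct joined by " AND ",
#   each literal written attr=value.
import re
from typing import Dict, List, Set, Tuple

Literal = Tuple[str, str]       # (attribute, value)
Conjunct = List[Literal]

# Attribute names and values are restricted to a safe character class so the
# resolver never sees free-form text from the sender.
LITERAL_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=([A-Za-z0-9_.-]+)$")


def parse_abm_address(address: str) -> List[Conjunct]:
    """Parse 'a=1 AND b=2 OR c=3' into [[('a','1'), ('b','2')], [('c','3')]].
    Raises ValueError for anything that is not a well-formed DNF expression."""
    if not address.strip():
        raise ValueError("empty ABM address")
    dnf: List[Conjunct] = []
    for term in address.split(" OR "):
        conjunct: Conjunct = []
        for literal in term.split(" AND "):
            m = LITERAL_RE.match(literal.strip())
            if not m:
                raise ValueError(f"malformed attribute literal: {literal!r}")
            conjunct.append((m.group(1), m.group(2)))
        dnf.append(conjunct)
    return dnf


# Constructed sample data standing in for the enterprise "information fabric".
ATTRIBUTE_DB: Dict[str, Dict[str, str]] = {
    "alice@example.edu": {"role": "faculty", "dept": "cs", "sabbatical": "fall"},
    "bob@example.edu":   {"role": "faculty", "dept": "ece", "sabbatical": "none"},
    "carol@example.edu": {"role": "grad", "dept": "cs", "gender": "f", "quals": "passed"},
    "dave@example.edu":  {"role": "grad", "dept": "cs", "gender": "m", "quals": "passed"},
    "erin@example.edu":  {"role": "grad", "dept": "cs", "gender": "f", "quals": "pending"},
}


def resolve(dnf: List[Conjunct], db: Dict[str, Dict[str, str]] = ATTRIBUTE_DB) -> Set[str]:
    """Return the users matching at least one conjunct; every literal of that
    conjunct must hold. A user who lacks an attribute never matches a literal
    on it, so absent data can only shrink the recipient set."""
    hits: Set[str] = set()
    for user, attrs in db.items():
        for conjunct in dnf:
            if all(attrs.get(attr) == value for attr, value in conjunct):
                hits.add(user)
                break
    return hits


def resolve_address(address: str) -> Set[str]:
    """Convenience wrapper: text address -> recipient set."""
    return resolve(parse_abm_address(address))


if __name__ == "__main__":
    # The two example addresses from the slides, written in the assumed syntax.
    print(sorted(resolve_address("role=faculty AND sabbatical=fall")))
    print(sorted(resolve_address("role=grad AND dept=cs AND gender=f AND quals=passed")))
```

The two calls at the bottom are the slide's own examples ("faculty going on sabbatical", "female CS graduate students who passed qualifying exams") expressed as DNF addresses; the second has a single conjunct of four literals, and an address with several OR-ed conjuncts is a union of such sets.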

Access Control
× Access Control Lists (ACLs)
  × difficult to manage
× Role-Based Access Control (RBAC)
  × simplified management, but only if suitable roles already exist
Attribute-Based Access Control (ABAC)
– uses the same attributes that are used to target messages
– more flexible policies than with RBAC
Access policy
– XACML is used to specify access policies
– Sun's XACML engine is used for policy decisions

Access Control cont.
Problem
– a naive approach needs one policy per logical expression, i.e. per ABM address
– policy explosion
Solution?
– one policy per [cut off in transcript]
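As an added example covering the ABAC slide and the policy-explosion problem above (this is neither the paper's XACML policy nor Sun's engine), the following Python encodes an access policy as rules over the sender's attributes, each yielding the attribute/value literals that sender may put in an ABM address. One policy refers to the sender's own attributes symbolically instead of enumerating addresses, so there is no policy per address. specialize() evaluates the sender-side conditions once and returns the concrete literals that sender may target, which is also the set a composition interface can present; authorize() then checks an already-parsed DNF address (the list-of-conjuncts shape from the parsing example) against that set and denies by default, as an XACML policy with no matching Permit rule would. The rule set, the $dept back-reference syntax and the requirement that every literal of every conjunct be permitted are assumptions made for this example.

```python
# Added example, not the paper's code. The policy format is an assumption:
# each rule is (condition on SENDER attributes, literals the sender may target).
# A value of "*" permits any value of that attribute; "$dept" means "the
# sender's own dept" (symbolic back-reference, assumed syntax).
from typing import Dict, List, Set, Tuple

Literal = Tuple[str, str]
Rule = Tuple[Dict[str, str], Set[Literal]]

POLICY: List[Rule] = [
    ({"role": "dean"},
     {("role", "*"), ("dept", "*"), ("sabbatical", "*")}),
    ({"role": "faculty"},
     {("role", "grad"), ("dept", "$dept"), ("quals", "*")}),
    ({"role": "staff", "office": "scholarships"},
     {("role", "grad"), ("dept", "*"), ("gender", "*"), ("quals", "passed")}),
]


def specialize(sender: Dict[str, str], policy: List[Rule] = POLICY) -> Set[Literal]:
    """Policy specialization: bind the one generic policy to a particular sender.
    Returns the concrete literals this sender may use. A symbolic value whose
    attribute the sender lacks is dropped rather than matched against nothing."""
    allowed: Set[Literal] = set()
    for condition, literals in policy:
        if not all(sender.get(attr) == value for attr, value in condition.items()):
            continue
        for attr, value in literals:
            if value.startswith("$"):
                bound = sender.get(value[1:])
                if bound is not None:
                    allowed.add((attr, bound))
            else:
                allowed.add((attr, value))
    return allowed


def literal_permitted(literal: Literal, allowed: Set[Literal]) -> bool:
    """Exact literal, or a wildcard on the same attribute."""
    attr, value = literal
    return (attr, value) in allowed or (attr, "*") in allowed


def authorize(sender: Dict[str, str], dnf: List[List[Literal]],
              policy: List[Rule] = POLICY) -> Tuple[bool, List[Literal]]:
    """Deny by default: every literal of every conjunct must be permitted.
    Returns the decision and the offending literals, so a composition
    interface can say which attribute the sender may not target."""
    allowed = specialize(sender, policy)
    denied = [lit for conj in dnf for lit in conj if not literal_permitted(lit, allowed)]
    return (not denied), denied


if __name__ == "__main__":
    faculty_cs = {"role": "faculty", "dept": "cs"}
    print(sorted(specialize(faculty_cs)))
    print(authorize(faculty_cs, [[("role", "grad"), ("dept", "cs")]]))
    print(authorize(faculty_cs, [[("role", "grad"), ("dept", "ece")]]))
```

Requiring every literal to be permitted is the conservative choice: an extra literal in a conjunct can only narrow the recipient set, but letting a sender name an attribute they may not target would let them probe that attribute by observing who replies, which is the attribute-privacy concern from the Challenges slide.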

Deployability
Use existing infrastructure (SMTP)
– the sender's MUA addresses ABM messages to the ABM server and carries the ABM address as a MIME attachment
No modification to the client
– a web server helps the sender compose the ABM address via a thin client (web browser)
– [cut off in transcript]-like semantics
– policy specialization

Putting It All Together
(System diagram: Sender; Web Server (Windows IIS); ABM Server; PDP (Sun's XACML Engine) with the policy as XML; Attribute DB (MS SQL Server); MTA. Arrows are labelled by phase.)
Legend: PS = Policy Specialization (steps PS1 to PS8), AR = Address Resolution (AR1 to AR4), MS = Messaging (MS1 to MS2)

Security Analysis
Problem
– the basic design is open to replay attacks: a captured ABM message could be resubmitted to the ABM server and sent out again
Solution
– MTA configured with SMTP authentication, plus additional message-specific checks
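As an added example for the Deployability and Security Analysis slides (not the paper's implementation), the following Python builds the mail an unmodified client submits, with the ABM address carried as a MIME attachment of a message addressed to the ABM server's mailbox, extracts the address again on the server side, and applies three message-specific checks after the MTA has authenticated the SMTP session: the authenticated identity must match the From header, the Date must fall within a freshness window, and a Message-ID may be accepted only once. The attachment type application/x-abm-address, the mailbox abm@example.edu, the five-minute window and this particular choice of checks are assumptions; the slides say only that the MTA uses SMTP authentication with additional message-specific checks.

```python
# Added example, not the paper's code. Assumed: the ABM server reads the
# mailbox ABM_SERVER and the ABM address travels as an attachment of MIME type
# ABM_MIME_TYPE inside an ordinary SMTP message.
import email
import time
from datetime import datetime, timezone
from email import policy
from email.message import EmailMessage
from email.utils import format_datetime, make_msgid, parseaddr, parsedate_to_datetime
from typing import Callable, Dict, Optional

ABM_SERVER = "abm@example.edu"               # assumed ABM server mailbox
ABM_MIME_TYPE = "application/x-abm-address"  # assumed attachment type


def compose_abm_mail(sender: str, abm_address: str, subject: str, body: str,
                     now: Optional[datetime] = None) -> EmailMessage:
    """Sender side: an ordinary message to the ABM server whose attachment
    carries the ABM address. Nothing here needs a modified mail client."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ABM_SERVER
    msg["Subject"] = subject
    msg["Date"] = format_datetime(now or datetime.now(timezone.utc))
    msg["Message-ID"] = make_msgid(domain="example.edu")
    msg.set_content(body)
    msg.add_attachment(abm_address.encode("utf-8"), maintype="application",
                       subtype="x-abm-address", filename="abm-address.txt")
    return msg


def extract_abm_address(raw: bytes) -> str:
    """Server side: pull the ABM address out of the attachment. The body is
    left alone; it is the message that will be forwarded to the recipients."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        if part.get_content_type() == ABM_MIME_TYPE:
            return part.get_payload(decode=True).decode("utf-8")
    raise ValueError("no ABM address attachment")


class ReplayGuard:
    """Message-specific checks run after SMTP AUTH has succeeded.
    The clock is injectable so the freshness window can be tested."""

    def __init__(self, window_seconds: int = 300, clock: Callable[[], float] = time.time):
        self.window = window_seconds
        self.clock = clock
        self.seen: Dict[str, float] = {}   # Message-ID -> time first accepted

    def check(self, raw: bytes, authenticated_user: str) -> str:
        msg = email.message_from_bytes(raw, policy=policy.default)
        now = self.clock()
        # 1. The SMTP AUTH identity must own the claimed From address; otherwise
        #    any authenticated user could resubmit someone else's captured mail.
        if parseaddr(str(msg["From"]))[1] != authenticated_user:
            return "reject: From does not match SMTP AUTH identity"
        # 2. Freshness: an old capture is rejected even if it was never seen.
        try:
            sent = parsedate_to_datetime(str(msg["Date"])).timestamp()
        except (TypeError, ValueError):
            return "reject: missing or malformed Date"
        if abs(now - sent) > self.window:
            return "reject: stale Date"
        # 3. Single use: a Message-ID already accepted inside the window is a replay.
        mid = str(msg["Message-ID"] or "")
        if not mid:
            return "reject: missing Message-ID"
        if mid in self.seen:
            return "reject: replayed Message-ID"
        self.seen[mid] = now
        # Entries older than the window can no longer pass check 2, so drop them
        # to keep the table bounded.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}
        return "accept"
```

The Date and Message-ID checks are only meaningful together: without the freshness window the seen-table grows without bound, and without the single-use check an attacker can resubmit a capture freely for the whole window. Both are also only as good as the SMTP authentication in front of them, which is why the From-versus-AUTH check comes first.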

Experimental Setup
Measured
– latency overhead relative to regular (non-ABM) email, with and without access control
– latency of policy specialization
Setup
– up to 60K users
– 100 attributes in the system: 20% of the attributes are common to most users, 80% are sparsely distributed

Results
(Figure: latency measurements; the plot itself is not reproduced in the transcript.)

Results continued
(Figure: policy specialization latency; the plot itself is not reproduced in the transcript.)

Other Considerations
Policy administration
– one policy per [cut off in transcript], not one per address
– can be further reduced to one policy per attribute
Privacy
– of the sender and the receivers
– of the ABM address itself (the attribute expression reveals who is being targeted)
Usability
– user interfaces

Related Work
Technologies
– list servers
– Customer Relationship Management (CRM)
Secure role-based messaging
WS

Future Work
Inter-domain ABM
– e.g., address doctors in the tri-state area who have expertise in a specific kind of surgical procedure
– challenge: "attribute mapping" between domains that name and value attributes differently
– application in emergency communications
Encrypted ABM
