
Information Classification & Access Control

Background
- All information is not equal
  - Context decides the sensitivity
  - Even then, not all information of the same sensitivity should be revealed to the same set of people
  - The higher the sensitivity, the tighter the sharing becomes
- Information sharing needs to be accountable
  - A person knowing some information should not be able to share it with someone else without certain controls
- Thus, information access should be controlled based on the type of information and the type of people

What we will cover
- Information Classification: principles and case studies
- Types of controls
  - Classic models of access control
  - Access controls in practice
- Case Studies: Windows and Linux access controls

Introduction
- Aspects of information classification
  - Classification from a legal standpoint
  - Responsibility for care and control of information
  - Integrity of information
  - Criticality of information and of the systems processing it
  - Simple to use and administer (ISO)
  - Effective in determining the level of protection required (ISO)
  - Applied uniformly (ISO)

Initialization
- To start information classification, you need to understand the following:
  - What are the mission-critical or sensitive activities or operations?
  - Where is mission-critical or sensitive information stored?
  - Where is this information processed?
  - Who requires access to this information?
- Based on the above, a classification can be determined. Remember:
  - Only governments have standard classifications.
  - Corporations require classifications based on need.
  - Reduce the number of classes as much as possible.

ISO Suggested Classification
- Top Secret: impending mergers or acquisitions, investment strategies, plans or designs
- Highly Confidential: accounting information, business plans, sensitive information of customers of banks (etc.), patients' medical records
- Proprietary: procedures, project plans, operational work routines, designs and specifications that define the way in which the organization operates
- Internal Use Only: internal memos, internal project reports, minutes of meetings, policy documents, etc.
- Public Documents: press statements, annual reports, etc.

Case Study 1
- Highly Confidential: disclosing this data can cause severe financial, legal or reputational damage. E.g., acquisitions data, tender details, negotiation strategies (especially buying strategies)
- Confidential: disclosing this data may cause financial, legal or reputational damage. E.g., employee information, salaries, etc.
- General: internal information which is restricted for use within the company

Case Study 2
- Top Secret: disclosing this information can cause severe impact to the company's competitive advantage or business strategies. E.g., IP, mergers, etc.
- Confidential: disclosing this information can violate the privacy of individuals, reduce competitive advantage, etc.
- Restricted: information that can be given only to a subset of employees. E.g., employee appraisals, etc.
- Internal Use: information that is available to all company employees for use in the company's business. E.g., codes for identifying themselves to customer care, etc.
- Public: information that can be made available to the public through the website, news releases, etc.

Case Study 3
- Confidential Red: disclosure causes severe damage to operations, results in contractual or legal liability, loss of business partners, and/or causes a severe drop in stock value.
- Confidential Yellow: disclosure causes moderate damage to the company, reveals the company's modus operandi at least sufficiently, reveals important technical or financial aspects, causes a temporary drop in stock value, etc.
- Confidential Green: disclosure might give someone a business advantage; the information cannot easily be associated with a particular product and has little competitive value. Mostly internal information.
- Public: information such as audited results, changes in the directorate, etc.; information that is probably of interest to vendors and stockholders.

Case Study 4
- Confidential: likely to adversely affect the company, embarrass an individual, etc. E.g., customer health records
- Internal: all forms of proprietary information originated or owned by the company or entrusted to it. E.g., policies, procedures, phone directories, etc.
- Public: information officially released for widespread disclosure. E.g., product brochures, disclaimers, annual reports, employment advertising

Exercise
Consider all the previous classifications and give a detailed policy of protection for these classifications. Consider both printed and electronic data, and stored as well as transmitted data. For example, the document should address issues such as: how to store the data, how to use the data, and how to monitor the sharing of data. This whole exercise is called records management.

Access Control
- Purpose: to limit access to data to only those individuals for whom it is necessary to carry out their tasks
- Problems faced in access control
  - Data falls into different classes, and there are various constraints on using, sharing and destroying the data.
  - Need to describe appropriate models of access control that will capture these constraints without violating any security tenets
  - How to ensure that the access control mechanisms we have can address all conflicts appropriately?

Security Models and Assumptions
- Purpose of security models
  - To describe, study or analyze situations or associations
  - To test a policy for completeness and consistency
  - To document a policy
  - To visualize and design an implementation
  - To check the consistency of an implementation with the policy requirements
- Assumptions
  - The access control policy is pre-defined for the various users and objects
  - The policy is defined outside of any model

Classical Access Control Models
- Lattice Model
- Bell-LaPadula Model
- Denning Model
- Biba Model
- Chinese Wall Model

Lattice Model
- A mathematical structure of elements organized by a relation among them, expressed using a relational operator.
- A relation is a partial order if it is both transitive and antisymmetric
  - Consider a set of elements a, b, c and some operation <
  - Transitive: if a < b and b < c then a < c
  - Antisymmetric: if a < b and b < a then a = b
- Note: in a lattice every pair of elements need not be comparable. But the following hold in every lattice
  - Upper bound: an element that is > all other elements
  - Lower bound: an element that is < all other elements

Example
- Relation is "is a factor of"
- Typical relations: "reports to", "descendant of", "is subset of", "is less than"

Bell-LaPadula Model
- Defines a formal model for allowable information flows in a secure system
- Identifies allowable communication while maintaining secrecy
- Secure information flows describe acceptable connections between subjects and objects of different levels of sensitivity. Such analysis supports constructing systems that can perform concurrent computation on data at two different sensitivity levels.
  - For example, the same machine can process top-secret and confidential data at the same time.
  - The programs processing top-secret data would be prevented from leaking top-secret data to the confidential data, and the confidential users would be prevented from accessing the top-secret data.
- The Bell-LaPadula model is useful as the basis for the design of systems that handle data of multiple sensitivities.

Semantics of Bell-LaPadula
- Considers a subject set S and an object set O
- Each subject s in S and each object o in O has a fixed security class:
  - C(s): clearance level
  - C(o): classification level
  - Ordered by a relation, say "<"
- The model works easily for a lattice type of ordering, but can also work on restricted classes (i.e., classes that do not necessarily have a strict or partial ordering)

Properties
- Simple Security Property: a subject s may have read access to an object o only if C(o) < C(s)
  - Meaning? The clearance of the subject must be at least as high as the classification of the information
- Star Property: a subject s who has read access to an object o may have write access to an object p only if C(o) < C(p)
  - Meaning? Prevents "write-down", which occurs when a subject with access to higher-level data transfers that data to a lower-level object
  - The property requires that a person receiving information at one level not talk with people cleared at levels lower than the level of the information

Semantics

Biba Integrity Model
- The Bell-LaPadula model addresses secrecy and inappropriate flow of information
- Integrity of information is addressed by the Biba model
- Properties
  - Simple Integrity: s can modify object o only if I(s) > I(o). An untrusted subject who has write access to an object reduces the integrity of that object
  - Integrity *: if s has read access to object o with integrity level I(o), s can have write access to object p only if I(o) > I(p). The low integrity of a source object implies low integrity for any object based on the source object.
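The lattice, Bell-LaPadula and Biba slides above can be run as one small reference monitor. This is an added example, not code from the slides: the secrecy classes are the ISO chain from the classification slide, the integrity levels, subjects and objects are constructed, and the checks read the slides' "<" as "at most" (a subject may also read at its own level).

```python
from itertools import product

# Edges read "lower is dominated by higher"; the closure yields the partial order.
# Secrecy classes are the ISO chain from the slides; integrity levels are constructed.
SECRECY_EDGES = [
    ("Public", "Internal Use Only"),
    ("Internal Use Only", "Proprietary"),
    ("Proprietary", "Highly Confidential"),
    ("Highly Confidential", "Top Secret"),
]
INTEGRITY_EDGES = [("Low", "Medium"), ("Medium", "High")]


def build_order(edges):
    """Reflexive, transitive closure of the edges: the set of all (lower, higher) pairs."""
    order = {(n, n) for e in edges for n in e} | set(edges)
    changed = True
    while changed:  # add (a, d) whenever a <= b and b <= d (transitivity)
        changed = False
        for (a, b), (c, d) in product(list(order), repeat=2):
            if b == c and (a, d) not in order:
                order.add((a, d))
                changed = True
    return order


SECRECY, INTEGRITY = build_order(SECRECY_EDGES), build_order(INTEGRITY_EDGES)


def dominates(order, high, low):
    """True when low <= high in the lattice; False also for incomparable classes."""
    return (low, high) in order


# Constructed clearances C(s) and classifications C(o) for Bell-LaPadula
CLEARANCE = {"alice": "Top Secret", "bob": "Internal Use Only"}
CLASSIFICATION = {"merger.doc": "Top Secret", "memo.txt": "Internal Use Only"}
# Constructed integrity levels I(s) and I(o) for Biba
SUBJ_INTEGRITY = {"alice": "High", "bob": "Low"}
OBJ_INTEGRITY = {"kernel.bin": "High", "download.exe": "Low"}


def blp_can_read(s, o):
    """Simple security property: s may read o only if C(o) <= C(s)."""
    return dominates(SECRECY, CLEARANCE[s], CLASSIFICATION[o])


def blp_can_write(s, o, p):
    """Star property: s, having read o, may write p only if C(o) <= C(p) (no write-down)."""
    return blp_can_read(s, o) and dominates(SECRECY, CLASSIFICATION[p], CLASSIFICATION[o])


def biba_can_modify(s, o):
    """Simple integrity as stated on the slide: s may modify o only if I(s) >= I(o)."""
    return dominates(INTEGRITY, SUBJ_INTEGRITY[s], OBJ_INTEGRITY[o])


def biba_can_write(s, o, p):
    """Integrity *: having read o, s may write p only if I(o) >= I(p)."""
    return dominates(INTEGRITY, OBJ_INTEGRITY[o], OBJ_INTEGRITY[p])
```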

Specifying Access Control Policies
- Two conditions to be met:
  - The access control structure should help to express your desired access control policy
  - You should be able to check that your policy has been captured correctly
- Some methods:
  - Access control matrix
  - Capabilities
  - Access control lists

Access Control Matrix
- Conditions:
  - Bill.doc may be read and written by Bill, while Alice has no access
  - Edit.exe can be executed by both Alice and Bill, but otherwise they have no access
  - Fun.com can be executed and read by both users, but only Bill can write to the file

            Bill.doc        Edit.exe     fun.com
  Alice     -               execute      execute, read
  Bill      read, write     execute      execute, read, write

Capabilities
- Alice's capability: edit.exe: execute; fun.com: execute, read
- Bill's capability: bill.doc: read, write; edit.exe: execute; fun.com: execute, read, write
- Problems?
  - Difficult to get an overview of who has permission to access a given object
  - Difficult to revoke a capability

Access Control Lists
- An ACL stores the access rights to an object with the object itself
- ACLs for the previous example:
  - ACL for bill.doc: Bill: read, write
  - ACL for edit.exe: Alice: execute; Bill: execute
  - ACL for fun.com: Alice: execute; Bill: execute, read, write
- Problem?
  - Finding and revoking a particular user's access permissions
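The matrix, capability and ACL slides describe the same policy in three shapes; the following added example (not from the slides) builds the slide's matrix and derives both views from it, with lookup and revocation helpers that make the "who can access this object?" and "revoke this user" costs the slides mention visible.

```python
from collections import defaultdict

# Access control matrix built from the slide's three conditions.
# MATRIX[subject][object] is the set of rights; an empty set means no access.
MATRIX = {
    "alice": {"bill.doc": set(), "edit.exe": {"execute"}, "fun.com": {"execute", "read"}},
    "bill": {"bill.doc": {"read", "write"}, "edit.exe": {"execute"},
             "fun.com": {"execute", "read", "write"}},
}


def capabilities(matrix):
    """Row view: each subject's capability list (object -> rights), empty cells dropped."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}


def acls(matrix):
    """Column view: each object's ACL (subject -> rights), stored with the object."""
    out = defaultdict(dict)
    for s, row in matrix.items():
        for o, rights in row.items():
            if rights:
                out[o][s] = set(rights)
    return dict(out)


def who_can_acl(acl, obj, right):
    """With ACLs, "who may do `right` on `obj`?" is a single lookup on that object."""
    return sorted(s for s, r in acl.get(obj, {}).items() if right in r)


def who_can_caps(caps, obj, right):
    """With capabilities the same question needs a scan of every subject's list
    (the overview problem the slide names)."""
    return sorted(s for s, held in caps.items() if right in held.get(obj, set()))


def revoke_acl(acl, obj, subject):
    """Revoking one subject's rights to one object touches only that object's ACL."""
    acl.get(obj, {}).pop(subject, None)
    return acl


def revoke_caps(caps, obj, subject=None):
    """Revoking via capabilities: subject=None means everyone; every capability
    list must be walked to find entries for `obj`. Returns the number removed."""
    removed = 0
    for s, held in caps.items():
        if (subject is None or s == subject) and obj in held:
            del held[obj]
            removed += 1
    return removed
```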

Intermediate Controls
- Access controls based on objects or subjects alone are prone to problems of scalability and revocation
  - Introduce intermediate layers between users and objects to represent policies in a more manageable fashion
- Types of layers:
  - Groups and negative permissions
  - Privileges
  - Role-based access control
  - Protection rings

Groups and Negative Permissions
- Users with similar access rights are collected in groups, and groups are given permission to access objects
- Negative permissions: an entry in the access control structure to prevent a user from accessing an object he would normally get access to by being part of a group

Privileges
- Collect the right to execute certain operations into privileges, for example, operating system level operations
  - E.g., system administration, backup, mail access

Popular Access Control Mechanisms
- Role-based Access Control: roles are created; access control is through high-level data types and procedures
- Discretionary Access Control: an owner is defined for each resource, and the owner can decide who can be granted access to the resource
- Mandatory Access Control: a system-wide policy decides who gets access to which resources

Role-Based Access Control
- Roles: a role is a collection of procedures. Roles are assigned to users. A user can have more than one role, and more than one user can have the same role
- Procedures: procedures are "high-level" access control methods with more complex semantics than read or write. Procedures can only be applied to objects of certain datatypes.
- Datatypes: each object is of a certain datatype and can be accessed only through the procedures defined for this datatype
  - E.g., a lecturer can create a role Student for students in the course and assign the privilege to read course material to this role
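The three-layer model on this slide (users hold roles, roles collect procedures, procedures apply to one datatype) as an added example, not code from the slides; the course, user and procedure names are constructed, and the Student role follows the slide's lecturer example.

```python
# Objects and their datatypes (constructed)
DATATYPES = {"lecture1.pdf": "course_material", "grades.csv": "gradebook"}

# Each procedure is a high-level operation bound to exactly one datatype
PROCEDURES = {
    "read_material": "course_material",
    "publish_material": "course_material",
    "enter_grade": "gradebook",
}

# A role is a collection of procedures
ROLES = {
    "student": {"read_material"},
    "lecturer": {"read_material", "publish_material", "enter_grade"},
}

# A user may hold several roles, and a role may be held by several users
USER_ROLES = {"carol": {"student"}, "dave": {"student", "lecturer"}, "erin": set()}


def procedures_for(user):
    """Everything a user may invoke: the union of the procedures of all their roles."""
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLES.get(r, set()) for r in roles))


def permitted(user, procedure, obj):
    """Allow only if (1) some role of the user grants the procedure and
    (2) the object's datatype is the one the procedure is defined for."""
    if procedure not in PROCEDURES or obj not in DATATYPES:
        return False
    return procedure in procedures_for(user) and PROCEDURES[procedure] == DATATYPES[obj]


def assign_role(user, role):
    """Lecturer-style administration: put a user into an existing role (e.g. Student)."""
    if role not in ROLES:
        raise KeyError(role)
    USER_ROLES.setdefault(user, set()).add(role)
```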

Protection Rings
- Each subject and each object is assigned a number depending on its importance
  - E.g., 0: operating system kernel; 1: operating system; 2: utilities; 3: user processes
- The access control decision is made by comparing the subject's and the object's numbers
  - If a process is assigned the number i, then we say that the process "runs in ring i"
- Sample security policy:
  a) Processes can only access objects in their own ring or in outer rings.
  b) Processes can invoke subroutines only within their own ring