Cyber-Identity, Authority and Trust in an Uncertain World Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu

Outline Perspective on security Role Based Access Control (RBAC) Objective Model-Architecture Mechanism (OM-AM) Framework Usage Control (UCON) Discussion

PERSPECTIVE

Security Conundrum Nobody knows WHAT security is Some of us do know HOW to implement pieces of it Result: hammers in search of nails

Security Confusion USAGE purpose INTEGRITY modification AVAILABILITY electronic commerce, electronic business DRM, client-side controls INTEGRITY modification AVAILABILITY access CONFIDENTIALITY disclosure

Success is largely unrecognized by the security community Security Successes On-line banking On-line trading Automatic teller machines (ATMs) GSM phones Set-top boxes ……………………. Success is largely unrecognized by the security community

Good enough security Exceeding good enough is not good You will pay a price in user convenience, ease of operation, cost, performance, availability, … There is no such thing as free security Determining good enough is hard Necessarily a moving target

Business models dominate Good enough security Real-world users Security geeks SECURE EASY end users operations staff help desk whose security perception or reality of security Business models dominate security models COST System owner system cost operational cost opportunity cost cost of fraud

Good enough security In many cases good enough is achievable at a pretty low threshold The “entrepreneurial” mindset In extreme cases good enough will require a painfully high threshold The “academic” mindset

Good enough security COST L M H Entrepreneurial mindset H 1 2 3 Academic mindset R I S K 2 3 4 M L 3 4 5

ROLE-BASED ACCESS CONTROL (RBAC)

MAC and DAC For 25 years access control has been divided into Mandatory Access Control (MAC) Discretionary Access Control (DAC) In the past 10 years RBAC has become a dominant force RBAC subsumes MAC and DAC

Mandatory Access Control (MAC) TS S Lattice of security labels C Information Flow Dominance U

Mandatory Access Control (MAC) S,{A,B} S,{A] S,{B} Lattice of security labels Information Flow Dominance S,{}

Discretionary Access Control (DAC) The owner of a resource determines access to that resource The owner is often the creator of the resource Fails to distinguish read from copy

RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard) ROLE HIERARCHIES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS ROLES PERMISSIONS ... CONSTRAINTS SESSIONS

RBAC SECURITY PRINCIPLES least privilege separation of duties separation of administration and access abstract operations

HIERARCHICAL ROLES Primary-Care Physician Specialist Physician Health-Care Provider

Fundamental Theorem of RBAC RBAC can be configured to do MAC RBAC can be configured to do DAC RBAC is policy neutral

OM-AM (Objective/Model Architecture/Mechanism) Framework

THE OM-AM WAY A What? s u Objectives r Model a n Architecture c Mechanism How?

LAYERS AND LAYERS Multics rings Layered abstractions Waterfall model Network protocol stacks Napolean layers RoFi layers OM-AM etcetera

OM-AM AND MANDATORY ACCESS CONTROL (MAC) u r a n c e What? How? No information leakage Lattices (Bell-LaPadula) Security kernel Security labels

OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC) u r a n c e What? How? Owner-based discretion numerous ACLs, Capabilities, etc

OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC) u r a n c e What? How? Objective neutral RBAC96, ARBAC97, etc. user-pull, server-pull, etc. certificates, tickets, PACs, etc.

RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard) ROLE HIERARCHIES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS ROLES PERMISSIONS ... CONSTRAINTS SESSIONS

Server-Pull Architecture Client Server User-role Authorization Server

User-Pull Architecture Client Server User-role Authorization Server

Proxy-Based Architecture Client Proxy Server Server User-role Authorization Server

USAGE CONTROL (UCON)

The UCON Vision: A unified model Traditional access control models are not adequate for today’s distributed, network-connected digital environment. Authorization only – No obligation or condition based control Decision is made before access – No ongoing control No consumable rights - No mutable attributes Rights are pre-defined and granted to subjects

OM-AM layered Approach

Prior Work Problem-specific enhancement to traditional access control Digital Rights Management (DRM) mainly focus on intellectual property rights protection. Architecture and Mechanism level studies, Functional specification languages – Lack of access control model Trust Management Authorization for strangers’ access based on credentials

Prior Work Incrementally enhanced models Provisional authorization [Kudo & Hada, 2000] EACL [Ryutov & Neuman, 2001] Task-based Access Control [Thomas & Sandhu, 1997] Ponder [Damianou et al., 2001]

Usage Control (UCON) Coverage Protection Objectives Sensitive information protection IPR protection Privacy protection Protection Architectures Server-side reference monitor (SRM) Client-side reference monitor (CRM) Both SRM and CRM

Core UCON (Usage Control) Models ongoing pre post Continuity of decisions Mutability of attributes

Examples Long-distance phone (pre-authorization with post-update) Pre-paid phone card (ongoing-authorization with ongoing-update) Pay-per-view (pre-authorization with pre-updates) Click Ad within every 30 minutes (ongoing-obligation with ongoing-updates) Business Hour (pre-/ongoing-condition)

Beyond the UCON Core Models

DISCUSSION

THE OM-AM WAY A What? s u Objectives r Model a n Architecture c Mechanism How?

Good enough security COST L M H Entrepreneurial mindset H 1 2 3 Academic mindset R I S K 2 3 4 M L 3 4 5