INSTITUTE FOR CYBER SECURITY April
Access Control and Semantic Web Technologies
Ravi Sandhu, Executive Director and Endowed Chair, Institute for Cyber Security, University of Texas at San Antonio, April 2008
Theme
- Access control has always had to adjust as new Information Technologies came into play:
  - Operating systems
  - Relational DBMSs
  - Object oriented systems
  - XML: XACML, XRML
- Therefore, semantic web technologies will also require a change in access control
- But in the meantime access control itself has evolved:
  - DAC and MAC
  - RBAC
  - Trust Management, Obligations, Attribute-based access control
  - Policy languages
  - Usage control
- So semantic web technologies may also need to change to accommodate some of these developments
Theme
- Security itself has fundamentally changed:
  - Enterprise security -> Multi-party security
  - Black-and-white security -> Gray security
  - Limited points of access -> Access anytime anywhere
  - Engage with one service at a time -> Engage with multiple services concurrently
Models versus Policy Languages
- Access control models
  - Built on abstractions
  - Incomplete
  - Testable for conformance
  - Guidance for security architects
  - DAC, MAC, RBAC, UCON
- Policy languages
  - Specify what authorizations apply under various circumstances
  - Industry standard: XACML
  - Academic, implementation oriented: Ponder
  - Several theoretical languages
  - Semantic web: Kaos, Rei, Rein, KAoS
- Need synergy between these two streams of research
  - Models provide a framework but are necessarily incomplete
  - Languages by themselves provide no guidance or framework
Partners in Crime
Proceedings ACM Symposium on Access Control Models and Technologies (SACMAT), 2008, to appear
NIST RBAC Standard Model
NIST RBAC Standard RBAC
US Persons Role Hierarchy
ROWLBAC: 2 Approaches
Common Elements
Roles as Classes: Role Hierarchies
Roles as Classes: SSD, DSD
Roles as Classes: Role-Permission
Roles as Classes: Enforcing DSD
Roles as Values
Roles as Values: Hierarchical Roles
Roles as Values: SSD, DSD
Roles as Values: Role Permissions
Roles as Values: Enforcing RBAC
ROWLBAC: 2 Approaches
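The RBAC elements the preceding slides name (role hierarchies, static and dynamic separation of duty, role-permission assignment, and their enforcement at assignment and activation time) are concrete enough to exercise in code. The following Python is an added illustration written for this page, not code from the talk or from the ROWLBAC work it summarizes; it models the NIST RBAC components directly in Python rather than in OWL, and the role names, hierarchy, permissions and constraints are constructed sample data for a hypothetical engineering department.

```python
from collections import defaultdict


class RBACError(Exception):
    """An assignment, activation or access that a constraint forbids."""


class RBAC:
    """Core, hierarchical and constrained RBAC in the NIST standard's terms."""

    def __init__(self):
        self.juniors = defaultdict(set)     # role -> roles it directly inherits
        self.role_perms = defaultdict(set)  # role -> permissions assigned to it
        self.user_roles = defaultdict(set)  # user -> roles assigned directly
        self.ssd = []                       # (role set, n): no user may hold n of them
        self.dsd = []                       # (role set, n): no session may activate n of them
        self.sessions = {}                  # session id -> [user, active role set]

    def add_role(self, role, juniors=()):
        self.juniors[role] |= set(juniors)

    def closure(self, roles):
        """Roles reachable downward through the hierarchy, inclusive of the input."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def grant(self, role, perm):
        self.role_perms[role].add(perm)

    def add_ssd(self, roles, n=2):
        self.ssd.append((frozenset(roles), n))

    def add_dsd(self, roles, n=2):
        self.dsd.append((frozenset(roles), n))

    def assign_user(self, user, role):
        # SSD is checked on the authorized role set (assigned plus inherited), so a
        # senior role cannot smuggle in a conflicting junior role.
        proposed = self.closure(self.user_roles[user] | {role})
        for roleset, n in self.ssd:
            if len(proposed & roleset) >= n:
                raise RBACError(f"SSD: {user} may not hold {n} of {sorted(roleset)}")
        self.user_roles[user].add(role)

    def create_session(self, sid, user):
        self.sessions[sid] = [user, set()]

    def activate(self, sid, role):
        user, active = self.sessions[sid]
        if role not in self.closure(self.user_roles[user]):
            raise RBACError(f"{user} is not authorized for role {role}")
        proposed = active | {role}
        # DSD is checked on the roles explicitly activated in this session.
        for roleset, n in self.dsd:
            if len(proposed & roleset) >= n:
                raise RBACError(f"DSD: session {sid} may not activate {n} of {sorted(roleset)}")
        active.add(role)

    def check_access(self, sid, perm):
        """Permission holds if any active role, or a role junior to it, carries it."""
        _, active = self.sessions[sid]
        return any(perm in self.role_perms[r] for r in self.closure(active))


def violates(fn, *args):
    """True if the call is rejected by a constraint, False if it succeeds."""
    try:
        fn(*args)
        return False
    except RBACError:
        return True


def build_sample():
    """Constructed sample policy (hypothetical engineering department)."""
    rbac = RBAC()
    rbac.add_role("employee")
    rbac.add_role("engineer", juniors=["employee"])
    rbac.add_role("lead", juniors=["engineer"])
    rbac.add_role("auditor", juniors=["employee"])
    rbac.add_role("purchaser")
    rbac.add_role("approver")
    for role, perm in [("employee", "read:wiki"), ("engineer", "commit:code"),
                       ("lead", "merge:code"), ("auditor", "read:audit-log"),
                       ("purchaser", "create:po"), ("approver", "approve:po")]:
        rbac.grant(role, perm)
    rbac.add_ssd(["engineer", "auditor"])    # nobody may be both, even via inheritance
    rbac.add_dsd(["purchaser", "approver"])  # may hold both, may not activate both at once
    return rbac


if __name__ == "__main__":
    r = build_sample()
    r.assign_user("alice", "lead")
    print("alice authorized roles:", sorted(r.closure(r.user_roles["alice"])))
    print("alice as auditor rejected (SSD):", violates(r.assign_user, "alice", "auditor"))
    r.assign_user("carol", "purchaser")
    r.assign_user("carol", "approver")
    r.create_session("s1", "carol")
    r.activate("s1", "purchaser")
    print("approver in same session rejected (DSD):", violates(r.activate, "s1", "approver"))
```

The two places where constraints bite correspond to the two "enforcing" slides: SSD is decided at user-role assignment and must look through the hierarchy (a user holding "auditor" cannot be given "lead", because "lead" inherits "engineer"), while DSD is decided at role activation within a session, so "purchaser" and "approver" may both be assigned to one user but never active together.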
The UCON Model
- Unified model integrating:
  - authorization
  - obligation
  - conditions
- and incorporating:
  - continuity of decisions
  - mutability of attributes
UCON Extensions
- UCON future obligations
- UCON system obligations
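The UCON slide lists three decision factors (authorization, obligation, conditions) and two properties that distinguish usage control from classic access control (continuity of decisions and mutability of attributes). The following Python is an added illustration for this page, not code from the talk or from the UCON literature, showing all five in one usage session: a pay-per-minute resource where the subject's credit is a mutable attribute, acceptance of terms is the obligation, opening hours are the condition, and the decision is re-evaluated on every tick so that access is revoked once credit runs out. Subject and resource names, prices and hours are constructed sample data, and the clock is passed in rather than read from the system so the run is deterministic; the "future obligations" and "system obligations" extensions on the next slide are not modelled.

```python
from dataclasses import dataclass


@dataclass
class Subject:
    name: str
    credit: int            # mutable attribute: pay-per-minute balance
    accepted_terms: bool   # obligation status: has the subject accepted the terms of use?
    minutes_used: int = 0  # updated after usage (post-update)


@dataclass
class Resource:
    name: str
    price_per_minute: int
    open_hour: int = 8     # condition: an environmental constraint, not a subject/object attribute
    close_hour: int = 18


class UsageSession:
    """One UCON usage of a resource: a pre-decision, then ongoing re-decision.

    Continuity: the decision is re-evaluated on every tick while access continues.
    Mutability: credit is updated before use (pre-update) and on each tick
    (ongoing update); minutes_used is updated after use (post-update).
    """

    def __init__(self, subject, resource):
        self.subject = subject
        self.resource = resource
        self.state = "initial"   # initial -> accessing -> ended | revoked, or initial -> denied
        self.minutes = 0
        self.history = []        # (phase, hour, outcome) records for audit

    # --- the three decision factors ---
    def _authorized(self):
        return self.subject.credit >= self.resource.price_per_minute

    def _obligation_met(self):
        return self.subject.accepted_terms

    def _condition_holds(self, hour):
        return self.resource.open_hour <= hour < self.resource.close_hour

    def _record(self, phase, hour, outcome):
        self.history.append((phase, hour, outcome))

    def _finish(self, phase, hour, state, outcome):
        self.state = state
        self._record(phase, hour, outcome)
        return state

    def request(self, hour):
        """Pre-decision: preA, preB and preC must all hold; a pre-update then charges the first minute."""
        if self.state != "initial":
            raise RuntimeError("request() may only be called once per session")
        if not self._obligation_met():
            self._finish("pre", hour, "denied", "obligation unmet")
        elif not self._condition_holds(hour):
            self._finish("pre", hour, "denied", "outside opening hours")
        elif not self._authorized():
            self._finish("pre", hour, "denied", "insufficient credit")
        else:
            self.subject.credit -= self.resource.price_per_minute  # pre-update
            self.minutes = 1
            self._finish("pre", hour, "accessing", "permit")
        return self.state == "accessing"

    def tick(self, hour):
        """Ongoing decision: onA and onC are re-evaluated; an ongoing update charges the next minute."""
        if self.state != "accessing":
            return self.state
        if not self._condition_holds(hour):
            return self._finish("ongoing", hour, "revoked", "outside opening hours")
        if not self._authorized():
            return self._finish("ongoing", hour, "revoked", "credit exhausted")
        self.subject.credit -= self.resource.price_per_minute  # ongoing update
        self.minutes += 1
        self._record("ongoing", hour, "continue")
        return self.state

    def end(self, hour):
        """Post-update: account the minutes consumed, whether usage ended normally or was revoked."""
        if self.state == "accessing":
            self.state = "ended"
        self.subject.minutes_used += self.minutes
        self._record("post", hour, self.state)
        return self.subject.minutes_used


def run_sample():
    """Constructed scenario: credit for two minutes, then revocation on the third tick."""
    reports = Resource("reports", price_per_minute=2)
    alice = Subject("alice", credit=5, accepted_terms=True)
    session = UsageSession(alice, reports)
    session.request(hour=9)          # permit: credit 5 -> 3
    for _ in range(3):
        session.tick(hour=9)         # continue (3 -> 1), revoked (1 < 2), no-op once revoked
    session.end(hour=9)
    return alice, session


if __name__ == "__main__":
    subj, sess = run_sample()
    print(sess.state, subj.credit, subj.minutes_used)
    for entry in sess.history:
        print(entry)
```

The contrast with the RBAC-style check is that nothing in the pre-decision alone would have stopped the third minute: the authorization fails only because an earlier ongoing update mutated the credit attribute, and it is the ongoing re-evaluation that turns that into a revocation.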
Unifying Policy Framework