1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

Slides:



Advertisements
Similar presentations
INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
Advertisements

INSTITUTE FOR CYBER SECURITY 1 The ASCAA * Principles Applied to Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
Cyber-Identity, Authority and Trust in an Uncertain World
Privacy-Enhancing Models and Mechanisms for Securing Provenance and its Use October 2010 Lead PI: Ravi Sandhu (UT San Antonio) PIs: Elisa Bertino (Purdue),
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
INSTITUTE FOR CYBER SECURITY 1 Cyber Security: What You Need to Know Prof. Ravi Sandhu Executive Director and Chief Scientist Institute for Cyber Security.
1 PANEL Solving the Access Control Puzzle: Finding the Pieces and Putting Them Together Ravi Sandhu Executive Director Endowed Professor June 2010
INSTITUTE FOR CYBER SECURITY 1 The PEI + UCON Framework for Application Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
1 The Future of Cyber Security Prof. Ravi Sandhu Executive Director February © Ravi Sandhu.
1 The Challenge of Data and Application Security and Privacy (DASPY): Are We Up to It? Ravi Sandhu Executive Director and Endowed Professor February 21,
Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.
Institute for Cyber Security ASCAA Principles for Next- Generation Role-Based Access Control Ravi Sandhu Executive Director & Endowed Professor Institute.
INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.
Institute for Cyber Security
1 Towards a Discipline of Mission-Aware Cloud Computing (A Position Paper) Ravi Sandhu Executive Director and Endowed Professor October 2010
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
THE ORANGE BOOK Ravi Sandhu ORANGE BOOK CLASSES A1Verified Design B3Security Domains B2Structured Protection B1Labeled Security Protection.
1 New Trends and Challenges in Computer Network Security Ravi Sandhu Executive Director and Endowed Professor September 2010
© 2006 Ravi Sandhu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,
Trusted Computing in Government Networks May 16, 2007 Richard C. (Dick) Schaeffer, Jr. Information Assurance Director National Security Agency.
1 Cyber Security Research: A Personal Perspective Prof. Ravi Sandhu Executive Director and Endowed Chair January 18, 2013
1 The Future of Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair © Ravi Sandhu.
1 The Challenge of Data and Application Security and Privacy (DASPY): Are We Up to It? Ravi Sandhu Executive Director and Endowed Professor February 21,
1 The Data and Application Security and Privacy (DASPY) Challenge Prof. Ravi Sandhu Executive Director and Endowed Chair 11/11/11
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Attribute-Based Access Control Models and Beyond
1 Plenary Panel on Cloud Security and Privacy: What is new and What needs to be done? Ravi Sandhu Executive Director and Endowed Professor December 2010.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
1 The Future of Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair © Ravi Sandhu.
SEC835 Database and Web application security Information Security Architecture.
1 The Challenge of Data and Application Security and Privacy (DASPY) Ravi Sandhu Executive Director and Endowed Professor March 23, 2011
Tufts Wireless Laboratory School Of Engineering Tufts University “Network QoS Management in Cyber-Physical Systems” Nicole Ng 9/16/20151 by Feng Xia, Longhua.
INSTITUTE FOR CYBER SECURITY 1 Cyber Security: Past, Present and Future Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security.
1 Institute for Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair February 4, 2015
1 Challenges of Cyber Security Education at the Graduate Level Ravi Sandhu Executive Director and Endowed Professor Nov. 9, 2012
1 The Future of Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair © Ravi Sandhu.
INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.
1 Group-Centric Models for Secure Information Sharing Prof. Ravi Sandhu Executive Director and Endowed Chair March 30, 2012
1 Group-Centric Models for Secure and Agile Information Sharing Ravi Sandhu Executive Director and Endowed Professor April 2010
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security.
1 © Ravi Sandhu OM-AM and PEI Prof. Ravi Sandhu. 2 © Ravi Sandhu THE OM-AM WAY Objectives Model Architecture Mechanism What? How? AssuranceAssurance.
1 Cyber Security A Personal Perspective Prof. Ravi Sandhu Executive Director and Endowed Chair January 15, 2016
INSTITUTE FOR CYBER SECURITY 1 Enforcement Architecture and Implementation Model for Group-Centric Information Sharing © Ravi Sandhu Ram Krishnan (George.
INSTITUTE FOR CYBER SECURITY 1 Purpose-Centric Secure Information Sharing Ravi Sandhu Executive Director and Endowed Professor Institute for Cyber Security.
Institute for Cyber Security
World-Leading Research with Real-World Impact!
Institute for Cyber Security (ICS) & Center for Security and Privacy Enhanced Cloud Computing (C-SPECC) Ravi Sandhu Executive Director Professor of.
UTSA's New Center Center for Security and Privacy Enhanced Cloud Computing (C-SPECC) Ravi Sandhu Executive Director of ICS and C-SPECC Professor.
Broad Emerging Themes in CPS/IoT
Introduction to Cyber Security
Introduction and Basic Concepts
Cyber Security Research: Applied and Basic Combined*
IS4680 Security Auditing for Compliance
Cyber Security Research: Applied and Basic Combined*
Institute for Cyber Security: Research Vision
THE ORANGE BOOK Ravi Sandhu
UTSA Cyber Security Ecosystem
How to Mitigate the Consequences What are the Countermeasures?
Big Data and Privacy Panel Prof. Ravi Sandhu
Cyber Security Trends and Challenges
World-Leading Research with Real-World Impact!
Application-Centric Security
Assured Information Sharing
Institute for Cyber Security
Cyber Security Research: Applied and Basic Combined*
Access Control Evolution and Prospects
Cyber Security R&D: A Personal Perspective
World-Leading Research with Real-World Impact!
Access Control Evolution and Prospects
Presentation transcript:

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May © Ravi Sandhu World-Leading Research with Real-World Impact! Institute for Cyber Security

2 Application and Technology Context Basic premise There is no security without application context There is no application context without some technology context Opposite premise Orange Book and Rainbow Series Era ( ) Application context makes high-assurance impossible o Good-enough security is good enough o Mission-assurance not information-assurance Towards the end of this era applications had to be addressed: Trusted Database Interpretation (TDI) © Ravi Sandhu World-Leading Research with Real-World Impact! trust

3 Application Context What precisely is Secret? There exists a SecureWin7 project Alice works on SecureWin7 Alices effort on SecureWin7 is 75% All or some of the above How do we maintain integrity of the database Depends Data and security model are intertwined Much work and $$$ by researchers and vendors, late 80s-early 90s Software ArchitectProject% TimeLabel AliceWin725%U AliceSecureWin775%S BobVista100%U © Ravi Sandhu World-Leading Research with Real-World Impact!

4 Application Centric Security Modern applications Multi-party Different objectives and responsibilities, often in conflict Ongoing projects at ICS Secure information sharing Social networking Critical infrastructure assurance SaaS in the Cloud/Intercloud Smart grid New ACM Conference on Data and Application Security and Privacy (CODASPY) Feb 21-23, 2011, San Antonio, Texas Papers due: Sept 15 th 2010 © Ravi Sandhu World-Leading Research with Real-World Impact! The future is application centric

5 PEI Models Security and system goals (objectives/policy) Policy models Enforcement models Implementation models Necessarily informal Specified using users, subjects, objects, admins, labels, roles, groups, etc. in an ideal setting. Security analysis (objectives, properties, etc.). Approximated policy realized using system architecture with trusted servers, protocols, etc. Enforcement level security analysis (e.g. stale information due to network latency, protocol proofs, etc.). Technologies such as Cloud Computing, Trusted Computing, etc. Implementation level security analysis (e.g. vulnerability analysis, penetration testing, etc.) Software and Hardware Concrete System © Ravi Sandhu World-Leading Research with Real-World Impact! What? How?

6 Sample Scenario U U B B A A U U B B A A U U B B A A U U B B A A Low Power Sensor Mobile PC Server Cloud Rorschach test

7 System Principles KISS vs TooMMP Keep is Simple Stupid Too Many Moving Parts Keep the user out of the loop Smart grid: max 2 hours/year for end user in the loop Alternately: dont move the misery around Future proof Adjustable trust/assurance with minimal pain © Ravi Sandhu World-Leading Research with Real-World Impact!

8 Enforcement Principles Protect the root key and thereby non-root keys Protect what can use a key and thereby who can use the key Enforce usage limits and thereby contain damage Run-time monitoring Protection will be broken Decoys? Lies? Attack back? … Defense ecosystem? Reporting and patching? … © Ravi Sandhu World-Leading Research with Real-World Impact!

9 Sample Scenario: Explanation Applications A and B reside on various devices connected by diverse networks (as well as other apps we do not know about). This is a multi-domain setting. A & B will share information up and down the stack. We want to make sure that we can trust all the layers and that this information is properly handled and properly shared. The systems are dynamic, and the threats are also dynamic. Each device and domain have own sets of policies. Devices join and leave domains. Rorschach test

10 Multi-Tier Approach Applications Devices Domains Networks Stack Dynamic How do we organize this into tiers/layers? How does trust/assurance compose across tiers? What does trust/assurance means at different tiers? What does information sharing within/across applications mean, and how do we achieve it? © Ravi Sandhu World-Leading Research with Real-World Impact!

11 Some Research Challenges How does higher trust/assurance at lower layers effectively support higher assurance at the upper (application) layer? Is it possible to achieve higher trust/assurance at the upper layers than the lower layer baseline? What application scenarios are appropriate for evaluation of solution approaches? What can we learn from approaches that have been successful in the real world? Credit cards, Automatic Teller Machines, On-Line Banking? How do we develop a discipline of mission assurance as opposed to information assurance? …….. © Ravi Sandhu World-Leading Research with Real-World Impact!