Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.

Slides:



Advertisements
Similar presentations
INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
Advertisements

INSTITUTE FOR CYBER SECURITY 1 The ASCAA * Principles Applied to Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
1 PANEL Solving the Access Control Puzzle: Finding the Pieces and Putting Them Together Ravi Sandhu Executive Director Endowed Professor June 2010
INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.
11 World-Leading Research with Real-World Impact! A Framework for Risk-Aware Role Based Access Control Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu.
Institute for Cyber Security
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
Institute for Cyber Security
1 New Trends and Challenges in Computer Network Security Ravi Sandhu Executive Director and Endowed Professor September 2010
11 World-Leading Research with Real-World Impact! A Lattice Interpretation of Group-Centric Collaboration with Expedient Insiders Khalid Zaman Bijon, Tahmina.
Adopting Provenance-based Access Control in OpenStack Cloud IaaS October, 2014 NSS Presentation Institute for Cyber Security University of Texas at San.
Secure Cyber Incident Information Sharing UTSA Team Leads Dr. Ram Krishnan, Assistant Professor, ECE Dr. Ravi Sandhu, Executive Director, ICS April 30,
1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.
Attribute-Based Access Control Models and Beyond
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
11 World-Leading Research with Real-World Impact! RT-Based Administrative Models for Community Cyber Security Information Sharing Ravi Sandhu, Khalid Zaman.
Protection and Security An overview of basic principles CS5204 – Operating Systems1.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.
Summary For Chapter 8 Student: Zhibo Wang Professor: Yanqing Zhang.
11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.
11 World-Leading Research with Real-World Impact! A Group-Centric Model for Collaboration with Expedient Insiders in Multilevel Systems Khalid Zaman Bijon,
UTSA Amy(Yun) Zhang, Ram Krishnan, Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio San Antonio, TX Nov 03, 2014 Presented.
1 Institute for Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair February 4, 2015
Secure Cyber Incident Information Sharing UTSA Team Leads Dr. Ram Krishnan, Assistant Professor, ECE Dr. Ravi Sandhu, Professor (CS) and Executive Director.
1 Grand Challenges in Authorization Systems Prof. Ravi Sandhu Executive Director and Endowed Chair November 14, 2011
Application Policy on Network Functions (APONF) G. Karagiannis and T.Tsou 1.
11 World-Leading Research with Real-World Impact! Group-Centric Secure Information Sharing: A Lattice Interpretation Institute for Cyber Security Ravi.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
1 Group-Centric Models for Secure and Agile Information Sharing Ravi Sandhu Executive Director and Endowed Professor October 2010
1 RABAC : Role-Centric Attribute-Based Access Control MMM-ACNS 2012 Xin Jin, Ravi Sandhu, Ram Krishnan University of Texas at San Antonio San Antonio,
INSTITUTE FOR CYBER SECURITY A Hybrid Enforcement Model for Group-Centric Secure Information Sharing (g-SIS) Co-authored with Ram Krishnan, PhD Candidate,
1 Group-Centric Models for Secure Information Sharing Prof. Ravi Sandhu Executive Director and Endowed Chair March 30, 2012
1 Group-Centric Models for Secure and Agile Information Sharing Ravi Sandhu Executive Director and Endowed Professor April 2010
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security.
Application-Centric Security Models
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
A Conceptual Framework for Group-Centric Secure Information Sharing Ram Krishnan (George Mason University) Ravi Sandhu, Jianwei Niu, William Winsborough.
Computer Security: Principles and Practice
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
INSTITUTE FOR CYBER SECURITY 1 Purpose-Centric Secure Information Sharing Ravi Sandhu Executive Director and Endowed Professor Institute for Cyber Security.
Access Control CSE 465 – Information Assurance Fall 2017 Adam Doupé
Institute for Cyber Security
Institute for Cyber Security
Past, Present and Future
Institute for Cyber Security
World-Leading Research with Real-World Impact!
An Access Control Perspective on the Science of Security
Institute for Cyber Security (ICS) & Center for Security and Privacy Enhanced Cloud Computing (C-SPECC) Ravi Sandhu Executive Director Professor of.
Attribute-Based Access Control: Insights and Challenges
Cyber Security Research: Applied and Basic Combined*
Institute for Cyber Security
Institute for Cyber Security
Cyber Security Research: Applied and Basic Combined*
Attribute-Based Access Control: Insights and Challenges
Application-Centric Security
ASCAA Principles for Next-Generation Role-Based Access Control
Assured Information Sharing
Institute for Cyber Security
Cyber Security Research: A Personal Perspective
Cyber Security Research: Applied and Basic Combined*
Access Control Evolution and Prospects
Cyber Security R&D: A Personal Perspective
DOMAIN TYPE ENFORCEMENT
Access Control Evolution and Prospects
Presentation transcript:

Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University of Texas at San Antonio

Secure Information Sharing (SIS) Share but protect Saltzer-Schroeder 1 identified the desirability and difficulty of maintaining: some control over the user of the information even after it has been released 1 J. Saltzer and M. Schroeder. The protection of information in computer systems. Proceedings of IEEE, 63(9):1278–1308, 1975.

SIS Major Challenges Policy Challenge – Modeling, specifying and enforcing SIS policies – Need intuitive yet formal models, guaranteed security properties, etc. Containment Challenge – Ensure that protected information is accessible to users as permitted by the policy – Security mechanisms such as authentication, cryptography, trusted hardware, etc.

Community Cyber Security Community refers to a geographical area – E.g. county or a city with demarcated boundary The Center for Infrastructure Assurance and Security at UTSA conducts nation-wide cyber security preparedness exercises and training – communication – incident response – disaster recovery – business continuity – security awareness, etc.

The Current Status… Exchange of business cards – No process exists for information sharing Technology is not the bottleneck – Resistance due to political/competitive reasons – Also want to avoid embarrassment E.g. by sharing attack data Participants have no clue as to what to share and how to effectively specify what to share

Requirements Need abstract models – With rigorous mathematical foundations – Should ease administration Classic models are limited – Discretionary Access Control Too low-level to configure – Lattice-Based Access Control (E.g. Bell LaPadula) Rigid One directional info flow is not the primary concern – Lot of work on Dynamic Coalitions Many times heavy-weight Mainly focus on technological/infrastructural integration

Life-Cycle of a Cyber Incident Secure Sharing in a Community Core Group Incident Group Open Group Conditional Membership Automatic Membership Administered Membership Filtered RW Administered Membership Filtered RW Administered Membership Domain Experts

Life-Cycle of Cyber Incident Secure Sharing in Community (contd) Core Group Incident Groups Open Group g1 g2 g3 Automatic Membership Conditional Membership Filtered Read Filtered Write Domain Experts Administered Membership

A Family of Group-Centric SIS Models g-SIS Models Isolated Connected Isolated + ABAC Connected + ABAC Isolated – Users and objects are isolated – Membership in one group has no impact on authorizations in another group Connected – Membership in one group impacts authorization in another – E.g. Subordination, conditional membership, mutual exclusion, etc. Attribute-Based Access Control – For fine-grained authorization

Conclusion SIS is still an open problem Technology is relatively under control Policy specification is key to SIS – Clear, usable and friendly policies can overcome political and competitive barriers to SIS One size does not fit all – Domain and application specific modeling and analysis is needed

Backup

g-SIS and LBAC A sample lattice for one directional information flow Equivalent g-SIS configuration of Org A lattice 1.Read Subordination 2.Write Subordination 3.Subject Create Subordination

Agile Collaboration Agile collaboration in LBAC enabled by g-SIS 1.Read Subordination 2.Write Subordination 3.Subject Create Subordination

Agile Collaboration (continued) Collaboration groups established between two different lattices 1.Read Subordination 2.Write Subordination 3.Subject Create Subordination

Domain and Type Enforcement and g-SIS A sample DTE matrix Equivalent g-SIS configuration 1.Read Subordination 2.Write Subordination 3.Subject Create Subordination

RBAC 0 and g-SIS RBAC 0 with RW permissions in g-SIS 1.Read Subordination 2.Write Subordination 3.Subject Create Subordination 4.Subject Move Subordination