Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.

Slides:



Advertisements
Similar presentations
INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
Advertisements

INSTITUTE FOR CYBER SECURITY 1 The ASCAA * Principles Applied to Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
Cyber-Identity, Authority and Trust in an Uncertain World
Role Based Access Control
Cyber-Identity, Authority and Trust in an Uncertain World
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
INSTITUTE FOR CYBER SECURITY April Access Control and Semantic Web Technologies Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
Access Control Prof. Ravi Sandhu Executive Director and Endowed Chair
INSTITUTE FOR CYBER SECURITY 1 Industry-Academia Research Synergy: Fantasy or Reality? Ravi Sandhu Executive Director and Endowed Professor Institute for.
The Future: Evolution of the Technology Ravi Sandhu Chief Scientist TriCipher, Inc. Los Gatos, California Executive Director and Chaired Professor Institute.
1 PANEL Solving the Access Control Puzzle: Finding the Pieces and Putting Them Together Ravi Sandhu Executive Director Endowed Professor June 2010
Institute for Cyber Security (ICS) Prof. Ravi Sandhu Executive Director and Lutcher Brown Endowed Chair
INSTITUTE FOR CYBER SECURITY 1 The PEI + UCON Framework for Application Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
Institute for Cyber Security ASCAA Principles for Next- Generation Role-Based Access Control Ravi Sandhu Executive Director & Endowed Professor Institute.
INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.
INFS 767 Fall 2003 The RBAC96 Model Prof. Ravi Sandhu George Mason University.
Role-Based Access Control Prof. Ravi Sandhu George Mason University and NSD Security SACMAT 2003.
ARBAC99 (Model for Administration of Roles)
Ravi Sandhu Venkata Bhamidipati
Institute for Cyber Security
Role Activation Hierarchies Ravi Sandhu George Mason University.
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
SECURING CYBERSPACE: THE OM-AM, RBAC AND PKI ROADMAP Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University
Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.
ENGINEERING AUTHORITY AND TRUST IN CYBERSPACE: A ROLE-BASED APPROACH Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University.
1 New Trends and Challenges in Computer Network Security Ravi Sandhu Executive Director and Endowed Professor September 2010
An ORACLE Implementation of the PRA97 Model for Permission-Role Assignment Ravi Sandhu Venkata Bhamidipati George Mason University.
© 2006 Ravi Sandhu Cyber-Identity, Authority and Trust Systems Prof. Ravi Sandhu Professor of Information Security and Assurance Director,
ROLE-BASED ACCESS CONTROL: A MULTI-DIMENSIONAL VIEW Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman Seta Corporation McLean, VA Ravi Sandhu.
A THREE TIER ARCHITECTURE FOR ROLE-BASED ACCESS CONTROL Ravi Sandhu and Hal Feinstein Seta Corporation McLean, VA Ongoing NIST-funded project Other Project.
INFS 767 Fall 2003 Administrative RBAC
The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.
1 Access Control Models Prof. Ravi Sandhu Executive Director and Endowed Chair January 25, 2013 & February 1, 2013
Access Control RBAC Database Activity Monitoring.
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
Future of Access Control: Attributes, Automation, Adaptation
1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.
1 Security and Trust Convergence: Attributes, Relations and Provenance Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown.
Attribute-Based Access Control Models and Beyond
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
1 The Science, Engineering, and Business of Cyber Security Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair.
1 Grand Challenges in Authorization Systems Prof. Ravi Sandhu Executive Director and Endowed Chair November 14, 2011
1 The Science, Engineering, and Business of Cyber Security Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair.
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
1 The Authorization Leap from Rights to Attributes: Maturation or Chaos? Prof. Ravi Sandhu Executive Director and Endowed Chair SecurIT 2012 August 17,
1 Role-Based Access Control (RBAC) Prof. Ravi Sandhu Executive Director and Endowed Chair January 29, © Ravi.
Role-Based Access Control (RBAC)
Past, Present and Future
Institute for Cyber Security (ICS) & Center for Security and Privacy Enhanced Cloud Computing (C-SPECC) Ravi Sandhu Executive Director Professor of.
Attribute-Based Access Control: Insights and Challenges
Role-Based Access Control (RBAC)
Executive Director and Endowed Chair
Institute for Cyber Security
Institute for Cyber Security
Institute for Cyber Security
Discretionary Access Control (DAC)
Attribute-Based Access Control (ABAC)
Cyber Security Research: Applied and Basic Combined*
Attribute-Based Access Control: Insights and Challenges
Application-Centric Security
ASCAA Principles for Next-Generation Role-Based Access Control
Role-Based Access Control George Mason University and
Assured Information Sharing
Institute for Cyber Security
Cyber Security Research: A Personal Perspective
Cyber Security Research: Applied and Basic Combined*
Attribute-Based Access Control (ABAC)
Access Control Evolution and Prospects
Access Control Evolution and Prospects
Presentation transcript:

Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security Univ of Texas at San Antonio

Institute for Cyber Security The State of Cyber Security –We are in the midst of big change in cyber space –Nobody knows where we are headed –So far we have done a pretty bad job in cyber security –There is hope New services will not be held back Need for security will remain Good enough security is achievable

Institute for Cyber Security Security Schools of Thought –OLD THINK: We had it figured out. If the industry had only listened to us our computers and networks today would be secure. –REALITY: Todays and tomorrows cyber systems and their security needs are fundamentally different from the timesharing era of the early 1970s.

Institute for Cyber Security Change Drivers Stand-alone computersInternet Enterprise security Mutually suspicious yet mutually dependent security VandalsCriminals Few standard services Many and new innovative services

Institute for Cyber Security DAC: Discretionary Access Control –The owner decides who gets access –Anyone with read access can copy and owns the copy –The classic formulation of DAC is fundamentally broken –Solving the owner-control problem correctly is high priority (but a different lecture) but only to the original First emerged: early 1970s First models: early 1970s

Institute for Cyber Security MAC: Mandatory Access Control –Who gets access is determined by security labels –A users security label is assigned by a security officer –Copies are automatically labeled correctly by the security system First emerged: early 1970s First models: early 1970s

Institute for Cyber Security MAC: Mandatory Access Control TS S C U Information Flow Lattice of security labels

Institute for Cyber Security Orange Book 1983 –There is MAC (good) –There is DAC (weak) –Dont need anything else

Institute for Cyber Security RBAC: Role-Based Access Control –Access is determined by roles –A users roles are assigned by security administrators –A roles permissions are assigned by security administrators –Control on copies determined by configuration of roles First emerged: mid 1970s First models: mid 1990s Is RBAC MAC or DAC or neither?

Institute for Cyber Security Fundamental Theorem of RBAC –RBAC can be configured to do MAC –RBAC can be configured to do DAC –RBAC is policy neutral RBAC is neither MAC nor DAC!

Institute for Cyber Security RBAC96 Model ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS PERMISSIONS... SESSIONS ROLE HIERARCHIES CONSTRAINTS

Institute for Cyber Security Example Role Hierarchy Engineering Department (ED) Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Director (DIR) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) Employee (E) Inheritance hierarchy

Institute for Cyber Security Example Role Hierarchy Engineering Department (ED) Project Lead 1 (PL1) Engineer 1 (E1) Production 1 (P1) Quality 1 (Q1) Director (DIR) Project Lead 2 (PL2) Engineer 2 (E2) Production 2 (P2) Quality 2 (Q2) Employee (E) Inheritance and activation hierarchy

Institute for Cyber Security NIST/ANSI RBAC Standard Model 2004 ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERS PERMISSIONS... SESSIONS ROLE HIERARCHIES CONSTRAINTS Permission-role review is advanced requirement Inheritance and/or activation Limited to separation of duties Overall formal model is more complete

Institute for Cyber Security Founding Principles of RBAC96 –Abstraction of Privileges Credit is different from Debit even though both require read and write –Separation of Administrative Functions Separation of user-role assignment from role- permission assignment –Least Privilege Right-size the roles Dont activate all roles all the time –Separation of Duty Static separation: purchasing manager versus accounts payable manager Dynamic separation: cash-register clerk versus cash-register manager

Institute for Cyber Security ASCAA Principles for Future RBAC –Abstraction of Privileges Credit vs debit Personalized permissions –Separation of Administrative Functions –Containment Least Privilege Separation of Duties Usage Limits –Automation Revocation Assignment: (i) Self-assignment, (ii) Attribute-based Context and environment adjustment –Accountability Re-authentication/Escalated authentication Click-through obligations Notification and alerts

Institute for Cyber Security Usage Control: The UCON Model unified model integrating authorization obligation conditions and incorporating continuity of decisions mutability of attributes

Institute for Cyber Security Conclusion –RBAC is here to stay ABAC will still use roles as one attribute Attribute-based assignment to roles –Access control needs agility Usage limits Automation (self-administration) Accountability –This is already happening Our models have fallen behind –ASCAA principles apply beyond RBAC UCON model incorporates ASCAA

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.