The Laboratory of Information Integration, Security and Privacy ● University of North Carolina at Charlotte URL:www.sis.uncc.edu/LIISPSTECH 306, UNC Charlotte.

Slides:

Advertisements

Similar presentations

1 Framework for Role-Based Delegation Models (RBDMs) By: Ezedin S.Barka and Ravi Sandhu Laboratory Of Information Security Technology George Mason University.

Advertisements

Lousy Introduction into SWITCHaai

© 2006 Open Grid Forum OGF19 Federated Identity Rule-based data management Wed 11:00 AM Mountain Laurel Thurs 11:00 AM Bellflower.

© 2012 Open Grid Forum Simplifying Inter-Clouds October 10, 2012 Hyatt Regency Hotel Chicago, Illinois, USA.

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Formalizing Security Requirements for Grids Syed Naqvi 1,2, Philippe Massonet 1, Alvaro Arenas 2 1 Centre of Excellence in Information and Communication.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Access Control RBAC Database Activity Monitoring.

Access Control Methodologies

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Security Controls – What Works

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.

Identity Federation in Healthcare Networks Xiaohui Chen Department of Computer Science University of Virginia.

Overview FAA IT & ISS R&D: Security Today Security Tomorrow Marshall Potter Chief Scientist for Information Technology Federal Aviation Administration.

“A Service-enabled Access Control Model for Distributed Data” Mark Turner, Philip Woodall Pennine Forum - 16 th September 2004.

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.

2  A system can protect itself in two ways: It can limit who can access the system. This requires the system to implement a two-step process of identification.

Distributed Computer Security 8.2 Discretionary Access Control Models - Liang Zhao.

Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.

Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Secure Knowledge Management: and.

A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.

Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.

A Robust Health Data Infrastructure P. Jon White, MD Director, Health IT Agency for Healthcare Research and Quality

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

What IHE Delivers Healthcare Provider Directories IHE IT Infrastructure Planning Committee Eric Heflin – Medicity/THSA.

1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.

Digital Identity Management Strategy, Policies and Architecture Kent Percival A presentation to the Information Services Committee.

SEC835 Database and Web application security Information Security Architecture.

Storage Security and Management: Security Framework

USING METADATA TO FACILITATE UNDERSTANDING AND CERTIFICATION ABOUT THE PRESERVATION PROPERTIES OF A PRESERVATION SYSTEM Jewel H. Ward, Hao Xu, Mike C.

Demonstration of the Software Prototypes PRIME PROJECT 17 December 2004.

 Dr. Syed Noman Hasany.  Review of known methodologies  Analysis of software requirements  Real-time software  Software cost, quality, testing and.

The Science of Cyber Security Laurie Williams 1 Figure from IEEE Security and Privacy, May-June 2011 issue.

An Investigation on Testing RBAC Constraints Presented by Jiao Chen 04/29/2003.

8.1 Lawson Security Overview Del Dehn Product Manager.

Identity Management: A Technical Perspective Richard Cissée DAI-Labor; Technische Universität Berlin

Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Business Convergence WS#2 Smart Grid Technologies.

G53SEC 1 Access Control principals, objects and their operations.

Information Security - City College1 Access Control in Collaborative Systems Authors: Emis Simo David Naco.

United States Department of Justice Global Security Working Group Update Global Advisory Committee November 2, 2006 Washington, D.C.

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

Authorization in Trust Management Conditional Delegation and Attribute-Based Role Assignment using XACML and RBAC Brian Garback © Brian Garback 2005.

Security Patterns for Web Services 02/03/05 Nelly A. Delessy.

1 1 Cybersecurity : Optimal Approach for PSAPs FCC Task Force on Optimal PSAP Architecture Working Group 1 Final Report December 10 th, 2015.

A Flexible Access Control Service for Java Mobile Code HPCC lab 문 정 아.

Privilege Management Chapter 22.

Computer Security: Principles and Practice

GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.

CSC 8320 Advanced Operating System Discretionary Access Control Models Presenter: Ke Gao Instructor: Professor Zhang.

Chapter 19: Building Systems with Assurance Dr. Wayne Summers Department of Computer Science Columbus State University

Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University

1 XACML for RBAC and CADABRA Constrained Delegation and Attribute-Based Role Assignment Brian Garback © Brian Garback 2005.

Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK

The NIST Special Publications for Security Management By: Waylon Coulter.

What IHE Delivers Healthcare Provider Directories IHE IT Infrastructure Planning Committee Eric Heflin - Medicity.

1 SFS: Secure File Sharing For Dynamic Groups In Cloud Shruthi Suresh M-tech CSE RCET.

Institute for Cyber Security

Building Distributed Educational Applications using P2P

Security and Boundaryless Information Flow

Chapter 19: Building Systems with Assurance

PLUG-N-HARVEST ID: H2020-EU

Access Control What’s New?

Ponder policy toolkit Jovana Balkoski, Rashid Mijumbi

Presentation transcript:

The Laboratory of Information Integration, Security and Privacy ● University of North Carolina at Charlotte URL: 306, UNC Charlotte Secure Information Sharing within a Collaborative Environment DoE ECPI Project Gail-Joon Ahn UNC Charlotte

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 2 Contents  Introduction  Motivation and Related Work  Our approach – Role-based Delegation : Concepts and Model – Other Supporting Mechanisms  Ongoing and Future work  Summary

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 3 Access control is concerned with limiting the activity of legitimate users Security techniques WW W Mail Resources (O) DB User (S) File/ Dir Authentication Incident Handling Cryptography Intrusion Detection Auditing Who are you?What can you do?Vulnerabilities, where?How to detect attacks?Encipher/decipher codes?How to react to attacks? Access Control Reference Monitor

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 4 Collaborative Environment  Selective information sharing is necessary  Information may be shared across organizational boundaries  It is impossible to fully predict what data should be shared, when and to whom  A mechanism must be provided for revoking the sharing when it is no longer needed Healthcare Information System Dr. Chen Dr. Jain Patient - Jennifer Specialist Clinic Dr. White Hospital A Community Relationship Authorization Authentication –Scalable authentication –Token-based Access Control –Role-based delegation –Interoperable access management Identity Management –Privacy Attribute Mgmt. –Identity Federation How can we share critical information in a secure manner ?

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 5 Research Issues  Can we share information in a secure manner?  Do we need new security models for this environment?  What kind of security requirements/constraints/policies should be identified?  How can we specify them?  How can we enforce security policies over distributed domains?  What security architectures are needed?

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 6 Our Approaches – Propose security model to address human- to-human delegation and revocation – Use authorization language to express and enforce delegation and revocation policies in this model – Identify security architectures and supporting components – Evaluate the feasibility and applicability of our approach

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 7 Delegation Issues  Permanence – Type of delegation in terms of their time duration  Monotonicity – The state of the power that the delegating role member possesses after he or she delegates the role – Monotonic and non-monotonic  Totality – How completely the permissions assigned to a role are delegated  Administration – Who will be the actual administrator of the delegation?  Levels of delegation – Defines whether or not each delegation can be further delegated and for how many times  Multiple delegation – The number of users to whom a delegating role member can delegate at any given time – More effective if the delegation is temporary  Delegation Forms – Human-to-Human A user delegates his/her privileges to anther users – Human-to-Machine A user delegates his/her privileges to a system so that the system can access the resources on behalf of the user – Machine-to-Machine

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 8 Role-based Delegation SEMANTICS RULE-BASED POLICY LANGUAGE RBAC96 ARTIFACTSFUNCTIONS ARBAC97RDM2000 URAPRARRADLGT FUNCTIONS Derivation Rules FUNCTIONSBASIC RULES UTILITY FUNCTIONS Available in ACM Transactions on Information and System Security, Vol.6, No.3

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 9 ShareEnabler a) ShareEnabler Agent b) Administrative Policy Editor  Currently testing it on Grid and Scishare (P2P)

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 10 Other Supporting Components  Role Engineering – Role identification – Meta-modeling System, permission, and domain  Role Administration – Structural analysis – Behavioral analysis

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 11 Information flow types in RE  Forward Information Flow (FIF)  Backward Information Flow (BIF) “On Modeling System.centric Information for Role Engineer-ing,” Proc. of 8th ACM Symposium on Access Control Model and Technology, June 2-3, 2003, Como, Italy.

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 12 RolePartner

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 13 Ongoing and Future Works  Ongoing related projects are – Marriage with Wireless Communication and Collaborative Delegation Supported by NSF & DoE CAREER Award ACM TISSEC Vol.6 /No , IEEE ITCC 2004 – Private Attribute Management Supported by Bank of America IEEE IPCCC and DEXA 2004 – Role Engineering Methodology Collaboration with NIST ACM SACMAT 2003, ACM SAC 2003 – Vulnerabilities in Collaborative Systems Supported by SPAWAR  Our future research includes – Another type of delegation Permission-centric delegation Role-role delegation – Specification of constraints related to delegation – Correctness and convergence of rule derivations – Distribute and manage rules across organizational boundaries

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 14 Other Applicable Domains Information sharing in Military domain  – Robotic warfare may be a reality by the year – Battlefield robots need to communicate each other for their mission. They should be able to share information in a secure manner Official DOD Photo  Proactive protection for Critical Infrastructures –Critical infrastructures need to share information each other because one incidents in a critical infrastructure may cause severe damages to other infrastructures due to interdependencies between critical infrastructures

University Of North Carolina at Charlotte September 28, 2005The Laboratory of Information Integration, Security and Privacy Slide 15 Summary  First attempt to propose a systematic role-based delegation model  We have – articulated issues in delegation – specified this model with rule-based language – implemented a role-based delegation framework to manage information sharing in the healthcare information system System components, System architecture, System implementation Highlighted features: rule management and context constraints  Acknowledgement – Supported by Department of Energy CAREER award (DE- FG02-03ER25565) and National Science Foundation (IIS )