Presentation is loading. Please wait.

Presentation is loading. Please wait.

UnifiedSec-1 CSE 5810 Integrated Secure Software Engr. Approach for Functional, Collaborative, and Information Concerns J. A. Pavlich-Mariscal, S. Berhe,

Published byStephen Howard Modified over 8 years ago

Similar presentations

Presentation on theme: "UnifiedSec-1 CSE 5810 Integrated Secure Software Engr. Approach for Functional, Collaborative, and Information Concerns J. A. Pavlich-Mariscal, S. Berhe,"— Presentation transcript:

1 UnifiedSec-1 CSE 5810 Integrated Secure Software Engr. Approach for Functional, Collaborative, and Information Concerns J. A. Pavlich-Mariscal, S. Berhe, A. De la Rosa Algarin, S. Demurjian Computer Science & Engineering Department The University of Connecticut 371 Fairfield Road, Box U-1155 Storrs, CT 06269-1155 steve@engr.uconn.edu http://www.engr.uconn.edu/~steve (860) 486 - 4818

2 UnifiedSec-2 CSE 5810 Present an Integrated Approah  Merging and combining  Functional Security (Jaime’s work)  Collaborative Security (Solomon’s work)  Information Security (Alberto’s work)  A secure software engineering approach that tackles the major concepts of an application  Methods and Operations  Collaboration and Adaptive Workflows  Information and Resources used  Leveraging access control models across all three topics  RBAC  MAC  DAC

3 UnifiedSec-3 CSE 5810 Overview of the Process

4 UnifiedSec-4 CSE 5810 High Level View of the Process

5 Security UML -5 CSE 5810 Recall Virtual Chart Example

6 Security UML -6 6 VCA Use Case Diagram

7 Security UML -7 7 Two Main Classes

8 Security UML -8 CSE 5810 Diagrams for Functional Security  Secure Subsystem  Role Slice Diagram  User Diagram  Delegation Diagram  MAC Extensions

9 Security UML -9 Secure Subsystem

10 Security UML -10 Role Slice Diagram

11 Security UML -11 User Diagram

12 Security UML -12 Delegation Diagram

13 Security UML -13 MAC Extensions

14 Security UML -14 Enforcement Code Generation

15 Security UML -15 Functional Enforcement Code

16 Security UML -16 Functional Enforcement Code

17 Security UML -17 CSE 5810 Diagrams for Collaborative Security  Collaboration Workflow Slice Diagram  Extended Role Slice Diagram  Obligation Slice Diagram  Team Slice Diagram

18 Security UML -18 Collaboration Workflow Slice Diagram

19 Security UML -19 Extended Role Slice Diagram

20 Security UML -20 Obligation Slice Diagram

21 Security UML -21 Team Slice Diagram

22 Security UML -22 Collaborative Enforcement Generation

23 Security UML -23 Collaborative Enforcement Code

24 Security UML -24 Collaborative Enforcement Code

25 Security UML -25 CSE 5810 Diagrams for Information Security  XML Schema Segment  XML Schema Class Diagram  XSRD Role Slice Diagram

26 Security UML -26 XML Schema Segment

27 Security UML -27 XML Schema Class Diagram

28 Security UML -28 XSRD Role Slice Diagram

29 Security UML -29 XSRD Role Slice Diagram

30 Security UML -30 Information Enforcement Generation

31 Security UML -31 Mapping XRSD to XACML

32 Security UML -32 Three Segments of Code- Subject

33 Security UML -33 Three Segments of Code - Resource

34 Security UML -34 Three Segments of Code - Action

35 Security UML -35 Combined Code

36 Security UML -36 CSE 5810 More Detailed View of Policy Generation  XML Schema Class Diagram: Artifact that holds all the characteristics of an XML schema  Structure, Data Type, Value Constraints  Hierarchical nature of XML schemas is modeled  xs:complexType, xs:element, xs:sequence  UML Class with respective Stereotypes  Child Relations (xs:element, xs:sequence, xs:simpleType)  UML Subclass  xs:extension  Association between Classes  Data-type Cardinality Requirements and Constraints; type  «constraint»; «type» stereotypes

37 Security UML -37 CSE 5810 XSCD of CCR Segment «complexType» StructuredProductType «element» Product «complexType» «sequence» «type» CodedDescriptionType «element» ProductName «type» CodedDescriptionType «constraint» minOccurs=0 «element» BrandName «element» Strength «constraint» minOccurs=0 «constraint» maxOccurs=-1 «extension» CCRCodedDataObjectType XSCD

38 Security UML -38 CSE 5810 XML Role Slice Diagram  Represents Access Control Definitions  With respect to XSCD Attributes  Fine Grained Control through  Security Policies and Definitions to the XSCD  Permissions on XML Documents  Read, Write, No Read, No Write  Represented in the XRSD with Stereotypes:  «read/write»  «read/nowrite»  «noread/write»  «noread/nowrite»

39 Security UML -39 CSE 5810 Example of XRSDs «XRSD» Physician «RoleDescription» «RoleRequirements» «read/write» «element» Product «read/write» «element» ProductName «read/write» «element» BrandName «read/write» «element» Strength «read/write» «element» StrengthSequencePosition «read/write» «element» VariableStrengthModifier «XRSD» Nurse «RoleDescription» «RoleRequirements» «read/nowrite» «element» Product «read/nowrite» «element» ProductName «read/nowrite» «element» BrandName «read/nowrite» «element» Strength «read/nowrite» «element» StrengthSequencePosition «read/nowrite» «element» VariableStrengthModifier

40 Security UML -40 CSE 5810 What is XACML?  Aims to Define a Common Language and Processing Model  Permits a Level of Security Interoperability  XACML schema Provides Several Structures and Elements to Represent Policies  PolicySet, Policy, Rule  PolicySets and Rules Combined by Policy/Rule Combination Algorithm  Permit-overrides  Deny-overrides  First-applicable  Only-one-applicable

41 Security UML -41 CSE 5810 XACML General Structure PolicySet Policy Rule Subject Action Resource Rule Combination Algorithm Policy Combination Algorithm

42 Security UML -42 CSE 5810 Mapping to a Security Policy (XACML)  Policies’ Language Structure and Processing Model  PolicySet, Policy, Rule  Policy and Rule Combination Done with Normative Algorithms  Deny-overrides, permit-overrides, first-applicable, only-one-applicable  Use Deny-overrides as Combination Algorithm for Enforcement  If the Evaluation of One Rule Results in Deny, the Policy Evaluation is Deny  Mapping Process Divided in 3 Sub-Mappings  Role, Element and Permission

43 Security UML -43 CSE 5810 Mapped Policy Role Mapping Permission Mapping

44 Security UML -44 CSE 5810 Mapped Policy Element Mapping

45 Security UML -45 CSE 5810 Enforcement in a Security Architecture   The architecture has a number of components:  Policy Enforcement Point (PEP)  Allows a request to be made on a resource  Policy Decision Point (PDP)  Evaluates the request and provides a response according to the policies in place  Policy Administration Point (PAP)  Utilized to write and manage policies  Policy Information Point (PIP)  Arbitrate very fine grained security issues

46 Security UML -46 CSE 5810 Enforcement in a Security Architecture Physician Nurse XRSDs XACML Policy Mapping XACML Policy – Schema 1 XACML Policy – Schema 2 Policy Retrieval Point (PRP) PAP PDP PEP PIP XACML Architecture

47 Security UML -47 Overall Secure SWE Process

48 Security UML -48 CSE 5810 Overall View – Initial Design (1)Main Security Design of the Application (2a,b) Initial Functional Security and Collaboration Design (2a,b.1) Define Functional Security and Collaboration Use Cases (2a,b.2) Define Secure SubSystem + Collaboration Capable Subsystem (2c) Initial Information Security Design (2c.1) Define XML Schema Class Diagram (2c.2) Define Information Security Requirements

49 Security UML -49 CSE 5810 Overall View – Functional Security (3a) Functional Security Design Define Security Features Group Users into Roles Separation of Duty, Delegation Authority Select MAC Features [NEEDS MAC] Security Refinement Process [DONE] [NOT DONE]

50 Security UML -50 CSE 5810 Overall View – Collaborative Security Create Collaboration Workflow Name Create Collaboration Step/Workflow Security Refinement Process Collaboration Team Collaboration Obligation (3b) Collaboration Security Design [DONE] [NOT DONE]

51 Security UML -51 CSE 5810 Overall View – Information Security Define set of Roles with Information Access Determine Permissions of Roles to Information Create XML Role Slice Diagrams for each Role (3c) Information Security Design Security Refinement Process [DONE] [NOT DONE]

52 Security UML -52 CSE 5810 Overall View – Refinement and Mappings Generated Functional, Collaborative & Information Secure System (4) Refinement of Functional, COD/AWF and Information Security Design (5) Combine Three Facets and Transition into Final Design (6) Mapping to Enforcement Code and XACML Policies

53 Security UML -53 CSE 5810 A Second Example – Crash Report System   Crash report system (CRS) big data application to collect information on accidents   Cars involved, people involved, location, specifics of actual accident, etc.)   Based on an actual crash report system in Connecticut that has data from over 20 years that has been a  Joint effort by faculty in the Civil & Environmental Engineering and Computer Science & Engineering faculty  Under the supervision of the State of Connecticut Department of Transportation.

54 Security UML -54 CSE 5810 A Second Example – Crash Report System   CRS serves as a means for researchers to collaboratively analyze the data for future crash prevention and other operational purposes.   The example presented excerpted from the Model Minimum Uniform Crash Criteria Guide (MMUCC)  An XML standard for data to be collected on traffic crashes to be stored in CRS.  http://mmucc.us/sites/default/files/MMUCC_4th_E d.pdf   http://www.cti.uconn.edu/connecticut-transportation- safety-research-center/ and http://www.ctcrash.uconn.edu/ http://www.cti.uconn.edu/connecticut-transportation- safety-research-center/ http://www.ctcrash.uconn.edu/

55 Security UML -55 Secure Subsystem

56 Security UML -56 CSE 5810 CRS Roles  Passenger and Researcher  Police Office  Local  State  Federal  Each Utilizes Different Portions of Secure Subsystem

57 Security UML -57 Role Slice Diagram

58 Security UML -58 SoD Diagram

59 Security UML -59 Collaboration Workflow Slice Diagram

60 Security UML -60 Extended Role Slice Diagram

61 Security UML -61 Obligation Slice Diagram

62 Security UML -62 Team Slice Diagram

63 Security UML -63 RBAC for CRS

64 Security UML -64 RBAC for CRS – Info Based

65 Security UML -65 RBAC for CRS – Info Based

66 Security UML -66 XML Role Slice Diagram – Info Based

67 Security UML -67 XML Role Slice Diagram

68 UnifiedSec-68 CSE 5810 Concluding Remarks  Security is Part of an Overall Security Strategy  Definition of Security Requirements  Realization of Security at Application Level  Integration of Security from User to OS to DB  Rigorous Definition of Security Policy  Dynamic Nature of Security Privileges  Enforcement of Defined Privileges at Application and DB Levels  Overall, Security in Today’s World Integral Part of Everyday Life - Some Key Concerns  Confidentiality of an Individuals Data  Identity Theft  Protecting National Infrastructure

69 Security UML -69 CSE 5810 Other areas of interest for info security  Modeling of other access control models  Lattice Based Access Control (LBAC)  Attribute Based Access Control (ABAC)  Collaboration and adaptive workflows from the perspective of information security  Documents that are utilized by multiple roles/individuals at the same time  Hierarchically structured data with no validation agents  Specialized XML  JSON and JSON-LD  RDF  OWL

Download ppt "UnifiedSec-1 CSE 5810 Integrated Secure Software Engr. Approach for Functional, Collaborative, and Information Concerns J. A. Pavlich-Mariscal, S. Berhe,"

Similar presentations

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
Database Planning, Design, and Administration

Database Planning, Design, and Administration
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.

The RBAC96 Model Prof. Ravi Sandhu. 2 © Ravi Sandhu WHAT IS RBAC?  multidimensional  open ended  ranges from simple to sophisticated.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.

Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Model-Driven Design and Administration of Access Control in Enterprise Applications April 2005.

Model-Driven Design and Administration of Access Control in Enterprise Applications April 2005.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
XEngine: A Fast and Scalable XACML Policy Evaluation Engine Fei Chen Dept. of Computer Science and Engineering Michigan State University Joint work with.

XEngine: A Fast and Scalable XACML Policy Evaluation Engine Fei Chen Dept. of Computer Science and Engineering Michigan State University Joint work with.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Chapter 9 Database Design

Chapter 9 Database Design
Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.

Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.
Lecture Nine Database Planning, Design, and Administration

Lecture Nine Database Planning, Design, and Administration
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Object Oriented Analysis and Design Using the UML

Object Oriented Analysis and Design Using the UML
Extended Role Based Access Control – Based Design and Implementation for a Secure Data Warehouse Dr. Bhavani Thuraisingham Srinivasan Iyer.

Extended Role Based Access Control – Based Design and Implementation for a Secure Data Warehouse Dr. Bhavani Thuraisingham Srinivasan Iyer.

Similar presentations

Ads by Google