Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented By: Smriti Bhatt

Published byBuddy Greer Modified over 7 years ago

Similar presentations

Presentation on theme: "Presented By: Smriti Bhatt"— Presentation transcript:

1 Presented By: Smriti Bhatt
Policy Machine What is? Why its designed? What we can do in PM? Presented By: Smriti Bhatt

2 Overview PM Many policies and access control models –
DAC, MAC, RBAC, ABAC, LaBAC, ReBAC, … Policy Machine – immense concept and capabilities PM vs ABAC Attributes, relationships, etc. Access Control Models PM Policy Definition Policy Enforcement

3 Introduction Policy Machine (PM): Goal & Objective:
Unified access control framework Express and enforce arbitrary access control policies Attribute-based access control policies Goal & Objective: To provide a generic platform that supports Commonly known and implemented access control policies Combinations of policies Policies for which no access control mechanism presently exists

4 Characteristics of PM Comprehensive enforcement of many policies across both centralized and distributed systems Single administrative domain Comprises of a family of standards that recognizes Policy Administration Point (PAP), Policy enforcement points (PEP), Policy Decision Point(s) (PDP), A policy database

5 PM Framework- a logical ‘machine’

6 PM Core Elements Users (U): actual users/individuals in a system
Objects (O): files, records, resources User Attributes (UA) and Object Attributes (OA): containers for users and objects respectively Policy Classes (PC): containers for each access control policies Processes (p): similar to a subject, issues access request Operations (Op): actions (r, w, etc.) can be performed on contents of objects/resources or PM data elements and relations Access Rights (AR): access rights required to carry out an operation

7 PM vs ABAC Attributes PM attributes ABAC attributes
Containers for users and objects No defined domain Set of members in the container Example: User attribute – Manager = manager_1, manager 2 Employee = employee_1, employee 2 Object attribute – Medical records = mrec1, mrec2 ABAC attributes Characteristics/properties of users and objects Finite domain Set or atomic valued Example: User attribute – Title = { manager, employee} Age = {18, 19} Object attribute – Owner = Alice Label = {private, public}

8 Attributes (User/Object)
assignment assignment Fig3: ABAC user and attribute-value pair Fig1: PM user attribute and assigned users assignment assignment Owner = Alice Type = private File Fig2: PM object attribute and assigned objects Fig4: ABAC object and object-value pair

9 PM Relations Assignment: x ASSIGN y
Association: relationship between user attributes (UA) and user attributes and objects attributes (AT = UA U OA) via operations/actions, policies Prohibition: constraints and restrictions on access rights on users, processes or user attributes, SSD Obligations: dynamically change the policy state in response to user/process event, DSD When pattern do response These relations allows to express a wide range of attribute-based policies.

10 PM Assignments Containment Property: Hierarchical relationships
Inheritance shown downwards x x contained by y y both oa1 and oa2 are contained by oa20 and acquire the properties of oa20, and oa1, oa2, and oa20 are contained by oa21 and likewise acquire its properties. Inverted inheritance

11 PM Authorization Graph
Assignments Associations {r}, {w} - Operations

12 Derived Privileges - Enumerations
Enumerations all explicit and implicit privileges/accesses Association (Group1, {w}, Project1) Users(Group1)={u1} Access right={w} Elements(Project1)={Project1, o1, o2} Derived privileges for user u1: (u1, w, Project1), (u1, w, o1), and (u1, w, o2)

13 PM Administrative Authorization Graph

14 Example – RBAC Policy

15 Combination of Policies

16 LaBACH LaBACH Characteristics: Assignments and Associations relations
User/object label hierarchy Only operations on objects/resources (no admin operations) Enumerated policies

17 LaBACH in PM

18 LaBACH in PM Tweaked

19 PM Tool PM Server: Policy Administration Point (PAP), Policy Decision Point (PDP), includes a PM Database, an event processing module Administrative Client: Admin Tool (PAP) Database: Active Directory PM client: PEP, an application programming interfaces (API), and PM-aware applications User Environment Simulator Kernel Simulator: acts as PEP Session Manager

20 PM System Architecture
PEP within the PM client traps each access request, and then asks the PDP within the PM server to decide whether to grant or reject the access request. The physical location of each object is known to the PM server (and transparent to the client). In the case of a granted request, the server response is accompanied by the physical location of the object. The PM client exposes a standard set of APIs that can be used to develop PM-aware applications. PM uses the resource repositories and servers to store and retrieve the physical contents of its objects. A user may be associated with one or more processes, while a process is always associated with just one user.

21 LaBACH Configuration in PM
Look into PM Tool at the end!!!

22 PM and ABAC Analysis Defining policies in ABAC models:
Logical formula: ABACα, XACML - Pros: simple, easy, and flexible - Cons: reviewing, updating policies become NP-complete Enumerated policies: LaBAC, 2-sorted RBAC, PM - Pros: good for updating and reviewing policies - Cons: size might becomes exponential

23 PM in Cloud PM & OpenStack OpenStack PM Server (PEP) (PAP, PDP)
REST API OpenStack (PEP) PM Server (PAP, PDP) grant/deny Nova Neutron Swift Keystone access request

24 PM & OpenStack Better understand PM and OpenStack
Proof of Concept PM-ABAC in cloud Performance overhead PM specific issues

25 Conclusion & Limitations
Platform for testing and enforcing policies ABAC attributes vs PM attributes Configuration overhead Many details and complexities Active Directory Certificates and keys, …

26

Download ppt "Presented By: Smriti Bhatt"

Similar presentations

Institute for Cyber Security

Institute for Cyber Security
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.

Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
Data Management I DBMS Relational Systems. Overview u Introduction u DBMS –components –types u Relational Model –characteristics –implementation u Physical.

Data Management I DBMS Relational Systems. Overview u Introduction u DBMS –components –types u Relational Model –characteristics –implementation u Physical.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Database System Concepts and Architecture Lecture # 3 22 June 2012 National University of Computer and Emerging Sciences.

Database System Concepts and Architecture Lecture # 3 22 June 2012 National University of Computer and Emerging Sciences.
11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.

11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.
5 - 1 Copyright © 2006, The McGraw-Hill Companies, Inc. All rights reserved.

5 - 1 Copyright © 2006, The McGraw-Hill Companies, Inc. All rights reserved.

Similar presentations

Ads by Google