1. Cyber-Identity, Authority and Trust in an Uncertain World
Prof. Ravi Sandhu
Laboratory for Information Security Technology
George Mason University

2. Outline Perspective on security Role Based Access Control (RBAC)
Objective Model-Architecture Mechanism (OM-AM) Framework
Usage Control (UCON)
Discussion

3. PERSPECTIVE

4. Security Conundrum Nobody knows WHAT security is
Some of us do know HOW to implement pieces of it
Result: hammers in search of nails

5. Security Confusion USAGE purpose INTEGRITY modification AVAILABILITY
electronic commerce, electronic business
DRM, client-side controls
INTEGRITY
modification
AVAILABILITY
access
CONFIDENTIALITY
disclosure

6. Success is largely unrecognized by the security community
Security Successes
On-line banking
On-line trading
Automatic teller machines (ATMs)
GSM phones
Set-top boxes
…………………….
Success is largely unrecognized
by the security community

7. Good enough security Exceeding good enough is not good
You will pay a price in user convenience, ease of operation, cost, performance, availability, …
There is no such thing as free security
Determining good enough is hard
Necessarily a moving target

8. Business models dominate
Good enough security
Real-world users
Security geeks
SECURE
EASY
end users
operations staff
help desk
whose security
perception or reality of security
Business models dominate
security models
COST
System owner
system cost
operational cost
opportunity cost
cost of fraud

9. Good enough security
In many cases good enough is achievable at a pretty low threshold
The “entrepreneurial” mindset
In extreme cases good enough will require a painfully high threshold
The “academic” mindset

10. Good enough security COST L M H Entrepreneurial mindset H 1 2 3
Academic
mindset R I S K 2 3 4 M L 3 4 5

11. ROLE-BASED ACCESS CONTROL (RBAC)

12. MAC and DAC For 25 years access control has been divided into
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
In the past 10 years RBAC has become a dominant force
RBAC subsumes MAC and DAC

13. Mandatory Access Control (MAC)TS S
Lattice of
security
labels C
Information
Flow
Dominance U

14. Mandatory Access Control (MAC)
S,{A,B}
S,{A]
S,{B}
Lattice of
security
labels
Information
Flow
Dominance
S,{}

15. Discretionary Access Control (DAC)
The owner of a resource determines access to that resource
The owner is often the creator of the resource
Fails to distinguish read from copy

16. RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard)
ROLE HIERARCHIES
USER-ROLE
ASSIGNMENT
PERMISSIONS-ROLE
ASSIGNMENT
USERS
ROLES
PERMISSIONS
...
CONSTRAINTS
SESSIONS

17. RBAC SECURITY PRINCIPLES
least privilege
separation of duties
separation of administration and access
abstract operations

18. HIERARCHICAL ROLES Primary-Care Physician Specialist Physician
Health-Care Provider

19. Fundamental Theorem of RBAC
RBAC can be configured to do MAC
RBAC can be configured to do DAC
RBAC is policy neutral

20. OM-AM (Objective/Model Architecture/Mechanism) Framework

21. THE OM-AM WAY A What? s u Objectives r Model a n Architecture c
Mechanism
How?

22. LAYERS AND LAYERS Multics rings Layered abstractions Waterfall model
Network protocol stacks
Napolean layers
RoFi layers
OM-AM
etcetera

23. OM-AM AND MANDATORY ACCESS CONTROL (MAC)u r a n c e
What?
How?
No information leakage
Lattices (Bell-LaPadula)
Security kernel
Security labels

24. OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC)u r a n c e
What?
How?
Owner-based discretion
numerous
ACLs, Capabilities, etc

25. OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC)u r a n c e
What?
How?
Objective neutral
RBAC96, ARBAC97, etc.
user-pull, server-pull, etc.
certificates, tickets, PACs, etc.

26. RBAC96 model (Currently foundation of a NIST/ANSI/ISO standard)
ROLE HIERARCHIES
USER-ROLE
ASSIGNMENT
PERMISSIONS-ROLE
ASSIGNMENT
USERS
ROLES
PERMISSIONS
...
CONSTRAINTS
SESSIONS

27. Server-Pull Architecture
Client
Server
User-role
Authorization
Server

28. User-Pull Architecture
Client
Server
User-role
Authorization
Server

29. Proxy-Based Architecture
Client
Proxy
Server
Server
User-role
Authorization
Server

30. USAGE CONTROL (UCON)

31. The UCON Vision: A unified model
Traditional access control models are not adequate for today’s distributed, network-connected digital environment.
Authorization only – No obligation or condition based control
Decision is made before access – No ongoing control
No consumable rights - No mutable attributes
Rights are pre-defined and granted to subjects

32. OM-AM layered Approach

33. Prior Work Problem-specific enhancement to traditional access control
Digital Rights Management (DRM)
mainly focus on intellectual property rights protection.
Architecture and Mechanism level studies, Functional specification languages – Lack of access control model
Trust Management
Authorization for strangers’ access based on credentials

34. Prior Work Incrementally enhanced models
Provisional authorization [Kudo & Hada, 2000]
EACL [Ryutov & Neuman, 2001]
Task-based Access Control [Thomas & Sandhu, 1997]
Ponder [Damianou et al., 2001]

35. Usage Control (UCON) Coverage
Protection Objectives
Sensitive information protection
IPR protection
Privacy protection
Protection Architectures
Server-side reference monitor (SRM)
Client-side reference monitor (CRM)
Both SRM and CRM

36. Core UCON (Usage Control) Models
ongoing
pre
post
Continuity of decisions
Mutability of attributes

37. Examples Long-distance phone (pre-authorization with post-update)
Pre-paid phone card (ongoing-authorization with ongoing-update)
Pay-per-view (pre-authorization with pre-updates)
Click Ad within every 30 minutes (ongoing-obligation with ongoing-updates)
Business Hour (pre-/ongoing-condition)

38. Beyond the UCON Core Models

39. DISCUSSION

40. THE OM-AM WAY A What? s u Objectives r Model a n Architecture c
Mechanism
How?

41. Good enough security COST L M H Entrepreneurial mindset H 1 2 3
Academic
mindset R I S K 2 3 4 M L 3 4 5