Published by Jonathan Reeves. Modified over 11 years ago.
1
INSTITUTE FOR CYBER SECURITY
The PEI + UCON Framework for Application Security
Prof. Ravi Sandhu
Executive Director and Endowed Chair
Institute for Cyber Security
University of Texas at San Antonio
February 2009
ravi.sandhu@utsa.edu
www.profsandhu.com
© Ravi Sandhu
2
Principles
Context principle: No security without context
  There is no definition of security without application context
  1985: The Orange Book tried to do this and failed miserably
  1990: The Trusted Database Interpretation of the Orange Book clearly demonstrated this principle
Goldilocks principle: Rightsize
  We cannot achieve absolute security, BUT we don't need to try and reach it.
  It's all about mission assurance.
  Overreaching security can compromise the mission, as can underreaching.
3
Usage Control Model (UCON)
unified model integrating
  authorization
  obligation
  conditions
and incorporating
  continuity of decisions
  mutability of attributes
4
Announcement
Dagstuhl seminar on Distributed Usage Control (Germany), April 6-9, 2010
  Sandro Etalle (TU Eindhoven, NL)
  Alexander Pretschner (TU Kaiserslautern, DE)
  Ravi Sandhu (Univ. of Texas at San Antonio, US)
  Marianne Winslett (University of Illinois - Urbana, US)
5
PEI Models: 3 Layers/5 Layers
6
Conclusion
The Institute for Cyber Security is looking for collaborators with domain expertise in application areas
Application/technology areas with ongoing work:
  Assured information sharing
  Group-based secure information systems
  Social networks
  Healthcare
  RBAC in large enterprises