Presentation is loading. Please wait.

Presentation is loading. Please wait.

Institute for Cyber Security

Published byThomas Ashby Modified over 11 years ago

Similar presentations

Presentation on theme: "Institute for Cyber Security"— Presentation transcript:

1 Institute for Cyber Security
An Attribute Based Framework for Risk-Adaptive Access Control Models Ravi Sandhu Executive Director and Endowed Professor August 2011 Joint work with Savith Kandala and Venkata Bhamidipati © Ravi Sandhu World-Leading Research with Real-World Impact!

2 RAdAC Concepts Access to resources are automatically (or semi-automatically) granted based on: Purpose for the access request, Security risk, and Situational Factors Motivating Example: Displaying a classified document… © Ravi Sandhu World-Leading Research with Real-World Impact! 2

3 Benefits of Abstract Models Core Characteristics of RAdAC
Outline Benefits of Abstract Models Core Characteristics of RAdAC Components of RAdAC Model Mapping RAdAC to UCON Extending UCON Principles to RAdAC and Modified UCON Model © Ravi Sandhu World-Leading Research with Real-World Impact! 3

4 Benefits of Abstract Models
Proposed at the Policy Layer Do not lay out enforcement and implementation details Successful practice – DAC, MAC and RBAC Provides a formal and structural foundation © Ravi Sandhu World-Leading Research with Real-World Impact! 4

5 Core Characteristics of RAdAC
Reference – Robert McGraw, NIST Privilege Management Workshop, 2009 Operational Need Security Risk Situational Factors Heuristics Adaptable Access Control Policies © Ravi Sandhu World-Leading Research with Real-World Impact! 5

6 RAdAC Model World-Leading Research with Real-World Impact!
© Ravi Sandhu World-Leading Research with Real-World Impact! 6

7 Operational Need / Purpose
© Ravi Sandhu World-Leading Research with Real-World Impact! 7

8 Operational Need / Purpose
Purpose (Operational Need) The reason for the user’s access request Can manifest as: A user’s membership in a role An authority is attesting to a user’s need to access the object Examples: Health Care – Emergency treatment Energy – Impending power emergency Banking – Consent to access acct info. © Ravi Sandhu World-Leading Research with Real-World Impact! 8

9 Security Risk World-Leading Research with Real-World Impact!
© Ravi Sandhu World-Leading Research with Real-World Impact! 9

10 Attribute Providers and Level of Assurance
Security Risk Users Devices Objects Operations Connections Attribute Providers and Level of Assurance Security risk evaluation be based on risk associated with each of these components, as well as a composite risk. © Ravi Sandhu World-Leading Research with Real-World Impact! 10

11 Situational Factors World-Leading Research with Real-World Impact!
© Ravi Sandhu World-Leading Research with Real-World Impact! 11

12 Environmental or system oriented decision factors
Situational Factors Environmental or system oriented decision factors Global Situational Factors Example : National terrorist threat level, Enterprise under cyber attack Local Situational Factors Example: location, current local time for accessible time period (e.g., business hours), current location for accessible location checking (e.g., area code, connection origination point) © Ravi Sandhu World-Leading Research with Real-World Impact! 12

13 Access History World-Leading Research with Real-World Impact!
© Ravi Sandhu World-Leading Research with Real-World Impact! 13

14 Heuristics can be used to
Access History Access History Provides two functions updates the object access history repository with the attributes in the access request and the access control decision provides input for future access decisions Heuristics can be used to Fine-tune access control policies Improve future access decisions Inputs the access decisions © Ravi Sandhu World-Leading Research with Real-World Impact! 14

15 Adaptable Access Control Policies
© Ravi Sandhu World-Leading Research with Real-World Impact! 15

16 Adaptable Access Control Policies
Adaptable access control policies can be defined based on all the components Overrides Automatic Semi-Automatic Manual © Ravi Sandhu World-Leading Research with Real-World Impact! 16

17 UCON Model World-Leading Research with Real-World Impact!
© Ravi Sandhu World-Leading Research with Real-World Impact! 17

18 Extending UCON Principles to RAdAC
Mapping RAdAC to UCON Key missing features Subject definition Access History Risk Evaluation Extending UCON Principles to RAdAC © Ravi Sandhu World-Leading Research with Real-World Impact! 18

19 Modified UCON Model World-Leading Research with Real-World Impact!
© Ravi Sandhu World-Leading Research with Real-World Impact! 19

20 Conclusion and Future Work
Purely focused on the abstract models The modified UCON model with the decomposed subject definition and the added functions of access history and risk evaluation is most suitable for modeling and implementing the RAdAC concept. Future Work: Enforcement and implementation Defining architecture, protocols and mechanisms for the proposed RAdAC model © Ravi Sandhu World-Leading Research with Real-World Impact! 20

Download ppt "Institute for Cyber Security"

Similar presentations

INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.

INSTITUTE FOR CYBER SECURITY 1 Trusted Computing Models Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University.
INSTITUTE FOR CYBER SECURITY 1 The ASCAA * Principles Applied to Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.

INSTITUTE FOR CYBER SECURITY 1 The ASCAA * Principles Applied to Usage Control Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
OWASP CLASP Overview.

OWASP CLASP Overview.
Cyber-Identity, Authority and Trust in an Uncertain World

Cyber-Identity, Authority and Trust in an Uncertain World
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.

INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
1 PANEL Solving the Access Control Puzzle: Finding the Pieces and Putting Them Together Ravi Sandhu Executive Director Endowed Professor June 2010

1 PANEL Solving the Access Control Puzzle: Finding the Pieces and Putting Them Together Ravi Sandhu Executive Director Endowed Professor June 2010
INSTITUTE FOR CYBER SECURITY 1 The PEI + UCON Framework for Application Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.

INSTITUTE FOR CYBER SECURITY 1 The PEI + UCON Framework for Application Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
1 The Challenge of Data and Application Security and Privacy (DASPY): Are We Up to It? Ravi Sandhu Executive Director and Endowed Professor February 21,

1 The Challenge of Data and Application Security and Privacy (DASPY): Are We Up to It? Ravi Sandhu Executive Director and Endowed Professor February 21,
1 ACSAC 2002 © Mohammad al-Kahtani 2002 A Model for Attribute-Based User-Role Assignment Mohammad A. Al-Kahtani Ravi Sandhu George Mason University SingleSignOn.net,

1 ACSAC 2002 © Mohammad al-Kahtani 2002 A Model for Attribute-Based User-Role Assignment Mohammad A. Al-Kahtani Ravi Sandhu George Mason University SingleSignOn.net,
Attribute Mutability in Usage Control July 26, 2004, IFIP WG11.3 Jaehong Park, University of Maryland University College Xinwen Zhang, George Mason University.

Attribute Mutability in Usage Control July 26, 2004, IFIP WG11.3 Jaehong Park, University of Maryland University College Xinwen Zhang, George Mason University.
A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation,

A New Modeling Paradigm for Dynamic Authorization in Multi-Domain Systems MMM-ACNS, September 13, 2007 Manoj Sastry, Ram Krishnan, Ravi Sandhu Intel Corporation,
INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.

INSTITUTE FOR CYBER SECURITY 1 The PEI Framework for Application-Centric Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for.
11 World-Leading Research with Real-World Impact! A Framework for Risk-Aware Role Based Access Control Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu.

11 World-Leading Research with Real-World Impact! A Framework for Risk-Aware Role Based Access Control Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu.
1 Towards a Discipline of Mission-Aware Cloud Computing (A Position Paper) Ravi Sandhu Executive Director and Endowed Professor October 2010

1 Towards a Discipline of Mission-Aware Cloud Computing (A Position Paper) Ravi Sandhu Executive Director and Endowed Professor October 2010
Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.

Logical Model and Specification of Usage Control Xinwen Zhang, Jaehong Park Francesco Parisi-Presicce, Ravi Sandhu George Mason University.
ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University.
Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.

Institute for Cyber Security ASCAA Principles for Next-Generation Role-Based Access Control Ravi Sandhu Executive Director and Endowed Chair Institute.
Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.

Future Directions in Role-Based Access Control Models Ravi Sandhu Co-Founder and Chief Scientist SingleSignOn.Net & Professor of Information Technology.

Similar presentations

Ads by Google