Information Security - City College
Access Control in Collaborative Systems
Authors: Emis Simo, David Naco


1 Access Control in Collaborative Systems
Authors: Emis Simo, David Naco

2 Overview
- Introduction
- Collaborative Access Control
- Intermediate Access Controls
- Requirements of Access Control in Collaborative Systems
- Access Control Models
  - The Matrix Access Control
  - SPACE Model
  - Role-Based Access Control (RBAC)
  - Task-Based Access Control (TBAC)
  - Team-Based Access Control (TMAC)
- Evaluation Criteria
- Conclusion

3 Introduction
- Collaborative systems have come into extensive use in the last decade
- The aim of such systems is to achieve communication and collaboration between users concerned with common tasks
- A need for security emerges in such systems
- Access control is one of the most important aspects of security in collaborative systems
- Not only authentication, but also authorization
- Do traditional access control models satisfy the requirements of collaboration?

4 Collaborative Access Control

5 Intermediate Access Controls
- Privileges
  - If you are allowed to do something in a system, you usually have a certain level of privilege to be able to use the operating system functions or perform some actions.
  - This introduces a concept called least privilege. It requires that a user be given no more privilege than necessary to perform a job.
- Protection Rings
  - Protection rings have been mainly used for integrity protection.
  - The representative examples are system/user protection in operating system design and machine language protection in microprocessor design.

6 Intermediate Access Controls
- Intermediate Abilities
  - More flexible, with more internal structure; convenient for mathematical analysis; at an experimental stage
- Group and Negative Permissions
  - Define that a group is forbidden from accessing objects
- RBAC
  - A fundamental way of implementing an intermediate layer for various access control policies

7 Requirements for Access Control in Collaborative Systems
- Multiple, dynamic user roles
  - The model should allow users' access rights to be inferred from their roles. Moreover, it should allow users to take multiple roles simultaneously and to change these roles dynamically during different phases of collaboration.
- Collaboration rights
  - Operations whose results can affect multiple users should be protected by collaboration rights.
- Flexibility
  - The system should support fine-grained subjects, objects, and access rights.

8 Requirements for Access Control in Collaborative Systems
- Easy specification
  - Access control models must allow high-level specification of access rights.
- Efficient storage and evaluation
  - The storage of access definitions and the evaluation of the access checking rule should be efficient.
- Automation
  - Easy to implement access control in multi-user applications. Performance and resource costs should be kept within acceptable bounds.
- Meta-access control
  - Support for fine-grained protection, assignment of administrators, joint and multiple ownership issues, and the delegation and revocation of access rights.

9 Collaborative Access Control Models

10 Matrix Access Control
- Object: the basic resource entity controlled by the computer.
- Subject: the entity initiating an activity on objects.
- The access matrix is a basic model specifying the rights that subjects have to objects.
- Each subject and object correspond to a row and a column, respectively.
- Each cell in the matrix denotes the access authorized for the object in the column by the subject in the row.
- The main objective of the access control system is to strictly execute the operations imposed by the access matrix.

11 Implementations of Matrix Access Control
- Implementations of Matrix Access Control involve splitting the matrix into more manageable parts in order to obtain acceptable performance for the authorization operations.
- Access Control Lists (ACL)
  - Store the matrix by columns
  - Provide convenient access review with respect to the object
- Capability Lists (C-Lists)
  - Store the matrix by rows
  - Provide convenient access review with respect to the subject
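The two storage layouts from slides 10 and 11, as an added example that is not part of the original presentation. The subjects, objects and rights are constructed sample data, and the function names are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed sample matrix: one row per subject, one column per object.
ACCESS_MATRIX = {
    "alice": {"design.doc": {"read", "write"}, "budget.xls": {"read"}},
    "bob": {"design.doc": {"read"}},
    "carol": {"budget.xls": {"read", "write"}, "minutes.txt": {"read"}},
}

def to_acls(matrix):
    """Store the matrix by columns: object -> {subject: rights}."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:  # empty cells are simply not stored
                acls[obj][subject] = set(rights)
    return dict(acls)

def to_clists(matrix):
    """Store the matrix by rows: subject -> {object: rights}."""
    return {s: {o: set(r) for o, r in row.items() if r}
            for s, row in matrix.items()}

def allowed(store, outer_key, inner_key, right):
    """Default-deny lookup that works for either storage layout."""
    return right in store.get(outer_key, {}).get(inner_key, set())

def review_object(acls, obj):
    """Who may access this object? A single lookup with ACLs."""
    return sorted(acls.get(obj, {}))

def review_subject(clists, subject):
    """What may this subject access? A single lookup with C-Lists."""
    return sorted(clists.get(subject, {}))

def revoke_subject_from_acls(acls, subject):
    """Per-subject changes on ACL storage must visit every object's list."""
    touched = [obj for obj, entries in acls.items() if subject in entries]
    for obj in touched:
        del acls[obj][subject]
    return sorted(touched)
```

Removing one subject from ACL storage has to touch every object that names them, which is the administrative cost behind the "change of responsibilities" shortcoming listed on slide 13.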

12 Implementation (Matrix Access Control), cont.

13 Shortcomings (Matrix Access Control)
- In a collaborative organization, ownership might not be at the discretion of the user: the system might own resources.
- Change of responsibilities
  - ACLs and C-Lists lack the ability to support dynamic changes of access rights.
- More sophisticated access policies are difficult to provide without access rights that are associated with a subject's credentials.
  - Least Privilege
  - Conflict-of-Interest Rules

14 SPACE Model
- The basic idea behind this model consists of two concepts: Boundaries and Access Graph.
- The environment is divided into small, manageable regions by boundaries.
- In each region, a certain level of access control policy is applied. Within a region, access is granted at the same level.
- An access graph is built to summarize the constraints on movement among regions.
- Two matrices, called the adjacency and classification matrices, are created by using standard mathematical means.
- The two matrices are the kernel of the SPACE model.

15 SPACE Model

16 Shortcomings (SPACE)
- Provides navigational access requirements in collaborative environments and does not provide for fine-grained control
- It is not provably secure: users can create insecure regions
- The SPACE model lacks the complexity needed for systems where the level of security provided is important
- The application domain is restricted to systems that can be represented in terms of regions and boundaries

17 Role-Based Access Control (RBAC)
- The fundamental principle of RBAC is that the decision to allow access to objects is based on the role of the user
- A role can represent a specific task competency
- RBAC offers a new way of assigning access rights to individuals in an enterprise
- First a role is established and least privileges are assigned to it. Then individuals derive their access rights from a role by being assigned membership of that role, which describes their job or responsibility in that enterprise
- Role membership is determined by the organization's security policy
- RBAC is flexible and easy to manage
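A minimal sketch of the role mechanism on slide 17, as an added example that is not part of the original presentation. The class, the role names, the user and the permissions are assumptions constructed for illustration; sessions with activated roles are the standard RBAC notion that slide 19 also refers to.

```python
class RBAC:
    """Minimal role-based model: users get rights only through roles."""

    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, object type)
        self.user_roles = {}   # user -> roles the user is a member of
        self.sessions = {}     # session id -> (user, activated roles)

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def unassign(self, user, role):
        self.user_roles.get(user, set()).discard(role)
        for owner, active in self.sessions.values():
            if owner == user:
                active.discard(role)  # membership change takes effect at once

    def open_session(self, sid, user, roles):
        roles = set(roles)
        if not roles <= self.user_roles.get(user, set()):
            raise PermissionError("user is not a member of a requested role")
        self.sessions[sid] = (user, roles)

    def check(self, sid, operation, obj_type):
        """Default deny: only roles activated in this session count."""
        _, active = self.sessions.get(sid, (None, set()))
        return any((operation, obj_type) in self.role_perms[r] for r in active)

def build_example():
    """Constructed policy: two roles, one user holding both."""
    rbac = RBAC()
    rbac.add_role("author", {("read", "draft"), ("write", "draft")})
    rbac.add_role("reviewer", {("read", "draft"), ("comment", "draft")})
    rbac.assign("dana", "author")
    rbac.assign("dana", "reviewer")
    rbac.open_session("s1", "dana", {"reviewer"})  # least privilege: one role
    return rbac
```

Permissions here name an object type, not an object instance, so every holder of a role gets the same rights on every draft; that is the fine-grained control gap slide 19 lists.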

18 RBAC

19 Shortcomings (RBAC)
- In early implementations of RBAC, the set of roles, and the membership functions as well, were defined early in the lifetime of a session
- Supports the notion of role activation within sessions, but it does not go far enough in encompassing the overall context associated with any collaborative activity
- Traditional RBAC lacks the ability to specify fine-grained control on individual users in certain roles and on individual object instances

20 Task-Based Access Control (TBAC)
- Extends the traditional access models by introducing domains that include task-based contextual information.
- Two fundamental abstractions:
  - Authorization Step
  - Task Templates
- The protection state of each authorization step is unique and disjoint from the protection states of other steps.
- TBAC recognizes the notion of a life-cycle and associated processing steps for authorizations.
- Dynamically manages permissions as authorizations progress to completion.
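A sketch of authorization steps with a life-cycle and usage counts, as an added example that is not part of the original presentation. The state names (dormant, active, done), the two-step task and its users are simplifying assumptions made here, not the TBAC literature's own state set.

```python
class AuthorizationStep:
    """One step of a task, holding its own protection state."""

    def __init__(self, name, trustee, permissions, usage_limit):
        self.name = name
        self.trustee = trustee                # user allowed to act in this step
        self.permissions = set(permissions)   # disjoint from other steps
        self.usage_left = usage_limit
        self.state = "dormant"                # assumed states: dormant/active/done

    def use(self, user, permission):
        ok = (self.state == "active" and user == self.trustee
              and permission in self.permissions and self.usage_left > 0)
        if ok:
            self.usage_left -= 1
            if self.usage_left == 0:
                self.state = "done"           # permissions are deactivated
        return ok

class Task:
    """Runs steps in order; only the current step's permissions are live."""

    def __init__(self, steps):
        self.steps = list(steps)
        self.current = 0
        self.steps[0].state = "active"

    def request(self, user, permission):
        if self.current >= len(self.steps):
            return False                      # task finished: nothing is active
        step = self.steps[self.current]
        ok = step.use(user, permission)
        if step.state == "done":
            self.current += 1
            if self.current < len(self.steps):
                self.steps[self.current].state = "active"  # just-in-time
        return ok

def purchase_order_task():
    """Constructed two-step workflow: a clerk prepares, a manager approves."""
    return Task([
        AuthorizationStep("prepare", "clerk", {"write:order"}, usage_limit=1),
        AuthorizationStep("approve", "manager", {"approve:order"}, usage_limit=1),
    ])
```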

21 Shortcomings (TBAC)
- Permissions are activated and deactivated in a just-in-time manner.
- Problem: across workflows and race conditions
- Collaborative systems require a much broader definition of context
- The nature of collaboration cannot always be easily partitioned into tasks with usage counts

22 Team-Based Access Control (TMAC)
- The model defines the team components as a set of users in various roles
- Team permission is a set of permissions that are defined across team roles and objects.
- Context-Based TMAC (C-TMAC)
  - Variation of TMAC
  - Consists of five sets: role, user, context, permission, and session
  - Team is used as a context to group users in various roles to access other contexts that have some resources or environmental factors such as time and location.

23 Shortcomings (TMAC and C-TMAC)
- The models lack self-administration of assignment relations between entities
- Need to reflect multidimensional definitions of rich collaborative contexts, such as organizational entities, workflow tasks, and groupware's environmental components
- Both models have not yet been fully developed

24 Requirements Satisfaction

25 Evaluation Criteria
- Simple Mechanism (Expressability)
- Groups of Users
- Ease of Use
- Policy Specifications
- Policy Enforcement
- Fine-Grained Control
- Contextual Information
- Active/Passive

26 Summary
- The traditional access models
  - The Matrix Access Control
  - SPACE Model
  - Role-Based Access Control (RBAC)
  - Task-Based Access Control (TBAC)
  - Team-Based Access Control (TMAC)
- Not all requirements for collaborative access control are satisfied by traditional models
- Need for new access control models

