ACCESS CONTROL THE NEGLECTED FRONTIER Ravi Sandhu George

ACCESS CONTROL: THE NEGLECTED FRONTIER Ravi Sandhu George Mason University

SECURITY OBJECTIVES CONFIDENTIALITY most studied INTEGRITY less studied © Ravi Sandhu AVAILABILITY least studied USAGE newest 2

SECURITY TECHNOLOGIES u Access Control u Cryptography u Audit and Intrusion Detection u Authentication u Assurance u Risk Analysis u. . . © Ravi Sandhu 3

CRYPTOGRAPHY LIMITATIONS u Cryptography cannot protect confidentiality and integrity of l data, keys, software in end systems u Prevent or detect use of covert channels © Ravi Sandhu 4

AUDIT AND INTRUSION DETECTION LIMITATIONS u Intrusion detection cannot by itself protect audit data and audit collection and analysis software l prevent security breaches l protect against covert channels l © Ravi Sandhu 5

ACCESS CONTROL LIMITATIONS u Access control cannot by itself protect data in transit or storage on an insecure medium l safeguard against misuse by authorized users l protect against covert channels l © Ravi Sandhu 6

AUTHENTICATION LIMITATIONS u By itself authentication does very little but what it does is critical u pre-requisite for effective cryptography l access control l intrusion detection l © Ravi Sandhu 7

A MIX OF MUTUALLY SUPPORTIVE TECHNOLOGIES AUTHENTICATION ASSURANCE RISK ANALYSIS ACCESS CONTROL CRYPTOGRAPHY INTRUSION DETECTION © Ravi Sandhu SECURITY ENGINEERING & MANAGEMENT 8

CLASSICAL ACCESS CONTROL DOCTRINE u Lattice-based mandatory access control (MAC) strong l too strong l not strong enough l u Owner-based discretionary access control (DAC) too weak l © Ravi Sandhu too confused l 9

ISSUES IN LATTICE-BASED MAC u MAC enforces one-directional information flow in a lattice of security labels u can be used for aspects of confidentiality l integrity l aggregation (Chinese Walls) l © Ravi Sandhu 10

PROBLEMS WITH LATTICEBASED MAC u does not protect against covert channels and inference l not strong enough u inappropriate l © Ravi Sandhu too strong 11

ISSUES IN OWNER-BASED DAC u negative “rights” u inheritance of rights l interaction between positive and negative rights u grant flag u delegation of identity u temporal and conditional authorization © Ravi Sandhu 12

PROBLEMS WITH OWNERBASED DAC u does l not control information flow too weak u inappropriate in many situations too weak l too confused l © Ravi Sandhu 13

BEYOND OWNER-BASED DAC u separation between ability to use a right l to grant a right l u non-discretionary l © Ravi Sandhu elements user who can use a right should not be able to grant it and vice versa 14

NON-DISCRETIONARY (BEYOND LATTICE-BASED MAC) u control of administrative scope rights that can be granted l to whom rights can be granted l u rights that cannot be simultaneously granted to same user u rights that cannot be granted to too many users © Ravi Sandhu 15

WHAT IS THE POLICY IN NONDISCRETIONARY ACCESS CONTROL? u Non-discretionary access control is a means to articulate policy u does not incorporate policy but does support security principles least privilege l abstract operations l separation of duties l © Ravi Sandhu 16

ISSUES IN NON-DISCRETIONARY ACCESS CONTROL u models for non-discretionary propagation of access rights u role-based access control (RBAC) u task-based authorization (TBA) © Ravi Sandhu 17

NON-DISCRETIONARY PROPAGATION MODELS u HRU, 1976 u TAKE-GRANT, 1976 -82 u SPM/ESPM, 1985 -92 u TAM/ATAM, 1992 onwards © Ravi Sandhu 18

NON-DISCRETIONARY PROPAGATION MODELS u type-based non-discretionary controls u rights that authorize propagation can be separate or closely related to right being propagated u testing for absence of rights is essential for dynamic separation policies © Ravi Sandhu 19

ROLE-BASED ACCESS CONTROL: RBAC 0 USER-ROLE ASSIGNMENT USERS ROLES . . . © Ravi Sandhu PERMISSION-ROLE ASSIGNMENT PERMISSIONS SESSIONS 20

ROLE-BASED ACCESS CONTROL: RBAC 1 ROLE HIERARCHIES USER-ROLE ASSIGNMENT USERS ROLES . . . © Ravi Sandhu PERMISSION-ROLE ASSIGNMENT PERMISSIONS SESSIONS 21

HIERARCHICAL ROLES Primary-Care Physician Specialist Physician Health-Care Provider © Ravi Sandhu 22

HIERARCHICAL ROLES Supervising Engineer Hardware Engineer Software Engineer © Ravi Sandhu 23

ROLE-BASED ACCESS CONTROL: RBAC 3 ROLE HIERARCHIES USER-ROLE ASSIGNMENT USERS ROLES . . . © Ravi Sandhu PERMISSIONS-ROLE ASSIGNMENT SESSIONS PERMISSIONS CONSTRAINTS 24

RBAC MANAGEMENT ROLES USERS CANMANAGE . . . ADMIN ROLES © Ravi Sandhu PERMISSIONS ADMIN PERMISSIONS 25

RBAC MANAGEMENT S S 3 CSO T 1 T 2 T 5 T 4 SO 1 SO 2 SO 3 P ROLE HIERARCHY © Ravi Sandhu ADMINISTRATIVE ROLE HIERARCHY 26

ROLES AND LATTICES u RBAC can enforce classical latticebased MAC H HR LW LATTICE L © Ravi Sandhu ROLES LR HW 27

ROLES AND LATTICES u RBAC can accommodate variations of classical lattice-based MAC H HR LATTICE ROLES LW L © Ravi Sandhu HW LR 28

TASK-BASED AUTHORIZATION (TBA) u beyond subjects and objects u authorization is in context of some task u transient use-once permissions instead of long-lived use-many-times permissions © Ravi Sandhu 29

TRANSACTION CONTROL EXPRESSIONS (TCEs) u TCEs are an example of TBA u prepare clerk; approve supervisor; issue clerk; © Ravi Sandhu 30

CONCLUSION u access control is important u there are many open issues © Ravi Sandhu 31