SlideShare a Scribd company logo

smu_abac_150410.pptx

Download as PPTX, PDF
H
HashStriker

This document summarizes a presentation on attribute-based access control models. It discusses the evolution of access control models from discretionary access control and mandatory access control in the 1970s to role-based access control in 1995. Attribute-based access control is presented as the next evolution, allowing flexible, automated and adaptive access control policies based on attributes. The presentation outlines some shortcomings of role-based access control that attribute-based access control aims to address through a more flexible approach using attributes. An ABACα model is proposed as an initial step to unify discretionary, mandatory and role-based access control under a common attribute-based framework. Ongoing and future research directions on attribute-based access control are also mentioned

Science
1 of 32
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber Security University of Texas at San Antonio Singapore Management University Singapore April 10, 2015 ravi.sandhu@utsa.edu, www.profsandhu.com, www.ics.utsa.edu © Ravi Sandhu World-Leading Research with Real-World Impact! Institute for Cyber Security
Cyber Security Technologies © Ravi Sandhu 2 World-Leading Research with Real-World Impact! AUTHENTICATION INTRUSION/MALWARE DETECTION AND AUDIT CRYPTOGRAPHY ACCESS CONTROL ASSURANCE RISK ANALYSIS SECURITY ENGINEERING & MANAGEMENT
 Analog Hole  Inference  Covert Channels  Side Channels  Phishing  Social Engineering  Attack Asymmetry  Privacy vs Security  Base-rate Fallacy  …. © Ravi Sandhu 3 World-Leading Research with Real-World Impact! Security Limitations Can manage Cannot eliminate
© Ravi Sandhu 4 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ????
© Ravi Sandhu 5 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Fixed policy Flexible policy
© Ravi Sandhu 6 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Administration Driven Automated Adaptive
© Ravi Sandhu 7 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Enterprise Oriented Beyond Enterprise
© Ravi Sandhu 8 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Messy or Chaotic?
 Discretionary Access Control (DAC), 1970  Owner controls access  But only to the original, not to copies  Grounded in pre-computer policies of researchers  Mandatory Access Control (MAC), 1970  Synonymous to Lattice-Based Access Control (LBAC)  Access based on security labels  Labels propagate to copies  Grounded in pre-computer military and national security policies  Role-Based Access Control (RBAC), 1995  Access based on roles  Can be configured to do DAC or MAC  Grounded in pre-computer enterprise policies © Ravi Sandhu 9 World-Leading Research with Real-World Impact! Access Control Models Numerous other models but only 3 successes: SO FAR
10 World-Leading Research with Real-World Impact! Access Control Models © Ravi Sandhu Policy Specification Policy Reality Policy Enforcement Policy Administration MAC, DAC Main focus RBAC, ABAC Initial focus RBAC, ABAC Next step focus MAC, DAC Easy (relatively)
© Ravi Sandhu 11 World-Leading Research with Real-World Impact! The RBAC Story 2nd expansion phase 1st expansion phase 1995 2000 2005 2008 Amount of Publications Year of Publication 28 30 30 35 40 48 53 88 85 88 112 103 111 866  1992 3 2 7 3 80 60 40 20 0 Pre-RBAC Early RBAC 100 RBAC96 model NIST-ANSI Standard Proposed NIST-ANSI Standard Adopted Ludwig Fuchs, Gunther Pernul and Ravi Sandhu, Roles in Information Security-A Survey and Classification of the Research Area, Computers & Security, Volume 30, Number 8, Nov. 2011, pages 748-76
12 World-Leading Research with Real-World Impact! RBAC96 Model © Ravi Sandhu Constraints
13 World-Leading Research with Real-World Impact! RBAC Policy Configuration Points © Ravi Sandhu Constraints Security Architect Security Administrator User Security Architect Security Architect Security Administrator Security Architect
Fundamental Theorem of RBAC © Ravi Sandhu 14 World-Leading Research with Real-World Impact!  RBAC can be configured to do MAC  RBAC can be configured to do DAC  RBAC is policy neutral RBAC is neither MAC nor DAC!
 Role granularity is not adequate leading to role explosion  Researchers have suggested several extensions such as parameterized privileges, role templates, parameterized roles (1997-)  Role design and engineering is difficult and expensive  Substantial research on role engineering top down or bottom up (1996-), and on role mining (2003-)  Assignment of users/permissions to roles is cumbersome  Researchers have investigated decentralized administration (1997-), attribute-based implicit user-role assignment (2002-), role-delegation (2000-), role-based trust management (2003-), attribute-based implicit permission-role assignment (2012-)  Adjustment based on local/global situational factors is difficult  Temporal (2001-) and spatial (2005-) extensions to RBAC proposed  RBAC does not offer an extension framework  Every shortcoming seems to need a custom extension  Can ABAC unify these extensions in a common open-ended framework? © Ravi Sandhu 15 World-Leading Research with Real-World Impact! RBAC Shortcomings
16 World-Leading Research with Real-World Impact! RBAC Shortcomings © Ravi Sandhu Constraints Hard Enough Impossible
17 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets
18 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets X.509 Identity Certificates X.500 Directory Pre Internet, early 1990s
19 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets X.509 Identity Certificates X.509 Attribute Certificates Post Internet, late 1990s
20 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets Post Internet, late 1990s SPKI Certificates
21 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets Mature Internet, 2000s Anonymous Credentials
22 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New Action User Subject Object Context Policy Authorization Decision Yes/No Attributes
23 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New Action User Subject Object Context Policy Authorization Decision Yes/No Attributes Mature Internet, 2000s Usage Control XACML Attribute-Based Encryption
© Ravi Sandhu 24 World-Leading Research with Real-World Impact! ABAC Status 2nd expansion phase 1st expansion phase 1995 2000 2005 2008 Amount of Publications Year of Publication 28 30 30 35 40 48 53 88 85 88 112 103 111 866  1992 3 2 7 3 80 60 40 20 0 Pre-RBAC Early RBAC 100 RBAC96 paper Proposed Standard Standard Adopted ABAC still in pre/early phase 1990? 2014
 Attributes are name:value pairs  possibly chained  values can be complex data structures  Associated with  actions  users  subjects  objects  contexts  policies  Converted by policies into rights just in time  policies specified by security architects  attributes maintained by security administrators  but also possibly by users OR reputation and trust mechanisms  Inherently extensible © Ravi Sandhu 25 World-Leading Research with Real-World Impact! Attribute-Based Access Control (ABAC)
 An ABAC model requires  identification of policy configuration points (PCPs)  languages and formalisms for each PCP  A core set of PCPs can be discovered by building the ABACα model to unify simple forms of DAC, MAC and RBAC  Additional ABAC models can then be developed by  increasing the sophistication of the ABACα PCPs  discovering additional PCPs driven by requirements beyond DAC, MAC and RBAC © Ravi Sandhu 26 World-Leading Research with Real-World Impact! ABACα Hypothesis (DBSEC 2012) A small but crucial first step
27 World-Leading Research with Real-World Impact! ABACα Model Structure © Ravi Sandhu Policy Configuration Points
28 World-Leading Research with Real-World Impact! ABACα Model Structure © Ravi Sandhu Policy Configuration Points Can be configured to do DAC, MAC, RBAC
29 World-Leading Research with Real-World Impact! ABACβ Scope 3. Subject attributes constrained by attributes of subjects created by the same user. 5. Meta-Attributes 2. Subject attribute constraints policy are different at creation and modification time. 1. Context Attributes 4. Policy Language 1, 2, 4, 5 1, 4, 5 4, 5 1,4 1, 4, 5 1, 2, 3, 4, 5 4
30 ABACβ Model
31 © Ravi Sandhu World-Leading Research with Real-World Impact! Beyond ABAC Security Access Control Trust Risk Attributes Relationships Provenance
 GURA model for user-attribute assignment  Safety analysis of ABACα and ABACβ  Undecidable safety for ABAC models  Decidable safety for ABAC with finite fixed attributes  Constraints in ABAC  ABAC Cloud IaaS implementations (OpenStack)  Attribute Engineering  Attribute Mining  Unification of Attributes, Relationships and Provenance © Ravi Sandhu 32 World-Leading Research with Real-World Impact! ABAC Research at ICS

More Related Content

PDF
Technology Primer: New Cloud Monitoring Capabilities in CA Unified Infrastruc...
CA Technologies
 
PPTX
How to Achieve NIST Compliance using SanerNow?
SecPod
 
PPTX
Microservice Lifecycle Demo Presentation
Matt McLarty
 
PPT
Test Your Cloud Maturity Level: A Practical Guide to Self Assessment
David Resnic
 
PPT
OWASP - Building Secure Web Applications
alexbe
 
PDF
Cyber Resiliency 20120420
Steve Goeringer
 
PPTX
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
ThousandEyes
 
PDF
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
IndicThreads
 
Technology Primer: New Cloud Monitoring Capabilities in CA Unified Infrastruc...
CA Technologies
 
How to Achieve NIST Compliance using SanerNow?
SecPod
 
Microservice Lifecycle Demo Presentation
Matt McLarty
 
Test Your Cloud Maturity Level: A Practical Guide to Self Assessment
David Resnic
 
OWASP - Building Secure Web Applications
alexbe
 
Cyber Resiliency 20120420
Steve Goeringer
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
ThousandEyes
 
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
IndicThreads
 

Similar to smu_abac_150410.pptx (20)

PDF
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
IndicThreads
 
PDF
How To Track Performance and Fault in a Multi-layer, Software-Defined Network...
CA Technologies
 
PDF
Simplifying Cloud Adoption with Cisco
Cisco Canada
 
PDF
The Cloudification Perspectives of Search-based Software Testing
Sebastiano Panichella
 
PDF
Top 12 Kali Linux Tools for Ethical Hackers | USCSI®
United States Cybersecurity Institute (USCSI®)
 
PPTX
Cloud Security using NIST guidelines
Srishti Ahuja
 
PPTX
Cloud Security using NIST guidelines
Srishti Ahuja
 
PDF
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
IndicThreads
 
PDF
Security and Virtualization in the Data Center
Cisco Canada
 
PPTX
Defining Microservices
Matt McLarty
 
PDF
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
Cisco Canada
 
PDF
CWSP Certified Wireless Security Professional Official Study Guide Coll.
vlyucyv879
 
PPTX
Webinar - Nuage Networks Integration with Check Point vSEC Gateway
Hussein Khazaal
 
PDF
The Changing Data Center Landscape
Cisco Canada
 
PDF
Case Study: Datalink—Manage IT monitoring the MSP way
CA Technologies
 
PDF
Tech Talk: Keeping Applications Compliant and Secure Using Release Automation
CA Technologies
 
PPTX
SD-WAN_MoD.pptx for SD WAN networks connectivity
bayusch
 
PDF
CISSP-2022 Update domain 3 certification handouts
jboy80616
 
PDF
Building The Right Network
Cisco Canada
 
PPTX
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
ThousandEyes
 
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
IndicThreads
 
How To Track Performance and Fault in a Multi-layer, Software-Defined Network...
CA Technologies
 
Simplifying Cloud Adoption with Cisco
Cisco Canada
 
The Cloudification Perspectives of Search-based Software Testing
Sebastiano Panichella
 
Top 12 Kali Linux Tools for Ethical Hackers | USCSI®
United States Cybersecurity Institute (USCSI®)
 
Cloud Security using NIST guidelines
Srishti Ahuja
 
Cloud Security using NIST guidelines
Srishti Ahuja
 
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
IndicThreads
 
Security and Virtualization in the Data Center
Cisco Canada
 
Defining Microservices
Matt McLarty
 
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
Cisco Canada
 
CWSP Certified Wireless Security Professional Official Study Guide Coll.
vlyucyv879
 
Webinar - Nuage Networks Integration with Check Point vSEC Gateway
Hussein Khazaal
 
The Changing Data Center Landscape
Cisco Canada
 
Case Study: Datalink—Manage IT monitoring the MSP way
CA Technologies
 
Tech Talk: Keeping Applications Compliant and Secure Using Release Automation
CA Technologies
 
SD-WAN_MoD.pptx for SD WAN networks connectivity
bayusch
 
CISSP-2022 Update domain 3 certification handouts
jboy80616
 
Building The Right Network
Cisco Canada
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
ThousandEyes
 

Recently uploaded (20)

PPTX
GREEN FIELDS SCHOOL PPT ON HOLIDAY HOMEWORK
GandharvaVerma
 
PPT
veterinary parasitology ````````````.ppt
midolyon1990gmailcom
 
PPT
Heredity-grade-9 Heredity-grade-9. Heredity-grade-9.
tipaniiisheyn
 
PDF
CHAPTER 2 The Chemical Basis of Life Lecture Outline.pdf
DaniseNobrera
 
PPTX
SCIENCE 4 Q2W5 PPT.pptx Lesson About Plnts and animals and their habitat
irishjeancui
 
PDF
S2 SOIL BY TR. OKION.pdf based on the new lower secondary curriculum
JAKI68
 
PDF
Is Earendel a Star Cluster?: Metal-poor Globular Cluster Progenitors at z ∼ 6
Sérgio Sacani
 
PPT
1. INTRODUCTION TO EPIDEMIOLOGY.pptx for community medicine
olawooreteslim
 
PDF
Wound infection.pdfWound infection.pdf123
nassr11hameed77salh
 
PPT
Presentation of a Romanian Institutee 2.
TeodoraRusu3
 
PDF
Communicating Health Policies to Diverse Populations (www.kiu.ac.ug)
publication11
 
PPTX
ap-psych-ch-1-introduction-to-psychology-presentation.pptx
sz664
 
PPT
Computional quantum chemistry study .ppt
SrilakshmivenkataNar
 
PPT
LEC Synthetic Biology and its application.ppt
Hassan Yousaf
 
PPTX
INTRODUCTION TO PAEDIATRICS AND PAEDIATRIC HISTORY TAKING-1.pptx
godfreymandela88
 
PPTX
PMR- PPT.pptx for students and doctors tt
DiyaSajid2
 
PDF
GROUP 2 ORIGINAL PPT. pdf Hhfiwhwifhww0ojuwoadwsfjofjwsofjw
jjsaplad10
 
PPTX
Seminar Hypertension and Kidney diseases.pptx
johnsalaoudine
 
PPTX
Microbes in human welfare class 12 .pptx
chinmayikalokhe
 
PDF
Science Form five needed shit SCIENEce so
ArielLucifer1
 
GREEN FIELDS SCHOOL PPT ON HOLIDAY HOMEWORK
GandharvaVerma
 
veterinary parasitology ````````````.ppt
midolyon1990gmailcom
 
Heredity-grade-9 Heredity-grade-9. Heredity-grade-9.
tipaniiisheyn
 
CHAPTER 2 The Chemical Basis of Life Lecture Outline.pdf
DaniseNobrera
 
SCIENCE 4 Q2W5 PPT.pptx Lesson About Plnts and animals and their habitat
irishjeancui
 
S2 SOIL BY TR. OKION.pdf based on the new lower secondary curriculum
JAKI68
 
Is Earendel a Star Cluster?: Metal-poor Globular Cluster Progenitors at z ∼ 6
Sérgio Sacani
 
1. INTRODUCTION TO EPIDEMIOLOGY.pptx for community medicine
olawooreteslim
 
Wound infection.pdfWound infection.pdf123
nassr11hameed77salh
 
Presentation of a Romanian Institutee 2.
TeodoraRusu3
 
Communicating Health Policies to Diverse Populations (www.kiu.ac.ug)
publication11
 
ap-psych-ch-1-introduction-to-psychology-presentation.pptx
sz664
 
Computional quantum chemistry study .ppt
SrilakshmivenkataNar
 
LEC Synthetic Biology and its application.ppt
Hassan Yousaf
 
INTRODUCTION TO PAEDIATRICS AND PAEDIATRIC HISTORY TAKING-1.pptx
godfreymandela88
 
PMR- PPT.pptx for students and doctors tt
DiyaSajid2
 
GROUP 2 ORIGINAL PPT. pdf Hhfiwhwifhww0ojuwoadwsfjofjwsofjw
jjsaplad10
 
Seminar Hypertension and Kidney diseases.pptx
johnsalaoudine
 
Microbes in human welfare class 12 .pptx
chinmayikalokhe
 
Science Form five needed shit SCIENEce so
ArielLucifer1
 

smu_abac_150410.pptx

  • 1. 1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber Security University of Texas at San Antonio Singapore Management University Singapore April 10, 2015 [email protected], www.profsandhu.com, www.ics.utsa.edu © Ravi Sandhu World-Leading Research with Real-World Impact! Institute for Cyber Security
  • 2. Cyber Security Technologies © Ravi Sandhu 2 World-Leading Research with Real-World Impact! AUTHENTICATION INTRUSION/MALWARE DETECTION AND AUDIT CRYPTOGRAPHY ACCESS CONTROL ASSURANCE RISK ANALYSIS SECURITY ENGINEERING & MANAGEMENT
  • 3.  Analog Hole  Inference  Covert Channels  Side Channels  Phishing  Social Engineering  Attack Asymmetry  Privacy vs Security  Base-rate Fallacy  …. © Ravi Sandhu 3 World-Leading Research with Real-World Impact! Security Limitations Can manage Cannot eliminate
  • 4. © Ravi Sandhu 4 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ????
  • 5. © Ravi Sandhu 5 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Fixed policy Flexible policy
  • 6. © Ravi Sandhu 6 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Administration Driven Automated Adaptive
  • 7. © Ravi Sandhu 7 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Enterprise Oriented Beyond Enterprise
  • 8. © Ravi Sandhu 8 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Messy or Chaotic?
  • 9.  Discretionary Access Control (DAC), 1970  Owner controls access  But only to the original, not to copies  Grounded in pre-computer policies of researchers  Mandatory Access Control (MAC), 1970  Synonymous to Lattice-Based Access Control (LBAC)  Access based on security labels  Labels propagate to copies  Grounded in pre-computer military and national security policies  Role-Based Access Control (RBAC), 1995  Access based on roles  Can be configured to do DAC or MAC  Grounded in pre-computer enterprise policies © Ravi Sandhu 9 World-Leading Research with Real-World Impact! Access Control Models Numerous other models but only 3 successes: SO FAR
  • 10. 10 World-Leading Research with Real-World Impact! Access Control Models © Ravi Sandhu Policy Specification Policy Reality Policy Enforcement Policy Administration MAC, DAC Main focus RBAC, ABAC Initial focus RBAC, ABAC Next step focus MAC, DAC Easy (relatively)
  • 11. © Ravi Sandhu 11 World-Leading Research with Real-World Impact! The RBAC Story 2nd expansion phase 1st expansion phase 1995 2000 2005 2008 Amount of Publications Year of Publication 28 30 30 35 40 48 53 88 85 88 112 103 111 866  1992 3 2 7 3 80 60 40 20 0 Pre-RBAC Early RBAC 100 RBAC96 model NIST-ANSI Standard Proposed NIST-ANSI Standard Adopted Ludwig Fuchs, Gunther Pernul and Ravi Sandhu, Roles in Information Security-A Survey and Classification of the Research Area, Computers & Security, Volume 30, Number 8, Nov. 2011, pages 748-76
  • 12. 12 World-Leading Research with Real-World Impact! RBAC96 Model © Ravi Sandhu Constraints
  • 13. 13 World-Leading Research with Real-World Impact! RBAC Policy Configuration Points © Ravi Sandhu Constraints Security Architect Security Administrator User Security Architect Security Architect Security Administrator Security Architect
  • 14. Fundamental Theorem of RBAC © Ravi Sandhu 14 World-Leading Research with Real-World Impact!  RBAC can be configured to do MAC  RBAC can be configured to do DAC  RBAC is policy neutral RBAC is neither MAC nor DAC!
  • 15.  Role granularity is not adequate leading to role explosion  Researchers have suggested several extensions such as parameterized privileges, role templates, parameterized roles (1997-)  Role design and engineering is difficult and expensive  Substantial research on role engineering top down or bottom up (1996-), and on role mining (2003-)  Assignment of users/permissions to roles is cumbersome  Researchers have investigated decentralized administration (1997-), attribute-based implicit user-role assignment (2002-), role-delegation (2000-), role-based trust management (2003-), attribute-based implicit permission-role assignment (2012-)  Adjustment based on local/global situational factors is difficult  Temporal (2001-) and spatial (2005-) extensions to RBAC proposed  RBAC does not offer an extension framework  Every shortcoming seems to need a custom extension  Can ABAC unify these extensions in a common open-ended framework? © Ravi Sandhu 15 World-Leading Research with Real-World Impact! RBAC Shortcomings
  • 16. 16 World-Leading Research with Real-World Impact! RBAC Shortcomings © Ravi Sandhu Constraints Hard Enough Impossible
  • 17. 17 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets
  • 18. 18 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets X.509 Identity Certificates X.500 Directory Pre Internet, early 1990s
  • 19. 19 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets X.509 Identity Certificates X.509 Attribute Certificates Post Internet, late 1990s
  • 20. 20 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets Post Internet, late 1990s SPKI Certificates
  • 21. 21 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New User (Identity) Attributes Public-keys + Secured secrets Mature Internet, 2000s Anonymous Credentials
  • 22. 22 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New Action User Subject Object Context Policy Authorization Decision Yes/No Attributes
  • 23. 23 © Ravi Sandhu World-Leading Research with Real-World Impact! ABAC is not New Action User Subject Object Context Policy Authorization Decision Yes/No Attributes Mature Internet, 2000s Usage Control XACML Attribute-Based Encryption
  • 24. © Ravi Sandhu 24 World-Leading Research with Real-World Impact! ABAC Status 2nd expansion phase 1st expansion phase 1995 2000 2005 2008 Amount of Publications Year of Publication 28 30 30 35 40 48 53 88 85 88 112 103 111 866  1992 3 2 7 3 80 60 40 20 0 Pre-RBAC Early RBAC 100 RBAC96 paper Proposed Standard Standard Adopted ABAC still in pre/early phase 1990? 2014
  • 25.  Attributes are name:value pairs  possibly chained  values can be complex data structures  Associated with  actions  users  subjects  objects  contexts  policies  Converted by policies into rights just in time  policies specified by security architects  attributes maintained by security administrators  but also possibly by users OR reputation and trust mechanisms  Inherently extensible © Ravi Sandhu 25 World-Leading Research with Real-World Impact! Attribute-Based Access Control (ABAC)
  • 26.  An ABAC model requires  identification of policy configuration points (PCPs)  languages and formalisms for each PCP  A core set of PCPs can be discovered by building the ABACα model to unify simple forms of DAC, MAC and RBAC  Additional ABAC models can then be developed by  increasing the sophistication of the ABACα PCPs  discovering additional PCPs driven by requirements beyond DAC, MAC and RBAC © Ravi Sandhu 26 World-Leading Research with Real-World Impact! ABACα Hypothesis (DBSEC 2012) A small but crucial first step
  • 27. 27 World-Leading Research with Real-World Impact! ABACα Model Structure © Ravi Sandhu Policy Configuration Points
  • 28. 28 World-Leading Research with Real-World Impact! ABACα Model Structure © Ravi Sandhu Policy Configuration Points Can be configured to do DAC, MAC, RBAC
  • 29. 29 World-Leading Research with Real-World Impact! ABACβ Scope 3. Subject attributes constrained by attributes of subjects created by the same user. 5. Meta-Attributes 2. Subject attribute constraints policy are different at creation and modification time. 1. Context Attributes 4. Policy Language 1, 2, 4, 5 1, 4, 5 4, 5 1,4 1, 4, 5 1, 2, 3, 4, 5 4
  • 31. 31 © Ravi Sandhu World-Leading Research with Real-World Impact! Beyond ABAC Security Access Control Trust Risk Attributes Relationships Provenance
  • 32.  GURA model for user-attribute assignment  Safety analysis of ABACα and ABACβ  Undecidable safety for ABAC models  Decidable safety for ABAC with finite fixed attributes  Constraints in ABAC  ABAC Cloud IaaS implementations (OpenStack)  Attribute Engineering  Attribute Mining  Unification of Attributes, Relationships and Provenance © Ravi Sandhu 32 World-Leading Research with Real-World Impact! ABAC Research at ICS