
1 Attribute-Based Access Control Models - PowerPoint Presentation

luanne-stotts
Uploaded On 2018-12-18

Attribute-Based Access Control Models and Beyond. Prof. Ravi Sandhu, Executive Director, Institute for Cyber Security, Lutcher Brown Endowed Chair in Cyber Security, University of Texas at San Antonio. Cybersecurity Lecture Series, CIC 2015, Hangzhou, China.




Presentation Transcript

Slide1

Attribute-Based Access Control Models and Beyond
Prof. Ravi Sandhu
Executive Director, Institute for Cyber Security
Lutcher Brown Endowed Chair in Cyber Security
University of Texas at San Antonio
Cybersecurity Lecture Series
CIC 2015, Hangzhou, China
Oct 29, 2015
ravi.sandhu@utsa.edu, www.profsandhu.com, www.ics.utsa.edu
v2.0

© Ravi Sandhu
World-Leading Research with Real-World Impact!

Slide2

Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????

Slide3

PEI Models
Idealized
Enforceable (Approximate)
Codeable

Slide4

Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????

Slide5

Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Fixed policy
Flexible policy

Slide6

Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Enterprise Oriented
Beyond Enterprise

Slide7

Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Administration Driven
Automated Adaptive

Slide8

RBAC96 Model
Constraints

Slide9

Fundamental Theorem of RBAC
RBAC can be configured to do MAC
RBAC can be configured to do DAC
RBAC is policy neutral
RBAC is neither MAC nor DAC!

Slide10

RBAC Shortcomings
Constraints
Hard Enough
Impossible

Slide11

The RBAC Story
RBAC96 model
NIST-ANSI Standard Proposed
NIST-ANSI Standard Adopted

Ludwig Fuchs, Gunther Pernul and Ravi Sandhu, Roles in Information Security-A Survey and Classification of the Research Area, Computers & Security, Volume 30, Number 8, Nov. 2011, pages 748-76

Slide12

ABAC Status
RBAC96 paper
Proposed Standard
Standard Adopted
ABAC still in pre/early phase
1990? 2015

Slide13

ABAC is not New
User (Identity)
Attributes
Public-keys + Secured secrets

Slide14

ABAC is not New
User (Identity)
Attributes
Public-keys + Secured secrets
X.509 Identity Certificates
X.500 Directory
Pre Internet, early 1990s

Slide15

ABAC is not New
User (Identity)
Attributes
Public-keys + Secured secrets
X.509 Identity Certificates
X.509 Attribute Certificates
Post Internet, late 1990s

Slide16

ABAC is not New
User (Identity)
Attributes
Public-keys + Secured secrets
Post Internet, late 1990s
SPKI Certificates

Slide17

ABAC is not New
User (Identity)
Attributes
Public-keys + Secured secrets
Mature Internet, 2000s
Anonymous Credentials

Slide18

ABAC is not New
Action, User, Subject, Object, Context, Policy, Authorization Decision, Yes/No
Attributes
Mature Internet, 2000s
XACML

Slide19

ABAC is not New
Usage Control Models, early 2000s
Unified model integrating authorization, obligation, conditions and incorporating continuity of decisions, mutability of attributes

Slide20

ABAC Status
RBAC96 paper
Proposed Standard
Standard Adopted
ABAC still in pre/early phase
1990? 2015

Slide21

Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????

Slide22

ABACα Model Structure
Policy Configuration Points
Can be configured to do simple forms of DAC, MAC, RBAC

Slide23

RBAC Extensions
1. Context Attributes
2. Subject attribute constraints policy are different at creation and modification time.
3. Subject attributes constrained by attributes of subjects created by the same user.
4. Policy Language
5. Meta-Attributes

1, 2, 4, 5
1, 4, 5
4, 5
1, 4
1, 4, 5
1, 2, 3, 4, 5
4

Slide24

ABACβ Model
Can be configured to do many RBAC extensions

Slide25

SOME RESEARCH CHALLENGES

Slide26

Ultimate Unified Model
Security, Access Control, Trust, Risk, Attributes, Relationships, Provenance

Slide27

Expressive Power
Idealized
Enforceable (Approximate)
Codeable

Slide28

Safety Analysis
Idealized
Enforceable (Approximate)
Codeable

Slide29

Attribute and Policy Engineering

Slide30

Application Domains
Cloud computing
Internet of Things
……….

Slide31

Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????