Slide1
Attribute-Based Access Control Models and Beyond
Prof. Ravi Sandhu
Executive Director, Institute for Cyber Security
Lutcher Brown Endowed Chair in Cyber Security
University of Texas at San Antonio
Cybersecurity Lecture Series
CIC 2015, Hangzhou, China
Oct 29, 2015
ravi.sandhu@utsa.edu, www.profsandhu.com, www.ics.utsa.edu
v2.0
© Ravi Sandhu
World-Leading Research with Real-World Impact!
Slide2
Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Slide3
PEI Models
Idealized
Enforceable (Approximate)
Codeable
Slide4
Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Slide5
Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Fixed policy
Flexible policy
Slide6
Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Enterprise Oriented
Beyond Enterprise
Slide7
Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Administration Driven
Automated Adaptive
Slide8
RBAC96 Model
Constraints
Slide9
Fundamental Theorem of RBAC
RBAC can be configured to do MAC
RBAC can be configured to do DAC
RBAC is policy neutral
RBAC is neither MAC nor DAC!
Slide10
RBAC Shortcomings
Constraints
Hard Enough
Impossible
Slide11
The RBAC Story
RBAC96 model
NIST-ANSI Standard Proposed
NIST-ANSI Standard Adopted
Ludwig Fuchs, Gunther Pernul and Ravi Sandhu, Roles in Information Security - A Survey and Classification of the Research Area, Computers & Security, Volume 30, Number 8, Nov. 2011, pages 748-76
Slide12
ABAC Status
RBAC96 paper
Proposed Standard
Standard Adopted
ABAC still in pre/early phase
1990?
2015
Slide13
ABAC is not New
User (Identity)
Attributes
Public-keys + Secured secrets
Slide14
ABAC is not New
User (Identity)
Attributes
Public-keys + Secured secrets
X.509 Identity Certificates
X.500 Directory
Pre Internet, early 1990s
Slide15
ABAC is not New
User (Identity)
Attributes
Public-keys + Secured secrets
X.509 Identity Certificates
X.509 Attribute Certificates
Post Internet, late 1990s
Slide16
ABAC is not New
User (Identity)
Attributes
Public-keys + Secured secrets
Post Internet, late 1990s
SPKI Certificates
Slide17
ABAC is not New
User (Identity)
Attributes
Public-keys + Secured secrets
Mature Internet, 2000s
Anonymous Credentials
Slide18
ABAC is not New
Action
User
Subject
Object
Context
Policy
Authorization Decision
Yes/No
Attributes
Mature Internet, 2000s
XACML
Slide19
ABAC is not New
Usage Control Models, early 2000s
unified model integrating
  authorization
  obligation
  conditions
and incorporating
  continuity of decisions
  mutability of attributes
Slide20
ABAC Status
RBAC96 paper
Proposed Standard
Standard Adopted
ABAC still in pre/early phase
1990?
2015
Slide21
Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Slide22
ABACα Model Structure
Policy Configuration Points
Can be configured to do simple forms of DAC, MAC, RBAC
Slide23
RBAC Extensions
1. Context Attributes
2. Subject attribute constraint policies are different at creation and modification time.
3. Subject attributes constrained by attributes of subjects created by the same user.
4. Policy Language
5. Meta-Attributes
1, 2, 4, 5
1, 4, 5
4, 5
1, 4
1, 4, 5
1, 2, 3, 4, 5
4
Slide24
ABACβ Model
Can be configured to do many RBAC extensions
Slide25
SOME RESEARCH CHALLENGES
Slide26
Ultimate Unified Model
Security
Access Control
Trust
Risk
Attributes
Relationships
Provenance
Slide27
Expressive Power
Idealized
Enforceable (Approximate)
Codeable
Slide28
Safety Analysis
Idealized
Enforceable (Approximate)
Codeable
Slide29
Attribute and Policy Engineering
Slide30
Application Domains
Cloud computing
Internet of Things
……….
Slide31
Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????