Insights and Challenges Prof Ravi Sandhu Executive Director and Endowed Chair DBSec Philadelphia July 19 2017 ravisandhuutsaedu wwwprofsandhucom wwwicsutsaedu Ravi Sandhu ID: 796027
Download The PPT/PDF document "1 Attribute-Based Access Control:" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
1
Attribute-Based Access Control: Insights and ChallengesProf. Ravi SandhuExecutive Director and Endowed ChairDBSecPhiladelphiaJuly 19, 2017ravi.sandhu@utsa.eduwww.profsandhu.comwww.ics.utsa.edu
© Ravi Sandhu
World-Leading Research with Real-World Impact!
Institute for Cyber Security
Slide2© Ravi Sandhu
2World-Leading Research with Real-World Impact!Access Control EvolutionDiscretionary Access Control (DAC), 1970Mandatory Access Control (MAC), 1970Role Based Access Control (RBAC), 1995Attribute Based Access Control (ABAC), ????
Slide3© Ravi Sandhu
3World-Leading Research with Real-World Impact!Access Control EvolutionDiscretionary Access Control (DAC), 1970Mandatory Access Control (MAC), 1970Role Based Access Control (RBAC), 1995Attribute Based Access Control (ABAC), ????Born 1990s
Slide4© Ravi Sandhu
4World-Leading Research with Real-World Impact!Access Control EvolutionDiscretionary Access Control (DAC), 1970Mandatory Access Control (MAC), 1970Role Based Access Control (RBAC), 1995Attribute Based Access Control (ABAC), ????Relationship Based Access Control (ReBAC) ????Provenance BasedAccess Control (PBAC) ????Born 1990s
Born mid
2000s
Born late2000s
Slide5NO!! Never!!
Is ABAC the right word for the moment? Certainly a strong candidate Already too late? ReBAC (relationship-based access control) not ABAC Big Data, Analytics and AI will take care of everything What is lacking in ABAC?Usage Control (UCON) concepts of attribute mutability, enforcement and obligation continuity, and post-obligationsTask-Based Access ControlRisk-Based Access ControlPolicy-Based Access Control…………….© Ravi Sandhu5World-Leading Research with Real-World Impact!
ABAC = Final Word?
Slide6ABAC is orders of magnitude more complex than anything that has been an Access Control winner so far (DAC, MAC, RBAC)
We need the complexity, but need to manage it If Google can index the web, we can do ABAC!!Cloud-enabled IoT may be the killer app© Ravi Sandhu6World-Leading Research with Real-World Impact!The ABAC Challenge
Slide77
World-Leading Research with Real-World Impact!ABAC Research Agenda© Ravi Sandhu1. Foundational Principles and Theory2. Core ABAC Models3. AdministrativeABAC Models4. Extended
ABAC Models
5. ABAC Policy
Architectures and Languages
6. ABAC Enforcement Architectures
7. ABAC Design, Engineering and Applications
Based on RBAC experience
Slide88
World-Leading Research with Real-World Impact!ABAC Research Agenda© Ravi Sandhu1. Foundational Principles and Theory2. Core ABAC Models3. AdministrativeABAC Models
4. ExtendedABAC Models
5. ABAC Policy
Architectures and Languages
6. ABAC Enforcement Architectures
7. ABAC Design, Engineering and Applications
Slide9© Ravi Sandhu
9World-Leading Research with Real-World Impact!2. Core ABAC Models: UCONUsage Control Models, early 2000sPark, Sandhu, Pretschner
unified model integrating
authorization
obligation
conditions
and incorporating
continuity of decisions
mutability of attributes
Slide10© Ravi Sandhu
10World-Leading Research with Real-World Impact!2. Core ABAC Models: ABACα Policy Configuration PointsCan be configured to do simple forms of DAC, MAC, RBACJin, Krishnan, Sandhu 2012
Slide11© Ravi Sandhu
11World-Leading Research with Real-World Impact!2. Core ABAC Models: ABACβ Can further be configured to do many RBAC extensionsJin, Krishnan, Sandhu 2014
Slide122. Core ABAC Models: HGABAC
© Ravi SandhuWorld-Leading Research with Real-World Impact!12U: UserUG: User-GroupS: SubjectUA: User AttributesO: ObjectOG: Object-GroupOA: Object Attributes
OP: Operations
Hierarchical Group and Attribute Based Access Control (HGABAC)
Introduces the notion of User and Object GroupsCore advantage is simplified administration of attributesUser and Objects are assigned set of attributes in one go as compared to single assignment at a time.
Servos and Osborn, 2015
Slide1313
World-Leading Research with Real-World Impact!ABAC Research Agenda© Ravi Sandhu1. Foundational Principles and Theory2. Core ABAC Models3. AdministrativeABAC Models
4. ExtendedABAC Models
5. ABAC Policy
Architectures and Languages
6. ABAC Enforcement Architectures
7. ABAC Design, Engineering and Applications
Slide14© Ravi Sandhu
14World-Leading Research with Real-World Impact!3. Administrative ABAC Models: GURA and GURAGJin, Krishnan, Sandhu, 2012Gupta, Sandhu, 2016
Slide1515
World-Leading Research with Real-World Impact!ABAC Research Agenda© Ravi Sandhu1. Foundational Principles and Theory2. Core ABAC Models3. AdministrativeABAC Models
4. ExtendedABAC Models
5. ABAC Policy
Architectures and Languages
6. ABAC Enforcement Architectures
7. ABAC Design, Engineering and Applications
Slide16© Ravi Sandhu
16World-Leading Research with Real-World Impact!4. Extended ABAC Models: ReBAC versus ABAC ReBAC FrameworkAhmed and Sandhu, 2017
Slide17© Ravi Sandhu
17World-Leading Research with Real-World Impact!4. Extended ABAC Models: ReBAC versus ABAC ABAC Framework
Slide18© Ravi Sandhu
18World-Leading Research with Real-World Impact!4. Extended ABAC Models: ReBAC versus ABAC Equivalence of ReBAC and ABAC Structural Variants
Slide19© Ravi Sandhu
19World-Leading Research with Real-World Impact!4. Extended ABAC Models: ReBAC versus ABAC Non-Equivalence of ReBAC and ABAC Variants
Slide2020
World-Leading Research with Real-World Impact!ABAC Research Agenda© Ravi Sandhu1. Foundational Principles and Theory2. Core ABAC Models3. AdministrativeABAC Models
4. ExtendedABAC Models
5. ABAC Policy
Architectures and Languages
6. ABAC Enforcement Architectures
7. ABAC Design, Engineering and Applications
Slide21A single infinite attribute with no creation leads to undecidable safety.
Rajkumar 2012Pre_UCON with finite attributes and unbounded creation has decidable safety. Rajkumar, Sandhu 2016ABACα has decidable safety. Ahmed, Sandhu 2017GURA has decidable safety/reachability. Jin, Krishnan, Sandhu 2017© Ravi Sandhu21World-Leading Research with Real-World Impact!
1. Foundations: Safety
Slide2222
World-Leading Research with Real-World Impact!ABAC Research Agenda© Ravi Sandhu1. Foundational Principles and Theory2. Core ABAC Models3. AdministrativeABAC Models4. Extended
ABAC Models
5. ABAC Policy
Architectures and Languages
6. ABAC Enforcement Architectures
7. ABAC Design, Engineering and Applications
Slide23© Ravi Sandhu
23World-Leading Research with Real-World Impact!5. Policy Architecture: Centralized ABACα style Policy Configuration Points
Slide24© Ravi Sandhu
24World-Leading Research with Real-World Impact!5. Policy Architecture: Diffused AWS style
Slide2525
World-Leading Research with Real-World Impact!ABAC Research Agenda© Ravi Sandhu1. Foundational Principles and Theory2. Core ABAC Models3. AdministrativeABAC Models4. Extended
ABAC Models
5. ABAC Policy
Architectures and Languages
6. ABAC Enforcement Architectures
7. ABAC Design, Engineering and Applications
Slide26© Ravi Sandhu
26World-Leading Research with Real-World Impact!6. ABAC Enforcement Architecture: Federated ABAC Fisher 2015NCCOE, NIST, Building Block
Slide2727
World-Leading Research with Real-World Impact!ABAC Research Agenda© Ravi Sandhu1. Foundational Principles and Theory2. Core ABAC Models3. AdministrativeABAC Models4. Extended
ABAC Models
5. ABAC Policy
Architectures and Languages
6. ABAC Enforcement Architectures
7. ABAC Design, Engineering and Applications
Slide28Cloud Computing IaaS
Single tenantMulti tenantMulti cloud© Ravi Sandhu28World-Leading Research with Real-World Impact!7. ABAC Applications: Cloud IaaSJin, Tang, Dang, Bijon, Pustchi, Zhang, Biswas, Ahmed, Cheng,Patwa, Krishnan, Sandhu2012 onwards
Slide29© Ravi Sandhu
29World-Leading Research with Real-World Impact!7. ABAC Applications: Cloud Enabled IoTAlsheri, Bhatt,Patwa, Benson,Sandhu2016 onwards
Slide3030
World-Leading Research with Real-World Impact!ABAC Research Agenda© Ravi Sandhu1. Foundational Principles and Theory2. Core ABAC Models3. AdministrativeABAC Models4. Extended
ABAC Models
5. ABAC Policy
Architectures and Languages
6. ABAC Enforcement Architectures
7. ABAC Design, Engineering and Applications