Attribute-Based Access Control:


Insights and Challenges. Prof. Ravi Sandhu, Executive Director and Endowed Chair. DBSec, Philadelphia, July 19, 2017. ravi.sandhu@utsa.edu, www.profsandhu.com, www.ics.utsa.edu



Presentation Transcript

Slide1

Attribute-Based Access Control: Insights and Challenges
Prof. Ravi Sandhu
Executive Director and Endowed Chair
DBSec
Philadelphia
July 19, 2017
ravi.sandhu@utsa.edu
www.profsandhu.com
www.ics.utsa.edu

© Ravi Sandhu

World-Leading Research with Real-World Impact!

Institute for Cyber Security

Slide2

Access Control Evolution
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????

Slide3

Access Control Evolution
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Born 1990s

Slide4

Access Control Evolution
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Relationship Based Access Control (ReBAC) ????
Provenance Based Access Control (PBAC) ????
Born 1990s
Born mid 2000s
Born late 2000s

Slide5

ABAC = Final Word?
NO!! Never!!
Is ABAC the right word for the moment?
  Certainly a strong candidate
Already too late?
  ReBAC (relationship-based access control) not ABAC
  Big Data, Analytics and AI will take care of everything
What is lacking in ABAC?
  Usage Control (UCON) concepts of attribute mutability, enforcement and obligation continuity, and post-obligations
  Task-Based Access Control
  Risk-Based Access Control
  Policy-Based Access Control
  …

Slide6

The ABAC Challenge
ABAC is orders of magnitude more complex than anything that has been an Access Control winner so far (DAC, MAC, RBAC)
We need the complexity, but need to manage it
If Google can index the web, we can do ABAC!!
Cloud-enabled IoT may be the killer app

Slide7

ABAC Research Agenda
1. Foundational Principles and Theory
2. Core ABAC Models
3. Administrative ABAC Models
4. Extended ABAC Models
5. ABAC Policy Architectures and Languages
6. ABAC Enforcement Architectures
7. ABAC Design, Engineering and Applications
Based on RBAC experience


Slide9

2. Core ABAC Models: UCON
Usage Control Models, early 2000s
Park, Sandhu, Pretschner
unified model integrating
  authorization
  obligation
  conditions
and incorporating
  continuity of decisions
  mutability of attributes

Slide10

2. Core ABAC Models: ABACα
Policy Configuration Points
Can be configured to do simple forms of DAC, MAC, RBAC
Jin, Krishnan, Sandhu 2012

Slide11

2. Core ABAC Models: ABACβ
Can further be configured to do many RBAC extensions
Jin, Krishnan, Sandhu 2014

Slide12

2. Core ABAC Models: HGABAC

Hierarchical Group and Attribute Based Access Control (HGABAC)

U: User
UG: User-Group
S: Subject
UA: User Attributes
O: Object
OG: Object-Group
OA: Object Attributes
OP: Operations

Introduces the notion of User and Object Groups
Core advantage is simplified administration of attributes
Users and objects are assigned a set of attributes in one go, rather than one assignment at a time.

Servos and Osborn, 2015
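The group mechanism on this slide, as an added example that is not from the talk or from the HGABAC paper: a simplified Python sketch in which users and objects receive attributes through group membership, and groups inherit from parent groups. The inheritance direction, the group and attribute names, and the can_read policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    attrs: dict                                   # attribute -> set of values
    parents: list = field(default_factory=list)   # groups inherited from (assumed direction)

def group_attrs(group, seen=None):
    """Own attributes plus everything inherited from ancestor groups."""
    seen = set() if seen is None else seen
    if group.name in seen:                        # guard against cycles and repeat visits
        return {}
    seen.add(group.name)
    merged = {k: set(v) for k, v in group.attrs.items()}
    for parent in group.parents:
        for k, v in group_attrs(parent, seen).items():
            merged.setdefault(k, set()).update(v)
    return merged

def effective_attrs(direct, groups):
    """Direct assignments unioned with attributes from every group membership."""
    merged = {k: set(v) for k, v in direct.items()}
    for g in groups:
        for k, v in group_attrs(g).items():
            merged.setdefault(k, set()).update(v)
    return merged

def can_read(ua, oa):
    """Hypothetical policy: a shared project, and clearance covers sensitivity."""
    shares_project = bool(ua.get("project", set()) & oa.get("project", set()))
    cleared = oa.get("sensitivity", set()) <= ua.get("clearance", set())
    return shares_project and cleared

# Constructed sample data: two user groups (UG) and one object group (OG).
staff = Group("staff", {"dept": {"engineering"}})
project_x = Group("project_x", {"project": {"x"}}, parents=[staff])
x_docs = Group("x_docs", {"project": {"x"}})

def alice():        # member of project_x, which inherits from staff
    return effective_attrs({"clearance": {"secret"}}, [project_x])

def bob():          # member of staff only, so no project attribute
    return effective_attrs({"clearance": {"secret"}}, [staff])

def design_doc():   # object placed in the x_docs object group
    return effective_attrs({"sensitivity": {"secret"}}, [x_docs])

if __name__ == "__main__":
    print(can_read(alice(), design_doc()), can_read(bob(), design_doc()))
```

Adding one attribute to the staff group changes the effective attributes of every direct and indirect member at once, which is the administrative saving the slide describes.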


Slide14

3. Administrative ABAC Models: GURA and GURAG
Jin, Krishnan, Sandhu, 2012
Gupta, Sandhu, 2016


Slide16

4. Extended ABAC Models: ReBAC versus ABAC
ReBAC Framework
Ahmed and Sandhu, 2017

Slide17

4. Extended ABAC Models: ReBAC versus ABAC
ABAC Framework

Slide18

4. Extended ABAC Models: ReBAC versus ABAC
Equivalence of ReBAC and ABAC Structural Variants

Slide19

4. Extended ABAC Models: ReBAC versus ABAC
Non-Equivalence of ReBAC and ABAC Variants


Slide21

1. Foundations: Safety
A single infinite attribute with no creation leads to undecidable safety. Rajkumar 2012
Pre_UCON with finite attributes and unbounded creation has decidable safety. Rajkumar, Sandhu 2016
ABACα has decidable safety. Ahmed, Sandhu 2017
GURA has decidable safety/reachability. Jin, Krishnan, Sandhu 2017


Slide23

5. Policy Architecture: Centralized ABACα style
Policy Configuration Points

Slide24

5. Policy Architecture: Diffused AWS style


Slide26

6. ABAC Enforcement Architecture: Federated ABAC
Fisher 2015
NCCOE, NIST, Building Block


Slide28

7. ABAC Applications: Cloud IaaS
Cloud Computing IaaS
  Single tenant
  Multi tenant
  Multi cloud
Jin, Tang, Dang, Bijon, Pustchi, Zhang, Biswas, Ahmed, Cheng, Patwa, Krishnan, Sandhu
2012 onwards

Slide29

7. ABAC Applications: Cloud Enabled IoT
Alsheri, Bhatt, Patwa, Benson, Sandhu
2016 onwards
