Slide 1
Attribute-Based Access Control Models and Beyond
Prof. Ravi Sandhu
Executive Director, Institute for Cyber Security
Lutcher Brown Endowed Chair in Cyber Security
University of Texas at San Antonio
Indraprastha Institute of Information Technology (IIIT), Delhi
February 14, 2015
ravi.sandhu@utsa.edu, www.profsandhu.com, www.ics.utsa.edu
© Ravi Sandhu
World-Leading Research with Real-World Impact!
Institute for Cyber Security
Slide 2
Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
Slide 3
The RBAC Story
(timeline figure: RBAC96 model, NIST-ANSI standard proposed, NIST-ANSI standard adopted)
Ludwig Fuchs, Gunther Pernul and Ravi Sandhu, "Roles in Information Security - A Survey and Classification of the Research Area", Computers & Security, Volume 30, Number 8, Nov. 2011, pages 748-76.
Slide 4
RBAC Shortcomings
(figure: Constraints, ranging from "Hard Enough" to "Impossible")
Slide 5
ABAC is not New
User (Identity), Attributes, Public-keys + Secured secrets

Slide 6
ABAC is not New
User (Identity), Attributes, Public-keys + Secured secrets
Pre Internet, early 1990s: X.509 Identity Certificates, X.500 Directory

Slide 7
ABAC is not New
User (Identity), Attributes, Public-keys + Secured secrets
Post Internet, late 1990s: X.509 Identity Certificates, X.509 Attribute Certificates

Slide 8
ABAC is not New
User (Identity), Attributes, Public-keys + Secured secrets
Post Internet, late 1990s: SPKI Certificates

Slide 9
ABAC is not New
User (Identity), Attributes, Public-keys + Secured secrets
Mature Internet, 2000s: Anonymous Credentials
Slide 10
ABAC is not New
(figure: Action, User, Subject, Object, Context and Policy, each carrying Attributes, feed an Authorization Decision of Yes/No)

Slide 11
ABAC is not New
(figure: Action, User, Subject, Object, Context and Policy, each carrying Attributes, feed an Authorization Decision of Yes/No)
Mature Internet, 2000s:
Usage Control
XACML
Attribute-Based Encryption
Slide 12
ABAC Status
(timeline figure, 1990 to 2014: RBAC96 paper, proposed standard, standard adopted)
ABAC still in pre/early phase
Slide 13
Attribute-Based Access Control (ABAC)
Attributes are
- name:value pairs
  - possibly chained
  - values can be complex data structures
- Associated with
  - actions
  - users
  - subjects
  - objects
  - contexts
  - policies
- Converted by policies into rights just in time
  - policies specified by security architects
  - attributes maintained by security administrators
  - but also possibly by users OR reputation and trust mechanisms
- Inherently extensible
Slide 14
ABACα Model Structure
(figure: Policy Configuration Points)
Can be configured to do DAC, MAC, RBAC
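To make slide 14's claim concrete, here is a toy engine in the spirit of ABACα (example code written for this page, not from the talk or from the ABACα papers): the decision is a function of subject, object and context attributes, subject attributes are bounded by the creating user's attributes, and swapping the policy at one configuration point makes the same engine behave as DAC, MAC or RBAC. The security lattice, the role-permission table and all entities are constructed sample data.

```python
# Added example (not from the slides): an ABACα-style engine whose Yes/No decision
# is computed from attributes, with DAC, MAC and RBAC as policy configurations.
# Every attribute value below is constructed sample data.
from typing import Any, Callable, Dict

Attrs = Dict[str, Any]
Policy = Callable[[Attrs, Attrs, Attrs, str], bool]

# Ordered security lattice used by the MAC configuration (constructed).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
# Role -> permissions used by the RBAC configuration (constructed).
ROLE_PERMS = {"doctor": {("record", "read"), ("record", "write")},
              "nurse": {("record", "read")}}

def create_subject(user: Attrs, requested: Attrs) -> Attrs:
    """Subject-creation constraint: subject attributes are bounded by the
    attributes of the user who creates the subject."""
    if not set(requested["roles"]) <= set(user["roles"]):
        raise PermissionError("subject roles must be a subset of user roles")
    if LEVELS[requested["clearance"]] > LEVELS[user["clearance"]]:
        raise PermissionError("subject clearance cannot exceed user clearance")
    return {"uid": user["uid"], **requested}

def dac_policy(subj: Attrs, obj: Attrs, ctx: Attrs, action: str) -> bool:
    """DAC: the object's owner attribute and its ACL attribute decide."""
    return subj["uid"] == obj["owner"] or subj["uid"] in obj["acl"].get(action, set())

def mac_policy(subj: Attrs, obj: Attrs, ctx: Attrs, action: str) -> bool:
    """MAC (Bell-LaPadula): read down (clearance >= classification), write up."""
    s, o = LEVELS[subj["clearance"]], LEVELS[obj["classification"]]
    return (action == "read" and s >= o) or (action == "write" and s <= o)

def rbac_policy(subj: Attrs, obj: Attrs, ctx: Attrs, action: str) -> bool:
    """RBAC: roles are a subject attribute; permissions are assigned to roles."""
    return any((obj["type"], action) in ROLE_PERMS.get(r, set()) for r in subj["roles"])

def authorize(policy: Policy, subj: Attrs, obj: Attrs, ctx: Attrs, action: str) -> bool:
    """Yes/No decision: a context attribute (business hours) gates every policy."""
    if not 9 <= ctx["hour"] < 17:
        return False
    return policy(subj, obj, ctx, action)

# Constructed sample entities: alice spawns a subject with fewer rights than she holds.
USER = {"uid": "alice", "roles": ["doctor", "nurse"], "clearance": "secret"}
SUBJECT = create_subject(USER, {"roles": ["nurse"], "clearance": "confidential"})
RECORD = {"type": "record", "owner": "bob", "classification": "secret",
          "acl": {"read": {"alice"}}}
CTX = {"hour": 10}
```

Calling `authorize(mac_policy, SUBJECT, RECORD, CTX, "read")` versus `authorize(dac_policy, ...)` on the same entities shows that only the policy at the configuration point changes, not the attribute model.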
Slide 15
ABACβ Scope
1. Context Attributes
2. Subject attribute constraint policies are different at creation and modification time.
3. Subject attributes constrained by attributes of subjects created by the same user.
4. Policy Language
5. Meta-Attributes
(figure: the ABACβ model diagram, with labels such as "1, 2, 4, 5" mapping the numbered items onto its components; the diagram itself is not reproduced here)
Slide 16
ABACβ Model
(figure)
Slide 17
Beyond ABAC
(figure: Security, Access Control, Trust, Risk, Attributes, Relationships, Provenance)
Slide 18
ABAC Research at ICS
- GURA model for user-attribute assignment
- Safety analysis of ABACα and ABACβ
  - Undecidable safety for ABAC models
  - Decidable safety for ABAC with finite fixed attributes
- Constraints in ABAC
- ABAC Cloud IaaS implementations (OpenStack)
- Attribute Engineering
- Attribute Mining
- Unification of Attributes, Relationships and Provenance