The Data and Application Security and Privacy (DASPY) Challenge

Uploaded On 2020-08-07

Presentation Transcript

Slide1

The Data and Application Security and Privacy (DASPY) Challenge
Prof. Ravi Sandhu
Executive Director and Endowed Chair
11/11/11
ravi.sandhu@utsa.edu
www.profsandhu.com
www.ics.utsa.edu

© Ravi Sandhu

World-Leading Research with Real-World Impact!

Institute for Cyber Security

Slide2

The ATM “Paradox”

The ATM (Automatic Teller Machine) network is
  secure enough (but insecure)
  global in scope and rapidly growing
But
  not securable by academically taught cyber security
  not studied as a success story
  missing technologies highly regarded by academia
Similar “paradoxes” apply to
  on-line banking
  e-commerce
  etc

Slide3

Cyber Security Status

Cyber technologies and systems have evolved
Cyber attacks and attackers have evolved
  Side note: all attackers are not evil
Cyber security (defensive) goals have evolved
  Computer security
  Information security = Computer security + Communications security
  Information assurance
  Mission assurance

Slide4

Cyber Security Research Status

Cyber security research (and practice) are
  rapidly losing ground
  evolving glacially
  in spite of increase in funding and many innovative research advances
  in spite of numerous calls for “game changing” research
Grand challenge: how to become relevant to the real world

Slide5

Cyber Security Research Status

We need to do something different
Rough analogies
  software engineering vis a vis programming
  data models (e.g., entity-relationship) vis a vis data structures (e.g., B trees)

Slide6

Cyber Security Characteristics

Cyber Security is all about tradeoffs
[Figure: tradeoff between Productivity and Security]
  Productivity: Let’s build it; Cash out the benefits; Next generation can secure it
  Security: Let’s not build it; Let’s bake in super-security to make it unusable/unaffordable; Let’s mandate unproven solutions
There is a sweet spot
We don’t know how to predictably find it

Slide7

Cyber Security Characteristics

Tech-Light
Tech-Heavy
Tech-Medium
High-tech + High-touch

Slide8

Cyber Security Characteristics

Microsec versus Macrosec
  Most cyber security thinking is microsec
  Most big (e.g., national level) cyber security threats are macrosec
  Rational microsec behavior can result in highly vulnerable macrosec

Slide9

Cyber Security Characteristics

[Figure: reality versus perception, with levels marked LOW and HIGH]

Slide10

Cyber Security Characteristics

How to justify investing in security in presence of persistent insecurity?
And, where to invest?
  mitigate known attacks in the wild?
  mitigate anticipated attacks?
  mitigate ultimate attacks?
  some combination?

Slide11

Academic Challenge

Develop a scientific discipline
  to cover (at least) the previous characteristics
  that can be meaningfully taught in Universities at all levels: BS, MS, PhD
Prognosis
  we shall succeed (we have no choice)

Slide12

Driving Principles

Insecurity is inevitable
  Death is inevitable
Security investment is nevertheless justified
  Mortals nevertheless seek medical care
Too much security can be counter productive
  So can too much medical care

Slide13

Central Question

How can we be “secure” while being “insecure”?
versus
How can we be “secure”?

Slide14

How Secure? How Insecure?

Sometimes aiming high is very appropriate
  The President’s nuclear football
  Secret formula for Coca Cola
Sometimes not
  ATM network
  On-line banking
  E-commerce (B2C)

Slide15

Why is the ATM System Secure?

Monetary loss is easy to quantify and compensate
Security principles
  stop loss mechanisms
  audit trail (including physical video)
  retail loss tolerance with recourse
  wholesale loss avoidance
Technical surprises
  no asymmetric cryptography
  no anonymity
Application Centric

Slide16

Cyber Security Research

[Figure labels: FOUNDATIONS (Building blocks and theory); Application Centric; Technology Centric; Attack Centric]

Slide17

The DASPY System Challenge

[Figure: layered PEI MODELS diagram, top to bottom]
Security and system goals (objectives/policy)
  Necessarily informal
Policy models
  Specified using users, subjects, objects, admins, labels, roles, groups, etc. in an ideal setting.
  Security analysis (objectives, properties, etc.).
Enforcement models
  Approximated policy realized using system architecture with trusted servers, protocols, etc.
  Enforcement level security analysis (e.g. stale information due to network latency, protocol proofs, etc.).
Implementation models
  Technologies such as Cloud Computing, Trusted Computing, etc.
  Implementation level security analysis (e.g. vulnerability analysis, penetration testing, etc.)
Concrete System
  Software and Hardware

Slide18

RBAC96 Model (P Layer)

[Figure labels: USERS, ROLES, PERMISSIONS, USER-ROLE ASSIGNMENT, PERMISSIONS-ROLE ASSIGNMENT, SESSIONS, ROLE HIERARCHIES, CONSTRAINTS]

Slide19

Server Pull Model (E Layer)

[Figure labels: Client, Server, User-role Authorization Server]

Slide20

Client Pull Model (E Layer)

[Figure labels: Client, Server, User-role Authorization Server]

Slide21

The DASPY System Challenge

[Figure: layered PEI MODELS diagram, top to bottom]
Security and system goals (objectives/policy)
  Necessarily informal
Policy models
  Specified using users, subjects, objects, admins, labels, roles, groups, etc. in an ideal setting.
  Security analysis (objectives, properties, etc.).
Enforcement models
  Approximated policy realized using system architecture with trusted servers, protocols, etc.
  Enforcement level security analysis (e.g. stale information due to network latency, protocol proofs, etc.).
Implementation models
  Technologies such as Cloud Computing, Trusted Computing, etc.
  Implementation level security analysis (e.g. vulnerability analysis, penetration testing, etc.)
Concrete System
  Software and Hardware

Slide22

g-SIS Model (P layer)

Operational aspects
  Group operation semantics
    Add, Join, Leave, Remove, etc
    Multicast group is one example
  Object model
    Read-only
    Read-Write (no versioning vs versioning)
  User-subject model
    Read-only vs read-write
  Policy specification
Administrative aspects
  Authorization to create group, user join/leave, object add/remove, etc.
[Figure: Users (join, leave) and Objects (add, remove) in a Group; Authz (u,o,r)?]

Slide23

g-SIS Model (E layer)

Super-Distribution (SD) versus Micro-Distribution (MD)
Scalability/Performance
  SD: Encrypt once, access where authorized
  MD: Custom encrypt for each user on initial access
Assurance/Recourse
  SD: Compromise one client, compromise group key
  MD: Compromise of one client contained to objects on that client
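
The SD/MD tradeoff on this slide, modelled as an added example that is not part of the original presentation: it counts server-side encryptions and computes which objects a single compromised client exposes in each mode. It assumes a trusted server that derives keys with HMAC-SHA256, one group key for SD and one key per (user, object) for MD; the class, function and user names are hypothetical.

```python
import hashlib
import hmac
import os

def derive(key: bytes, *labels: str) -> bytes:
    """HMAC-SHA256 derivation; stands in for a real KDF (assumption of this sketch)."""
    return hmac.new(key, "\x1f".join(labels).encode(), hashlib.sha256).digest()

class Group:
    """Constructed model of one group whose master secret never leaves the server."""
    def __init__(self, mode, objects):
        if mode not in ("SD", "MD"):
            raise ValueError("mode must be 'SD' or 'MD'")
        self.mode = mode
        self.master = os.urandom(32)
        self.objects = set(objects)
        self.clients = {}  # user -> keys cached on that user's client

    def wrap_key(self, user, obj):
        """Key protecting obj as delivered to user."""
        if self.mode == "SD":
            return derive(self.master, "group")  # one group key: encrypt once
        return derive(self.master, user, obj)    # custom key per user and object

    def access(self, user, obj):
        """Initial access: the server provisions the key to the user's client."""
        self.clients.setdefault(user, set()).add(self.wrap_key(user, obj))

    def server_encryptions(self):
        """SD encrypts each object once; MD encrypts once per (user, object) access."""
        if self.mode == "SD":
            return len(self.objects)
        return sum(len(keys) for keys in self.clients.values())

    def exposed_by(self, victim):
        """Objects decryptable with the keys taken from the victim's client."""
        stolen = self.clients.get(victim, set())
        return {o for o in self.objects for u in self.clients
                if self.wrap_key(u, o) in stolen}

def compare():
    """Same constructed access pattern under both modes; alice's client is compromised."""
    accesses = [("alice", "o1"), ("alice", "o2"),
                ("bob", "o1"), ("bob", "o3"), ("bob", "o4")]
    result = {}
    for mode in ("SD", "MD"):
        g = Group(mode, ["o1", "o2", "o3", "o4"])
        for user, obj in accesses:
            g.access(user, obj)
        result[mode] = (g.server_encryptions(), sorted(g.exposed_by("alice")))
    return result
```

With this access pattern SD costs fewer encryptions but exposes every group object, while MD costs one encryption per access and limits exposure to the objects held on the compromised client.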

Slide24

Conclusion

How can we be “secure” while being “insecure”?
versus
How can we be “secure”?