Access Control Convergence Challenges and Opportunities Ravi Sandhu
- Slides: 30
Access Control Convergence: Challenges and Opportunities Ravi Sandhu Executive Director and Chief Scientist Professor of Computer Science Lutcher Brown Chair in Cyber Security International Conference on Information Systems Security December 2020 ravi. sandhu@utsa. edu www. ics. utsa. edu www. profsandhu. com © Ravi Sandhu World-Leading Research with Real-World Impact! 1
Convergent Research Disciplinary INCREASED Multi-Disciplinary Collaboration Interaction New paradigms New concepts New language New disciplines Inter-Disciplinary Convergent © Ravi Sandhu World-Leading Research with Real-World Impact! 2
Convergent Research Disciplinary INCREASED Multi-Disciplinary Inter-Disciplinary NAP Report 2005 Collaboration Interaction New paradigms New concepts New language New disciplines Convergent NAP Report 2014 NAP = National Academies Press © Ravi Sandhu World-Leading Research with Real-World Impact! 3
Convergent Research Disciplinary INCREASED Multi-Disciplinary Collaboration Interaction New paradigms New concepts New language New disciplines Inter-Disciplinary Cross-Disciplinary Trans-Disciplinary © Ravi Sandhu Convergent World-Leading Research with Real-World Impact! 4
Convergent Research Disciplinary INCREASED Multi-Disciplinary Collaboration Interaction New paradigms New concepts New language New disciplines Inter-Disciplinary Convergent DRIVERS -- Deep scientific questions -- Pressing societal needs © Ravi Sandhu World-Leading Research with Real-World Impact! 5
Cyber Security Research Convergence Objectives Enable POLICY ATTACKS What? Why? Respond Enforce Mechanisms © Ravi Sandhu Defend P R O T E C T How? Complement World-Leading Research with Real-World Impact! 6 D E T E C T Application Context
Cyber Security Research Convergence Objectives Enable POLICY ATTACKS What? Deep scientific questions: -- We have no clue how to do this Why? Enforce Pressing societal need: -- Cyber security is hugely important and broken -- Cyber security researchers lack incentive to converge P How? D R E O T T E Complement Mechanisms E C C T T © Ravi Sandhu World-Leading Research with Real-World Impact! 7 Respond Defend Application Context
Access Control Research Convergence ABAC Re. BAC MAC DAC … Convergent Access Control (CAC) Access Control Enforcement Models Access Control Policy Models © Ravi Sandhu This slide prepared by Smriti Bhatt World-Leading Research with Real-World Impact! 8 Application Context
Access Control Research Convergence ABAC Deep scientific questions: Re. BAC -- We have no clue how to do this DAC -- Will revisit at end of of talk RBAC MAC … Pressing societal need: -- Cyber security is hugely important and broken -- Access control Convergent is an essential piece. Control to secure modern Access (CAC) cyber applications: Io. T, CPS, smart communities, … -- Cyber security researchers have no incentive to converge -- Convergence may be easier in Access Control vs all of cyber security Access Control Policy Models © Ravi Sandhu Enforcement Models World-Leading Research with Real-World Impact! 9 Application Context
Access Control Research Convergence ABAC Re. BAC MAC DAC … Convergent Access Control (CAC) Access Control Enforcement Models Access Control Policy Models © Ravi Sandhu This slide prepared by Smriti Bhatt World-Leading Research with Real-World Impact! 10 Application Context
Access Control PEI Layers Big decisions Idealized Enforceable Code © Ravi Sandhu World-Leading Research with Real-World Impact! 11
Access Control PEI Layers Big decisions Our focus Idealized Enforceable Code © Ravi Sandhu World-Leading Research with Real-World Impact! 12
Enforcement Models PUSH MODEL Client PULL MODEL Client © Ravi Sandhu Server Authentication + Authorization Credentials Server Authentication Credentials World-Leading Research with Real-World Impact! 13 Authorization Credentials
Access Control PEI Layers Big decisions Our focus Idealized Enforceable Code © Ravi Sandhu World-Leading Research with Real-World Impact! 14
Access Control Discretionary Access Control (DAC) 1970 Mandatory Access Control (MAC) 1970 Role Based Access Control (RBAC) 1995 Attribute Based Access Control (ABAC) Relationship-Based Access Control (Re. BAC) Usage Control (UCON) 2020 s (Hopefully) © Ravi Sandhu World-Leading Research with Real-World Impact! 15
Discretionary Access Control (DAC) Ø Core concept: Custodian of information determines access Ø Core drawback: Does not protect copies Therefore OK for integrity but not for confidentiality Ø Sophistication: Delegation of custody Denials or negative rights © Ravi Sandhu World-Leading Research with Real-World Impact! 16
Mandatory Access Control (MAC) Top Secret Confidential Unclassified can-flow © Ravi Sandhu World-Leading Research with Real-World Impact! 17
Mandatory Access Control (MAC) Ø Core concept: Extend control to copies by means of security labels Ø Core drawback: Covert/side channels bypass MAC Inference not prevented Too strict Too reductionist Ø Sophistication: Dynamic labels © Ravi Sandhu World-Leading Research with Real-World Impact! 18
Access Control Discretionary Access Control (DAC) 1970 Mandatory Access Control (MAC) 1970 Role Based Access Control (RBAC) 1995 Attribute Based Access Control (ABAC) Relationship-Based Access Control (Re. BAC) Usage Control (UCON) 2020 s (Hopefully) © Ravi Sandhu World-Leading Research with Real-World Impact! 19
Role-Based Access Control (RBAC) Ø Core concept: Roles determine everything Ø Core drawback: Roles are a natural concept for human users But not so natural for: Information objects Io. T things Contextual attributes Ø Sophistication: Role hierarchies Role constraints © Ravi Sandhu World-Leading Research with Real-World Impact! 20
Access Control Discretionary Access Control (DAC) 1970 Mandatory Access Control (MAC) 1970 Role Based Access Control (RBAC) 1995 Attribute Based Access Control (ABAC) Relationship-Based Access Control (Re. BAC) Usage Control (UCON) 2020 s (Hopefully) © Ravi Sandhu World-Leading Research with Real-World Impact! 21
Attribute-Based Access Control (ABAC) Operation Actor Access Decision? Yes/No Context © Ravi Sandhu World-Leading Research with Real-World Impact! 22 Target
Attribute-Based Access Control (ABAC) Ø Core concept: Attributes determine everything No fixed access decision rule Ø Core drawback: Flexibility at the cost of complexity Ø Sophistication: Chained attributes Group attributes Distributed decision rules Automation Adaptation © Ravi Sandhu World-Leading Research with Real-World Impact! 23
Access Control Discretionary Access Control (DAC) 1970 Mandatory Access Control (MAC) 1970 Role Based Access Control (RBAC) 1995 Attribute Based Access Control (ABAC) Relationship-Based Access Control (Re. BAC) Usage Control (UCON) 2020 s (Hopefully) © Ravi Sandhu World-Leading Research with Real-World Impact! 24
Access Control: Where Are We? Ø Rich set of building blocks: DAC, MAC, RBAC, ABAC, Re. BAC, UCON Ø We have some understanding of the relationships amongst these © Ravi Sandhu World-Leading Research with Real-World Impact! 25
Access Control: What Next? Ø Rich set of building blocks: DAC, MAC, RBAC, ABAC, Re. BAC, UCON Ø We have some understanding of the relationships amongst these Ø Do we need more building blocks? Ø We have very little understanding of synergy amongst these © Ravi Sandhu World-Leading Research with Real-World Impact! 26
Access Control: What Next? Ø Rich set of building blocks: DAC, MAC, RBAC, ABAC, Re. BAC, UCON Ø We have some understanding of the relationships amongst these Ø Do we need more building blocks? Ø We have very little understanding of synergy amongst these © Ravi Sandhu Deep scientific question for convergent research World-Leading Research with Real-World Impact! 27
Access Control: What Next? Ø Rich set of building blocks: DAC, MAC, RBAC, ABAC, Re. BAC, UCON Ø We have some understanding of the relationships amongst these Ø Do we need more building blocks? Ø We have very little understanding of synergy amongst these Pressing societal need? © Ravi Sandhu Deep scientific question for convergent research World-Leading Research with Real-World Impact! 28
Smart Communities © Ravi Sandhu This slide prepared by Smriti Bhatt World-Leading Research with Real-World Impact! 29
Access Control Research Convergence ABAC Re. BAC MAC DAC … Convergent Access Control (CAC) Access Control Enforcement Models Access Control Policy Models © Ravi Sandhu This slide prepared by Smriti Bhatt World-Leading Research with Real-World Impact! 30 Application Context
Clark-wilson model
Converges conditionally
Winkle sandhu
Five opportunities in media and information
Greater bay area opportunities and challenges
Terminal access controller access control system
Terminal access controller access-control system
Ravi and minu architects
Käeseen
Ravi raj production
Ravinin adalet kusurları
Hadsler
Ravi kumar kopparapu
Gmail
Ravi credit card
Rasmus ruus
Ravi chandra cisco
Ravi kandhadai madhavan
Dr anita ravi
Ravikindlustamata isikute ravi
Kurttummus ravi
Senedin müntehası
Ravi sinha iit bombay
Ravi rajapakse
Ravi kumar sacramento
Ravi zaccharias
Kumar satish ravi
Ravi type 240 characters
Indentation gonioscopy
Ravi vaswani
Ravi patki
