1. Attribute-Based Access Control Models and Beyond
Prof. Ravi Sandhu
Executive Director, Institute for Cyber Security
Lutcher Brown Endowed Chair in Cyber Security
University of Texas at San Antonio
Singapore Management University, Singapore
April 10, 2015
ravi.sandhu@utsa.edu, www.profsandhu.com, www.ics.utsa.edu
© Ravi Sandhu
World-Leading Research with Real-World Impact!
Institute for Cyber Security
2. Cyber Security Technologies
Figure: the technology areas shown on the slide.
- Authentication
- Intrusion/Malware Detection and Audit
- Cryptography
- Access Control
- Assurance
- Risk Analysis
- Security Engineering & Management
3. Security Limitations
- Analog Hole
- Inference
- Covert Channels
- Side Channels
- Phishing
- Social Engineering
- Attack Asymmetry
- Privacy vs Security
- Base-rate Fallacy
- ...
Can manage; cannot eliminate.
4-8. Access Control
The same timeline figure is repeated on slides 4 through 8, each time with a different annotation.
- Discretionary Access Control (DAC), 1970
- Mandatory Access Control (MAC), 1970
- Role Based Access Control (RBAC), 1995
- Attribute Based Access Control (ABAC), ????
Annotations: Fixed policy / Flexible policy (slide 5); Administration Driven / Automated, Adaptive (slide 6); Enterprise Oriented / Beyond Enterprise (slide 7); Messy or Chaotic? (slide 8)
9. Access Control Models
- Discretionary Access Control (DAC), 1970
  - Owner controls access
  - But only to the original, not to copies
  - Grounded in pre-computer policies of researchers
- Mandatory Access Control (MAC), 1970
  - Synonymous with Lattice-Based Access Control (LBAC)
  - Access based on security labels
  - Labels propagate to copies
  - Grounded in pre-computer military and national security policies
- Role-Based Access Control (RBAC), 1995
  - Access based on roles
  - Can be configured to do DAC or MAC
  - Grounded in pre-computer enterprise policies
Numerous other models but only 3 successes: SO FAR
10. Access Control Models
Figure: four aspects of an access control model, annotated with where each family of models has concentrated.
- Policy Specification
- Policy Reality
- Policy Enforcement
- Policy Administration
Annotations: MAC, DAC: main focus; RBAC, ABAC: initial focus; RBAC, ABAC: next-step focus; MAC, DAC: easy (relatively)
11. The RBAC Story
Figure: bar chart of the amount of RBAC publications per year of publication, 1992 to 2008, annotated with per-year counts (single digits in the early 1990s, above 100 per year by the late 2000s). Phases marked: Pre-RBAC, Early RBAC, 1st expansion phase, 2nd expansion phase. Milestones marked: RBAC96 model, NIST-ANSI Standard Proposed, NIST-ANSI Standard Adopted.
Source: Ludwig Fuchs, Gunther Pernul and Ravi Sandhu, Roles in Information Security - A Survey and Classification of the Research Area, Computers & Security, Volume 30, Number 8, Nov. 2011, pages 748-76
12. RBAC96 Model
Figure: the RBAC96 model diagram, with Constraints shown across the model's components.
World-Leading Research with Real-World Impact!
RBAC Policy Configuration Points
© Ravi Sandhu
Constraints
Security Architect
Security
Administrator
User
Security Architect
Security Architect
Security
Administrator
Security
Architect
14. Fundamental Theorem of RBAC
- RBAC can be configured to do MAC
- RBAC can be configured to do DAC
- RBAC is policy neutral
RBAC is neither MAC nor DAC!
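As an added illustration of the first bullet (example code written for this page, not taken from the slides): an RBAC96-style engine with a role hierarchy, sessions and a session constraint, configured through the read-role/write-role construction so that it enforces a lattice-based MAC policy. The engine class, the label encoding and the names `configure_mac`, `clear_user` and `label_object` are this example's own, and the users, labels and objects are constructed sample data.

```python
# Added example (not from the slides): an RBAC96-style core plus the
# read-role / write-role construction that configures it to enforce a
# lattice-based MAC policy. All names and sample data are this example's own.


class RBAC:
    """Users, roles, permissions, sessions, a role hierarchy and session constraints."""

    def __init__(self):
        self.ua = {}            # user -> roles assigned to that user
        self.pa = {}            # role -> {(object, operation)} granted to that role
        self.juniors_of = {}    # role -> roles it directly inherits from (role hierarchy)
        self.constraints = []   # callables (user, roles) -> bool, checked at session creation
        self.sessions = {}      # session id -> (user, active roles)

    def add_role(self, role, juniors=()):
        self.juniors_of.setdefault(role, set()).update(juniors)
        self.pa.setdefault(role, set())

    def assign_user(self, user, role):
        self.ua.setdefault(user, set()).add(role)

    def assign_permission(self, role, obj, op):
        self.pa.setdefault(role, set()).add((obj, op))

    def inherited(self, role):
        """Transitive closure of the hierarchy: the role plus every role junior to it."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.juniors_of.get(r, ()))
        return seen

    def activatable(self, user):
        return {j for r in self.ua.get(user, ()) for j in self.inherited(r)}

    def open_session(self, sid, user, roles):
        roles = set(roles)
        if not roles <= self.activatable(user):
            raise PermissionError(f"{user} is not authorized for {sorted(roles)}")
        if not all(c(user, roles) for c in self.constraints):
            raise PermissionError(f"session constraint violated for {sorted(roles)}")
        self.sessions[sid] = (user, roles)

    def check(self, sid, obj, op):
        _, active = self.sessions[sid]
        return any((obj, op) in self.pa.get(j, ()) for r in active for j in self.inherited(r))


# --- configuring the engine above to do MAC --------------------------------
# A label is (level, frozenset of categories); x dominates y when x's level is at
# least y's and x's categories include y's. The levels below are constructed sample data.
LEVELS = {"U": 0, "C": 1, "S": 2}


def dominates(x, y):
    return LEVELS[x[0]] >= LEVELS[y[0]] and x[1] >= y[1]


def role_name(label, kind):
    """'<level>.<categories>.R' is the read role for a label, '...W' the write role."""
    level, cats = label
    return f"{level}.{'+'.join(sorted(cats))}.{kind}"


def configure_mac(labels):
    rbac = RBAC()
    for x in labels:
        # Read roles follow the lattice: xR inherits yR whenever x dominates y, so a
        # session at x reads everything at or below x (simple security property).
        rbac.add_role(role_name(x, "R"),
                      {role_name(y, "R") for y in labels if y != x and dominates(x, y)})
        # Write roles run the other way: xW inherits yW whenever y dominates x, so a
        # session at x writes only at or above x (liberal *-property).
        rbac.add_role(role_name(x, "W"),
                      {role_name(y, "W") for y in labels if y != x and dominates(y, x)})

    def one_label_per_session(user, roles):
        # Constraint: exactly one read role and one write role, both for the same label.
        labels_used = {r.rsplit(".", 1)[0] for r in roles}
        kinds = sorted(r.rsplit(".", 1)[1] for r in roles)
        return len(roles) == 2 and len(labels_used) == 1 and kinds == ["R", "W"]

    rbac.constraints.append(one_label_per_session)
    return rbac


def clear_user(rbac, user, clearance, system_low):
    """Assign the read role of the clearance and the write role of system low (senior to
    every write role); the session constraint then pins both activated roles to one label."""
    rbac.assign_user(user, role_name(clearance, "R"))
    rbac.assign_user(user, role_name(system_low, "W"))


def label_object(rbac, obj, label):
    rbac.assign_permission(role_name(label, "R"), obj, "read")
    rbac.assign_permission(role_name(label, "W"), obj, "write")


def demo():
    U, C, S = ("U", frozenset()), ("C", frozenset({"nuc"})), ("S", frozenset({"nuc"}))
    rbac = configure_mac([U, C, S])
    clear_user(rbac, "alice", S, U)   # alice is cleared Secret
    clear_user(rbac, "bob", U, U)     # bob is cleared Unclassified only
    label_object(rbac, "plan.txt", S)
    label_object(rbac, "memo.txt", U)
    rbac.open_session("s1", "alice", [role_name(C, "R"), role_name(C, "W")])  # logs in at C
    out = {
        "alice@C reads memo(U)": rbac.check("s1", "memo.txt", "read"),    # read down: allowed
        "alice@C reads plan(S)": rbac.check("s1", "plan.txt", "read"),    # read up: denied
        "alice@C writes plan(S)": rbac.check("s1", "plan.txt", "write"),  # write up: allowed
        "alice@C writes memo(U)": rbac.check("s1", "memo.txt", "write"),  # write down: denied
    }
    try:
        rbac.open_session("s2", "bob", [role_name(C, "R"), role_name(C, "W")])
        out["bob opens session at C"] = "allowed"
    except PermissionError:
        out["bob opens session at C"] = "denied"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Nothing in the `RBAC` class knows about labels; the MAC behaviour comes entirely from how roles, the hierarchy and the session constraint are configured, which is the sense in which the slide calls RBAC policy neutral. Dropping the inverted write hierarchy, for instance, turns the same engine into a read-only information-flow check.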
15. RBAC Shortcomings
- Role granularity is not adequate, leading to role explosion
  - Researchers have suggested several extensions such as parameterized privileges, role templates, parameterized roles (1997-)
- Role design and engineering is difficult and expensive
  - Substantial research on role engineering, top down or bottom up (1996-), and on role mining (2003-)
- Assignment of users/permissions to roles is cumbersome
  - Researchers have investigated decentralized administration (1997-), attribute-based implicit user-role assignment (2002-), role delegation (2000-), role-based trust management (2003-), attribute-based implicit permission-role assignment (2012-)
- Adjustment based on local/global situational factors is difficult
  - Temporal (2001-) and spatial (2005-) extensions to RBAC proposed
- RBAC does not offer an extension framework
  - Every shortcoming seems to need a custom extension
  - Can ABAC unify these extensions in a common open-ended framework?
16. RBAC Shortcomings
Figure: the RBAC96 diagram again, annotated with Constraints and with the labels "Hard Enough" and "Impossible".
17-23. ABAC is not New
Slides 17 to 21 build up one figure: a User (Identity) carries Attributes, Public-keys and Secured secrets, and the mechanisms for binding them to the identity evolve over time.
- Pre Internet, early 1990s: X.509 Identity Certificates and the X.500 Directory
- Post Internet, late 1990s: X.509 Attribute Certificates; SPKI Certificates
- Mature Internet, 2000s: Anonymous Credentials
Slides 22 and 23 show the general ABAC picture: Attributes of the User, Subject, Object, Context and Action are evaluated against a Policy to produce an Authorization Decision (Yes/No). Mature Internet, 2000s instances: Usage Control, XACML, Attribute-Based Encryption.
24. ABAC Status
Figure: the RBAC publications-per-year chart from slide 11 (Pre-RBAC, Early RBAC, 1st expansion phase, 2nd expansion phase; RBAC96 paper, Proposed Standard, Standard Adopted), overlaid with a timeline from 1990? to 2014 and the annotation: ABAC still in pre/early phase.
25. Attribute-Based Access Control (ABAC)
- Attributes are name:value pairs
  - possibly chained
  - values can be complex data structures
- Associated with
  - actions
  - users
  - subjects
  - objects
  - contexts
  - policies
- Converted by policies into rights just in time
  - policies specified by security architects
  - attributes maintained by security administrators
  - but also possibly by users OR reputation and trust mechanisms
- Inherently extensible
26. ABACα Hypothesis (DBSEC 2012)
- An ABAC model requires
  - identification of policy configuration points (PCPs)
  - languages and formalisms for each PCP
- A core set of PCPs can be discovered by building the ABACα model to unify simple forms of DAC, MAC and RBAC
- Additional ABAC models can then be developed by
  - increasing the sophistication of the ABACα PCPs
  - discovering additional PCPs driven by requirements beyond DAC, MAC and RBAC
A small but crucial first step
27-28. ABACα Model Structure
Figure: the ABACα model with its Policy Configuration Points marked. Slide 28 adds the annotation: Can be configured to do DAC, MAC, RBAC.
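To make that annotation concrete, here is an added example (written for this page; it is neither the deck's code nor the ABACα authors' implementation) of a small attribute-based engine with three policy configuration points: an authorization policy per action, a subject-attribute constraint checked when a user creates a subject, and an object-attribute constraint checked when a subject creates an object. Three policy sets then make the same engine behave as DAC, MAC and RBAC; the RBAC set also uses a context attribute, which is how a temporal extension fits without changing the model. The class, the function and attribute names, the lattice levels and the sample users and objects are all this example's own.

```python
# Added example (not from the slides): a small attribute-based engine with the
# policy configuration points the ABACα slides name, and three policy sets that
# make it behave as DAC, MAC and RBAC. All names and sample data are this example's own.


class ABAC:
    """Users, subjects and objects carry attribute dicts; policies are predicates over them."""

    def __init__(self, authz, constr_subject, constr_object):
        self.authz = authz                    # action -> predicate(subject, object, context)
        self.constr_subject = constr_subject  # predicate(user attrs, proposed subject attrs)
        self.constr_object = constr_object    # predicate(creating subject, proposed object attrs)
        self.users, self.subjects, self.objects = {}, {}, {}

    def add_user(self, uid, **attrs):
        self.users[uid] = dict(attrs)

    def create_subject(self, sid, uid, **attrs):
        """A user creates a subject (session/process); the user's attributes bound the subject's."""
        if not self.constr_subject(self.users[uid], attrs):
            raise PermissionError(f"{uid} may not create a subject with {attrs}")
        self.subjects[sid] = {"user": uid, **attrs}

    def create_object(self, oid, sid, **attrs):
        if not self.constr_object(self.subjects[sid], attrs):
            raise PermissionError(f"{sid} may not create an object with {attrs}")
        self.objects[oid] = dict(attrs)

    def allowed(self, sid, action, oid, context=None):
        """The authorization decision: subject, object and context attributes run through the policy."""
        rule = self.authz.get(action)
        return rule is not None and bool(rule(self.subjects[sid], self.objects[oid], context or {}))


def dac():
    # Object attributes: owner, readers, writers. Only the owner may grant (edit those lists).
    def owner_or(listname):
        return lambda s, o, c: s["user"] == o["owner"] or s["user"] in o[listname]
    return ABAC(
        authz={"read": owner_or("readers"), "write": owner_or("writers"),
               "grant": lambda s, o, c: s["user"] == o["owner"]},
        constr_subject=lambda u, s: True,
        constr_object=lambda s, o: o["owner"] == s["user"],   # the creator becomes the owner
    )


LEVELS = {"U": 0, "C": 1, "S": 2}   # constructed sample lattice (totally ordered here)


def mac():
    def dom(a, b):
        return LEVELS[a] >= LEVELS[b]
    return ABAC(
        authz={"read": lambda s, o, c: dom(s["clearance"], o["classification"]),    # simple security
               "write": lambda s, o, c: dom(o["classification"], s["clearance"])},  # liberal *-property
        constr_subject=lambda u, s: dom(u["clearance"], s["clearance"]),      # subject level <= clearance
        constr_object=lambda s, o: dom(o["classification"], s["clearance"]),  # no creating below own level
    )


def rbac():
    # User attribute: assigned roles; subject attribute: activated roles (a subset of them);
    # object attribute: allowed roles per action. The context attribute "hour" gates writes.
    def has_role(s, o, action):
        return bool(set(s["roles"]) & set(o["allowed"].get(action, ())))
    return ABAC(
        authz={"read": lambda s, o, c: has_role(s, o, "read"),
               "write": lambda s, o, c: has_role(s, o, "write") and 9 <= c.get("hour", -1) < 18},
        constr_subject=lambda u, s: set(s["roles"]) <= set(u["roles"]),
        constr_object=lambda s, o: True,
    )


def demo():
    out = {}
    d = dac()
    d.add_user("alice"); d.add_user("bob")
    d.create_subject("a1", "alice"); d.create_subject("b1", "bob")
    d.create_object("notes", "a1", owner="alice", readers={"bob"}, writers=set())
    out["dac bob reads"] = d.allowed("b1", "read", "notes")        # listed reader
    out["dac bob writes"] = d.allowed("b1", "write", "notes")      # not a writer, not owner
    out["dac alice grants"] = d.allowed("a1", "grant", "notes")    # owner

    m = mac()
    m.add_user("carol", clearance="S")
    m.create_subject("c1", "carol", clearance="C")                 # logs in below her clearance
    m.create_object("memo", "c1", classification="S")
    out["mac c1 reads S memo"] = m.allowed("c1", "read", "memo")   # read up: denied
    out["mac c1 writes S memo"] = m.allowed("c1", "write", "memo") # write up: allowed

    r = rbac()
    r.add_user("dave", roles={"engineer", "auditor"})
    r.create_subject("d1", "dave", roles={"engineer"})
    r.create_object("ledger", "d1", allowed={"read": {"auditor", "engineer"}, "write": {"engineer"}})
    out["rbac read"] = r.allowed("d1", "read", "ledger")
    out["rbac write at 03:00"] = r.allowed("d1", "write", "ledger", {"hour": 3})
    out["rbac write at 10:00"] = r.allowed("d1", "write", "ledger", {"hour": 10})
    try:
        r.create_subject("d2", "dave", roles={"admin"})             # role dave was never assigned
        out["rbac activate unassigned role"] = "allowed"
    except PermissionError:
        out["rbac activate unassigned role"] = "denied"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The engine never changes between the three configurations; only the attribute vocabulary and the predicates plugged into the configuration points do. That is the property the slides are after: the PCPs are fixed, and the sophistication of what each one may express is where later models (ABACβ's context attributes, meta-attributes and policy language) add power.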
29. ABACβ Scope
ABACβ extends ABACα along five dimensions:
1. Context Attributes
2. Subject attribute constraint policies are different at creation and modification time
3. Subject attributes constrained by attributes of subjects created by the same user
4. Policy Language
5. Meta-Attributes
Figure: a table whose cells list subsets of these dimensions (1, 2, 4, 5; 1, 4, 5; 4, 5; 1, 4; 1, 4, 5; 1, 2, 3, 4, 5; and 4).
30. ABACβ Model
Figure: the ABACβ model diagram.
31. Beyond ABAC
Figure with the labels: Security; Access Control, Trust, Risk; Attributes, Relationships, Provenance.
32. ABAC Research at ICS
- GURA model for user-attribute assignment
- Safety analysis of ABACα and ABACβ
  - Undecidable safety for ABAC models
  - Decidable safety for ABAC with finite fixed attributes
- Constraints in ABAC
- ABAC Cloud IaaS implementations (OpenStack)
- Attribute Engineering
- Attribute Mining
- Unification of Attributes, Relationships and Provenance

Mais conteúdo relacionado

Semelhante a smu_abac_150410.pptx

Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2   indic threads cloud computing conferen...Cloud lockin and interoperability v2   indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...IndicThreads
 
How To Track Performance and Fault in a Multi-layer, Software-Defined Network...
How To Track Performance and Fault in a Multi-layer, Software-Defined Network...How To Track Performance and Fault in a Multi-layer, Software-Defined Network...
How To Track Performance and Fault in a Multi-layer, Software-Defined Network...CA Technologies
 
Simplifying Cloud Adoption with Cisco
Simplifying Cloud Adoption with CiscoSimplifying Cloud Adoption with Cisco
Simplifying Cloud Adoption with CiscoCisco Canada
 
The Cloudification Perspectives of Search-based Software Testing
The Cloudification Perspectives of Search-based Software TestingThe Cloudification Perspectives of Search-based Software Testing
The Cloudification Perspectives of Search-based Software TestingSebastiano Panichella
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelinesSrishti Ahuja
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelinesSrishti Ahuja
 
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability  - Indicthreads cloud computing conf...Cloud Lock-in vs. Cloud Interoperability  - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...IndicThreads
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data CenterCisco Canada
 
Defining Microservices
Defining MicroservicesDefining Microservices
Defining MicroservicesMatt McLarty
 
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)Cisco Canada
 
Webinar - Nuage Networks Integration with Check Point vSEC Gateway
Webinar - Nuage Networks Integration with Check Point vSEC GatewayWebinar - Nuage Networks Integration with Check Point vSEC Gateway
Webinar - Nuage Networks Integration with Check Point vSEC GatewayHussein Khazaal
 
The Changing Data Center Landscape
The Changing Data Center LandscapeThe Changing Data Center Landscape
The Changing Data Center LandscapeCisco Canada
 
Case Study: Datalink—Manage IT monitoring the MSP way
Case Study: Datalink—Manage IT monitoring the MSP wayCase Study: Datalink—Manage IT monitoring the MSP way
Case Study: Datalink—Manage IT monitoring the MSP wayCA Technologies
 
Tech Talk: Keeping Applications Compliant and Secure Using Release Automation
Tech Talk: Keeping Applications Compliant and Secure Using Release AutomationTech Talk: Keeping Applications Compliant and Secure Using Release Automation
Tech Talk: Keeping Applications Compliant and Secure Using Release AutomationCA Technologies
 
SD-WAN_MoD.pptx for SD WAN networks connectivity
SD-WAN_MoD.pptx for SD WAN networks connectivitySD-WAN_MoD.pptx for SD WAN networks connectivity
SD-WAN_MoD.pptx for SD WAN networks connectivitybayusch
 
Building The Right Network
Building The Right NetworkBuilding The Right Network
Building The Right NetworkCisco Canada
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a  Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a  Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxTurja Narayan Chaudhuri
 
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...Primend
 
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...CA Technologies
 

Semelhante a smu_abac_150410.pptx (20)

Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2   indic threads cloud computing conferen...Cloud lockin and interoperability v2   indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
 
How To Track Performance and Fault in a Multi-layer, Software-Defined Network...
How To Track Performance and Fault in a Multi-layer, Software-Defined Network...How To Track Performance and Fault in a Multi-layer, Software-Defined Network...
How To Track Performance and Fault in a Multi-layer, Software-Defined Network...
 
Simplifying Cloud Adoption with Cisco
Simplifying Cloud Adoption with CiscoSimplifying Cloud Adoption with Cisco
Simplifying Cloud Adoption with Cisco
 
The Cloudification Perspectives of Search-based Software Testing
The Cloudification Perspectives of Search-based Software TestingThe Cloudification Perspectives of Search-based Software Testing
The Cloudification Perspectives of Search-based Software Testing
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability  - Indicthreads cloud computing conf...Cloud Lock-in vs. Cloud Interoperability  - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data Center
 
Defining Microservices
Defining MicroservicesDefining Microservices
Defining Microservices
 
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
 
Webinar - Nuage Networks Integration with Check Point vSEC Gateway
Webinar - Nuage Networks Integration with Check Point vSEC GatewayWebinar - Nuage Networks Integration with Check Point vSEC Gateway
Webinar - Nuage Networks Integration with Check Point vSEC Gateway
 
The Changing Data Center Landscape
The Changing Data Center LandscapeThe Changing Data Center Landscape
The Changing Data Center Landscape
 
Case Study: Datalink—Manage IT monitoring the MSP way
Case Study: Datalink—Manage IT monitoring the MSP wayCase Study: Datalink—Manage IT monitoring the MSP way
Case Study: Datalink—Manage IT monitoring the MSP way
 
Tech Talk: Keeping Applications Compliant and Secure Using Release Automation
Tech Talk: Keeping Applications Compliant and Secure Using Release AutomationTech Talk: Keeping Applications Compliant and Secure Using Release Automation
Tech Talk: Keeping Applications Compliant and Secure Using Release Automation
 
SD-WAN_MoD.pptx for SD WAN networks connectivity
SD-WAN_MoD.pptx for SD WAN networks connectivitySD-WAN_MoD.pptx for SD WAN networks connectivity
SD-WAN_MoD.pptx for SD WAN networks connectivity
 
Building The Right Network
Building The Right NetworkBuilding The Right Network
Building The Right Network
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a  Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a  Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
 
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...
 
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
 

Último

Animal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxAnimal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxUmerFayaz5
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx  .This slides helps to know the different types of biop...Biopesticide (2).pptx  .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...RohitNehra6
 
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...Sérgio Sacani
 
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.aasikanpl
 
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCESTERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCEPRINCE C P
 
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service  🪡CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service  🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡anilsa9823
 
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43bNightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43bSérgio Sacani
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfnehabiju2046
 
Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )aarthirajkumar25
 
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...Sérgio Sacani
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSarthak Sekhar Mondal
 
Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PPRINCE C P
 
Grafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander  in real timeGrafana in space: Monitoring Japan's SLIM moon lander  in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real timeSatoshi NAKAHIRA
 
Analytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptxAnalytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptxSwapnil Therkar
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​  ​Nanoparticles synthesis and characterization​  ​
Nanoparticles synthesis and characterization​ ​kaibalyasahoo82800
 
Work, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE PhysicsWork, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE Physicsvishikhakeshava1
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsSérgio Sacani
 
Orientation, design and principles of polyhouse
Orientation, design and principles of polyhouseOrientation, design and principles of polyhouse
Orientation, design and principles of polyhousejana861314
 

Último (20)

Animal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxAnimal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptx
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx  .This slides helps to know the different types of biop...Biopesticide (2).pptx  .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
 
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
 
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
 
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCESTERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
 
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service  🪡CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service  🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
 
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43bNightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
 
The Philosophy of Science
The Philosophy of ScienceThe Philosophy of Science
The Philosophy of Science
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdf
 
Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )
 
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
 
CELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdfCELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdf
 
Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C P
 
Grafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander  in real timeGrafana in space: Monitoring Japan's SLIM moon lander  in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real time
 
Analytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptxAnalytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptx
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​  ​Nanoparticles synthesis and characterization​  ​
Nanoparticles synthesis and characterization​ ​
 
Work, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE PhysicsWork, Energy and Power for class 10 ICSE Physics
Work, Energy and Power for class 10 ICSE Physics
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
 
Orientation, design and principles of polyhouse
Orientation, design and principles of polyhouseOrientation, design and principles of polyhouse
Orientation, design and principles of polyhouse
 

smu_abac_150410.pptx

  • 1. 1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber Security University of Texas at San Antonio Singapore Management University Singapore April 10, 2015 ravi.sandhu@utsa.edu, www.profsandhu.com, www.ics.utsa.edu © Ravi Sandhu World-Leading Research with Real-World Impact! Institute for Cyber Security
  • 2. Cyber Security Technologies © Ravi Sandhu 2 World-Leading Research with Real-World Impact! AUTHENTICATION INTRUSION/MALWARE DETECTION AND AUDIT CRYPTOGRAPHY ACCESS CONTROL ASSURANCE RISK ANALYSIS SECURITY ENGINEERING & MANAGEMENT
  • 3.  Analog Hole  Inference  Covert Channels  Side Channels  Phishing  Social Engineering  Attack Asymmetry  Privacy vs Security  Base-rate Fallacy  …. © Ravi Sandhu 3 World-Leading Research with Real-World Impact! Security Limitations Can manage Cannot eliminate
  • 4. © Ravi Sandhu 4 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ????
  • 5. © Ravi Sandhu 5 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Fixed policy Flexible policy
  • 6. © Ravi Sandhu 6 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Administration Driven Automated Adaptive
  • 7. © Ravi Sandhu 7 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Enterprise Oriented Beyond Enterprise
  • 8. © Ravi Sandhu 8 World-Leading Research with Real-World Impact! Access Control Discretionary Access Control (DAC), 1970 Mandatory Access Control (MAC), 1970 Role Based Access Control (RBAC), 1995 Attribute Based Access Control (ABAC), ???? Messy or Chaotic?
  • 9.  Discretionary Access Control (DAC), 1970  Owner controls access  But only to the original, not to copies  Grounded in pre-computer policies of researchers  Mandatory Access Control (MAC), 1970  Synonymous to Lattice-Based Access Control (LBAC)  Access based on security labels  Labels propagate to copies  Grounded in pre-computer military and national security policies  Role-Based Access Control (RBAC), 1995  Access based on roles  Can be configured to do DAC or MAC  Grounded in pre-computer enterprise policies © Ravi Sandhu 9 World-Leading Research with Real-World Impact! Access Control Models Numerous other models but only 3 successes: SO FAR
  • 10. 10 World-Leading Research with Real-World Impact! Access Control Models © Ravi Sandhu Policy Specification Policy Reality Policy Enforcement Policy Administration MAC, DAC Main focus RBAC, ABAC Initial focus RBAC, ABAC Next step focus MAC, DAC Easy (relatively)
  • 11. © Ravi Sandhu 11 World-Leading Research with Real-World Impact! The RBAC Story 2nd expansion phase 1st expansion phase 1995 2000 2005 2008 Amount of Publications Year of Publication 28 30 30 35 40 48 53 88 85 88 112 103 111 866  1992 3 2 7 3 80 60 40 20 0 Pre-RBAC Early RBAC 100 RBAC96 model NIST-ANSI Standard Proposed NIST-ANSI Standard Adopted Ludwig Fuchs, Gunther Pernul and Ravi Sandhu, Roles in Information Security-A Survey and Classification of the Research Area, Computers & Security, Volume 30, Number 8, Nov. 2011, pages 748-76
• 12. RBAC96 Model (diagram, including Constraints)
• 13. RBAC Policy Configuration Points (RBAC96 diagram, each configuration point labelled with who sets it: Security Architect, Security Administrator or User; Constraints)
• 14. Fundamental Theorem of RBAC
 RBAC can be configured to do MAC
 RBAC can be configured to do DAC
 RBAC is policy neutral: RBAC is neither MAC nor DAC!
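The "RBAC can be configured to do MAC" half of the theorem is easiest to believe once you see the construction. The following is an added example, not code from the slides: it builds the well-known Osborn-Sandhu-Munawer configuration of RBAC96 for lattice-based MAC with the liberal *-property. For every label x there is a read role xR and a write role xW; the read-role hierarchy follows label dominance (read down), the write-role hierarchy is inverted (write up), a user cleared at x is assigned xR plus the lowest label's write role, and a session constraint allows exactly one matching pair (yR, yW) with y no higher than the clearance. The label set, users and objects are constructed samples and all names are hypothetical.

```python
"""RBAC96 configured to enforce lattice-based MAC (liberal *-property).

Added illustration of the Osborn, Sandhu, Munawer construction; names
and sample data are hypothetical.
"""
from itertools import product

# A totally ordered lattice, lowest first (constructed sample).  The
# construction works for any partial order; only dominates() changes.
LABELS = ["U", "C", "S", "TS"]

def dominates(x, y):
    """x >= y in the lattice."""
    return LABELS.index(x) >= LABELS.index(y)

# Role hierarchy as 'senior role -> set of junior roles (reflexive)'.
#   xR >= yR  iff x >= y   (read down)
#   xW >= yW  iff y >= x   (write up: the lowest label's write role
#                           is senior to every other write role)
ROLE_HIERARCHY = {}
for x, y in product(LABELS, LABELS):
    if dominates(x, y):
        ROLE_HIERARCHY.setdefault(x + "R", set()).add(y + "R")
        ROLE_HIERARCHY.setdefault(y + "W", set()).add(x + "W")

def juniors(role):
    """All roles whose permissions `role` inherits, itself included."""
    return ROLE_HIERARCHY.get(role, {role})

# Permission-role assignment: an object's read permission goes to its
# label's read role, its write permission to its label's write role.
OBJECTS = {"memo": "U", "plan": "S", "intel": "TS"}   # object -> label (sample)

def permission_role(obj, op):
    return OBJECTS[obj] + ("R" if op == "read" else "W")

# User-role assignment: a user cleared at x gets xR and the lowest
# label's write role.  Through the hierarchy that authorizes yR for
# every y <= x and yW for every y.
USERS = {"alice": "S", "bob": "U"}                     # user -> clearance (sample)

def assigned_roles(user):
    return {USERS[user] + "R", LABELS[0] + "W"}

def authorized_roles(user):
    """Roles the user may activate: assigned roles and their juniors."""
    roles = set()
    for r in assigned_roles(user):
        roles |= juniors(r)
    return roles

def can_open_session(user, label):
    """Session constraint: exactly the pair (yR, yW), both authorized.
    Because yR is authorized only for y <= clearance, this is where
    the clearance check actually happens."""
    return {label + "R", label + "W"} <= authorized_roles(user)

def open_session(user, label):
    if not can_open_session(user, label):
        raise PermissionError(f"{user} cannot open a session at {label}")
    return {"user": user, "roles": {label + "R", label + "W"}}

def can(session, obj, op):
    """Standard RBAC check: permission must belong to an active role
    or one of its juniors.  Simple security and *-property fall out
    of the two hierarchies, not of any label comparison here."""
    active = set()
    for r in session["roles"]:
        active |= juniors(r)
    return permission_role(obj, op) in active

if __name__ == "__main__":
    s = open_session("alice", "S")
    for obj in OBJECTS:
        print(obj, "read:", can(s, obj, "read"), "write:", can(s, obj, "write"))
```

Note that `can()` never compares labels: the MAC behaviour comes entirely from the shape of the role hierarchy and the session constraint, which is the sense in which RBAC is policy neutral.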
• 15. RBAC Shortcomings
 Role granularity is not adequate, leading to role explosion
  Researchers have suggested several extensions such as parameterized privileges, role templates and parameterized roles (1997-)
 Role design and engineering is difficult and expensive
  Substantial research on role engineering, top down or bottom up (1996-), and on role mining (2003-)
 Assignment of users/permissions to roles is cumbersome
  Researchers have investigated decentralized administration (1997-), attribute-based implicit user-role assignment (2002-), role delegation (2000-), role-based trust management (2003-) and attribute-based implicit permission-role assignment (2012-)
 Adjustment based on local/global situational factors is difficult
  Temporal (2001-) and spatial (2005-) extensions to RBAC have been proposed
 RBAC does not offer an extension framework
  Every shortcoming seems to need a custom extension
  Can ABAC unify these extensions in a common open-ended framework?
• 16. RBAC Shortcomings (RBAC96 diagram annotated: Constraints; Hard Enough; Impossible)
• 17-21. ABAC is not New (timeline of attribute-bearing credentials, built up over slides 17 to 21)
 User (identity) attributes, bound to public keys + secured secrets
 Pre Internet, early 1990s: X.509 identity certificates, X.500 directory
 Post Internet, late 1990s: X.509 attribute certificates; SPKI certificates
 Mature Internet, 2000s: anonymous credentials
• 22-23. ABAC is not New (diagram): attributes of the action, user, subject, object and context feed a policy that yields an authorization decision (yes/no). Mature Internet, 2000s: usage control, XACML, attribute-based encryption.
• 24. ABAC Status: the publication-count chart of slide 11 (Pre-RBAC, Early RBAC, 1st and 2nd expansion phases; RBAC96 paper, proposed standard, standard adopted), redrawn on a 1990?-2014 timeline. ABAC is still in its pre/early phase.
• 25. Attribute-Based Access Control (ABAC)
 Attributes are name:value pairs
  possibly chained
  values can be complex data structures
 Associated with actions, users, subjects, objects, contexts and policies
 Converted by policies into rights just in time
  policies specified by security architects
  attributes maintained by security administrators, but also possibly by users or by reputation and trust mechanisms
 Inherently extensible
• 26. ABACα Hypothesis (DBSEC 2012): a small but crucial first step
 An ABAC model requires
  identification of policy configuration points (PCPs)
  languages and formalisms for each PCP
 A core set of PCPs can be discovered by building the ABACα model to unify simple forms of DAC, MAC and RBAC
 Additional ABAC models can then be developed by
  increasing the sophistication of the ABACα PCPs
  discovering additional PCPs driven by requirements beyond DAC, MAC and RBAC
• 27-28. ABACα Model Structure (diagram with its Policy Configuration Points). ABACα can be configured to do DAC, MAC and RBAC.
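To make slide 25's "attributes converted by policies into rights just in time" and slides 27-28's "can be configured to do DAC, MAC, RBAC" concrete, here is an added example, not the ABACα paper's formal definition nor code from the slides. It is a small ABACα-style engine whose only policy configuration points are a subject-creation constraint (what attributes a user may give a subject) and one authorization predicate per operation; the security architect fills those in, the security administrator maintains the user and object attributes. The same engine is then instantiated three times. Attribute names, users, objects and labels are constructed and hypothetical.

```python
"""An ABACα-style engine with its policy configuration points exposed,
then configured as DAC, MAC and RBAC.  Added illustration; attribute
and policy names are hypothetical, sample data is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict

Attrs = Dict[str, object]

@dataclass
class AbacAlpha:
    # Policy configuration points (set by the security architect)
    constr_sub: Callable[[Attrs, Attrs], bool]                 # (user attrs, proposed subject attrs) -> ok?
    authorization: Dict[str, Callable[[Attrs, Attrs], bool]]   # op -> (subject attrs, object attrs) -> ok?
    # Attribute assignments (maintained by the security administrator)
    users: Dict[str, Attrs] = field(default_factory=dict)
    objects: Dict[str, Attrs] = field(default_factory=dict)

    def may_create(self, user: str, sa: Attrs) -> bool:
        """A user may only create a subject whose attributes pass the constraint."""
        return bool(self.constr_sub(self.users[user], sa))

    def create_subject(self, user: str, sa: Attrs) -> Attrs:
        if not self.may_create(user, sa):
            raise PermissionError(f"{user} may not create subject {sa}")
        return sa

    def allowed(self, sa: Attrs, obj: str, op: str) -> bool:
        """Just-in-time conversion of attributes into a right: no ACL or
        role table is consulted except through the object's attributes."""
        return bool(self.authorization[op](sa, self.objects[obj]))

# 1. DAC: the owner decides; the ACL is just an object attribute.
dac = AbacAlpha(
    constr_sub=lambda ua, sa: sa["id"] == ua["id"],          # a subject carries its user's identity
    authorization={
        "read":  lambda sa, oa: sa["id"] == oa["owner"] or sa["id"] in oa["acl"].get("read", set()),
        "write": lambda sa, oa: sa["id"] == oa["owner"] or sa["id"] in oa["acl"].get("write", set()),
    },
    users={"alice": {"id": "alice"}, "bob": {"id": "bob"}},
    objects={"notes": {"owner": "alice", "acl": {"read": {"bob"}}}},
)

# 2. MAC: read down / write up over a totally ordered label set.
LEVELS = ["U", "C", "S", "TS"]
dom = lambda x, y: LEVELS.index(x) >= LEVELS.index(y)        # x dominates y
mac = AbacAlpha(
    constr_sub=lambda ua, sa: dom(ua["clearance"], sa["label"]),  # subject label <= clearance
    authorization={
        "read":  lambda sa, oa: dom(sa["label"], oa["label"]),    # simple security
        "write": lambda sa, oa: dom(oa["label"], sa["label"]),    # liberal *-property
    },
    users={"alice": {"clearance": "S"}},
    objects={"memo": {"label": "U"}, "intel": {"label": "TS"}},
)

# 3. RBAC: active roles must be a subset of assigned roles; permissions
#    are attached to roles through an object attribute.
rbac = AbacAlpha(
    constr_sub=lambda ua, sa: sa["roles"] <= ua["roles"],
    authorization={
        "read":  lambda sa, oa: bool(sa["roles"] & oa["perm_roles"].get("read", set())),
        "write": lambda sa, oa: bool(sa["roles"] & oa["perm_roles"].get("write", set())),
    },
    users={"alice": {"roles": {"doctor", "staff"}}},
    objects={"chart": {"perm_roles": {"read": {"staff"}, "write": {"doctor"}}}},
)

def demo() -> Dict[str, bool]:
    """Run one representative request through each configuration."""
    results = {}
    s = dac.create_subject("bob", {"id": "bob"})
    results["dac_bob_read"] = dac.allowed(s, "notes", "read")
    results["dac_bob_write"] = dac.allowed(s, "notes", "write")
    s = mac.create_subject("alice", {"label": "S"})
    results["mac_read_intel"] = mac.allowed(s, "intel", "read")
    results["mac_write_intel"] = mac.allowed(s, "intel", "write")
    results["mac_write_memo"] = mac.allowed(s, "memo", "write")
    s = rbac.create_subject("alice", {"roles": {"staff"}})    # least privilege: activate only 'staff'
    results["rbac_staff_write"] = rbac.allowed(s, "chart", "write")
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point to notice is which slot each classical model occupies: DAC lives almost entirely in object attributes that the owner may edit, MAC lives in the subject-creation constraint plus two label comparisons, and RBAC lives in the subset constraint on activated roles. Nothing in the engine changed between the three; only the policy configuration points did.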
• 29. ABACβ Scope: extensions of ABACα
 1. Context attributes
 2. Subject attribute constraint policies differ at creation and modification time
 3. Subject attributes constrained by attributes of subjects created by the same user
 4. Policy language
 5. Meta-attributes
(Figure mapping the models ABACβ covers to the subsets of items 1-5 each requires.)
• 31. Beyond ABAC (diagram): security concerns of access control, trust and risk, built on attributes, relationships and provenance.
• 32. ABAC Research at ICS
 GURA model for user-attribute assignment
 Safety analysis of ABACα and ABACβ
  Undecidable safety for ABAC models in general
  Decidable safety for ABAC with finite fixed attributes
 Constraints in ABAC
 ABAC Cloud IaaS implementations (OpenStack)
 Attribute engineering
 Attribute mining
 Unification of attributes, relationships and provenance