Future of Access Control: Attributes, Automation, Adaptation
Prof. Ravi Sandhu
Executive Director, Institute for Cyber Security
Lutcher Brown Endowed Chair in Cyber Security
University of Texas at San Antonio
PSG College of Technology, ICC3 Conference, Keynote
December 19, 2013
[email protected], www.profsandhu.com, www.ics.utsa.edu
© Ravi Sandhu World-Leading Research with Real-World Impact!
Institute for Cyber Security
The Science, Engineering, and Business of Cyber Security
Cyber Security Status
Micro security:
Not too bad
About as good as it is going to get
Criminals can only defraud so many
Big government/big business are real threats
Macro security:
New arena for researchers
Highly asymmetric, includes offense, clandestine
Dual goals: strong offense, strong defense
Cyber should be controllable: nuclear, chemical, biological have been “controlled”
21st Century Cyberspace
Run as fast as you can to stay in place
≈ 2010 US Department of Defense epiphanies: a new domain akin to land, sea, air and space; have and use offensive cyber weapons; malware penetrations in highly classified networks
Consumerization of cyberspace: anytime, anywhere, anything; BYOD (bring your own device); BYOC (bring your own cyberspace?)
Entanglement of cyber-physical-social space: just starting
Cyber Security Goal
Enable system designers and operators to say:
This system is secure
Not attainable: there is an infinite supply of low-hanging attacks
Alternate goal:
This system is as secure as possible (more secure is always better)
Not appropriate
Alternate goal:
This system is secure “enough”
Mass scale, rather low assurance: ATM network, on-line banking, e-commerce
One of a kind, extremely high assurance: US President’s nuclear football
Many successful examples
Cyber Security Ecosystem
Science, Engineering, Business
Distinguishing characteristics of cyber/cyber security:
Cyberspace is an entirely man-made domain
Evolves rapidly and unpredictably
Validation primarily with respect to future systems
Science explains the cause of observed phenomena and enables better construction of future systems
Scientific Method: Natural Sciences
Hypothesis → Prediction → Experimentation
Prediction confirmed: Hypothesis → Law
Prediction falsified: Reject hypothesis
Paradigms
Scientific Method: Cyber Sciences
The same cycle (Hypothesis → Prediction → Experimentation; prediction confirmed: Hypothesis → Law; prediction falsified: Reject hypothesis; Paradigms), plus: science explains the cause of observed phenomena and enables better construction of future systems
Science Quadrants (after Donald Stokes, 1997, Pasteur’s Quadrant: Basic Science and Technological Innovation)
Diagram (not recoverable as an image): a 2×2 grid with Fundamental Understanding (L/H) on one axis and Utility (L/H) on the other
Pasteur: high fundamental understanding, high utility
Bohr: high fundamental understanding, low utility
Edison: low fundamental understanding, high utility
junk: low on both
Cyber Science Quadrants: the same grid with Cerf-Kahn in Pasteur’s quadrant, Turing in Bohr’s, Jobs in Edison’s, and junk
Cyber Security Quadrants: the same grid with “??” in each of the three named quadrants, and junk
Access Control Decomposition
Policy Specification
Policy Reality
Policy Enforcement
Policy Administration
Access Control
Discretionary Access Control (DAC), 1970
Mandatory Access Control (MAC), 1970
Role Based Access Control (RBAC), 1995
Attribute Based Access Control (ABAC), ????
RBAC can be configured to do MAC or DAC
Fixed policy → Flexible policy
Human driven → Automated, adaptive
Messy or Chaotic?
ABAC Model Structure
Policy Configuration Points
Usage Control Model (UCON)
Diagram (not recoverable as an image): Subjects (S) with Subject Attributes (SA) and Objects (O) with Object Attributes (OA) are linked through Rights (R); Usage Decisions are driven by Authorizations (A), Obligations (B) and Conditions (C)
Continuity of decisions: pre-decision and ongoing-decision, across before-usage, ongoing-usage and after-usage
Mutability of attributes: pre-update, ongoing-update and post-update
UCON is a unified model integrating authorization, obligation and conditions, and incorporating continuity of decisions and mutability of attributes
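As an added illustration (not code from the talk or from any UCON reference implementation), the following minimal Python evaluator exercises the UCON components just listed: an authorization predicate over subject and object attributes (a clearance/sensitivity dominance check, with no role or identity lookup), an obligation, a condition, a pre-decision with a pre-update, an ongoing-decision that can revoke usage when a condition or attribute changes, and a post-update. The names (Usage, pre_decision, ongoing_decision, end_usage) and the sample attribute values are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Usage:
    subject: dict            # subject attributes (SA), mutable
    obj: dict                # object attributes (OA)
    env: dict                # conditions (C): environment state
    right: str               # requested right (R), e.g. "read"
    obligations_done: set = field(default_factory=set)  # obligations (B) fulfilled

def authorization(u):
    # (A) predicate over attributes only: a clearance/sensitivity
    # dominance check, with no role or identity lookup
    return (u.subject["clearance"] >= u.obj["sensitivity"]
            and u.right in u.obj["rights"])

def obligation(u):
    # (B) an action the subject must have performed beforehand
    return "accept_terms" in u.obligations_done

def condition(u):
    # (C) environmental predicate evaluated at decision time
    return u.env["business_hours"]

def pre_decision(u):
    """Decision before usage; on grant apply the pre-update to SA."""
    if not (authorization(u) and obligation(u) and condition(u)):
        return False
    u.subject["concurrent"] += 1   # pre-update of a mutable attribute
    return True

def ongoing_decision(u):
    """Continuity of decisions: re-checked while usage is in progress.
    A changed condition or a mutated attribute can revoke a usage
    that was granted earlier."""
    within_limit = u.subject["concurrent"] <= u.subject["max_concurrent"]
    return within_limit and authorization(u) and condition(u)

def end_usage(u):
    """Post-update: release the concurrency slot when usage ends."""
    u.subject["concurrent"] -= 1
    return u.subject["concurrent"]

def make_usage(accepted_terms=True, business_hours=True):
    # constructed sample attributes, not taken from the slides
    alice = {"clearance": 2, "concurrent": 0, "max_concurrent": 1}
    report = {"sensitivity": 1, "rights": {"read"}}
    done = {"accept_terms"} if accepted_terms else set()
    return Usage(alice, report, {"business_hours": business_hours}, "read", done)
```

Calling pre_decision on make_usage() grants the read and bumps the concurrency counter; flipping env["business_hours"] to False afterwards makes ongoing_decision return False, which is the revocation-during-usage behaviour that distinguishes UCON from a one-shot access check.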
The RBAC Story
Chart (not recoverable as an image): amount of RBAC publications by year of publication, 1992 to 2008, with the phases Pre-RBAC, Early RBAC, 1st expansion phase and 2nd expansion phase, and the milestones RBAC96 paper, Proposed Standard and Standard Adopted marked on the timeline. Bar labels (publication counts) as extracted: 3, 2, 7, 3 and 28, 30, 30, 35, 40, 48, 53, 88, 85, 88, 112, 103, 111; these sum to 866.
ABAC Status
The same RBAC publication chart, annotated: ABAC still in pre/early phase (199x? to 2013)
Access Control Prognosis
Cyber technologies and systems trends will drive pervasive adoption of ABAC
ABAC deployment is going to be messy but need not be chaotic
Researchers can facilitate ABAC adoption and reduce chaos by developing models, theories and systems