A Conceptual Framework forGroup-Centric Secure Information Sharing

Ram Krishnan (George Mason University)Ravi Sandhu, Jianwei Niu, William Winsborough

(University of Texas at San Antonio)ASIACCS 2009, Sydney, Australia

Secure Information Sharing (SIS)

• A fundamental problem in cyber security– Share but protect

• Current approaches not satisfactory• Classic models (DAC/MAC/RBAC) do not work• Recent approaches

• Proprietary systems for Enterprise Rights Management• Many solutions: IBM, CA, Oracle, Sun, Authentica, etc.• Interoperability is a major issue

• Many languages have been standardized• XrML, ODRL, XACML, etc.

• Primarily, dissemination or object centric

2

Dissemination Centric Sharing

• Attach attributes and policies to objects– Objects are associated with sticky policies– XrML, ODRL, XACML, etc. provide sticky policies

3

Alice Bob Charlie Ravi Shashi

Attribute + Policy Cloud

Object

Attribute + Policy Cloud

Object

Attribute + Policy Cloud

Object

Attribute + Policy Cloud

Object

Dissemination Chain with Sticky Policies on Objects

Attribute Cloud

Attribute Cloud

Attribute Cloud

Attribute Cloud

Attribute Cloud

Group Centric Sharing (g-SIS)• Advocates bringing users & objects together in a group

– In practice, co-exists with dissemination centric sharing

4

NeverGroupSubject Leave

Current GroupSubject

PastGroupSubject

Join

Join

NeverGroupObject Remove

Current GroupObject

PastGroupObject

Add

Add

• Two useful metaphors– Secure Meeting/Document Room

• Users’ access may depend on their participation period• E.g. Program committee meeting, Collaborative Product Development, Merger and

Acquisition, etc.

– Subscription Model• Access to content may depend on when the subscription began• E.g. Magazine Subscription, Secure Multicast, etc.

Core g-SIS Properties

Join Add

Leave Authz

Add Join

Remove Authz

1. Provenance: Authorization can only originate during a simultaneous period of membership

2. Bounded Authorization: Authorization cannot grow during non-membership periods

3. Persistence: Authorization cannot change if no group event occurs

g-SIS Operation Semantics

6

6

GROUP

Authz (S,O,R)?

Join Leave

Add Remove

Subjects

Objects

GROUP

Authz (S,O,R)?

Strict Join

Strict Leave

Liberal Add

Liberal Remove

LiberalJoin

LiberalLeave

StrictAdd Strict

Remove

Subjects

Objects

Operation Semantics (Continued)

7

• Strict Join (SJ): Only access objects added after Join time• Liberal Join (LJ): Also access objects added before Join time• Strict Leave (SL): Lose access to all objects• Liberal Leave (LL): Retain authorizations held at Leave time

Operation Semantics (Continued)

8

• Strict Add (SA): Only existing subjects at Add time are authorized

• Liberal Add (LA): No such restrictions• Strict Remove (SR): All subjects lose access• Liberal Remove (LR): Subjects who had authorization

at Remove time can retain access

Family of g-SIS Models

9

Most Restrictiveg-SIS Specification:

Traditional Groups: <LJ, SL, LA, SR>Secure Multicast: <SJ, LL, LA, *>

Conclusion & Future Work

• Group-centric Vs Dissemination-centric• Focus on group operation semantics• Lattice of g-SIS models• Ongoing Work

– Extension to other operations such as write, etc.– Multiple groups

• Investigate information flow• Compare with Lattice Based Access Control models

– Attribute Based Access Control in g-SIS

10

Thank You!

11

Comments & Questions

Email: rkrishna@gmu.eduWeb: http://mason.gmu.edu/~rkrishna

Backup

12

Presentation Outline

• Secure Information Sharing (SIS)– Dissemination Vs Group Centric

• Group Centric SIS (g-SIS)• g-SIS Core Properties• g-SIS Operation Semantics• Family of g-SIS Models• Usage Scenarios• Conclusions

13

g-SIS (continued)

NeverGroupSubject Leave

Current GroupSubject

PastGroupSubject

Join

Join

NeverGroupObject Remove

Current GroupObject

PastGroupObject

Add

Add

Subject Membership States

Object Membership States

Operation Semantics (Continued)

15

Re-visiting Metaphors

• Program Committee Meeting– Committee members initially enter room with LJ– Exit room with LL– Re-admitted with SJ if no access allowed to

conversations during periods of absence• LJ, on the other hand, will allow access• Objects added with SA are accessible to existing

members in the room

16