RiMBAC
Risk Management Based Access Control
Michael Frangos
Supervised by: Dr William Scott and Dr Paul Montague
Overview
• Background & Motivation
  • Risk
  • Risk Management
  • Access Control
  • Multi Level Security
• Research questions & strategy
• Research Achievements
  • The RiMBAC Model
  • Comparison of RiMBAC and MLS
Risk
• What is Risk?
• “The expected impact on objectives due to one or more future events”
• Likelihood × Consequence
• Can be associated with negative or positive outcomes.
Access Control
• What is Access Control?
  • The process of mediating requests to resources and data maintained by a system and determining whether the request should be granted or denied.
• Access Control Models
  • Discretionary
  • Mandatory
  • Role-based
Multi Level Security (MLS)
• What is MLS?
  • A form of mandatory access control.
• MLS Classifications
MLS Classification | Consequence of Damage
TOP SECRET | Exceptionally Grave Damage to NS
SECRET | Serious Damage to NS
CONFIDENTIAL | Damage to NS
RESTRICTED | Limited Damage to NS
UNCLASSIFIED | Negligible Damage to NS
What’s wrong with MLS?
• Risk involved in each access is determined statically.
  • Clearances and classifications rarely reviewed.
• Sensitivity of information will vary with time and context.
• Trustworthiness of individuals varies with time and context.
• Risk estimates are binary entities.
  • Risk is either zero or worst case consequence.
• Total organizational risk for information sharing is unknown.
  • Risk can’t be capped.
• No provision to deal with emergencies.
Research Questions
1. How can an access control model based on risk management be developed for organizations that currently employ MLS?
2. How effective would such an access control model be when compared to traditional MLS?
The RiMBAC Model
• Design Principles
Design Principle | Supporting Papers
The risk associated with each access is considered in access control decisions. | McGraw (2009), MITRE Corporation (2004), Molby et al. (2008)
The benefits associated with each access are considered in access control decisions. | Zhang et al. (2006)
Total information sharing risk for an organization can be limited. | McGraw (2009), MITRE Corporation (2004), Molby et al. (2008)
Information sharing risk is determined dynamically. | McGraw (2009), MITRE Corporation (2004), Molby et al. (2008), Zhang et al. (2006)
Access control decisions are auditable. | All Papers
Access control decisions consider context. | Diep et al. (2006), Ahmed & Zhang (2007)
Access control decisions are objective, not subjective. | All Papers
The model can extend the MLS model. | Cheng & Rohatgi (2007)
The RiMBAC Model
Organizational Context:
[Diagram: Organization, Management, Employees, Goals, Tasks, Information, Access Control System]
The RiMBAC Model
Key Concepts and definitions:
Subject – An individual or computer process acting on behalf of an individual
Object – An information resource.
Compromise – Any event in which a subject who is not authorized by the access control system gains access to an object.
Harm – Negative impact on organizational goals (due to compromise of an object).
Benefit – Positive impact on organizational goals (due to completion of a task).
RiM – a unit of harm or benefit.
RiMBAC Overview
[Diagram: the risk management process (Establish the Context, Identify Risk, Analyze Risk, Evaluate Risk, Treat Risk, Monitor and Review) shown alongside the RiMBAC steps: Organizational Goals established; Risk Tolerance Levels established; Information Sharing Risks defined; Information Sharing Benefits defined; Transactional Risk Calculated; Maximum Transactional Benefit Calculated; Access Control Decision Made; Access Control Decision Enforced. Other labels: Organization, Goals, Risks, Benefits, Level of Risk, Level of Benefit, Risk Thresholds, AC Policy, AC Decision, AC Result, RiMBAC Monitor and Review.]
The RiMBAC Model
1. Establish the context:
• Establish organizational goals.
  • e.g. “to make profit”, “to preserve national security”
• Set Risk Tolerance Levels for information sharing.
  • e.g. $5M per annum (specified in RiMs)
The RiMBAC Model
2. Identify Risk:
• Identify information sharing risks:
  • Transactional risk – the risk involved each time a subject accesses an object.
• Identify information sharing benefits:
  • Transactional benefit – the benefit involved each time a subject accesses an object.
The RiMBAC Model
3. Analyze Risk:
• Calculate Transactional Risk.
• Calculate Transactional Benefit
The RiMBAC Model
Calculate Transactional Risk:
Object Risk ($R_{OBJ}$) – Expected harm associated with an object.
Likelihood of harm × Consequence of harm
Consequence of harm:
[Diagram: RiMBAC Object, Potential Harm Function, Information Categories]
i.e.
The RiMBAC Model
Likelihood of Harm:
Assume that harm will always result from compromise of an object.
i.e. $P_C = P_{HARM}$
[Diagram: Object labelled with $TTI_1, TTI_2, \dots, TTI_n$ and $HTI_1, HTI_2, \dots, HTI_m$]
The RiMBAC Model
$P_{TC} = 1 - TTI$, $P_{HC} = 1 - HTI$
$P_C = P_{TC_1} \cup P_{TC_2} \cup \dots \cup P_{TC_n} \cup P_{HC_1} \cup P_{HC_2} \cup \dots \cup P_{HC_m}$
The RiMBAC Model
Calculate Transactional Risk:
Object Risk ($R_{OBJ}$)
Expected harm associated with an object.
Organizational Risk ($R_{ORG}$) – Sum of object risk for all objects in the organization.
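
Added example (not from the original slides): one way to evaluate the compromise-probability union, object risk and organizational risk above in Python. It assumes the individual compromise events are independent, which the slides do not state; the HTI and harm values are those in the deck's simulation-parameter tables, while the TTI values and holder lists are constructed.

```python
from math import prod

# HTI per MLS clearance and harm (RiMs) per classification, taken from the
# deck's simulation-parameter tables.
HTI_BY_CLEARANCE = {
    "UNCLASSIFIED": 0.0, "RESTRICTED": 0.99, "CONFIDENTIAL": 0.995,
    "SECRET": 0.999, "TOP SECRET": 0.9999,
}
HARM_RIMS = {"RESTRICTED": 1, "CONFIDENTIAL": 5, "SECRET": 20, "TOP SECRET": 100}


def compromise_probability(ttis, htis):
    """P_C as the union of P_TC_i = 1 - TTI_i and P_HC_j = 1 - HTI_j.

    Assumption (not in the slides): the events are independent, so the
    union is 1 minus the product of all trust indices.
    """
    indices = list(ttis) + list(htis)
    for t in indices:
        if not 0.0 <= t <= 1.0:
            raise ValueError(f"trust index out of [0, 1]: {t}")
    return 1.0 - prod(indices)


def object_risk(classification, ttis, holder_clearances):
    """R_OBJ = likelihood of harm x consequence of harm, with P_C = P_HARM."""
    htis = [HTI_BY_CLEARANCE[c] for c in holder_clearances]
    return compromise_probability(ttis, htis) * HARM_RIMS[classification]


def organizational_risk(objects):
    """R_ORG = sum of R_OBJ over all objects in the organization."""
    return sum(object_risk(*obj) for obj in objects)


# Constructed sample: (classification, TTIs of storage/transfer technology,
# clearances of the subjects holding the object).
SAMPLE_OBJECTS = [
    ("SECRET", [0.999], ["SECRET", "TOP SECRET"]),
    ("TOP SECRET", [0.999, 0.9995], ["TOP SECRET"]),
    ("RESTRICTED", [0.99], ["RESTRICTED", "UNCLASSIFIED"]),
]

if __name__ == "__main__":
    for obj in SAMPLE_OBJECTS:
        print(obj[0], round(object_risk(*obj), 4), "RiMs")
    print("R_ORG", round(organizational_risk(SAMPLE_OBJECTS), 4), "RiMs")
```

A single holder with HTI = 0 drives the compromise probability to 1, so the third object carries its full harm value, while the other two carry only a small fraction of theirs.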
The RiMBAC Model
Calculate Transactional Risk:
Transactional Risk ($R_{TRANS}$)
Expected harm involved in a subject accessing an object
The RiMBAC Model
Cumulative Transactional Risk:
[Diagram: Bob and a series of objects against Time; labels: Object 1, TRB]
[Diagram: Bob, Sue, Task A, Task B, Task C and Organization against Time; labels: TRB, TRA]
The RiMBAC Model
Calculate Transactional Benefit:
Maximum Transactional Benefit ($MB_{TRANS}$)
The potential benefit involved each time a subject accesses an object.
[Diagram: RiMBAC Object, Potential Harm Function, Information Categories]
[Diagram: Bob and Task A, Task B, Task C; information category sets {1,2,3,4}, {1,2,5,6} and {1,2,3,4,5,6}; TBV=50 RiMs with TIF=0.2 and TBV=100 RiMs with TIF=0.5; ObjectCat {1, 44, 32}]
$MB_{TRANS} = 50 \times 0.2 + 100 \times 0.5 = 60$ RiMs
The RiMBAC Model
Break Glass Provision
• What happens in an emergency?
  • No time to create a task etc.
• Override Capability.
  • Known benefit specified.
  • Acceptance of risk signed by higher authority.
  • Risk is accounted for.
  • Risk tolerance thresholds can still apply
The RiMBAC Model
4. Evaluate and Treat Risk:
Apply Access Control Policy to make access control decision:
Policy Examples
Allow all transactions where $MB_{TRANS} > R_{TRANS}$ and $TRA_{TASK}$ not exceeded.
Allow all transactions where $MB_{TRANS} > 5 \times R_{TRANS}$ and $TRA_{SUBJ}$ not exceeded.
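
Added example (not from the original slides): a small Python decision function for the two policy examples above, charging each allowed access against a cumulative risk cap and logging every decision. Treating TRATASK/TRASUBJ as such a cap and the break-glass semantics (taken from the Break Glass Provision slide) are assumptions; all class and function names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    benefit_ratio: float  # allow only if MB_TRANS > benefit_ratio * R_TRANS
    tra_limit: float      # assumed cap on cumulative transactional risk (RiMs)


@dataclass
class Ledger:
    spent: dict = field(default_factory=dict)  # key -> cumulative risk (RiMs)
    audit: list = field(default_factory=list)  # one record per decision


def max_transactional_benefit(tasks):
    """MB_TRANS as on the slide: sum of TBV x TIF over (TBV, TIF) pairs."""
    return sum(tbv * tif for tbv, tif in tasks)


def decide(policy, ledger, key, mb_trans, r_trans, break_glass_by=None):
    """Return True to allow the access; every decision is audited.

    key is a subject (TRA_SUBJ policy) or a task (TRA_TASK policy).
    Break glass, as read here: a named higher authority accepts the risk,
    the benefit test is skipped, the risk is still charged, the cap applies.
    """
    used = ledger.spent.get(key, 0.0)
    within_cap = used + r_trans <= policy.tra_limit
    worthwhile = mb_trans > policy.benefit_ratio * r_trans
    allowed = within_cap and (worthwhile or break_glass_by is not None)
    if allowed:
        ledger.spent[key] = used + r_trans
    ledger.audit.append((key, mb_trans, r_trans, break_glass_by, allowed))
    return allowed


def demo():
    # Constructed scenario; only the TBV/TIF pairs come from the slides.
    mb = max_transactional_benefit([(50, 0.2), (100, 0.5)])  # 60 RiMs
    policy = Policy(benefit_ratio=5, tra_limit=30)  # second policy example
    ledger = Ledger()
    results = [
        decide(policy, ledger, "bob", mb, 10),              # 60 > 50: allow
        decide(policy, ledger, "bob", mb, 12),              # 60 > 60 fails
        decide(policy, ledger, "bob", mb, 12, "director"),  # override, charged
        decide(policy, ledger, "bob", mb, 9),               # 22 + 9 > 30: deny
    ]
    return results, ledger
```

The last request passes the benefit test but is still denied because the earlier override consumed part of the cap, which is the "risk is accounted for" property of the break-glass provision.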
The RiMBAC Model
5. Monitor and Review:
• Monitor every access
  • Audit logs
• Monitor information leakage
  • Update TTI and HTI parameters.
• Regularly review:
  • organizational goals
  • risk tolerance thresholds
  • access control policy.
  • TBVs, TIFs
Technological Requirements
• Direct Access:
  • HTI for subject, TTI for storage and transfer technology.
  • Tasks, TBVs and information category sets.
  • TIFs for each subject.
• Indirect Access:
  • Portable credential exchange devices.
• RiMBAC Objects:
  • Metadata containing information categories, potential harm function.
  • Ontology for describing contextual factors.
Technological Requirements
• Information Leakage Monitoring
  • Mechanisms (e.g. object tracking, label management, audit logs)
• Transition from MLS to RiMBAC
  • 3 phase transition plan: (Still being finalized)
Comparing RiMBAC with MLS
Agent-based modelling
• Model a system from the bottom up.
  • Agents are a collection of autonomous decision-making entities.
• Shown to be effective at modeling human systems such as organizations. (Prietula et al. (1998))
• Provides a natural description of the system
• Flexible
• Captures emergent phenomena (i.e. organizational behaviour)
• Repast (Recursive Porous Agent Simulation Toolkit)
  • Open source, Java-based, good documentation.
Comparing RiMBAC with MLS
Measurands
For each access control model:
• How many resources are compromised?
• How much harm is caused due to compromise?
• How many beneficial resources do employees get hold of?
Comparing RiMBAC with MLS
Employee Agents
Attributes
Attribute | Description
ID | A unique identifier for the individual.
MLS Clearance | Multi Level Security Clearance {RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET}
HTI | RiMBAC Human Trust Index [0,1]
Trustworthiness | A measure of the individual’s actual trustworthiness. (%)
Information Appetite | The mean time between resource requests by the individual. (hours)
Required Information Categories | A list of information categories that the individual needs to complete their assigned tasks.
Current Resource List | The current resources held by the individual
Current Tasks | A set of organizational tasks that the employee is assigned to
Comparing RiMBAC with MLS
Employee Agents
Desire
• When being trustworthy:
  • Obtain any information resources required to complete assigned tasks.
  • Share information resources with any employees approved by security policy.
• When being untrustworthy:
  • Obtain any resources not required to complete assigned tasks.
  • Share information resources with anyone.
Comparing RiMBAC with MLS
Employee Agents
Decisions
• Decide what type of resource to ask for next based on trustworthiness and required information categories.
• Decide when to ask for information based on information appetite.
• Decide who to ask for information:
  • When being trustworthy, ask an employee who is believed to have such information (based on the tasks they are working on).
  • When being untrustworthy, ask an employee who is known to thwart policy (based on prior dealings)
• Decide whether to hand over a resource to another individual based on access control decision and trustworthiness.
Comparing RiMBAC with MLS
External Agents
Attributes
Attribute | Description
ID | A unique identifier for the individual.
MLS Clearance | Multi Level Security Clearance = UNCLASSIFIED
HTI | RiMBAC Human Trust Index = 0
Trustworthiness | A measure of the individual’s actual trustworthiness. (%)
Information Appetite | The mean time between resource requests by the individual. (hours)
Current Resource List | The current resources held by the individual
Comparing RiMBAC with MLS
External Agents
Desire
• Obtain any possible information resources from within the organization.
Comparing RiMBAC with MLS
External Agents
Decisions
• Decide what type (subject and classification) of resource to ask for:
  • Choose a resource type at random.
• Decide when to ask for information
  • based on information appetite.
• Decide who to ask for information:
  • Initially target random employees.
  • Later target mostly those employees known to thwart policy (based on previous experience).
Comparing RiMBAC with MLS
Simulation Parameters
• 20 Employees
  • Even distribution of MLS clearances
  • RiMBAC HTI derived from MLS clearance.
• 2 External Agents
MLS Clearance | RiMBAC HTI
UNCLASSIFIED | 0.0000
RESTRICTED | 0.9900
CONFIDENTIAL | 0.9950
SECRET | 0.9990
TOP SECRET | 0.9999
Comparing RiMBAC with MLS
Simulation Parameters
• 10,000 Information Resources
MLS Classification | Number of Resources
RESTRICTED | 4000
CONFIDENTIAL | 3000
SECRET | 2000
TOP SECRET | 1000
• RiMBAC Harm Value of Resources:
MLS Classification | Value in RiMs
RESTRICTED | 1
CONFIDENTIAL | 5
SECRET | 20
TOP SECRET | 100
Comparing RiMBAC with MLS
Sample Results: Beneficial Resources Obtained
[Chart: Number of Beneficial Resources Obtained against Time (Years) for MLS and RiMBAC, with an Initialization Period and a Real Simulation period marked]
Comparing RiMBAC with MLS
Sample Results: Information Leakage
[Chart: Number of Resources Leaked against Time (Years) for MLS and RiMBAC]
Comparing RiMBAC with MLS
Sample Results: Estimated Harm
[Chart: Estimated Harm (RiMs) against Time (Years) for MLS and RiMBAC]
Comparing RiMBAC with MLS
Sample Results: Information Leakage
Organizational Risk Allowance applied (75 RiMs per annum)
[Chart: Number of Resources Leaked against Time (Years) for MLS and RiMBAC with TRA]
Comparing RiMBAC with MLS
Sample Results: Estimated Harm
Organizational Risk Allowance applied (75 RiMs per annum)
[Chart: Estimated Harm (RiMs) against Time (Years) for MLS and RiMBAC with TRA]
Summary of Achievements
1. Existing Access Control Models incorporating risk reviewed.
2. Risk Management Based Access Control (RiMBAC) Model Developed.
3. Agent Based Model developed to assess RiMBAC with MLS.
Future Work
• Refine RiMBAC model
  • Trust models (TTI, HTI) developed.
  • Incentive for low risk, high benefit transactions.
• More complex Agent Based Model.
  • Dynamic harm value for objects included.
  • More complex agent characteristics and behaviour
    • Trust, friendships, annoyance, manipulation techniques etc.
• Simulate larger organization.
• Use of “Knowledge Pieces” to quantify benefit.