Specification and Management of Security in the Business Process
Marc Frappier, PhD, Full Professor, Département d'informatique

Post on 22-Dec-2015

Page 1: Specification and Management of Security in the Business Process Marc Frappier, PhD Full Professor Département d'informatique

Specification and Management of Security in the Business Process

Marc Frappier, PhD
Full Professor
Département d'informatique

Page 2: Collaborators

Louise Adant, FBN
Alexandre Beaupré, Université de Sherbrooke and FBN
Pierre Konopacki, Université de Sherbrooke and Paris-12
Jérémy Milhau, Université de Sherbrooke and Paris-12
Michel Embe Jiague, Université de Sherbrooke and Paris-12
Régine Laleau, Paris-12
Richard St-Denis, Université de Sherbrooke

Page 3: Your Data

Page 4: Outline

Functional Security
Functional Security Policy
Software Architecture

Page 5: As a Citizen

Do you know who has access to your medical file? Your banking records? Your credit file? The transactions on your credit cards? Your tax return?

Would you like to know who has accessed your personal data?

Would you like to be able to decide who can access or manipulate your data?

Page 6: Security and Business Process

Who can do what with the data and functions in your applications?

Where is this described?

Who controls your security policy: accessing it, changing it, validating it?

Can you show that you are complying with the relevant legislation?

Page 7: Functional Security

Focuses on policies governing access to data and functions
Is different from architectural security, technological security, physical security, etc.
Is also called access control or access permission

Page 8: Access and Filtering

Functions according to the user's role
Filtering on the user's data

Page 9: Architectural and Technological Security

Management of user codes and passwords
Authentication
Secure communication protocols
Data encryption
Firewall
Attack prevention
Etc.

Page 10: Physical Security

Devices for gaining access to buildings and equipment: magnetic card, biometric scanner
Protection of equipment
Protection of communication lines
Etc.

Page 11: Functional Security: Traditional Models

RBAC: Role-Based Access Control
ORBAC: Organization-Based Access Control
Bell-LaPadula
Sandhu
Clark-Wilson

Page 12: ORBAC – Components of the Model

Organization
Role: set of subjects (users)
Activity: set of actions (services)
View: set of objects (data)
Context

Page 13: ORBAC – Components of the Model

Context: catch-all for any other parameter of the policy (temporal, spatial, emergency, application data, workflow, etc.)
Hierarchy: Organization, Role, Activity

Page 14: ORBAC

[Figure: the ORBAC model]
Source: http://orbac.org/

Page 15: Role

User      Role
Marc      Individual
Paul      Cashier
Isabelle  Representative
Marie     Manager

Role            Actions                                   Scope
Individual      Account: access, deposit, withdraw        On his accounts
Cashier         Account: access, deposit, withdraw, etc.  On branch accounts
Representative  Create or close account, request credit   For her clients
Manager         Authorize credit                          For the branch

Roles shown in a hierarchy, top to bottom: Manager, Representative, Cashier, Individual.

Page 16: Organization

User      Role            Organization
Isabelle  Broker          Financière Banque Populaire
          Representative  Banking services
(Sole user)

Organization hierarchy:
Banque Populaire
  Brokerage services
    Quebec brokerage
    Ontario brokerage
  Banking services
    Province
      Region
        Branch

Page 17: ORBAC – Implementation

MotOrBac: a Java API; few uses documented in the literature
Ad hoc: a number of organizations use principles similar to ORBAC (without knowing it), with an in-house implementation

Page 18: ORBAC – Limitations

General nature of the model
  Do you need all the concepts (Organization, Role, Activity, View)?
  Do you need other things?
Put it in context
  How do you integrate your security policy with the data in your existing applications?

Page 19: In-house Approaches

Menu functions access manager
  Shows who has access to which function
  Is generally based on the user's role, location and organization
  Separate from the application
Data filtering
  For restricting access to the data of a function
  Embedded in the code of the function

Page 20: The EB3SEC Project

Pages 21-27: Presentation of Problem

[Diagram: User – Internet – IS]

User: "I would like to be able to access my accounts."

Two questions are asked about every request:

Is the user entitled to perform the basic operations of this action? (Verification of permissions)

Is the user entitled to perform this action at this time? (Verification of the security workflow)

Pages 28-46: Architecture of the Solution

[Sequence diagram: User – Security Kernel (Permissions, Security Workflow) – IS (IS Kernel)]

User: "I would like to perform an action, so I send a request to the IS."

The request goes first to the security kernel, which produces two verdicts: Authorization1 from the permissions and Authorization2 from the security workflow.

To know whether the action is authorized by the security kernel, Authorization1 and Authorization2 must be conjoined.

Authorization refused: the security kernel sends back the answer.
User: "I have just received an error message explaining the refusal to execute."

Permission granted: authorization must also be granted by the existing IS, so the request is forwarded to the IS (IS kernel). The IS may refuse or accept the request.

Request rejected by the IS: the answer is returned through the security kernel.
User: "I have just received an error message explaining the refusal to execute."

Request accepted by the IS: permission granted; the IS kernel is updated, then the security kernel is updated, and the answer is returned.
User: "I have just received the answer to my request."

Page 47: Security Rule or Business Rule?

Business rule: describes the functioning of the application; assumes that anyone can do anything
Security rule: who has access to what action on which data
Approval process: sometimes a business rule, sometimes a security rule

Page 48: ESB Architecture

[Figure: Enterprise Service Bus (ESB) providing routing, connectivity, security and transformation. Components: Consumer, Authorization, Register of services, Security Kernel, Service A, Service B, linked by a numbered message flow (1 to 18).]

Pages 49-60: Example of Security Policy

Consider a student in the Faculty of Science.
This student wants to borrow a book from the Faculty of Law.
The libraries of the different faculties are independent of each other.
The student must go through the librarian to borrow the book.

The successive slides mark up this scenario with the concepts of the policy: role, organization, action, object and user.

Page 61: Example of the Library

Role: Student, Librarian, Professor
Organization: Science library, Law library
User: Person, Financial system
Actions: the actions involved in specifying the information system
Object: Book, Article, Member

Page 62: Description of Security Policy

The security policy has two parts:
  Access permission data model: class diagram
  Security workflow and data filtering: process expression

Page 63: Access Permissions

Construct the appropriate data model: a traditional entity-relation model, with no particular restriction
More flexible than ORBAC

Page 64: Access Permissions

[Class diagram: classes Organization, Action, User and Role, with the associations "plays" and "permission"]

Page 65: Security Workflow and Filtering

A process algebra called EB3SEC is used.
A request is of the form < user, role, organization, action >
  User: the identifier of the user performing the action
  Role: the role played by the user when performing the action
  Organization: the organization in which the action is performed
  Action: an EB3 action

Page 66: Security Workflow

Any user having the role ‘librarian’ can perform, in any organization, the action Lend( _ , _ ):

rule1() = < _ , librarian, _ , Lend( _ , _ ) >

For this particular case, the rule is redundant with the access permissions. We could therefore also represent access permissions with process expressions; the tabular format is more user-friendly.

Page 67: Security Workflow

A book cannot be discarded without the consent of the professor who initially approved it.
Acquisitions or discards can only be made by a librarian.

rule2() = ||| bId: book: | pId: person:
    < pId , professor , _ , ApproveAcquire( bId ) > •
    < _ , librarian , _ , Acquire( bId ) > •
    < pId , professor , _ , ApproveDiscard( bId ) > •
    < _ , librarian , _ , Discard( bId ) >

Page 68: Security Workflow

A loan must be returned to the branch where it was borrowed.

rule3() = ||| bId: BOOKID: ( | oid: organization:
    < _ , _ , oid, Lend( bId, _ ) > • < _ , _ , oid, Return( bId, _ ) >
)*

Page 69: Security Workflow

Security rules are applied indefinitely and in parallel fashion.

main() = rule1()* || rule2() || rule3()
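The security kernel of pages 28-46 and the policy notation of pages 62-69 can be exercised together in the following added example, which is not part of the talk and not code from the EB3SEC or APIS tools. It is a small Python interpreter for the request format < user, role, organization, action >, the "plays" and "permission" associations of the access-permission data model, and the three workflow rules rule1, rule2 and rule3 as process expressions, driven by a kernel that conjoins Authorization1 and Authorization2 and updates its own state only after the existing IS has accepted the request. Everything concrete in it is an assumption: the finite sets BOOKS, PERSONS and ORGS, the users paul, marie and alice, the book identifiers, the permission table, the IS stubs, and the reading of the operator in main() as EB3 parallel composition synchronised on shared action labels.

```python
# Added example, not the EB3SEC project's code: interprets the security workflow rules
# on the slides and runs a kernel that conjoins Authorization1 (access permissions) with
# Authorization2 (security workflow). Assumptions: a request is (user, role, organization,
# action, args); "_" is a wildcard; main() uses parallel composition synchronised on shared labels.
from dataclasses import dataclass
from functools import reduce

class Done:                        # terminated process: accepts nothing more
    def done(self): return True
    def labels(self): return frozenset()
    def steps(self, req): return []

@dataclass(frozen=True)
class Act:                         # one secured action pattern < u, r, o, A(args) >
    pat: tuple
    def done(self): return False
    def labels(self): return frozenset({self.pat[3]})
    def steps(self, req):          # successor processes after performing req (empty = refused)
        pu, pr, po, pa, pargs = self.pat
        u, r, o, a, args = req
        ok = a == pa and len(args) == len(pargs) and all(
            p in ("_", v) for p, v in zip((pu, pr, po) + pargs, (u, r, o) + args))
        return [Done()] if ok else []

class Binary:                      # shared by the two-operand operators
    def labels(self): return self.p.labels() | self.q.labels()

@dataclass(frozen=True)
class Seq(Binary):                 # p • q
    p: object; q: object
    def done(self): return self.p.done() and self.q.done()
    def steps(self, req):
        out = [Seq(p2, self.q) for p2 in self.p.steps(req)]
        return out + (self.q.steps(req) if self.p.done() else [])

@dataclass(frozen=True)
class Choice(Binary):              # p | q
    p: object; q: object
    def done(self): return self.p.done() or self.q.done()
    def steps(self, req): return self.p.steps(req) + self.q.steps(req)

@dataclass(frozen=True)
class Par(Binary):                 # p ||| q, or p || q when sync=True
    p: object; q: object; sync: bool = False
    def done(self): return self.p.done() and self.q.done()
    def steps(self, req):
        ps, qs = self.p.steps(req), self.q.steps(req)
        if self.sync and req[3] in self.p.labels() & self.q.labels():   # shared label: both must agree
            return [Par(p2, q2, True) for p2 in ps for q2 in qs]
        return [Par(p2, self.q, self.sync) for p2 in ps] + [Par(self.p, q2, self.sync) for q2 in qs]

@dataclass(frozen=True)
class Star:                        # p*: zero or more iterations of p
    p: object
    def done(self): return True
    def labels(self): return self.p.labels()
    def steps(self, req): return [Seq(p2, self) for p2 in self.p.steps(req)]

def seq(*ps): return reduce(Seq, ps)
def interleave(values, body): return reduce(Par, map(body, values))    # ||| x: S: body(x)
def choice(values, body): return reduce(Choice, map(body, values))     # | x: S: body(x)

# Constructed finite sets standing in for the slides' book, person and organization types.
BOOKS, PERSONS, ORGS = ("b1", "b2"), ("marie", "paul"), ("science_lib", "law_lib")
rule1 = Act(("_", "librarian", "_", "Lend", ("_", "_")))
rule2 = interleave(BOOKS, lambda b: choice(PERSONS, lambda p: seq(
    Act((p, "professor", "_", "ApproveAcquire", (b,))), Act(("_", "librarian", "_", "Acquire", (b,))),
    Act((p, "professor", "_", "ApproveDiscard", (b,))), Act(("_", "librarian", "_", "Discard", (b,))))))
rule3 = interleave(BOOKS, lambda b: Star(choice(ORGS, lambda o: seq(
    Act(("_", "_", o, "Lend", (b, "_"))), Act(("_", "_", o, "Return", (b, "_")))))))
main = Par(Par(Star(rule1), rule2, sync=True), rule3, sync=True)     # rule1()* || rule2() || rule3()

class SecurityKernel:
    def __init__(self, plays, permissions, workflow):
        self.plays, self.permissions = plays, permissions   # "plays" and "permission" associations
        self.state = [workflow]                             # process expressions consistent with the trace
    def authorization1(self, req):                          # access permissions (tabular part)
        u, r, o, a, _ = req
        return (u, r, o) in self.plays and (r, o, a) in self.permissions
    def authorization2(self, req):                          # security workflow: successors, [] if blocked
        return [s2 for s in self.state for s2 in s.steps(req)]
    def handle(self, req, information_system):
        if not self.authorization1(req): return "refused: no permission"
        nxt = self.authorization2(req)                      # Authorization1 and Authorization2 are conjoined
        if not nxt: return "refused: security workflow"
        if not information_system(req): return "rejected by IS"   # the existing IS may still refuse
        self.state = nxt                                    # "Updating Security Kernel" after the IS accepts
        return "accepted"

def run_demo():                    # constructed scenario; outcomes in the trailing comments
    plays = {("paul", "librarian", "law_lib"), ("paul", "librarian", "science_lib"),
             ("marie", "professor", "law_lib"), ("alice", "student", "science_lib")}
    perms = {("librarian", "law_lib", a) for a in ("Lend", "Return", "Acquire", "Discard")} | {
        ("librarian", "science_lib", "Return"), ("professor", "law_lib", "ApproveAcquire")}
    kernel = SecurityKernel(plays, perms, main)
    yes, no = (lambda req: True), (lambda req: False)       # stand-ins for the existing IS
    scenario = [
        (("paul", "librarian", "law_lib", "Lend", ("b1", "alice")), yes),          # accepted
        (("paul", "librarian", "science_lib", "Return", ("b1", "alice")), yes),    # workflow: wrong branch
        (("paul", "librarian", "law_lib", "Return", ("b1", "alice")), yes),        # accepted
        (("paul", "librarian", "law_lib", "Discard", ("b2",)), yes),               # workflow: no approval
        (("alice", "student", "science_lib", "Lend", ("b2", "bob")), yes),         # no permission
        (("marie", "professor", "law_lib", "ApproveAcquire", ("b2",)), yes),       # accepted
        (("paul", "librarian", "law_lib", "Acquire", ("b2",)), no),                # rejected by IS
        (("paul", "librarian", "law_lib", "Acquire", ("b2",)), yes),               # accepted: state was kept
    ]
    return [kernel.handle(req, is_) for req, is_ in scenario]
```

Each process expression answers a request with the list of expressions it could become afterwards, so the kernel state is a set of alternatives rather than a single state and the choice operator needs no look-ahead. The synchronised composition is what gives the conjunction: Lend appears in both rule1()* and rule3(), so a Lend is accepted only if the requester is a librarian and the book is later returned to the same organization; the second request of the scenario fails for that reason, and the seventh leaves the kernel state untouched, which is why the retried eighth request succeeds.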

Page 70: Validation of Security Policy

Use of automated verification tools
Proof of properties
Exhaustive run through all sequences of actions allowed by a policy

Page 71: Implementation: APIS Platform

Page 72: Conclusion

Possible to make security policies explicit
Separate the security policy from the application: evolution, validation
Increased desire of the public to control access to their data

Page 73: Contact Information

Marc Frappier
Département d'informatique
Université de Sherbrooke
Sherbrooke, Quebec, Canada J1K 2R1
Tel: +1 819-821-8000, local 62096
Fax: +1 [number lost in transcript]
E-mail: [address lost in transcript]
http://www.dmi.usherb.ca/~frappier