Title: Data and Applications Security Developments and Directions
1Data and Applications Security Developments and
Directions
- Dr. Bhavani Thuraisingham
- The University of Texas at Dallas
- Lecture 4
- Policies
- January 29, 2007
2Outline of the Unit
- Need to Know to Need to Share
- RBAC
- UCON
- RBUC
- Dissemination
- Rick based access control
- Trust Management/Credential/Disclosure
- Directions
- Major conferences for Policy and Access Control
- IEEE Policy Workshop (June 13-15, Bologna, Italy)
- ACM SACMAT (June 20-22, Sophia Antipolis, France)
3Need to Know to Need to Share
- Need to know policies during the cold war even
if the user has access, does the user have a need
to know? - Pose 9/11 the emphasis is on need to share
- User may not have access, but needs the data
- Do we give the data to the user and then analyze
the consequences - Do we analyze the consequences and then determine
the actions to take - Do we simply not give the data to the user
- What are risks involved?
4RBAC
- Access to information sources including
structured and unstructured data both within the
organization and external to the organization - Access based on roles
- Hierarchy of roles handling conflicts
- Controlled dissemination and sharing of the data
5RBAC (Sandhu)
6UCON
- RBAC model is incorporated into UCON and useful
for various applications - Authorization component
- Obligations
- Obligations are actions required to be performed
before an access is permitted - Obligations can be used to determine whether an
expensive knowledge search is required - Attribute Mutability
- Used to control the scope of the knowledge search
- Condition
- Can be used for resource usage policies to be
relaxed or tightened
7UCON (Sandhu)
8Role-based Usage Control (RBUC)
RBAC with UCON extension
9RBUC in Coalition Environment
- The coalition partners maybe trustworthy),
semi-trustworthy) or untrustworthy), so we can
assign different roles on the users (professor)
from different infospheres, e.g. - professor role,
- trustworthy professor role,
- semi-trustworthy professor role,
- untrustworthy professor role.
- We can enforce usage control on data by set up
object attributes to different roles during
permission-role-assignment, - e.g. professor role 4 times a day,
- trustworthy role 3 times a day
- semi-trustworthy professor role 2 times a day,
- untrustworthy professor role 1 time a day
10Dissemination Policies
- Release policies will determine to whom to
release the data - What is the connection to access control
- Is access control sufficient
- Once the data is retrieved from the information
source (e.g., database) should it be released to
the user - Once the data is released, dissemination policies
will determine who the data can be given to - Electronic music, etc.
11Risk Based Data Sharing/Access Control
- What are the risks involved in releasing/dissemina
ting the data - Risk modeling should be integrated with the
access control model - Simple method assign risk values
- Higher the risk, lower the sharing
- What is the cost of releasing the data?
- Cost/Risk/Security closely related
12Trust Management
- Trust Services
- Identify services, authorization services,
reputation services - Trust negotiation (TN)
- Digital credentials, Disclosure policies
- TN Requirements
- Language requirements
- Semantics, constraints, policies
- System requirements
- Credential ownership, validity, alternative
negotiation strategies, privacy - Example TN systems
- KeyNote and Trust-X (U of Milan), TrustBuilder
(UIUC)
13Trust Management
14 The problem establishing trust in open systems
- Interactions between strangers
- - In conventional systems user identity is
known in advance - and can be used for performing access
control - - In open systems partecipants may have no
pre-existing - relationship and may not share a common
security domain
?
- Mutual authentication
- - Assumption on the counterpart honesty no
longer holds - - Both participants need to authenticate each
other
15Trust Negotiationmodel
- A promising approach for open systems where most
of the interactions occur between strangers - The goal establish trust between parties in
order to exchange sensitive information and
services - The approach establish trust by verifying
properties of the other party
16 Trust negotiation the approach
- Interactions between strangers in open systems
- are different from traditional access control
models
Policies and mechanisms developed in conventional
systems need to be revised
ACCESS CONTROL POLICIES VS. DISCLOSURE POLICIES
USER IDs VS. SUBJECT PROPERTIES
17Subject properties digital credentials
- Assertion about the credential owner issued and
certified by a Certification Authority.
- Each entity has an associated set of
credentials, - describing properties and attributes of the
owner.
CA
18Use of Credentials
Credential Issuer
Digital Credentials
- Julie
- 3 kids
- Married
- American
Alice
Check
Check
-Julie - Married
-Julie - American
Company B
Want to know marital status
Company A
Referenced from http//www.credentica.com/technolo
gy/overview.pdf
Want to know citizenship
19Credentials
- Credentials can be expressed through the Security
Assertion Mark-up Language (SAML) - SAML allows a party to express security
statements about a given subject - Authentication statements
- Attribute statements
- Authorization decision statements
20Disclosure policies
Disclosure policies
- Disclosure policies govern
- Access to protected resources
- Access to sensitive information
- Disclosure of sensitive credentials
- Disclosure policies express trust requirements by
means of credential combinations that must be
disclosed to obtain authorization
21Disclosure policies - Example
- Suppose NBG Bank offers loans to students
- To check the eligibility of the requester, the
Bank asks the student to present the following
credentials - The student card
- The ID card
- Social Security Card
- Financial information either a copy of the
Federal Income Tax Return or a bank statement
22Disclosure policies - Example
- p1 (, Student_Loan ? Student_Card())
- p2 (p1), Student_Loan ? Social_Security_Card())
- p3 (p2, Student_Loan ? Federal_Income_Tax_Retur
n()) - p4 (p2, Student_Loan ? Bank_Statement())
- P5(p3,p4, Student_Loan ? DELIV)
- These policies result in two distinct policy
chains that lead to disclosure - p1, p2, p3, p5 p1, p2, p4, p5
23Trust Negotiation - definition
The gradual disclosure of credentials and
requests for credentials between two strangers,
with the goal of establishing sufficient trust so
that the parties can exchange sensitive
information and/or resources
24Trust-X system Joint Research with University
of Milan
- A comprehensive XML based framework for trust
negotiations - Trust negotiation language (X-TNL)
- System architecture
- Algorithms and strategies to carry out the
negotiation process
25Trust-X language X-TNL
- Able to handle mutliple and heterogeneus
certificate specifications - Credentials
- Declarations
- Able to help the user in customizing the
management of his/her own certificates - X-Profile
- Data Set
- Able to define a wide range of protection
requirements by means of disclosure policies
26X-TNL Credential type system
X-TNL simplifies the task of credential
specification by using a set of templates
called credential types Uniqueness is ensured by
use of XML Namespaces Credential types are
defined by using Document Type Definition
lt!DOCTYPE library_badge lt!ELEMENT library_badge
(name, address, phone_number, email?,
release_date, profession,Issuer)gt lt!ELEMENT name
(fname, lname)gt lt!ELEMENT address
(PCDATA)gt lt!ELEMENT phone_number
(PCDATA)gt lt!ELEMENT email
(PCDATA)gt lt!ELEMENT release_date
(PCDATA)gt lt!ELEMENT profession
(PCDATA)gt lt!ELEMENT fname
(PCDATA)gt lt!ELEMENT lname
(PCDATA)gt lt!ELEMENT Issuer ANYgt lt!ATTLIST
Issuer XMLLINK CDATA FIXED SIMPLE HREF
CDATA REQUIRED TITLE CDATA
IMPLIEDgt lt!ATTLIST library_badge CredID ID
REQUIREDgt lt!ATTLIST library_badge SENS CDATA
REQUIREDgt gt
27Trust-X negotiation phases- basic model
- Introduction
- Send a request for a resource/service
- Introductory policy exchanges
- Policy evaluation phase
- Disclosure policy exchange
- Evaluation of the exchanged policies in order to
determine secure solutions for both the parties. - Certificate exchange phase
- Exchange of the sequence of certificates
determined at step n. 2.
28 Trust-X Architecture
Trust-X has been specifically designed for a
peer-to-peer environment in that each party is
equipped with the same functional modules and
thus it can alternatively act as a requester or
resource controller during different
negotiations.
29How a policy is processed
- Upon receiving a disclosure policy the compliance
checker determines if it can be satisfied by any
certificate of the local X-profile.
- Then, the module checks in the policy base the
protection needs associated with the
certificates, if any. - The state of the negotiation is anyway updated
by the tree manager, which records whether new
policies and credentials have been involved or
not.
COMPLIANCE CHECKER
TREE MANAGER
Disclosure Policies
Policy Base
Policy Reply
X-Profile
30Directions
- Policies are of much interest to many
organizations and applications - Financial, Medical, Retail, Manufacturing etc
- Roles and responsibilities
- Flexible policies
- RBAC, UCON, RBUC, Trust Negotiation,
Dissemination Policies - Need to Know to Need to Share
- IEEE POLICY and ACM SACMAT