Role-Based Access Control (RBAC) Approach for Defense-in-Depth - PowerPoint PPT Presentation
Provided by: stephenn4
1
Role-Based Access Control (RBAC) Approach for
Defense-in-Depth
  • Peter Leight and Richard Hammer
  • August 2006

2
Role-Based Access Control (RBAC) Approach for
Defense-in-Depth
  • What is Role-Based Access Control (RBAC)?
  • What are the advantages to implementing RBAC?
  • What are the challenges to implementing RBAC?
  • How can RBAC be used as a framework for
    Defense-in-Depth?
  • How will the RBAC implementation standard help?

3
What is RBAC?
  • Role-Based Access Control
  • Permission to perform an operation on an object
    is assigned to roles, not to users
  • Users are assigned to roles
  • Roles are assigned permissions
  • Users acquire their permissions based on the
    roles they are assigned

4
RBAC is Many-to-Many
  • Users may be assigned many roles
  • Roles may have many users assigned to them
  • Roles may be assigned to many other roles
  • Roles may be assigned many permissions
  • Permissions may be assigned to many roles
  • Permissions may be granted to perform many
    different types of operations on an object

5
RBAC Flow Diagram
6
What are the Advantages of RBAC?
  • Once implemented, RBAC simplifies system
    administration
  • Strong support for separation of duties
  • Good auditing support
  • Considered best practice by many

7
RBAC Simplifies System Administration
  • When a user changes positions
      • Her roles are changed to reflect her new
        position
      • Her replacement is assigned her old roles
      • No need to remove the user's old access on
        each object
  • If roles are well defined, the system
    administrator only needs to add a user to their
    assigned roles and the user has access to all the
    resources they require to complete their job

8
Separation of Duties
  • Manages conflict of interest policy
  • Reduces chances of fraud
  • Spreads critical duties across roles and in turn
    users
  • RBAC has built-in support for
      • Static Separation of Duties (SSD)
      • Dynamic Separation of Duties (DSD)

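The model from slides 3, 4 and 8 (users assigned to roles, roles inheriting from other roles, permissions held by roles, and a static separation-of-duties constraint enforced at assignment time) as a working example. This is added here and is not code from the presentation; the role names, permissions and users are constructed, and the slides' payroll question is used for the sample policy.

```python
from collections import defaultdict

class RBAC:
    def __init__(self):
        self.user_roles = defaultdict(set)    # user -> directly assigned roles
        self.role_perms = defaultdict(set)    # role -> {(operation, object)}
        self.role_juniors = defaultdict(set)  # senior role -> junior roles it inherits
        self.ssd_sets = []                    # [(frozenset(roles), n)]: hold fewer than n

    def grant(self, role, operation, obj):
        self.role_perms[role].add((operation, obj))
    def add_inheritance(self, senior, junior):
        self.role_juniors[senior].add(junior)
    def add_ssd(self, roles, n=2):
        self.ssd_sets.append((frozenset(roles), n))

    def effective_roles(self, role):
        # The role plus every junior role reachable through inheritance (acyclic).
        roles = {role}
        for junior in self.role_juniors[role]:
            roles |= self.effective_roles(junior)
        return roles

    def authorized_roles(self, user):
        return set().union(*(self.effective_roles(r) for r in self.user_roles[user]))

    def assign_role(self, user, role):
        # Refuse an assignment that would breach a static separation-of-duties set.
        would_hold = self.authorized_roles(user) | self.effective_roles(role)
        for roles, n in self.ssd_sets:
            if len(would_hold & roles) >= n:
                raise ValueError(f"SSD violation for {user}: {sorted(would_hold & roles)}")
        self.user_roles[user].add(role)

    def check_access(self, user, operation, obj):
        # Default deny: allowed only if some authorized role carries the permission.
        return any((operation, obj) in self.role_perms[r] for r in self.authorized_roles(user))

def build_demo():
    # Constructed sample policy (added example, not from the slides).
    rbac = RBAC()
    rbac.grant("employee", "read", "intranet")
    rbac.grant("payroll_clerk", "read", "payroll")
    rbac.grant("payroll_approver", "approve", "payroll")
    rbac.add_inheritance("payroll_clerk", "employee")    # clerk inherits employee rights
    rbac.add_ssd({"payroll_clerk", "payroll_approver"})  # nobody may both enter and approve
    rbac.assign_role("jane", "payroll_clerk")
    rbac.assign_role("bob", "hotdog_vendor")             # role with no payroll permission
    return rbac
```

Note that the SSD check runs against the roles a user would hold after inheritance, not only the roles assigned directly, so a senior role cannot be used to sneak around the constraint.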
9
RBAC Improves Auditing
  • User, role, and permission reviews are built into
    RBAC
  • Much easier to determine if an object should be
    accessed from a role instead of a person
  • Should Jane access the payroll object? ???
  • Should the hotdog vendor's role access the
    payroll object? NO !

10
Challenges Implementing RBAC
  • Policy must be clearly defined or RBAC breaks
    down completely
  • Roles must be created that reflect business needs
  • Permissions for roles to access objects must be
    determined
  • Membership in each role must be determined
  • Up-front work requires a lot of time and effort
  • RBAC standards have not resulted in compatible
    vendor implementations

11
RBAC as a DiD Framework
  • Extend the concept of a user to include
      • Computers or networks
      • Agents (ex. Web front end accessing a database)
  • Permission is approval to access or perform some
    action on an object
  • Objects extended to include
      • Data, databases or information containers
      • Computers, networks or network resources
      • Programs or applications

12
RBAC for Network Design
  • Use RBAC as the access mechanism for your entire
    network infrastructure
      • Routers
      • Firewalls
      • VPNs
      • VLANs
      • Servers
  • Granular access controls can ensure all
    parameters are correct before access is granted
      • Joe might have access to financial data, but
        not from the wireless VLAN (sensitive finance
        data should only be accessible from the office
        VLAN)
      • Sally might have access to all external Internet
        sites, but only from her assigned IP address
        (HR needs to review websites for lewd content,
        but not from out in the cubicles)

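Slide 12's point is that the permission check can take the network context (VLAN, source address) as input alongside user, operation and object. The following added example, which is not code from the presentation, shows permissions that carry such conditions and a default-deny decision over them; the users, roles, VLAN names and addresses are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Permission:
    # Added example (not from the slides): a permission that also binds the
    # network location a request must come from. Empty fields mean "any".
    operation: str
    obj: str
    vlans: frozenset = frozenset()   # VLAN names the request may originate on
    sources: tuple = ()              # CIDR blocks the source address must fall in

    def allows(self, operation, obj, vlan, src_ip):
        if (operation, obj) != (self.operation, self.obj):
            return False
        if self.vlans and vlan not in self.vlans:
            return False
        if self.sources and not any(ip_address(src_ip) in ip_network(c) for c in self.sources):
            return False
        return True

# Constructed sample policy: all names, VLANs and addresses are made up.
USER_ROLES = {"joe": {"finance"}, "sally": {"hr"}}
ROLE_PERMS = {
    "finance": {Permission("read", "finance_data", vlans=frozenset({"office"}))},
    "hr": {Permission("browse", "external_web", sources=("10.20.30.40/32",))},
}

def authorize(user, operation, obj, vlan, src_ip):
    # Default deny: every parameter must match one permission of one held role.
    return any(perm.allows(operation, obj, vlan, src_ip)
               for role in USER_ROLES.get(user, ())
               for perm in ROLE_PERMS.get(role, ()))
```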
13
Server Access Control
  • RBAC allows granular access control to server
    resources based on roles
  • Servers can use RBAC to control access to
      • Documents or document containers
      • Resources (printers, CDs, USB ports, etc.)
      • Applications (database, WWW, FTP, etc.)
  • Applications can restrict what data or reports a
    role can access

14
RBAC Standards
  • Proposed NIST Standard for Role-Based Access
    Control (2001)
      • Users, roles, permissions, operations, objects
      • Core and Hierarchical RBAC
      • Separation of duties
      • Administrative functions, supporting system
        functions, review functions
  • ANSI/INCITS 359 - 2004
  • Draft NIST Role Based Access Control
    Implementation Standard - 2006

15
How the Standard Will Help
  • It will give vendors a common model and language
  • Will supply functional requirements that vendors
    must implement to become RBAC compliant
  • Will help consumers choose products
  • Will help products become interoperable

16
Conclusion
  • RBAC is a great defense in depth model
  • RBAC requires policy to be clearly defined before
    implementation
  • RBAC does reduce system administration duties
    once implemented
  • RBAC improves auditing and facilitates separation
    of duties
  • An implementation standard is required before
    RBAC can fully realize its potential as an
    approach to defense-in-depth